diff --git a/.github/workflows/gcs_chart_publish_insiders.yml b/.github/workflows/gcs_chart_publish_insiders.yml
index 1ffbde05..d8b1b527 100644
--- a/.github/workflows/gcs_chart_publish_insiders.yml
+++ b/.github/workflows/gcs_chart_publish_insiders.yml
@@ -53,8 +53,11 @@ jobs:
 sed -i 's/appVersion:.*/appVersion: insiders/g' charts/*/Chart.yaml
 sed -i '/^version:/ s/"$/-insiders.${{ steps.metadata.outputs.shortSHA }}"/' charts/*/Chart.yaml
- - name: Package helm charts
- run: for i in charts/*; do helm package -u $i; done
+ - name: Package Sourcegraph helm charts
+ run: for i in charts/*; do [ -f "$i/Chart.yaml" ] && helm package -u $i; done
+
+ - name: Package Sourcegraph executor helm charts
+ run: for i in charts/sourcegraph-executor/*; do [ -f "$i/Chart.yaml" ] && helm package -u $i; done
 - name: Publish chart if it doesn't already exist in the repository
 run: |
diff --git a/.github/workflows/gcs_chart_publish_release.yml b/.github/workflows/gcs_chart_publish_release.yml
index 9445f753..fe0c137d 100644
--- a/.github/workflows/gcs_chart_publish_release.yml
+++ b/.github/workflows/gcs_chart_publish_release.yml
@@ -44,8 +44,11 @@ jobs:
 - name: Set up helm repo
 run: helm repo add sg gs://${{ env.BUCKET_NAME }}/${{ env.BUCKET_PATH }}
- - name: Package helm charts
- run: for i in charts/*; do helm package -u $i; done
+ - name: Package Sourcegraph helm charts
+ run: for i in charts/*; do [ -f "$i/Chart.yaml" ] && helm package -u $i; done
+
+ - name: Package Sourcegraph executor helm charts
+ run: for i in charts/sourcegraph-executor/*; do [ -f "$i/Chart.yaml" ] && helm package -u $i; done
 - name: Publish chart if it doesn't already exist in the repository
 run: |
diff --git a/charts/sourcegraph-executor/CHANGELOG.md b/charts/sourcegraph-executor/CHANGELOG.md
new file mode 100644
index 00000000..07d20354
--- /dev/null
+++ b/charts/sourcegraph-executor/CHANGELOG.md
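Review bot: The new executor packaging loop iterates `charts/sourcegraph-executor/*`, but the two `sed` rewrites above it (context lines in this hunk) still target only `charts/*/Chart.yaml`, so the nested `dind` and `k8s` charts are packaged with their committed `version:`/`appVersion:` (`"5.0.2"` for dind in this same change) instead of `appVersion: insiders` plus the `-insiders.<shortSHA>` suffix; every insiders run would then offer the same release-looking version, and a publish step that only pushes when the version does not already exist would presumably never update them. Widen the globs to cover both levels, e.g. `charts/*/Chart.yaml charts/sourcegraph-executor/*/Chart.yaml` on both `sed` lines, or derive one list from `find charts -name Chart.yaml` and use it for the sed and package steps alike. As a smaller point, `[ -f "$i/Chart.yaml" ] && helm package -u $i` leaves the loop's status at the failed test whenever the last glob entry is skipped; bash's `-e` does not exit on the left side of `&&`, but `if [ -f "$i/Chart.yaml" ]; then helm package -u "$i"; fi` states the intent and quotes `$i`. The release workflow below shares the loop but has no sed step, so only the insiders workflow mis-versions the nested charts.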
@@ -0,0 +1,7 @@
+# Changelog
+
+
+## Unreleased
+
+* Added new chart `sourcegraph-executor-k8s` to deploy Sourcegraph executors that use Kubernetes jobs.
+* **BREAKING:** Renamed `sourcegraph-executor` chart to `sourcegraph-executor-dind` to indicate these are Docker in Docker executors. To update to newer versions of this chart, ensure the new Chart name is used.
diff --git a/charts/sourcegraph-executor/README.md b/charts/sourcegraph-executor/README.md
index a49d4517..e2632a89 100644
--- a/charts/sourcegraph-executor/README.md
+++ b/charts/sourcegraph-executor/README.md
@@ -1,102 +1,16 @@ - +# Sourcegraph executor helm charts -# Sourcegraph Exexutor Helm Chart +This directory contains two Helm charts for deploying executors on Kubernetes. [Read the docs](doc/admin/executors/deploy_executors_kubernetes.md) for more information on executors on Kubernetes. -This chart contains two deployments, Sourcegraph Executors and a private Docker Registry. It is a supplemental chart for the parent [sourcegraph/sourcegraph] Helm Chart if you wish to deploy executors +## Native Kubernetes (k8s) +This chart deploys executors that interact with the Kubernetes API to handle jobs. This is the preferred deployment option. +Your cluster will need to allow configuration of the following RBAC rules: -Use cases: +| API Groups | Resources | Verbs | Reason | +|------------|--------------------|---------------------------|-------------------------------------------------------------------------------------------| +| `batch` | `jobs` | `create`, `delete` | Executors create Job pods to run processes. Once Jobs are completed, they are cleaned up. | +| | `pods`, `pods/log` | `get`, `list`, `watch` | Executors need to look up and steam logs from the Job Pods. | -- Deploy Sourcegraph Executors on Kubernetes - -## Requirements - -* [Helm 3 CLI](https://helm.sh/docs/intro/install/) -* Kubernetes 1.19 or greater - -## Installation - -Add the Sourcegraph charts repo to Helm: - -```sh -helm repo add sourcegraph https://helm.sourcegraph.com/release -``` - -## Usage - -> The chart has to be installed in the same namespace as the parent [sourcegraph/sourcegraph] chart - -## Rendering manifests for kubectl deployment - -Manifests rendered using the `helm template` command can be used for direct deployment using `kubectl`. - -## Configuration Options - -Reference the table below for available configuration parameters and consult [executor] documentation. 
- -In addition to the documented values, the `executor` and `private-docker-registry` services also supports the following values - -- `executor.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) -- `executor.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) -- `executor.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) -- `executor.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) -- `executor.env` - consult `values.yaml` - -- `privateDockerRegistry.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) -- `privateDockerRegistry.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) -- `privateDockerRegistry.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) -- `privateDockerRegistry.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) -- `privateDockerRegistry.env` - consult `values.yaml` file - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| dind.image.registry | string | `"index.docker.io"` | | -| dind.image.repository | string | `"docker"` | | -| dind.image.tag | string | `"20.10.22-dind"` | | -| executor.enabled | bool | `true` | | -| executor.env.EXECUTOR_FRONTEND_PASSWORD | object | `{"value":""}` | The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required. | -| executor.env.EXECUTOR_FRONTEND_URL | object | `{"value":""}` | The external URL of the Sourcegraph instance. Required. 
| -| executor.env.EXECUTOR_QUEUE_NAME | object | `{"value":""}` | The name of the queue to pull jobs from to. Possible values: batches and codeintel. Required. | -| executor.image.defaultTag | string | `"5.0.6@sha256:f78a0ba3d84941ec3577f19075e935bec34a9bfaa9dcb85908142fff017e9d6d"` | | -| executor.image.name | string | `"executor"` | | -| privateDockerRegistry.image.registry | string | `"index.docker.io"` | | -| privateDockerRegistry.image.repository | string | `"docker/regisry"` | | -| privateDockerRegistry.image.tag | int | `2` | | -| sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | -| sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag | -| sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy | -| sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix | -| sourcegraph.image.useGlobalTagAsDefault | bool | `false` | When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags | -| sourcegraph.imagePullSecrets | list | `[]` | Mount named secrets containing docker credentials | -| sourcegraph.labels | object | `{}` | Add a global label to all resources | -| sourcegraph.nameOverride | string | `""` | Set a custom name for the app.kubernetes.io/name annotation | -| sourcegraph.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) | -| sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods | -| sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods | -| sourcegraph.tolerations | list | `[]` | Tolerations, learn more from the 
[Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| storageClass.allowedTopologies | object | `{}` | Persistent volumes topology configuration, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies) | -| storageClass.create | bool | `false` | Enable creation of storageClass. Defaults to Google Cloud Platform. Disable if you have your own existing storage class | -| storageClass.name | string | `"sourcegraph"` | Name of the storageClass. Use to customize to the existing storage class name | -| storageClass.parameters | object | `{}` | Extra parameters of storageClass, consult your cloud provider persistent storage documentation | -| storageClass.provisioner | string | `"kubernetes.io/gce-pd"` | Name of the storageClass provisioner, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner) and consult your cloud provider persistent storage documentation | -| storageClass.type | string | `"pd-ssd"` | Value of `type` key in storageClass `parameters`, consult your cloud provider persistent storage documentation | - -## Troubleshooting - -See a list of running executor pods - -```sh -kubectl get pods -l app=executor -``` - -Check logs of the executor container - -```sh -kubectl logs -l app=executor -c executor -``` - -[sourcegraph/sourcegraph]: ../sourcegraph/ -[sourcegraph/sourcegraph-executor]: ./ -[executor]: https://docs.sourcegraph.com/admin/executors +## Docker in Docker (dind) +This chart deploys executors that deploy a [Docker in Docker](https://www.docker.com/blog/docker-can-now-run-within-docker/) sidecar with each executor pod to avoid accessing the host container runtime directly. This method requires privileged access to a container runtime daemon in order to operate correctly. 
+If you have security concerns, consider deploying via [a non-Kubernetes method](https://docs.sourcegraph.com/admin/executors).
diff --git a/charts/sourcegraph-executor/.helmignore b/charts/sourcegraph-executor/dind/.helmignore
similarity index 100%
rename from charts/sourcegraph-executor/.helmignore
rename to charts/sourcegraph-executor/dind/.helmignore
diff --git a/charts/sourcegraph-executor/dind/Chart.yaml b/charts/sourcegraph-executor/dind/Chart.yaml
new file mode 100644
index 00000000..747d16b0
--- /dev/null
+++ b/charts/sourcegraph-executor/dind/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: sourcegraph-executor-dind
+description: Chart for installing Sourcegraph executors using Docker in Docker (dind)
+icon: https://sourcegraph.com/favicon.ico
+type: application
+
+# Chart version, separate from Sourcegraph
+version: "5.0.2"
+
+# Version of Sourcegraph release
+appVersion: "5.0.2"
diff --git a/charts/sourcegraph-executor/dind/README.md b/charts/sourcegraph-executor/dind/README.md
new file mode 100644
index 00000000..bbfd8149
--- /dev/null
+++ b/charts/sourcegraph-executor/dind/README.md
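Review bot: `appVersion: "5.0.2"` in the new dind Chart.yaml does not match the executor image the chart ships by default (`defaultTag: 5.1_230340_2023-06-23_5.0-...` in `dind/values.yaml` in this same change), and the chart's `sourcegraph.labels` helper stamps `app.kubernetes.io/version` from `.Chart.AppVersion`, so pods would carry a 5.0.2 version label while running a 5.1 build. Inventory and vulnerability tooling tends to key on that label, so either align `appVersion` with the shipped image or make the decoupling explicit in the comment: `# Version of Sourcegraph release this chart targets; the default executor image in values.yaml may be newer`. The same check applies to the k8s chart, whose `version:`/`appVersion:` lines are not in this diff.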
@@ -0,0 +1,106 @@ + + +# Sourcegraph Exexutor Helm Chart + +This chart contains two deployments, Sourcegraph Executors and a private Docker Registry. It is a supplemental chart for the parent [sourcegraph/sourcegraph] Helm Chart if you wish to deploy executors + +Use cases: + +- Deploy Sourcegraph Executors on Kubernetes + +## Requirements + +* [Helm 3 CLI](https://helm.sh/docs/intro/install/) +* Kubernetes 1.19 or greater + +## Installation + +Add the Sourcegraph charts repo to Helm: + +```sh +helm repo add sourcegraph https://helm.sourcegraph.com/release +``` + +## Usage + +> The chart has to be installed in the same namespace as the parent [sourcegraph/sourcegraph] chart + +## Rendering manifests for kubectl deployment + +Manifests rendered using the `helm template` command can be used for direct deployment using `kubectl`. + +## Configuration Options + +Reference the table below for available configuration parameters and consult [executor] documentation. + +In addition to the documented values, the `executor` and `private-docker-registry` services also supports the following values + +- `executor.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) +- `executor.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +- `executor.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +- `executor.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +- `executor.env` - consult `values.yaml` + +- `privateDockerRegistry.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) +- `privateDockerRegistry.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +- 
`privateDockerRegistry.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +- `privateDockerRegistry.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +- `privateDockerRegistry.env` - consult `values.yaml` file + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| dind.image.registry | string | `"index.docker.io"` | | +| dind.image.repository | string | `"docker"` | | +| dind.image.tag | string | `"20.10.22-dind"` | | +| executor.enabled | bool | `true` | | +| executor.env.EXECUTOR_FRONTEND_PASSWORD | object | `{"value":""}` | The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required. | +| executor.env.EXECUTOR_FRONTEND_URL | object | `{"value":""}` | The external URL of the Sourcegraph instance. Required. | +| executor.env.EXECUTOR_QUEUE_NAME | object | `{"value":""}` | The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or EXECUTOR_QUEUE_NAMES is required.** | +| executor.env.EXECUTOR_QUEUE_NAMES | object | `{"value":""}` | The comma-separated list of names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or EXECUTOR_QUEUE_NAME is required.** | +| executor.image.defaultTag | string | `"5.1_230340_2023-06-23_5.0-93d39d620e83@sha256:172770133661d4d148327d2cac87c051a6409871ee6f6e28ce3495b60f883ad5"` | | +| executor.image.name | string | `"executor"` | | +| executor.replicaCount | int | `1` | | +| privateDockerRegistry.enabled | bool | `true` | Whether to deploy the private registry. Only one registry is needed when deploying multiple executors. 
More information: https://docs.sourcegraph.com/admin/executors/deploy_executors#using-private-registries | +| privateDockerRegistry.image.registry | string | `"index.docker.io"` | | +| privateDockerRegistry.image.repository | string | `"docker/regisry"` | | +| privateDockerRegistry.image.tag | int | `2` | | +| privateDockerRegistry.storageSize | string | `"10Gi"` | | +| sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | +| sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag | +| sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy | +| sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix | +| sourcegraph.image.useGlobalTagAsDefault | bool | `false` | When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags | +| sourcegraph.imagePullSecrets | list | `[]` | Mount named secrets containing docker credentials | +| sourcegraph.labels | object | `{}` | Add a global label to all resources | +| sourcegraph.nameOverride | string | `""` | Set a custom name for the app.kubernetes.io/name annotation | +| sourcegraph.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) | +| sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods | +| sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods | +| sourcegraph.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| storageClass.allowedTopologies | object | `{}` | Persistent 
volumes topology configuration, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies) | +| storageClass.create | bool | `false` | Enable creation of storageClass. Defaults to Google Cloud Platform. Disable if you have your own existing storage class | +| storageClass.name | string | `"sourcegraph"` | Name of the storageClass. Use to customize to the existing storage class name | +| storageClass.parameters | object | `{}` | Extra parameters of storageClass, consult your cloud provider persistent storage documentation | +| storageClass.provisioner | string | `"kubernetes.io/gce-pd"` | Name of the storageClass provisioner, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner) and consult your cloud provider persistent storage documentation | +| storageClass.type | string | `"pd-ssd"` | Value of `type` key in storageClass `parameters`, consult your cloud provider persistent storage documentation | + +## Troubleshooting + +See a list of running executor pods + +```sh +kubectl get pods -l app=executor +``` + +Check logs of the executor container + +```sh +kubectl logs -l app=executor -c executor +``` + +[sourcegraph/sourcegraph]: ../sourcegraph/ +[sourcegraph/sourcegraph-executor]: ./ +[executor]: https://docs.sourcegraph.com/admin/executors diff --git a/charts/sourcegraph-executor/README.md.gotmpl b/charts/sourcegraph-executor/dind/README.md.gotmpl similarity index 100% rename from charts/sourcegraph-executor/README.md.gotmpl rename to charts/sourcegraph-executor/dind/README.md.gotmpl diff --git a/charts/sourcegraph-executor/dind/templates/_helpers.tpl b/charts/sourcegraph-executor/dind/templates/_helpers.tpl new file mode 100644 index 00000000..d2797759 --- /dev/null +++ b/charts/sourcegraph-executor/dind/templates/_helpers.tpl 
@@ -0,0 +1,115 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sourcegraph.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sourcegraph.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "sourcegraph.labels" -}}
+helm.sh/chart: {{ include "sourcegraph.chart" . }}
+{{ include "sourcegraph.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.sourcegraph.labels }}
+{{ toYaml .Values.sourcegraph.labels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sourcegraph.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sourcegraph.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "sourcegraph.serviceAccountName" -}}
+{{- $top := index . 0 }}
+{{- $service := index . 1 }}
+{{- default $service (index $top.Values $service "serviceAccount" "name") }}
+{{- end }}
+
+{{/*
+Create the docker image reference and allow it to be overridden on a per-service basis
+Default tags are toggled between a global and service-specific setting by the
+useGlobalTagAsDefault configuration
+*/}}
+{{- define "sourcegraph.image" -}}
+{{- $top := index . 0 }}
+{{- $service := index . 1 }}
+{{- $imageName := (index $top.Values $service "image" "name")}}
+{{- $defaultTag := (index $top.Values $service "image" "defaultTag")}}
+{{- if $top.Values.sourcegraph.image.useGlobalTagAsDefault }}{{ $defaultTag = (tpl $top.Values.sourcegraph.image.defaultTag $top) }}{{ end }}
+
+{{- $top.Values.sourcegraph.image.repository }}/{{ $imageName }}:{{ default $defaultTag (index $top.Values $service "image" "tag") }}
+{{- end }}
+
+{{- define "sourcegraph.nodeSelector" -}}
+{{- $top := index . 0 }}
+{{- $service := index . 1 }}
+{{- $globalNodeSelector := (index $top.Values "sourcegraph" "nodeSelector") }}
+{{- $serviceNodeSelector := (index $top.Values $service "nodeSelector") }}
+nodeSelector:
+{{- if $serviceNodeSelector }}
+{{- $serviceNodeSelector | toYaml | trim | nindent 2 }}
+{{- else if $globalNodeSelector }}
+{{- $globalNodeSelector | toYaml | trim | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{- define "sourcegraph.affinity" -}}
+{{- $top := index . 0 }}
+{{- $service := index . 1 }}
+{{- $globalAffinity := (index $top.Values "sourcegraph" "affinity") }}
+{{- $serviceAffinity := (index $top.Values $service "affinity") }}
+affinity:
+{{- if $serviceAffinity }}
+{{- tpl ($serviceAffinity | toYaml) $top | trim | nindent 2 }}
+{{- else if $globalAffinity }}
+{{- tpl ($globalAffinity | toYaml) $top | trim | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{- define "sourcegraph.tolerations" -}}
+{{- $top := index . 0 }}
+{{- $service := index . 1 }}
+{{- $globalTolerations := (index $top.Values "sourcegraph" "tolerations") }}
+{{- $serviceTolerations := (index $top.Values $service "tolerations") }}
+tolerations:
+{{- if $serviceTolerations }}
+{{- $serviceTolerations | toYaml | trim | nindent 2 }}
+{{- else if $globalTolerations }}
+{{- $globalTolerations | toYaml | trim | nindent 2 }}
+{{- end }}
+{{- end }}
+
+
+{{- define "executor.name" -}}
+{{- if .Values.executor.env.EXECUTOR_QUEUE_NAME.value -}}
+executor-{{.Values.executor.env.EXECUTOR_QUEUE_NAME.value}}
+{{- else if .Values.executor.env.EXECUTOR_QUEUE_NAMES.value -}}
+executor-{{replace "," "-" .Values.executor.env.EXECUTOR_QUEUE_NAMES.value }}
+{{- end }}
+{{- end }}
+
+{{- define "executor.labels" -}}
+app: {{ include "executor.name" . }}
+deploy: sourcegraph
+sourcegraph-resource-requires: no-cluster-admin
+app.kubernetes.io/component: executor
+{{- end}}
diff --git a/charts/sourcegraph-executor/templates/executor/docker-daemon.ConfigMap.yaml b/charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml
similarity index 100%
rename from charts/sourcegraph-executor/templates/executor/docker-daemon.ConfigMap.yaml
rename to charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml
diff --git a/charts/sourcegraph-executor/templates/executor/executor.Deployment.yaml b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml
similarity index 94%
rename from charts/sourcegraph-executor/templates/executor/executor.Deployment.yaml
rename to charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml
index da1eee94..ab058fab 100644
--- a/charts/sourcegraph-executor/templates/executor/executor.Deployment.yaml
+++ b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml
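Review bot: `executor.name` produces an empty string when neither `EXECUTOR_QUEUE_NAME.value` nor `EXECUTOR_QUEUE_NAMES.value` is set, and `executor.labels` then emits `app:` with no value; because the Deployment and Service templates in this change use the same include in their selectors, a queue-less install renders an invalid selector at apply time rather than failing at template time. Give the helper a terminal branch before its closing `{{- end }}`: `{{- else -}}` / `{{- fail "set executor.env.EXECUTOR_QUEUE_NAME or executor.env.EXECUTOR_QUEUE_NAMES" -}}`. The `replace "," "-"` branch also assumes the comma-separated value contains only label-safe characters and stays under 63 characters, which holds for the documented `batches`/`codeintel` values but is worth stating in a comment above the define, since the result is used as a label and selector value.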
@@ -10,13 +10,12 @@ metadata:
 {{- if .Values.executor.labels }}
 {{- toYaml .Values.executor.labels | nindent 4 }}
 {{- end }}
- deploy: sourcegraph
- app.kubernetes.io/component: executor
+ {{- include "executor.labels" . | nindent 4 }}
 spec:
 selector:
 matchLabels:
 {{- include "sourcegraph.selectorLabels" . | nindent 6 }}
- app: executor
+ app: {{ include "executor.name" . }}
 minReadySeconds: 10
 replicas: {{ .Values.executor.replicaCount }}
 revisionHistoryLimit: 10
@@ -43,8 +42,7 @@ spec:
 {{- if .Values.executor.podLabels }}
 {{- toYaml .Values.executor.podLabels | nindent 8 }}
 {{- end }}
- deploy: sourcegraph
- app: executor
+ {{- include "executor.labels" . | nindent 8 }}
 spec:
 containers:
 - name: executor
@@ -87,7 +85,7 @@ spec:
 - mountPath: /scratch
 name: executor-scratch
 - name: dind
- image: {{ .Values.dind.image.registry}}/{{ .Values.dind.image.repository}}:{{ .Values.dind.image.tag}}
+ image: "{{ .Values.dind.image.registry}}/{{ .Values.dind.image.repository}}:{{ .Values.dind.image.tag}}"
 imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
 securityContext:
 privileged: true
diff --git a/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml b/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml
new file mode 100644
index 00000000..579af804
--- /dev/null
+++ b/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml
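Review bot: Changing `spec.selector.matchLabels` from `app: executor` to `app: {{ include "executor.name" . }}` hits the apps/v1 rule that a Deployment selector is immutable, so `helm upgrade` of an existing release will fail with a field-is-immutable error until the old Deployment is deleted; the upgrade note in CHANGELOG.md only covers the chart rename and should add a line such as `Delete the existing executor Deployment before upgrading: its selector now includes the queue name`. The dind README's troubleshooting commands `kubectl get pods -l app=executor` and `kubectl logs -l app=executor -c executor` also stop matching anything once the label becomes `executor-<queue>`. The Deployment's `metadata.name` sits above this hunk, so whether two queues can be installed side by side depends on whether it derives from `executor.name` too. Separately, the re-quoted image line still pulls the `privileged: true` dind sidecar by mutable tag (`dind.image.tag: 20.10.22-dind`) while the executor image is digest-pinned; a `dind.image.digest` value, or a tag of the form `20.10.22-dind@sha256:<digest>`, would give the most privileged container in the pod the strongest pin.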
@@ -0,0 +1,26 @@
+{{- if .Values.executor.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/port: "6060"
+ sourcegraph.prometheus/scrape: "true"
+ {{- if .Values.executor.serviceAnnotations }}
+ {{- toYaml .Values.executor.serviceAnnotations | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "executor.labels" . | nindent 4 }}
+ {{- if .Values.executor.serviceLabels }}
+ {{- toYaml .Values.executor.serviceLabels | nindent 4 }}
+ {{- end }}
+ name: executor
+spec:
+ ports:
+ - name: debug
+ port: 6060
+ targetPort: debug
+ selector:
+ {{- include "sourcegraph.selectorLabels" . | nindent 4 }}
+ app: {{include "executor.name" . }}
+ type: {{ .Values.executor.serviceType | default "ClusterIP" }}
+{{- end }}
diff --git a/charts/sourcegraph-executor/templates/private-docker-registry/private-docker-registry.Deployment.yaml b/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml
similarity index 98%
rename from charts/sourcegraph-executor/templates/private-docker-registry/private-docker-registry.Deployment.yaml
rename to charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml
index 488a5fa3..eba01538 100644
--- a/charts/sourcegraph-executor/templates/private-docker-registry/private-docker-registry.Deployment.yaml
+++ b/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.executor.enabled -}}
+{{- if .Values.privateDockerRegistry.enabled -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
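Review bot: `name: executor` is fixed while the selector this Service wraps (`app: {{include "executor.name" . }}`) is now per-queue, so installing the chart a second time for another queue in the same namespace (which the README requires, since the chart must share the parent chart's namespace) collides on the Service and fails with a resource-ownership error; `name: {{ include "executor.name" . }}` keeps it in step with the Deployment selector. The Service also publishes port 6060 (named `debug`, annotated for Prometheus scraping) with a caller-chosen `type`; if that port is the executor's pprof/debug listener, a `serviceType` of NodePort or LoadBalancer exposes it outside the cluster, so a comment on `type:` such as `# debug/metrics port: keep ClusterIP unless fronted by auth` is worth adding, or a NetworkPolicy restricting it to the monitoring namespace.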
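Review bot: Gating the registry Deployment on `privateDockerRegistry.enabled` is only half the toggle if the sibling `private-docker-registry.Service.yaml` and `.PersistentVolumeClaim.yaml`, renamed here at 100% similarity with bodies not shown, still open with `{{- if .Values.executor.enabled -}}`; with `privateDockerRegistry.enabled: false` those would be created without a Deployment behind them, leaving an orphaned PVC and a selector-less Service. Confirm both use `{{- if .Values.privateDockerRegistry.enabled -}}`, and consider a case in `dind/tests/privateDockerRegistry_test.yaml` asserting that no registry resources render when the flag is false.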
diff --git a/charts/sourcegraph-executor/templates/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml b/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml
similarity index 100%
rename from charts/sourcegraph-executor/templates/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml
rename to charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml
diff --git a/charts/sourcegraph-executor/templates/private-docker-registry/private-docker-registry.Service.yaml b/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Service.yaml
similarity index 100%
rename from charts/sourcegraph-executor/templates/private-docker-registry/private-docker-registry.Service.yaml
rename to charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Service.yaml
diff --git a/charts/sourcegraph-executor/tests/executor_test.yaml b/charts/sourcegraph-executor/dind/tests/executor_test.yaml
similarity index 100%
rename from charts/sourcegraph-executor/tests/executor_test.yaml
rename to charts/sourcegraph-executor/dind/tests/executor_test.yaml
diff --git a/charts/sourcegraph-executor/tests/privateDockerRegistry_test.yaml b/charts/sourcegraph-executor/dind/tests/privateDockerRegistry_test.yaml
similarity index 100%
rename from charts/sourcegraph-executor/tests/privateDockerRegistry_test.yaml
rename to charts/sourcegraph-executor/dind/tests/privateDockerRegistry_test.yaml
diff --git a/charts/sourcegraph-executor/values.yaml b/charts/sourcegraph-executor/dind/values.yaml
similarity index 65%
rename from charts/sourcegraph-executor/values.yaml
rename to charts/sourcegraph-executor/dind/values.yaml
index de1a7d3e..2fbc8e18 100644
--- a/charts/sourcegraph-executor/values.yaml
+++ b/charts/sourcegraph-executor/dind/values.yaml
@@ -52,58 +52,12 @@ storageClass:
 # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies)
 allowedTopologies: {}
-
-# Generic application configuration options, used by most applications below
-# app: # Generally matches directory name
-# replicaCount: 1
-#
-# image:
-# # Application-specific default tag. Overrides the global tag. Do not modify - use tag instead
-# defaultTag:
-# # Override the default tag on a service-specific basis
-# tag:
-# # Override the default docker image name
-# name:
-#
-# # Add additional labels and annotations to various resources
-# labels: {}
-# podLabels: {}
-# podAnnotations: {}
-# serviceLabels: {}
-# serviceAnnotations: {}
-# # Override default service/deployment names
-# name: ""
-# # Provide custom environment variables
-# env: {}
-# # Set resource requests / limits
-# resources: {}
-# podSecurityContext: {}
-# securityContext: {}
-# # Add additional volumes and mounts to deployments
-# extraVolumeMounts: {}
-# extraVolumes: {}
-# # Add sidecars
-# extraContainers: {}
-# # Toggle serviceAccount creation
-# serviceAccount.create: true
-# # Customize service account name
-# serviceAccount.name: ""
-# # Override service type (defaults to ClusterIP)
-# serviceType: ""
-# # Set disk size on PVC's for stateful deployments
-# storageSize: ""
-# # Optionally bind PVC's to an existing PV
-# volumeName: ""
-# # Use an existing configmap (specified by name) instead of creating one
-# existingConfig: ""
-# # Toggle deployment of applications on/off. Applies to databases and third-party applications
-# enabled: true
-
 executor:
 enabled: true
 image:
- defaultTag: 5.0.6@sha256:f78a0ba3d84941ec3577f19075e935bec34a9bfaa9dcb85908142fff017e9d6d
+ defaultTag: 5.1_230340_2023-06-23_5.0-93d39d620e83@sha256:172770133661d4d148327d2cac87c051a6409871ee6f6e28ce3495b60f883ad5
 name: "executor"
+ replicaCount: 1
 env:
 # -- The external URL of the Sourcegraph instance. Required.
 EXECUTOR_FRONTEND_URL:
@@ -111,9 +65,12 @@ executor:
 # -- The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required.
 EXECUTOR_FRONTEND_PASSWORD:
 value: ""
- # -- The name of the queue to pull jobs from to. Possible values: batches and codeintel. Required.
+ # -- The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or EXECUTOR_QUEUE_NAMES is required.**
 EXECUTOR_QUEUE_NAME:
 value: ""
+ # -- The comma-separated list of names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or EXECUTOR_QUEUE_NAME is required.**
+ EXECUTOR_QUEUE_NAMES:
+ value: ""
 dind:
 image:
@@ -122,7 +79,11 @@ dind:
 tag: 20.10.22-dind
 privateDockerRegistry:
+ # -- Whether to deploy the private registry. Only one registry is needed when deploying multiple executors.
+ # More information: https://docs.sourcegraph.com/admin/executors/deploy_executors#using-private-registries
+ enabled: true
 image:
 registry: index.docker.io
 repository: docker/regisry
 tag: 2
+ storageSize: 10Gi
diff --git a/charts/sourcegraph-executor/k8s/.helmignore b/charts/sourcegraph-executor/k8s/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/sourcegraph-executor/Chart.yaml b/charts/sourcegraph-executor/k8s/Chart.yaml
similarity index 63%
rename from charts/sourcegraph-executor/Chart.yaml
rename to charts/sourcegraph-executor/k8s/Chart.yaml
index 7443497d..96c53522 100644
--- a/charts/sourcegraph-executor/Chart.yaml
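Review bot: The new `EXECUTOR_QUEUE_NAMES` comment says either it or `EXECUTOR_QUEUE_NAME` is required but not what happens when both are set; the `executor.name` helper in this change reads `EXECUTOR_QUEUE_NAME` first and ignores `EXECUTOR_QUEUE_NAMES` for naming, while both env vars would presumably still reach the container, so state the precedence: `# If both are set, EXECUTOR_QUEUE_NAME wins for resource naming; set only one.`. Two context lines deserve a look while this stanza is open: `EXECUTOR_FRONTEND_PASSWORD` is a shared secret written as a plain `value:`, which ends up in the Helm release record (`helm get values`), so a note that `valueFrom.secretKeyRef` is accepted, if the Deployment template passes the env object through unchanged, would keep it out of plain values; and `repository: docker/regisry` now sits under a registry that is deployed by default (`enabled: true`), so confirm the spelling against the registry Deployment template, since `docker/regisry` does not look like a real image path. Finally, `tag: 20.10.22-dind` is the only image reference in this file without a digest, and it is the one that runs privileged.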
+++ b/charts/sourcegraph-executor/k8s/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-name: sourcegraph-executor
-description: Chart for installing Sourcegraph executors
+name: sourcegraph-executor-k8s
+description: Chart for installing Sourcegraph executors using Kubernetes jobs
 icon: https://sourcegraph.com/favicon.ico
 type: application
diff --git a/charts/sourcegraph-executor/k8s/README.md b/charts/sourcegraph-executor/k8s/README.md
new file mode 100644
index 00000000..86b0bb3a
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/README.md
@@ -0,0 +1,111 @@
+
+
+# Sourcegraph Executor Helm Chart
+
+This chart contains two deployments, Sourcegraph Kubernetes native Executors and a private Docker Registry. It is a supplemental chart for the parent [sourcegraph/sourcegraph] Helm Chart if you wish to deploy Kubernetes native executors.
+
+Use cases:
+
+- Deploy Sourcegraph Kubernetes native Executors on Kubernetes
+
+## Requirements
+
+* [Helm 3 CLI](https://helm.sh/docs/intro/install/)
+* Kubernetes 1.19 or greater
+
+## Installation
+
+Add the Sourcegraph charts repo to Helm:
+
+```sh
+helm repo add sourcegraph https://helm.sourcegraph.com/release
+```
+
+## Usage
+
+> The chart has to be installed in the same namespace as the parent [sourcegraph/sourcegraph] chart
+
+## Rendering manifests for kubectl deployment
+
+Manifests rendered using the `helm template` command can be used for direct deployment using `kubectl`.
+
+## Configuration Options
+
+Reference the table below for available configuration parameters and consult [executor] documentation.
+
+In addition to the documented values, the `executor` and `private-docker-registry` services also supports the following values
+
+- `executor.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+- `executor.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+- `executor.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+- `executor.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+- `executor.extraEnv` - consult `values.yaml`
+
+- `privateDockerRegistry.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+- `privateDockerRegistry.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+- `privateDockerRegistry.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+- `privateDockerRegistry.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+- `privateDockerRegistry.env` - consult `values.yaml` file
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| executor.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| executor.configureRbac | bool | `true` | Whether to configure the necessary RBAC resources. Required only once for all executor deployments. |
+| executor.debug.keepJobs | string | `"false"` | If true, Kubernetes jobs will not be deleted after they complete. Not recommended for production use as it can hit cluster limits. |
+| executor.debug.keepWorkspaces | string | `"false"` | |
+| executor.dockerAddHostGateway | string | `"false"` | For local deployments the host is 'host.docker.internal' and this needs to be true |
+| executor.enabled | bool | `true` | |
+| executor.extraEnv | string | `nil` | Sets extra environment variables on the executor deployment. See `values.yaml` for the format. |
+| executor.frontendPassword | string | `""` | The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required. |
+| executor.frontendUrl | string | `""` | The external URL of the Sourcegraph instance. Required. **Recommended:** set to the internal service endpoint (e.g. `http://sourcegraph-frontend.sourcegraph.svc.cluster.local:30080` if Sourcegraph is deployed in the `sourcegraph` namespace). This will avoid unnecessary network charges as traffic will stay within the local network. |
+| executor.image.defaultTag | string | `"5.1_230340_2023-06-23_5.0-93d39d620e83@sha256:172770133661d4d148327d2cac87c051a6409871ee6f6e28ce3495b60f883ad5"` | |
+| executor.image.name | string | `"executor-kubernetes"` | |
+| executor.kubeconfigPath | string | `""` | The path to the kubeconfig file. If not specified, the in-cluster config is used. |
+| executor.kubernetesJob.deadline | string | `"1200"` | The number of seconds after which a Kubernetes job will be terminated. |
+| executor.kubernetesJob.fsGroup | string | `"1000"` | The group ID which is set on the job PVC file system. |
+| executor.kubernetesJob.node.name | string | `""` | The name of the Kubernetes Node to create job pods on. If not specified, the pods are created on the first available node. |
+| executor.kubernetesJob.node.requiredAffinityMatchExpressions | string | `""` | The JSON encoded required affinity match expressions for Kubernetes Jobs. e.g. `[{"key": "foo", "operator": "In", "values": ["bar"]}]` |
+| executor.kubernetesJob.node.requiredAffinityMatchFields | string | `""` | The JSON encoded required affinity match fields for Kubernetes Jobs. e.g. `[{"key": "foo", "operator": "In", "values": ["bar"]}]` |
+| executor.kubernetesJob.node.selector | string | `""` | A comma separated list of values to use as a node selector for Kubernetes Jobs. e.g. `foo=bar,app=my-app` |
+| executor.kubernetesJob.node.tolerations | string | `""` | The JSON encoded tolerations for Kubernetes Jobs. e.g. [{"key": "foo", "operator": "Equal", "value": "bar", "effect": "NoSchedule"}] |
+| executor.kubernetesJob.pod.affinity | string | `""` | The JSON encoded pod affinity for Kubernetes Jobs. e.g. [{"labelSelector": {"matchExpressions": [{"key": "foo", "operator": "In", "values": ["bar"]}]}, "topologyKey": "kubernetes.io/hostname"}] |
+| executor.kubernetesJob.pod.antiAffinity | string | `""` | The JSON encoded pod anti-affinity for Kubernetes Jobs. e.g. [{"labelSelector": {"matchExpressions": [{"key": "foo", "operator": "In", "values": ["bar"]}]}, "topologyKey": "kubernetes.io/hostname"}] |
+| executor.kubernetesJob.resources.limits.cpu | string | `""` | The maximum CPU for a job. |
+| executor.kubernetesJob.resources.limits.memory | string | `"12Gi"` | The maximum memory for a job. |
+| executor.kubernetesJob.resources.requests.cpu | string | `""` | The requested CPU for a job. |
+| executor.kubernetesJob.resources.requests.memory | string | `"1Gi"` | The requested memory for a job. |
+| executor.kubernetesJob.runAsGroup | int | `-1` | The group ID to run Kubernetes jobs as. |
+| executor.kubernetesJob.runAsUser | int | `-1` | The user ID to run Kubernetes jobs as. |
+| executor.log.format | string | `"condensed"` | |
+| executor.log.level | string | `"warn"` | Possible values are `dbug`, `info`, `warn`, `eror`, `crit`. |
+| executor.log.trace | string | `"false"` | |
+| executor.maximumNumJobs | int | `10` | The maximum amount of jobs that can be executed concurrently. |
+| executor.maximumRuntimePerJob | string | `"30m"` | |
+| executor.namespace | string | `"default"` | The namespace in which jobs are generated by the executor. |
+| executor.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
+| executor.queueName | string | `""` | The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or queueNames is required.** |
+| executor.queueNames | list | `[]` | The names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or queueName is required.** |
+| executor.replicas | int | `1` | |
+| executor.storageSize | string | `"10Gi"` | The storage size of the PVC attached to the executor deployment. |
+| executor.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
+| sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag |
+| sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy |
+| sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix |
+| sourcegraph.image.useGlobalTagAsDefault | bool | `false` | When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags |
+| sourcegraph.imagePullSecrets | list | `[]` | Mount named secrets containing docker credentials |
+| sourcegraph.labels | object | `{}` | Add a global label to all resources |
+| sourcegraph.nameOverride | string | `""` | Set a custom name for the app.kubernetes.io/name annotation |
+| sourcegraph.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
+| sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods |
+| sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods |
+| sourcegraph.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
+| storageClass.allowedTopologies | object | `{}` | Persistent volumes topology configuration, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies) |
+| storageClass.create | bool | `false` | Enable creation of storageClass. Defaults to Google Cloud Platform. Disable if you have your own existing storage class |
+| storageClass.name | string | `"sourcegraph"` | Name of the storageClass. Use to customize to the existing storage class name |
+| storageClass.parameters | object | `{}` | Extra parameters of storageClass, consult your cloud provider persistent storage documentation |
+| storageClass.provisioner | string | `"kubernetes.io/gce-pd"` | Name of the storageClass provisioner, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner) and consult your cloud provider persistent storage documentation |
+| storageClass.type | string | `"pd-ssd"` | Value of `type` key in storageClass `parameters`, consult your cloud provider persistent storage documentation |
diff --git a/charts/sourcegraph-executor/k8s/README.md.gotmpl b/charts/sourcegraph-executor/k8s/README.md.gotmpl
new file mode 100644
index 00000000..679793aa
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/README.md.gotmpl
@@ -0,0 +1,53 @@
+
+
+# Sourcegraph Executor Helm Chart
+
+This chart contains two deployments, Sourcegraph Kubernetes native Executors and a private Docker Registry. It is a supplemental chart for the parent [sourcegraph/sourcegraph] Helm Chart if you wish to deploy Kubernetes native executors.
+
+Use cases:
+
+- Deploy Sourcegraph Kubernetes native Executors on Kubernetes
+
+## Requirements
+
+* [Helm 3 CLI](https://helm.sh/docs/intro/install/)
+* Kubernetes 1.19 or greater
+
+## Installation
+
+Add the Sourcegraph charts repo to Helm:
+
+```sh
+helm repo add sourcegraph https://helm.sourcegraph.com/release
+```
+
+## Usage
+
+> The chart has to be installed in the same namespace as the parent [sourcegraph/sourcegraph] chart
+
+## Rendering manifests for kubectl deployment
+
+Manifests rendered using the `helm template` command can be used for direct deployment using `kubectl`.
+
+## Configuration Options
+
+Reference the table below for available configuration parameters and consult [executor] documentation.
+
+In addition to the documented values, the `executor` and `private-docker-registry` services also supports the following values
+
+- `executor.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+- `executor.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+- `executor.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+- `executor.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+- `executor.extraEnv` - consult `values.yaml`
+
+- `privateDockerRegistry.affinity` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+- `privateDockerRegistry.nodeSelector` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+- `privateDockerRegistry.tolerations` - [learn more](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+- `privateDockerRegistry.podSecurityContext` - [learn more](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+- `privateDockerRegistry.env` - consult `values.yaml` file
+
+{{ template "chart.valuesTable" . }}
diff --git a/charts/sourcegraph-executor/templates/_helpers.tpl b/charts/sourcegraph-executor/k8s/templates/_helpers.tpl
similarity index 88%
rename from charts/sourcegraph-executor/templates/_helpers.tpl
rename to charts/sourcegraph-executor/k8s/templates/_helpers.tpl
index e8c9fd72..70f75b28 100644
--- a/charts/sourcegraph-executor/templates/_helpers.tpl
+++ b/charts/sourcegraph-executor/k8s/templates/_helpers.tpl
@@ -97,3 +97,18 @@ tolerations:
 {{- $globalTolerations | toYaml | trim | nindent 2 }}
 {{- end }}
 {{- end }}
+
+{{- define "executor.name" -}}
+{{- if .Values.executor.queueName -}}
+executor-{{.Values.executor.queueName}}
+{{- else if .Values.executor.queueNames -}}
+executor-{{join "-" .Values.executor.queueNames }}
+{{- end }}
+{{- end }}
+
+{{- define "executor.labels" -}}
+app: {{ include "executor.name" . }}
+deploy: sourcegraph
+sourcegraph-resource-requires: no-cluster-admin
+app.kubernetes.io/component: executor
+{{- end}}
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.ConfigMap.yaml b/charts/sourcegraph-executor/k8s/templates/executor.ConfigMap.yaml
new file mode 100644
index 00000000..aa8a7f77
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/templates/executor.ConfigMap.yaml
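Review bot: `executor.name` renders an empty string when neither `executor.queueName` nor `executor.queueNames` is set, so every resource built from it (ConfigMap, Secret, Deployment, Service, PVC) would presumably be emitted with an empty or bare `sg-` name and the install fails on a Kubernetes validation error rather than a clear message. Add an else branch that fails fast: `{{- else -}}` / `{{- fail "either executor.queueName or executor.queueNames must be set" -}}` before the final `{{- end }}` of the define. A one-line comment above the define stating that `queueName` takes precedence when both are set would also help, since the ConfigMap in this diff exports both values unconditionally.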
@@ -0,0 +1,46 @@
+{{- if .Values.executor.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "executor.name" . }}
+ labels:
+{{- include "executor.labels" . | nindent 4 }}
+data:
+ EXECUTOR_USE_FIRECRACKER: "false"
+ EXECUTOR_FRONTEND_URL: "{{ .Values.executor.frontendUrl }}"
+ EXECUTOR_MAXIMUM_NUM_JOBS: "{{ .Values.executor.maximumNumJobs }}"
+ EXECUTOR_MAXIMUM_RUNTIME_PER_JOB: "{{ .Values.executor.maximumRuntimePerJob }}"
+ EXECUTOR_QUEUE_NAME: "{{ .Values.executor.queueName }}"
+ EXECUTOR_QUEUE_NAMES: "{{join "," .Values.executor.queueNames }}"
+
+ SRC_LOG_LEVEL: "{{ .Values.executor.log.level }}"
+ SRC_LOG_FORMAT: "{{ .Values.executor.log.format }}"
+ SRC_TRACE_LOG: "{{ .Values.executor.log.trace }}"
+
+ EXECUTOR_KUBERNETES_NAMESPACE: "{{ .Values.executor.namespace }}"
+ EXECUTOR_KUBERNETES_CONFIG_PATH: "{{ .Values.executor.kubeconfigPath }}"
+ EXECUTOR_KUBERNETES_PERSISTENCE_VOLUME_NAME: "sg-{{include "executor.name" . }}"
+
+ EXECUTOR_KUBERNETES_NODE_NAME: "{{ .Values.executor.kubernetesJob.node.name }}"
+ EXECUTOR_KUBERNETES_NODE_SELECTOR: "{{ .Values.executor.kubernetesJob.node.selector }}"
+ EXECUTOR_KUBERNETES_NODE_TOLERATIONS: "{{ .Values.executor.kubernetesJob.node.tolerations }}"
+ EXECUTOR_KUBERNETES_NODE_REQUIRED_AFFINITY_MATCH_EXPRESSIONS: "{{ .Values.executor.kubernetesJob.node.requiredAffinityMatchExpressions }}"
+ EXECUTOR_KUBERNETES_NODE_REQUIRED_AFFINITY_MATCH_FIELDS: "{{ .Values.executor.kubernetesJob.node.requiredAffinityMatchFields }}"
+
+ EXECUTOR_KUBERNETES_POD_AFFINITY: "{{ .Values.executor.kubernetesJob.pod.affinity }}"
+ EXECUTOR_KUBERNETES_POD_ANTI_AFFINITY: "{{ .Values.executor.kubernetesJob.pod.antiAffinity }}"
+
+ EXECUTOR_KUBERNETES_RESOURCE_REQUEST_CPU: "{{ .Values.executor.kubernetesJob.resources.requests.cpu }}"
+ EXECUTOR_KUBERNETES_RESOURCE_REQUEST_MEMORY: "{{ .Values.executor.kubernetesJob.resources.requests.memory }}"
+ EXECUTOR_KUBERNETES_RESOURCE_LIMIT_CPU: "{{ .Values.executor.kubernetesJob.resources.limits.cpu }}"
+ EXECUTOR_KUBERNETES_RESOURCE_LIMIT_MEMORY: "{{ .Values.executor.kubernetesJob.resources.limits.memory }}"
+
+ KUBERNETES_JOB_DEADLINE: "{{ .Values.executor.kubernetesJob.deadline }}"
+ KUBERNETES_RUN_AS_USER: "{{ .Values.executor.kubernetesJob.runAsUser }}"
+ KUBERNETES_RUN_AS_GROUP: "{{ .Values.executor.kubernetesJob.runAsGroup }}"
+ KUBERNETES_FS_GROUP: "{{ .Values.executor.kubernetesJob.fsGroup }}"
+
+ EXECUTOR_DOCKER_ADD_HOST_GATEWAY: "{{.Values.executor.dockerAddHostGateway }}"
+ KUBERNETES_KEEP_JOBS: "{{ .Values.executor.debug.keepJobs }}"
+ EXECUTOR_KEEP_WORKSPACES: "{{ .Values.executor.debug.keepWorkspaces }}"
+{{- end }}
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml
new file mode 100644
index 00000000..b2554e32
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml
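Review bot: The values documented as JSON (`node.tolerations`, `node.requiredAffinityMatchExpressions`, `node.requiredAffinityMatchFields`, `pod.affinity`, `pod.antiAffinity`) are interpolated inside literal double quotes, e.g. `EXECUTOR_KUBERNETES_NODE_TOLERATIONS: "{{ .Values.executor.kubernetesJob.node.tolerations }}"`, so any non-empty value — every example given in values.yaml contains `"` — yields invalid YAML and the render presumably fails. Use Helm's quoting for those five keys instead, `EXECUTOR_KUBERNETES_NODE_TOLERATIONS: {{ .Values.executor.kubernetesJob.node.tolerations | quote }}`, which escapes embedded quotes; the same form is safer for free-text keys such as `EXECUTOR_FRONTEND_URL`. Separately, `EXECUTOR_QUEUE_NAME` and `EXECUTOR_QUEUE_NAMES` are both exported even when one is empty, so a comment stating that an empty value is treated as unset by the executor would help (I cannot confirm that from this diff).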
@@ -0,0 +1,107 @@
+{{- if .Values.executor.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "executor.name" . }}
+ annotations:
+ description: Runs a sourcegraph executor
+ kubectl.kubernetes.io/default-container: executor
+ labels:
+ {{- include "executor.labels" . | nindent 4 }}
+ {{- if .Values.executor.labels }}
+ {{- toYaml .Values.executor.labels | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "sourcegraph.selectorLabels" . | nindent 6 }}
+ app: {{ include "executor.name" . }}
+ minReadySeconds: 10
+ replicas: {{ .Values.executor.replicas }}
+ revisionHistoryLimit: 10
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: executor
+ {{- if .Values.sourcegraph.podAnnotations }}
+ {{- toYaml .Values.sourcegraph.podAnnotations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.executor.podAnnotations }}
+ {{- toYaml .Values.executor.podAnnotations | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "sourcegraph.selectorLabels" . | nindent 8 }}
+ {{- if .Values.sourcegraph.podLabels }}
+ {{- toYaml .Values.sourcegraph.podLabels | nindent 8 }}
+ {{- end }}
+ {{- if .Values.executor.podLabels }}
+ {{- toYaml .Values.executor.podLabels | nindent 8 }}
+ {{- end }}
+ {{- include "executor.labels" . | nindent 8 }}
+ spec:
+ securityContext:
+ fsGroup: {{ .Values.executor.kubernetesJob.fsGroup }}
+ serviceAccountName: sg-executor
+ containers:
+ - name: executor
+ image: {{ include "sourcegraph.image" (list . "executor") }}
+ imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+ ports:
+ - containerPort: 6060
+ name: debug
+ envFrom:
+ - configMapRef:
+ name: {{ include "executor.name" . }}
+ - secretRef:
+ name: {{ include "executor.name" . }}
+ {{- if .Values.executor.extraEnv }}
+ env:
+ {{- with .Values.executor.extraEnv }}
+ {{- toYaml . | trim | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ livenessProbe:
+ exec:
+ command:
+ - /usr/bin/pgrep
+ - -f
+ - /usr/local/bin/executor
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ readinessProbe:
+ exec:
+ command:
+ - /usr/bin/pgrep
+ - -f
+ - /usr/local/bin/executor
+ periodSeconds: 5
+ volumeMounts:
+ - mountPath: /data
+ name: "sg-{{include "executor.name" . }}"
+ terminationMessagePolicy: FallbackToLogsOnError
+ {{- with .Values.executor.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.executor.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.executor.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sourcegraph.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: "sg-{{include "executor.name" . }}"
+ persistentVolumeClaim:
+ claimName: "sg-{{include "executor.name" . }}"
+{{- end }}
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.PersistentVolumeClaim.yaml b/charts/sourcegraph-executor/k8s/templates/executor.PersistentVolumeClaim.yaml
new file mode 100644
index 00000000..fe276240
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/templates/executor.PersistentVolumeClaim.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.executor.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: "sg-{{include "executor.name" . }}"
+ labels:
+{{ include "executor.labels" . | indent 4 }}
+spec:
+ storageClassName: {{ .Values.storageClass.name }}
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.executor.storageSize }}
+{{- end}}
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml
new file mode 100644
index 00000000..d184dd5d
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml
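Review bot: The pod `securityContext` only sets `fsGroup`, while the README in this diff lists `executor.podSecurityContext` as a supported value that nothing in this template reads, so users following the README get silently ignored settings; either merge it under `securityContext:` with `{{- with .Values.executor.podSecurityContext }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`, or drop it from the README. `serviceAccountName: sg-executor` is hard-coded although the ServiceAccount is only rendered when `executor.configureRbac` is true, so an install with `configureRbac: false` cannot point the Deployment at a pre-existing account; a `executor.serviceAccountName` value defaulting to `sg-executor` would cover that. The `executor` container carries no `securityContext` and no `resources` even though it holds the frontend access token from the Secret and a ServiceAccount token that can create jobs; if that is intentional a short comment saying so would help, otherwise `allowPrivilegeEscalation: false` is a cheap first hardening step.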
@@ -0,0 +1,28 @@
+{{- if .Values.executor.configureRbac }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: sg-executor-role
+ labels:
+ category: rbac
+ deploy: sourcegraph
+ sourcegraph-resource-requires: cluster-admin
+ app.kubernetes.io/component: executor
+rules:
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.RoleBinding.yaml b/charts/sourcegraph-executor/k8s/templates/executor.RoleBinding.yaml
new file mode 100644
index 00000000..f13311c5
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/templates/executor.RoleBinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.executor.configureRbac }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: sg-executor-role-binding
+ labels:
+ category: rbac
+ deploy: sourcegraph
+ sourcegraph-resource-requires: cluster-admin
+ app.kubernetes.io/component: executor
+subjects:
+ - kind: ServiceAccount
+ name: sg-executor
+roleRef:
+ kind: Role
+ name: sg-executor-role
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Secret.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Secret.yaml
new file mode 100644
index 00000000..53e300da
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/templates/executor.Secret.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.executor.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "executor.name" . }}
+type: Opaque
+data:
+ EXECUTOR_FRONTEND_PASSWORD: {{ .Values.executor.frontendPassword | b64enc | quote }}
+{{- end }}
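Review bot: This Role and the RoleBinding in the next hunk are namespaced resources created in the release namespace, but the executor creates its jobs in `.Values.executor.namespace`, whose default in values.yaml is `"default"`; when that differs from the release namespace the `sg-executor` ServiceAccount has no permission where the jobs are actually created, and the README only says the chart must share the parent chart's namespace. Either render `namespace: {{ .Values.executor.namespace }}` in the Role and RoleBinding metadata (with `namespace: {{ .Release.Namespace }}` on the RoleBinding's ServiceAccount subject), or document in values.yaml that `executor.namespace` must equal the release namespace. A one-line comment above `rules:` stating why `create`/`delete` on jobs and read-only access to pods and pod logs is the full set the executor needs would make later RBAC reviews easier.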
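Review bot: `executor.frontendPassword` is documented as required, yet the template renders a Secret with an empty value when it is left at its default `""`, so a misconfigured release only fails later when the executor cannot authenticate against the frontend. Fail at render time instead: `EXECUTOR_FRONTEND_PASSWORD: {{ required "executor.frontendPassword is required" .Values.executor.frontendPassword | b64enc | quote }}`. The Secret also carries no labels, unlike the ConfigMap in this diff which includes `executor.labels`; adding `labels:` / `{{- include "executor.labels" . | nindent 4 }}` under `metadata:` keeps the release's resources selectable together.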
diff --git a/charts/sourcegraph-executor/templates/executor/executor.Service.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Service.yaml
similarity index 83%
rename from charts/sourcegraph-executor/templates/executor/executor.Service.yaml
rename to charts/sourcegraph-executor/k8s/templates/executor.Service.yaml
index 0ae7181c..13c4b5cc 100644
--- a/charts/sourcegraph-executor/templates/executor/executor.Service.yaml
+++ b/charts/sourcegraph-executor/k8s/templates/executor.Service.yaml
@@ -9,13 +9,11 @@ metadata:
 {{- toYaml .Values.executor.serviceAnnotations | nindent 4 }}
 {{- end }}
 labels:
- app: executor
- deploy: sourcegraph
- app.kubernetes.io/component: executor
+{{ include "executor.labels" . | indent 4 }}
 {{- if .Values.executor.serviceLabels }}
 {{- toYaml .Values.executor.serviceLabels | nindent 4 }}
 {{- end }}
- name: executor
+ name: {{ include "executor.name" . }}
 spec:
 ports:
 - name: debug
@@ -23,6 +21,6 @@ spec:
 targetPort: debug
 selector:
 {{- include "sourcegraph.selectorLabels" . | nindent 4 }}
- app: executor
+ app: {{ include "executor.name" . }}
 type: {{ .Values.executor.serviceType | default "ClusterIP" }}
 {{- end }}
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.ServiceAccount.yaml b/charts/sourcegraph-executor/k8s/templates/executor.ServiceAccount.yaml
new file mode 100644
index 00000000..6a0f4462
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/templates/executor.ServiceAccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.executor.configureRbac }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sg-executor
+ labels:
+ category: rbac
+ deploy: sourcegraph
+ sourcegraph-resource-requires: cluster-admin
+ app.kubernetes.io/component: executor
+{{- end }}
diff --git a/charts/sourcegraph-executor/k8s/tests/executor_test.yaml b/charts/sourcegraph-executor/k8s/tests/executor_test.yaml
new file mode 100644
index 00000000..b9ef5e6a
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/tests/executor_test.yaml
@@ -0,0 +1,48 @@
+suite: executor
+templates:
+ - executor.Deployment.yaml
+ - executor.Service.yaml
+ - executor.ConfigMap.yaml
+ - executor.PersistentVolumeClaim.yaml
+tests:
+ - it: should render the Deployment, Service, ConfigMap, PVC if executor is enabled
+ set:
+ executor:
+ enabled: true
+ queueName: "test"
+ rbac:
+ enabled: true
+ asserts:
+ - containsDocument:
+ kind: Deployment
+ apiVersion: apps/v1
+ name: executor-test
+ template: executor.Deployment.yaml
+ - containsDocument:
+ kind: Service
+ apiVersion: v1
+ name: executor-test
+ template: executor.Service.yaml
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ name: executor-test
+ template: executor.ConfigMap.yaml
+ - containsDocument:
+ kind: PersistentVolumeClaim
+ apiVersion: v1
+ name: sg-executor-test
+ template: executor.PersistentVolumeClaim.yaml
+
+ - it: should not render any resources if executor is disabled
+ set:
+ executor:
+ enabled: false
+ rbac:
+ enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+ templates:
+ - executor.Deployment.yaml
+ - executor.Service.yaml
diff --git a/charts/sourcegraph-executor/k8s/values.yaml b/charts/sourcegraph-executor/k8s/values.yaml
new file mode 100644
index 00000000..caad2a2c
--- /dev/null
+++ b/charts/sourcegraph-executor/k8s/values.yaml
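Review bot: Both test cases set `rbac.enabled`, which is not a value this chart reads — the RBAC toggle in the new values.yaml is `executor.configureRbac` — so the setting is a no-op and the RBAC templates are never exercised. Replace it with `configureRbac: true` nested under the existing `executor:` block, and add `executor.Role.yaml`, `executor.RoleBinding.yaml`, `executor.ServiceAccount.yaml` and `executor.Secret.yaml` to the top-level `templates:` list so a `configureRbac: false` case can assert they are absent. The second test's `hasDocuments` only covers the Deployment and Service, so the ConfigMap, PVC and Secret are not verified to disappear when `executor.enabled` is false.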
@@ -0,0 +1,152 @@
+# These values are dervied from https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/values.yaml
+
+### Common Configuration ###
+sourcegraph:
+ image:
+ # -- Global docker image tag
+ defaultTag: '{{ .Chart.AppVersion }}'
+ # -- Global docker image pull policy
+ pullPolicy: IfNotPresent
+ # -- Global docker image registry or prefix
+ repository: index.docker.io/sourcegraph
+ # -- When set to true, sourcegraph.image.defaultTag is used as the default defaultTag for all services, instead of service-specific default defaultTags
+ useGlobalTagAsDefault: false
+ # -- Mount named secrets containing docker credentials
+ imagePullSecrets: [ ]
+ # -- Add a global label to all resources
+ labels: { }
+ # -- Set a custom name for the app.kubernetes.io/name annotation
+ nameOverride: ""
+ # -- Affinity,
+ # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+ affinity: { }
+ # -- NodeSelector,
+ # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
+ nodeSelector: { }
+ # -- Tolerations,
+ # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+ tolerations: [ ]
+ # -- Add extra annotations to attach to all pods
+ podAnnotations: { }
+ # -- Add extra labels to attach to all pods
+ podLabels: { }
+
+
+storageClass:
+ # -- Enable creation of storageClass. Defaults to Google Cloud Platform. Disable if you have your own existing storage class
+ create: false
+ # -- Name of the storageClass.
+ # Use to customize to the existing storage class name
+ name: sourcegraph
+ # -- Name of the storageClass provisioner,
+ # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner)
+ # and consult your cloud provider persistent storage documentation
+ provisioner: kubernetes.io/gce-pd
+ # -- Value of `type` key in storageClass `parameters`,
+ # consult your cloud provider persistent storage documentation
+ type: pd-ssd
+ # -- Extra parameters of storageClass,
+ # consult your cloud provider persistent storage documentation
+ parameters: { }
+ # -- Persistent volumes topology configuration,
+ # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies)
+ allowedTopologies: { }
+
+executor:
+ # -- Whether to configure the necessary RBAC resources. Required only once for all executor deployments.
+ configureRbac: true
+ replicas: 1
+ enabled: true
+ image:
+ defaultTag: 5.1_230340_2023-06-23_5.0-93d39d620e83@sha256:172770133661d4d148327d2cac87c051a6409871ee6f6e28ce3495b60f883ad5
+ name: "executor-kubernetes"
+ # -- The external URL of the Sourcegraph instance. Required. **Recommended:** set to the internal service endpoint (e.g. `http://sourcegraph-frontend.sourcegraph.svc.cluster.local:30080` if Sourcegraph is deployed in the `sourcegraph` namespace).
+ # This will avoid unnecessary network charges as traffic will stay within the local network.
+ frontendUrl: ""
+ # -- The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required.
+ frontendPassword: ""
+ # -- The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or queueNames is required.**
+ queueName: ""
+ # -- The names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or queueName is required.**
+ queueNames: [ ]
+ # -- The maximum amount of jobs that can be executed concurrently.
+ maximumNumJobs: 10
+ # - The maximum wall time that can be spent on a single job.
+ maximumRuntimePerJob: "30m"
+
+ log:
+ # -- Possible values are `dbug`, `info`, `warn`, `eror`, `crit`.
+ level: "warn"
+ format: "condensed"
+ trace: "false"
+
+ # -- The storage size of the PVC attached to the executor deployment.
+ storageSize: 10Gi
+ # -- The namespace in which jobs are generated by the executor.
+ namespace: "default"
+ # -- The path to the kubeconfig file. If not specified, the in-cluster config is used.
+ kubeconfigPath: ""
+
+ kubernetesJob:
+ # -- The number of seconds after which a Kubernetes job will be terminated.
+ deadline: "1200"
+ # -- The user ID to run Kubernetes jobs as.
+ runAsUser: -1
+ # -- The group ID to run Kubernetes jobs as.
+ runAsGroup: -1
+ # -- The group ID which is set on the job PVC file system.
+ fsGroup: "1000"
+ resources:
+ requests:
+ # -- The requested CPU for a job.
+ cpu: ""
+ # -- The requested memory for a job.
+ memory: "1Gi"
+ limits:
+ # -- The maximum CPU for a job.
+ cpu: ""
+ # -- The maximum memory for a job.
+ memory: "12Gi"
+
+ node:
+ # -- The name of the Kubernetes Node to create job pods on. If not specified, the pods are created on the first available node.
+ name: ""
+ # -- A comma separated list of values to use as a node selector for Kubernetes Jobs. e.g. `foo=bar,app=my-app`
+ selector: ""
+ # -- The JSON encoded tolerations for Kubernetes Jobs. e.g. [{"key": "foo", "operator": "Equal", "value": "bar", "effect": "NoSchedule"}]
+ tolerations: ""
+ # -- The JSON encoded required affinity match expressions for Kubernetes Jobs. e.g. `[{"key": "foo", "operator": "In", "values": ["bar"]}]`
+ requiredAffinityMatchExpressions: ""
+ # -- The JSON encoded required affinity match fields for Kubernetes Jobs. e.g. `[{"key": "foo", "operator": "In", "values": ["bar"]}]`
+ requiredAffinityMatchFields: ""
+
+ pod:
+ # -- The JSON encoded pod affinity for Kubernetes Jobs. e.g. [{"labelSelector": {"matchExpressions": [{"key": "foo", "operator": "In", "values": ["bar"]}]}, "topologyKey": "kubernetes.io/hostname"}]
+ affinity: ""
+ # -- The JSON encoded pod anti-affinity for Kubernetes Jobs. e.g. [{"labelSelector": {"matchExpressions": [{"key": "foo", "operator": "In", "values": ["bar"]}]}, "topologyKey": "kubernetes.io/hostname"}]
+ antiAffinity: ""
+
+ debug:
+ # -- If true, Kubernetes jobs will not be deleted after they complete. Not recommended for production use as it can hit cluster limits.
+ keepJobs: "false"
+ keepWorkspaces: "false"
+
+ # -- Affinity,
+ # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+ affinity: { }
+
+ # -- NodeSelector,
+ # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
+ nodeSelector: { }
+
+ # -- Tolerations,
+ # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+ tolerations: [ ]
+
+ # -- Sets extra environment variables on the executor deployment. See `values.yaml` for the format.
+ extraEnv:
+# - name: MY_ENV
+# value: my_value
+
+ # -- For local deployments the host is 'host.docker.internal' and this needs to be true
+ dockerAddHostGateway: "false"
diff --git a/scripts/ci/validate-schema.sh b/scripts/ci/validate-schema.sh
index 8729ebcf..62913a25 100755
--- a/scripts/ci/validate-schema.sh
+++ b/scripts/ci/validate-schema.sh
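Review bot: The comment above `maximumRuntimePerJob` uses a single dash (`# - The maximum wall time ...`), so helm-docs does not pick it up — the generated README in this diff shows an empty description for that key; change it to `# -- The maximum wall time that can be spent on a single job.` Several other keys (`replicas`, `enabled`, `image.defaultTag`, `image.name`, `log.format`, `log.trace`, `debug.keepWorkspaces`) have no `# --` comment at all and likewise appear with empty descriptions in the README. `frontendPassword` is a shared secret, so its comment should steer operators to supply it via `--set` or a values file kept out of version control rather than editing this default in place. The header comment also has a typo, `dervied` → `derived`.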
@@ -11,10 +11,11 @@ sudo cp kubeconform /usr/local/bin
 function validate_schema() {
 echo "Validating schema for $1"
 echo "Generating template output..."
- helm template sourcegraph-helm-default ./charts/$1 > $1-helm-default.yaml
- kubeconform -verbose -summary -strict -schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/ $1-helm-default.yaml
+ helm template sourcegraph-helm-default $1 > $2-helm-default.yaml
+ kubeconform -verbose -summary -strict -schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/ $2-helm-default.yaml
 }
-validate_schema "sourcegraph"
-validate_schema "sourcegraph-migrator"
-validate_schema "sourcegraph-executor"
+validate_schema "./charts/sourcegraph" "sourcegraph"
+validate_schema "./charts/sourcegraph-migrator" "sourcegraph-migrator"
+validate_schema "./charts/sourcegraph-executor/k8s" "executor-k8s"
+validate_schema "./charts/sourcegraph-executor/dind" "executor-dind"
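Review bot: The new `$1` and `$2` expansions are unquoted in `helm template sourcegraph-helm-default $1 > $2-helm-default.yaml` and in the `kubeconform` line that follows, so a chart path or output name containing spaces or glob characters is word-split; write them as `helm template sourcegraph-helm-default "$1" > "$2-helm-default.yaml"` and `... "$2-helm-default.yaml"`. Since the function now takes two positional parameters with different meanings, a usage comment above it would help: `# validate_schema <chart directory> <output file prefix>`. The old single-argument form no longer works, so any caller of `validate_schema` elsewhere in the repository (none visible in this hunk) would need the same update.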