From 23261fcb4bc726bb38110a1fce04a1abf287282a Mon Sep 17 00:00:00 2001 From: Marc <7050295+marcleblanc2@users.noreply.github.com> Date: Wed, 8 Oct 2025 01:15:50 -0600 Subject: [PATCH] Add support for deploying without using Kubernetes secrets (#752) ...and to disable RBAC resources. Customer's Kubernetes security policies block the creation of secrets and RBAC resources This PR doesn't change any default behaviour which would impact other customers, only adds a couple new configs customer can choose to use. ### Checklist - [x] Follow the [manual testing process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md) - [ ] Update [changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md) - [ ] Update [Kubernetes update doc](https://docs.sourcegraph.com/admin/updates/kubernetes) ### Test plan Tested with customer (cherry picked from commit c96a004a6aef259cb1440755b16bcd0fc6583d78) --- charts/sourcegraph/README.md | 4 +++- charts/sourcegraph/templates/_helpers.tpl | 23 +++++++++++++++++-- .../codeinsights-db.Secret.yaml | 2 +- .../codeintel-db/codeintel-db.Secret.yaml | 2 +- .../sourcegraph-frontend.Deployment.yaml | 10 +++++++- .../grafana/grafana.StatefulSet.yaml | 2 ++ .../grafana/grafana.pgsql.Secret.yaml | 2 +- .../templates/pgsql/pgsql.Secret.yaml | 2 +- .../prometheus.ClusterRoleBinding.yaml | 2 +- .../prometheus/prometheus.RoleBinding.yaml | 2 +- .../templates/redis/redis-cache.Secret.yaml | 2 +- .../templates/redis/redis-store.Secret.yaml | 2 +- charts/sourcegraph/values.yaml | 6 ++++- 13 files changed, 48 insertions(+), 13 deletions(-) diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md index 1e905141..5e917aa7 100644 --- a/charts/sourcegraph/README.md +++ b/charts/sourcegraph/README.md 
@@ -249,8 +249,9 @@ In addition to the documented values, all services also support the following va | preciseCodeIntel.resources | object | `{"limits":{"cpu":"2","memory":"4G"},"requests":{"cpu":"500m","memory":"2G"}}` | Resource requests & limits for the `precise-code-intel-worker` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | preciseCodeIntel.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `precise-code-intel-worker` | | preciseCodeIntel.serviceAccount.name | string | `""` | Name of the ServiceAccount to be created or an existing ServiceAccount | -| priorityClasses | list | `[]` | Additional priorityClasses minimise re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class. learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) Sample class definition: - name: gitserver-class value: 100 preemptionPolicy: Never description: "gitserver priority class" | +| priorityClasses | list | `[]` | Additional priorityClasses minimize re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class. 
learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) Sample class definition: - name: gitserver-class value: 100 preemptionPolicy: Never description: "gitserver priority class" | | prometheus.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":false,"runAsGroup":100,"runAsUser":100}` | Security context for the `prometheus` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| prometheus.createRoleBinding | bool | `true` | Disable the creation of a RoleBinding object, for customers who block all RBAC resource creation | | prometheus.enabled | bool | `true` | Enable `prometheus` (recommended) | | prometheus.existingConfig | string | `""` | Name of existing ConfigMap for `pgsql`. It must contain a `prometheus.yml` key | | prometheus.image.defaultTag | string | `"6.0.0@sha256:86a315720fd9813d9ef9746d92e637bc20cd9ebd90da78d8cc6906062252891f"` | Docker image tag for the `prometheus` image | 
@@ -302,6 +303,7 @@ In addition to the documented values, all services also support the following va | searcher.storageSize | string | `"26Gi"` | Size of the PVC for searcher pods to store cache data | | sgTestConnection | object | `{"enabled":true}` | Enable the busybox connection test after deployment | | sourcegraph.affinity | object | `{}` | Global Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | +| sourcegraph.disableKubernetesSecrets | bool | `false` | Disable the creation of Kubernetes secrets objects | | sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag | | sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy | | sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix | diff --git a/charts/sourcegraph/templates/_helpers.tpl b/charts/sourcegraph/templates/_helpers.tpl index 87c18720..caf8f0b5 100644 --- a/charts/sourcegraph/templates/_helpers.tpl +++ b/charts/sourcegraph/templates/_helpers.tpl @@ -45,7 +45,7 @@ For top-level services, pass in the top-level values: {{ include "sourcegraph.serviceAccountName" (list . "frontend") }} frontend: - serivceAccount: + serviceAccount: create: false For nested services, pass in the nested values: 
@@ -248,7 +248,25 @@ app.kubernetes.io/name: jaeger value: "localhost:$(DATA_SOURCE_PORT)/$(DATA_SOURCE_DB)?sslmode=disable" {{- end }} +{{/* +Set redisCache and redisStore endpoints +So that customers can configure them any of these ways: +1. Create a new Kubernetes secret, with default values (default, no override config required) +2. Use an existing Kubernetes secret, by configuring .Values.redisCache.connection.existingSecret +3. Do not create or use Kubernetes secrets, just pass the default values directly as environment variables into the needed pods, by configuring .Values.sourcegraph.disableKubernetesSecrets = true +4. Do not create or use Kubernetes secrets, but pass custom values (ex. external Redis) directly as environment variables into the needed pods, by configuring .Values.sourcegraph.disableKubernetesSecrets = true, .Values.redisCache.connection.endpoint = "", .Values.redisStore.connection.endpoint = "", and defining the REDIS_CACHE_ENDPOINT and REDIS_STORE_ENDPOINT env vars on frontend, gitserver, searcher, and worker pods +*/}} {{- define "sourcegraph.redisConnection" -}} +{{- if .Values.sourcegraph.disableKubernetesSecrets -}} +{{- if .Values.redisCache.connection.endpoint -}} +- name: REDIS_CACHE_ENDPOINT + value: {{ .Values.redisCache.connection.endpoint }} +{{- end -}} +{{- if .Values.redisStore.connection.endpoint -}} +- name: REDIS_STORE_ENDPOINT + value: {{ .Values.redisStore.connection.endpoint }} +{{- end -}} +{{- else -}} - name: REDIS_CACHE_ENDPOINT valueFrom: secretKeyRef: @@ -259,7 +277,8 @@ app.kubernetes.io/name: jaeger secretKeyRef: key: endpoint name: {{ default .Values.redisStore.name .Values.redisStore.connection.existingSecret }} -{{- end }} +{{- end -}} +{{- end -}} {{- define "sourcegraph.authChecksum" -}} {{- $checksum := list .Values.codeInsightsDB.auth -}} 
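Review bot: In the new `disableKubernetesSecrets` branch of `sourcegraph.redisConnection`, every action carries a trailing `-}}`, which in Go templates also trims the newline that follows, so with both endpoints set the two entries appear to render joined as `value: <cache-endpoint>- name: REDIS_STORE_ENDPOINT` — one broken env entry instead of two (worth confirming with `helm template`). Dropping the trailing dash on the inner `if`/`end` actions, as the frontend Deployment in this same patch does, keeps the line breaks, and the endpoints should go through `| quote` so YAML takes them as strings rather than re-typing a bare templated value. Separately, this path moves the Redis endpoint out of a Secret and into the pod spec's plain `env` value, readable by anyone who can view Deployments or describe pods in the namespace; since option 4 in the new comment invites an external Redis URL, which may embed credentials, the comment should state that trade-off explicitly.
```yaml
{{- if .Values.sourcegraph.disableKubernetesSecrets -}}
{{- if .Values.redisCache.connection.endpoint }}
- name: REDIS_CACHE_ENDPOINT
  value: {{ .Values.redisCache.connection.endpoint | quote }}
{{- end }}
{{- if .Values.redisStore.connection.endpoint }}
- name: REDIS_STORE_ENDPOINT
  value: {{ .Values.redisStore.connection.endpoint | quote }}
{{- end }}
{{- else -}}
# … unchanged: secretKeyRef branch …
```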
diff --git a/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml b/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
index 251eeddf..650c58e8 100644
--- a/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
+++ b/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.codeInsightsDB.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.codeInsightsDB.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml b/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
index 68878d30..021a54f0 100644
--- a/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
+++ b/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.codeIntelDB.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.codeIntelDB.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml b/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
index 187a5c6d..e2dad382 100644
--- a/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
+++ b/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
@@ -52,9 +52,12 @@ spec:
 - name: migrator
 image: {{ include "sourcegraph.image" (list . "migrator") }}
 imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+ {{- if .Values.migrator.command }}
+ command: {{ .Values.migrator.command }}
+ {{- end }}
 args: {{- default (list "up") .Values.migrator.args | toYaml | nindent 8 }}
 env:
- {{- if not .Values.migrator.databaseAuthOverrideEnvVars }}
+ {{- if and (not .Values.migrator.databaseAuthOverrideEnvVars) (not .Values.sourcegraph.disableKubernetesSecrets) }}
 {{- include "sourcegraph.databaseAuth" (list . "pgsql" "PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeIntelDB" "CODEINTEL_PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeInsightsDB" "CODEINSIGHTS_PG") | nindent 8 }}
@@ -78,11 +81,16 @@ spec:
 - name: frontend
 image: {{ include "sourcegraph.image" (list . "frontend") }}
 imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+ {{- if .Values.frontend.command }}
+ command: {{ .Values.frontend.command }}
+ {{- end }}
 args: {{- default (list "serve") .Values.frontend.args | toYaml | nindent 8 }}
 env:
+ {{- if not .Values.sourcegraph.disableKubernetesSecrets }}
 {{- include "sourcegraph.databaseAuth" (list . "pgsql" "PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeIntelDB" "CODEINTEL_PG") | nindent 8 }}
 {{- include "sourcegraph.databaseAuth" (list . "codeInsightsDB" "CODEINSIGHTS_PG") | nindent 8 }}
+ {{- end }}
 {{- range $name, $item := .Values.frontend.env}}
 - name: {{ $name }}
 {{- $item | toYaml | nindent 10 }}
diff --git a/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml b/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
index da3cb0e4..4d748bd0 100644
--- a/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
+++ b/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
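Review bot: `command: {{ .Values.migrator.command }}` (and the identical frontend line) prints the value with Go's default formatting, so a list such as `["/bin/sh", "-c"]` renders as `command: [/bin/sh -c]`, which YAML reads as a single one-element flow sequence; render it the way the `args:` line directly below does, `command: {{- .Values.migrator.command | toYaml | nindent 8 }}`. These two `command` overrides are not mentioned in the PR description, README or values.yaml hunks of this patch, so they ship undocumented. Note also that with `disableKubernetesSecrets` set the migrator and frontend get no `PG*`/`CODEINTEL_PG*`/`CODEINSIGHTS_PG*` variables at all — presumably bypassing the `*.auth.existingSecret` path inside `sourcegraph.databaseAuth` as well — so database credentials must then arrive through `frontend.env` as plaintext values in the Deployment spec, visible to anyone who can read the Deployment. A comment above the new `if`, e.g. `# With sourcegraph.disableKubernetesSecrets, supply PG*/CODEINTEL_PG*/CODEINSIGHTS_PG* via frontend.env (plaintext in the pod spec)`, would make that trade-off explicit; both container specs continue outside the hunk.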
@@ -52,7 +52,9 @@ spec:
 {{- end }}
 terminationMessagePolicy: FallbackToLogsOnError
 env:
+ {{- if not .Values.sourcegraph.disableKubernetesSecrets -}}
 {{- include "sourcegraph.databaseAuth" (list . "grafana" "GRAFANA_PGSQL_") | nindent 8 }}
+ {{- end -}}
 {{- range $name, $item := .Values.grafana.env}}
 - name: {{ $name }}
 {{- $item | toYaml | nindent 10 }}
diff --git a/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml b/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml
index 7b3484d3..a96fcb44 100644
--- a/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml
+++ b/charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.grafana.auth (not .Values.grafana.auth.existingSecret) }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) .Values.grafana.auth (not .Values.grafana.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml b/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
index 4f1757bd..73280504 100644
--- a/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
+++ b/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.pgsql.auth.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.pgsql.auth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml b/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml
index bdd4352f..d6ab69ab 100644
--- a/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml
+++ b/charts/sourcegraph/templates/prometheus/prometheus.ClusterRoleBinding.yaml
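Review bot: The new guard in the grafana StatefulSet is written `{{- if ... -}}` / `{{- end -}}` with trailing dashes, whereas the same guard added to the frontend Deployment in this patch uses `{{- if ... }}` / `{{- end }}`; it appears to render correctly here only because the `include` and the `range` that follow begin with `{{-` themselves, so for consistency and to avoid a silent line-join if a plain line is ever inserted between them, drop the trailing dashes. With `disableKubernetesSecrets` set, Grafana also loses its `GRAFANA_PGSQL_*` variables entirely and nothing in the patch says how it should then reach pgsql; the only remaining route is `grafana.env`, i.e. plaintext credentials in the StatefulSet spec. A comment above the `if` such as `# With sourcegraph.disableKubernetesSecrets, supply GRAFANA_PGSQL_* via grafana.env (plaintext in the pod spec)` would make that explicit. The container spec continues outside the hunk.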
@@ -1,4 +1,4 @@
-{{- if and .Values.prometheus.enabled .Values.prometheus.privileged -}}
+{{- if and .Values.prometheus.enabled .Values.prometheus.privileged .Values.prometheus.createRoleBinding -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml b/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml
index c7345da9..4fa1376d 100644
--- a/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml
+++ b/charts/sourcegraph/templates/prometheus/prometheus.RoleBinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.prometheus.enabled (not .Values.prometheus.privileged) -}}
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.privileged) .Values.prometheus.createRoleBinding -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml b/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml
index c6cf9dfc..ac24267c 100644
--- a/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml
+++ b/charts/sourcegraph/templates/redis/redis-cache.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.redisCache.connection.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.redisCache.connection.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/sourcegraph/templates/redis/redis-store.Secret.yaml b/charts/sourcegraph/templates/redis/redis-store.Secret.yaml
index 7d0d313e..ab3124ee 100644
--- a/charts/sourcegraph/templates/redis/redis-store.Secret.yaml
+++ b/charts/sourcegraph/templates/redis/redis-store.Secret.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.redisStore.connection.existingSecret }}
+{{- if and (not .Values.sourcegraph.disableKubernetesSecrets) (not .Values.redisStore.connection.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
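Review bot: `prometheus.createRoleBinding` gates only the two binding objects, yet the accompanying README and values.yaml text presents it as the knob for customers who block all RBAC resource creation; the `Role`/`ClusterRole` templates are not in this patch's diffstat, so as far as the diff shows they would still be rendered and rejected by such a policy — either gate them on the same flag or narrow the documentation to bindings. It is also worth stating that when the binding is skipped the prometheus ServiceAccount has no API permissions, so Kubernetes service discovery will fail unless a cluster admin creates an equivalent binding out of band. A one-line comment on the flag in values.yaml, e.g. `# When false, a (Cluster)RoleBinding granting the prometheus ServiceAccount its Role/ClusterRole must be created out of band`, would capture that expectation.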
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml index 71d99506..84bfb841 100644 --- a/charts/sourcegraph/values.yaml +++ b/charts/sourcegraph/values.yaml @@ -38,6 +38,8 @@ sourcegraph: revisionHistoryLimit: 10 # -- Add extra labels to all services serviceLabels: {} + # -- Disable the creation of Kubernetes secrets objects + disableKubernetesSecrets: false # Generic application configuration options, used by most applications below # app: # Generally matches directory name @@ -893,6 +895,8 @@ prometheus: name: "prometheus" # -- Enable RBAC for `prometheus` privileged: true + # -- Disable the creation of a RoleBinding object, for customers who block all RBAC resource creation + createRoleBinding: true # -- Resource requests & limits for the `prometheus` container, # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) # Prometheus is relied upon to monitor services for sending alerts to site admins when @@ -1258,7 +1262,7 @@ worker: # -- Additional resources to include in the rendered manifest. Templates are supported. extraResources: [] -# -- Additional priorityClasses minimise re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class. +# -- Additional priorityClasses minimize re-scheduling downtime for StatefulSets. Each StatefulSets might use different priority class. # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) # Sample class definition: # - name: gitserver-class
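Review bot: The comment on `disableKubernetesSecrets` mentions only the Secret objects, but the templates in this patch also stop consuming Secrets when it is set — the Redis `secretKeyRef`s and the frontend, migrator and grafana database env vars are dropped, and the Redis `existingSecret` settings are ignored in that mode (as far as the hunks show, the database ones too) — so credentials must then be supplied as plain env values via `frontend.env`, `grafana.env` and `redis*.connection.endpoint`, readable by anyone who can view the pod specs. Suggest expanding it to `# -- Do not create or reference Kubernetes Secrets. Credentials must then be passed as plain env values (frontend.env, grafana.env, redis*.connection.endpoint), which are visible in the pod specs; *.existingSecret settings are ignored.`. The `createRoleBinding` comment reads inversely to its name and `true` default ("Disable the creation of a RoleBinding object"); phrase it positively, e.g. `# -- Create the prometheus (Cluster)RoleBinding; set to false where RBAC resource creation is blocked (a binding must then be created out of band)`. The `priorityClasses` comment in the last hunk continues outside the hunk.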