feat: non-privileged base cluster with new kustomize

[abeatrix]

New default cluster with improved deployment setup

❌ DO NOT MERGE UNTIL #4215 IS CLOSED ❌

RE: #4213, job fair item

Related PRs: https://github.com/sourcegraph/sourcegraph/pull/46227 https://github.com/sourcegraph/sourcegraph/pull/45862

Introduction

This PR serves to introduce a new base cluster for Sourcegraph, along with a new Kustomize setup for deploying Sourcegraph that aligns with industry standards and provides a better user experience.

Background

The current base cluster includes all resources that may not be suitable for all user environments, resulting in permission issues during deployments and causing delays and a poor customer experience. In an effort to address these issues, we have developed a new base cluster that is tailored to the scaling and security requirements of enterprise customer environments.

New base cluster

The new base cluster is made up of two different stacks:

• Sourcegraph Main Stack (base) includes services that are required to run the Sourcegraph main application.
  • Default to run without RBAC resources
• Sourcegraph Monitoring Stack (monitoring) includes services that are required to run the monitoring services tailored for Sourcegraph.
  • Default to run with RBAC resources
  • Can be deployed separately

Notable changes and improvements

• Default services to run with non-root users
• Default services to run with non-privileged users
• Default resources tested for Size XS instance
• Separate services into "base" and "monitoring" stacks
• Remove all RBAC resources from the main (base) application
• Relocate frontend env vars into a ConfigMap for better visibility
• Work with Kustomize without additional setup or tools
• Introduce new env vars documented in https://github.com/sourcegraph/sourcegraph/pull/45862

New Kustomize setup

The new setup introduces a better deployment experience for everyone, while addressing the following common issues caused by our current Kubernetes deployment method:

• Not applicable to everyone
• Lack of user-friendliness and beginner-friendliness
• Lack of flexibility to remove resources or services
• Dependence on custom scripts that are not a part of traditional methods
• Confusion caused by the use of non-standard custom scripts, result in broken instances
• Dependence on users reading docs

Benefits

The changes we are introducing provide users with higher flexibility to customize their Sourcegraph deployment using the components that are pre-configured by Sourcegraph. This in turn provides us with the ability to control and oversee the changes customers make and prevent incidents where clusters are set up with service-breaking configurations.

It also allows different services to be deployed separately. No one should be blocked due to permission issue

Expectations

The new changes shouldNOT affect current users and existing instances as the new setup uses the same tools that are currently used by our customers who are deploying with the custom scripts (which use Kustomize under the hood). It is also built into kubectl, a tool that is required to perform all Kubernetes deployments.

We hope this new base cluster and deployment method will improve the user experience and provide a more industry-standard approach to deploying Sourcegraph, and more importantly, make deploying Sourcegraph easier for everyone

Decision flow

For users with RBAC-enabled clusters

1. Deploy all Sourcegraph services with privileged

For users without RBAC-enabled cluster

1. Deploy the new base cluster as non-root and non-privileged, which should work on any running clusters with the correct network configurations
2. If RBAC resources are allowed at a later time, they can then deploy RBAC resources for the frontend to enable service discovery

• This method also makes it easier for site admins that do not have permissions to create RBAC resources, as they can now defer to their cluster admin to deploy the services that they do not have permission to install without blocking moving to next steps with Sourcegraph

Progress Updates / Notes

TODO:
[x] Combine current non-privilege and non-privilege-create-cluster overlays into one
[x] Replace searcher deployment and symbols deployment with StatefulSets
[x] Add fsGroupPolicy to replace the old non-privileged-create-cluster overlay
[x] Add commonly-used kustomize overlays and components for the new base cluster
[x] Add component and overlay for k3s deployment
[x] Move all monitoring-related resources into a separate directory
[x] Add component and overlay for instance size - XS
[x] Add component and overlay for instance size - S
[x] Add component and overlay for instance size - M
[x] Add component and overlay for instance size - L
[x] Add component and overlay for instance size - XL
[x] Test searcher and symbols as StatefulSets
[x] Remove all rbac resources from frontend
[x] Remove rolebinding for frontend

Issues:

• Empty dashboards in Grafana: update the configmap for k3s deployments fixed the issue
• Endpoints for each services must be input manually as en var to frontend: address in https://github.com/sourcegraph/sourcegraph/pull/45862

Checklist

• CHANGELOG.md updated
• K8s Upgrade notes updated
• Sister deploy-sourcegraph-docker change:
• All images have a valid tag and SHA256 sum

Test plan

How to test

Instructions to build / deploy the new cluster using the new Kustomize set ups.

1. Start docs site from this PR: https://github.com/sourcegraph/sourcegraph/pull/46227
2. Follow the instructions in the Kustomize section to build and deploy with changes created in this PR

WIP: plugin to generate endpoints at build time

# NOT READY FOR TESTING
 kustomize build --enable-alpha-plugins --enable-exec new/plugins/example -o new/generated-cluster.yaml

[beyang]

Why the change in the CI for the base cluster? I assume this is technically equivalent to before, but I could see the motivation be that we want to test a command that is more directly what we ask users to run.

Would it also make sense to add CI commands for new/base?

[abeatrix]

Why the change in the CI for the base cluster?

this is due to the kustomization files added to the original base that requires kustomize to run, but since we will be setting up a separate repo for the new base, this change will not be necessary.

Would it also make sense to add CI commands for new/base?

It makes sense to me! I've created a new issue for creating tests for the new base https://github.com/orgs/sourcegraph/projects/290?pane=issue&itemId=18056795

[beyang]

Do we need to change the commands for the old base cluster? These seem roughly equivalent, but if that's the case, I would prefer not changing them in case there are subtle differences or if changing this file causes a merge conflict for anyone who has forked this repository.

[abeatrix]

Moved to https://github.com/sourcegraph/deploy-sourcegraph-k8s