From 4c4d888ee88427b1fcdefaf720d43276dafff836 Mon Sep 17 00:00:00 2001 From: Michael Lin Date: Wed, 3 Jun 2026 19:18:43 -0700 Subject: [PATCH 1/8] feat(dind): multi-queue support and Docker mode fixes - Add `queues` list to values: when set, renders one Deployment + Service per queue instead of the single executor Deployment - Each queue merges with global executor.env (queue overrides global) and supports replicaCount and resources overrides - Add global executor.resources and per-queue resources override - Fix readiness probe path: /ready does not exist, use /healthz - Set EXECUTOR_USE_KUBERNETES=false to prevent the executor from auto-detecting Kubernetes mode via KUBERNETES_SERVICE_HOST/PORT (which are always injected into pods); dind chart runs in Docker mode using the dind sidecar - Set enableServiceLinks: false to reduce noise in pod env - Fix private docker registry image tag (registry:3) Co-Authored-By: Claude Sonnet 4.6 --- .../executor/executor.Deployment.yaml | 187 +++++++++++++++++- .../templates/executor/executor.Service.yaml | 33 +++- charts/sourcegraph-executor/dind/values.yaml | 36 +++- 3 files changed, 250 insertions(+), 6 deletions(-) diff --git a/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml index 069481490..4a66eeda1 100644 --- a/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml +++ b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml 
@@ -1,7 +1,179 @@ -{{- if .Values.executor.enabled -}} +{{- if .Values.queues }} +{{- range .Values.queues }} +{{- $queue := . }} +{{- $mergedEnv := mergeOverwrite (deepCopy $.Values.executor.env) ($queue.env | default dict) }} +{{- $replicaCount := ($queue.replicaCount | default $.Values.executor.replicaCount) }} +{{- $resources := ($queue.resources | default $.Values.executor.resources) }} +--- apiVersion: apps/v1 kind: Deployment metadata: + name: executor-{{ $queue.name }} + annotations: + description: Runs sourcegraph executors + kubectl.kubernetes.io/default-container: executor + labels: + {{- include "sourcegraph.labels" $ | nindent 4 }} + {{- if $.Values.executor.labels }} + {{- toYaml $.Values.executor.labels | nindent 4 }} + {{- end }} + app: executor-{{ $queue.name }} + deploy: sourcegraph + sourcegraph-resource-requires: no-cluster-admin + app.kubernetes.io/component: executor +spec: + selector: + matchLabels: + {{- include "sourcegraph.selectorLabels" $ | nindent 6 }} + app: executor-{{ $queue.name }} + minReadySeconds: 10 + replicas: {{ $replicaCount }} + revisionHistoryLimit: 10 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: executor + {{- if $.Values.sourcegraph.podAnnotations }} + {{- toYaml $.Values.sourcegraph.podAnnotations | nindent 8 }} + {{- end }} + {{- if $.Values.executor.podAnnotations }} + {{- toYaml $.Values.executor.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "sourcegraph.selectorLabels" $ | nindent 8 }} + {{- if $.Values.sourcegraph.podLabels }} + {{- toYaml $.Values.sourcegraph.podLabels | nindent 8 }} + {{- end }} + {{- if $.Values.executor.podLabels }} + {{- toYaml $.Values.executor.podLabels | nindent 8 }} + {{- end }} + app: executor-{{ $queue.name }} + deploy: sourcegraph + sourcegraph-resource-requires: no-cluster-admin + app.kubernetes.io/component: executor + spec: + containers: + - 
name: executor + image: {{ include "sourcegraph.image" (list $ "executor") }} + imagePullPolicy: {{ $.Values.sourcegraph.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: http-debug + scheme: HTTP + initialDelaySeconds: 60 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /healthz + port: http-debug + scheme: HTTP + periodSeconds: 5 + timeoutSeconds: 5 + ports: + - name: http-debug + containerPort: 8080 + terminationMessagePolicy: FallbackToLogsOnError + env: + {{- range $name, $item := $mergedEnv }} + - name: {{ $name }} + {{- $item | toYaml | nindent 14 }} + {{- end }} + - name: EXECUTOR_USE_FIRECRACKER + value: "false" + - name: EXECUTOR_HEALTH_SERVER_ADDR + value: ":8080" + - name: EXECUTOR_JOB_NUM_CPUS + value: "0" + - name: EXECUTOR_JOB_MEMORY + value: "0" + - name: DOCKER_HOST + value: tcp://localhost:2375 + - name: TMPDIR + value: /scratch + - name: EXECUTOR_USE_KUBERNETES + value: "false" + volumeMounts: + - mountPath: /scratch + name: executor-scratch + {{- with $resources }} + resources: + {{- toYaml . 
| nindent 12 }} + {{- end }} + - name: dind + image: "{{ $.Values.dind.image.registry}}/{{ $.Values.dind.image.repository}}:{{ $.Values.dind.image.tag}}" + imagePullPolicy: {{ $.Values.sourcegraph.image.pullPolicy }} + securityContext: + privileged: true + command: + - 'dockerd' + - '--tls=false' + - '--mtu=1200' + - '--registry-mirror=http://executor:5000' + - '--host=tcp://0.0.0.0:2375' + livenessProbe: + tcpSocket: + port: 2375 + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 5 + readinessProbe: + tcpSocket: + port: 2375 + initialDelaySeconds: 10 + periodSeconds: 5 + failureThreshold: 5 + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + ports: + - containerPort: 2375 + protocol: TCP + volumeMounts: + - mountPath: /scratch + name: executor-scratch + - mountPath: /etc/docker/daemon.json + subPath: daemon.json + name: docker-config + enableServiceLinks: false + {{- with $.Values.sourcegraph.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $.Values.sourcegraph.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with include "sourcegraph.priorityClassName" (list $ "executor") | trim }}{{ . | nindent 6 }}{{- end }} + {{- with $.Values.sourcegraph.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $.Values.sourcegraph.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: executor-scratch + emptyDir: {} + - name: docker-config + configMap: + defaultMode: 420 + name: docker-config +{{- end }} +{{- else if .Values.executor.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "executor.name" . }} annotations: description: Runs sourcegraph executors kubectl.kubernetes.io/default-container: executor 
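Review bot: The per-queue `dind` sidecar is copied with `privileged: true`, `--tls=false` and `--host=tcp://0.0.0.0:2375`, so every queue Deployment exposes an unauthenticated Docker API on the pod IP, and anything that can reach port 2375 controls a privileged container. The executor in the same pod only dials `tcp://localhost:2375`, so `- '--host=tcp://127.0.0.1:2375'` would be enough for it. The two `tcpSocket` probes would then need to become `exec` probes, because the kubelet probes the pod IP rather than loopback. If the listener has to stay on all interfaces, ship a NetworkPolicy that denies ingress to 2375 with the chart. Separately, `$queue.name` goes into `metadata.name` and the `app` label without a `required` check, so an entry without `name` renders `executor-` and fails only at apply time.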
@@ -57,14 +229,14 @@ spec: timeoutSeconds: 5 readinessProbe: httpGet: - path: /ready + path: /healthz port: http-debug scheme: HTTP periodSeconds: 5 timeoutSeconds: 5 ports: - name: http-debug - containerPort: 6060 + containerPort: 8080 terminationMessagePolicy: FallbackToLogsOnError env: {{- range $name, $item := .Values.executor.env }} @@ -73,6 +245,8 @@ spec: {{- end }} - name: EXECUTOR_USE_FIRECRACKER value: "false" + - name: EXECUTOR_HEALTH_SERVER_ADDR + value: ":8080" - name: EXECUTOR_JOB_NUM_CPUS value: "0" - name: EXECUTOR_JOB_MEMORY @@ -81,9 +255,15 @@ spec: value: tcp://localhost:2375 - name: TMPDIR value: /scratch + - name: EXECUTOR_USE_KUBERNETES + value: "false" volumeMounts: - mountPath: /scratch name: executor-scratch + {{- with .Values.executor.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} - name: dind image: "{{ .Values.dind.image.registry}}/{{ .Values.dind.image.repository}}:{{ .Values.dind.image.tag}}" imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }} @@ -122,6 +302,7 @@ spec: - mountPath: /etc/docker/daemon.json subPath: daemon.json name: docker-config + enableServiceLinks: false {{- with .Values.sourcegraph.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml b/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml index 970de1a9c..beb6361c3 100644 --- a/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml +++ b/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml 
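Review bot: The `resources` block added in the `-81,9` hunk bounds only the `executor` container, while the job containers are started by the `dind` sidecar's daemon and so count against the sidecar. The per-queue copy of the sidecar added earlier in this patch has no `resources`. The single-Deployment sidecar spec continues outside this hunk, so the same is presumed there. With `EXECUTOR_JOB_NUM_CPUS` and `EXECUTOR_JOB_MEMORY` fixed at `"0"`, which appears to mean no per-job limit, one job can exhaust the node. Consider a new value such as `dind.resources`, rendered the same way under the `dind` container: `{{- with .Values.dind.resources }}`, `resources:`, `{{- toYaml . | nindent 12 }}`.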
@@ -1,4 +1,35 @@ -{{- if .Values.executor.enabled -}} +{{- if .Values.queues }} +{{- range .Values.queues }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "6060" + sourcegraph.prometheus/scrape: "true" + {{- if $.Values.executor.serviceAnnotations }} + {{- toYaml $.Values.executor.serviceAnnotations | nindent 4 }} + {{- end }} + labels: + {{- if $.Values.executor.serviceLabels }} + {{- toYaml $.Values.executor.serviceLabels | nindent 4 }} + {{- end }} + app: executor-{{ .name }} + deploy: sourcegraph + sourcegraph-resource-requires: no-cluster-admin + app.kubernetes.io/component: executor + name: executor-{{ .name }} +spec: + ports: + - name: http-debug + port: 6060 + targetPort: http-debug + selector: + {{- include "sourcegraph.selectorLabels" $ | nindent 4 }} + app: executor-{{ .name }} + type: {{ $.Values.executor.serviceType | default "ClusterIP" }} +{{- end }} +{{- else if .Values.executor.enabled }} apiVersion: v1 kind: Service metadata: diff --git a/charts/sourcegraph-executor/dind/values.yaml b/charts/sourcegraph-executor/dind/values.yaml index eec0a03c1..9b2d92fce 100644 --- a/charts/sourcegraph-executor/dind/values.yaml +++ b/charts/sourcegraph-executor/dind/values.yaml 
@@ -54,8 +54,40 @@ storageClass: # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies) allowedTopologies: {} +# -- Optional list of queues to deploy as standalone Deployments. +# When set, the single executor Deployment is not rendered. +# Each entry supports: name (required), replicaCount, resources, env (merged with executor.env, queue overrides). +queues: [] +# - name: codeintel +# replicaCount: 2 +# resources: +# requests: +# cpu: "2" +# memory: 4Gi +# limits: +# cpu: "4" +# memory: 8Gi +# env: +# EXECUTOR_QUEUE_NAME: +# value: codeintel +# - name: batches +# replicaCount: 1 +# resources: +# requests: +# cpu: "1" +# memory: 2Gi +# limits: +# cpu: "2" +# memory: 4Gi +# env: +# EXECUTOR_QUEUE_NAME: +# value: batches + executor: enabled: true + # -- Resource requests and limits for the executor container. + # Each queue can override this with its own resources field. + resources: {} image: defaultTag: 6.0.0@sha256:0be94a7c91f8273db10fdf46718c6596340ab2acc570e7b85353806e67a27508 name: "executor" @@ -86,6 +118,6 @@ privateDockerRegistry: enabled: true image: registry: index.docker.io - repository: docker/regisry - tag: 2 + repository: registry + tag: 3 storageSize: 10Gi From 33125ec1c7054372133a566e871a65c5572495d4 Mon Sep 17 00:00:00 2001 From: Michael Lin Date: Wed, 3 Jun 2026 19:19:05 -0700 Subject: [PATCH 2/8] =?UTF-8?q?remove=20executor=20Service=20=E2=80=94=20e?= =?UTF-8?q?xecutors=20are=20pull-based,=20no=20Service=20needed?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- charts/sourcegraph-executor/dind/README.md | 6 +- .../templates/executor/executor.Service.yaml | 57 ------------------- 2 files changed, 4 insertions(+), 59 deletions(-) delete mode 100644 charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml 
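Review bot: In the `-86,6` hunk the registry image is now referenced by the floating tag `tag: 3`, written as a bare integer, while the executor image in the same file is pinned by digest. A major-version tag can move to a different image between two installs of the same chart version. The README generated from this file also types the value as `int`. Quoting it and pinning the digest keeps the deployed image reproducible, e.g. `tag: "3@sha256:<digest-of-the-reviewed-image>"`, where the placeholder is filled from the image that was actually tested.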
diff --git a/charts/sourcegraph-executor/dind/README.md b/charts/sourcegraph-executor/dind/README.md index b6f5f8a87..3aa533dba 100644 --- a/charts/sourcegraph-executor/dind/README.md +++ b/charts/sourcegraph-executor/dind/README.md 
@@ -63,11 +63,13 @@ In addition to the documented values, the `executor` and `private-docker-registr | executor.image.defaultTag | string | `"6.0.0@sha256:0be94a7c91f8273db10fdf46718c6596340ab2acc570e7b85353806e67a27508"` | | | executor.image.name | string | `"executor"` | | | executor.replicaCount | int | `1` | | +| executor.resources | object | `{}` | Resource requests and limits for the executor container. Each queue can override this with its own resources field. | | privateDockerRegistry.enabled | bool | `true` | Whether to deploy the private registry. Only one registry is needed when deploying multiple executors. More information: https://docs.sourcegraph.com/admin/executors/deploy_executors#using-private-registries | | privateDockerRegistry.image.registry | string | `"index.docker.io"` | | -| privateDockerRegistry.image.repository | string | `"docker/regisry"` | | -| privateDockerRegistry.image.tag | int | `2` | | +| privateDockerRegistry.image.repository | string | `"registry"` | | +| privateDockerRegistry.image.tag | int | `3` | | | privateDockerRegistry.storageSize | string | `"10Gi"` | | +| queues | list | `[]` | Optional list of queues to deploy as standalone Deployments. When set, the single executor Deployment is not rendered. Each entry supports: name (required), replicaCount, resources, env (merged with executor.env, queue overrides). | | sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | | sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag | | sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy | diff --git a/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml b/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml deleted file mode 100644 index beb6361c3..000000000 
--- a/charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if .Values.queues }} -{{- range .Values.queues }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - prometheus.io/port: "6060" - sourcegraph.prometheus/scrape: "true" - {{- if $.Values.executor.serviceAnnotations }} - {{- toYaml $.Values.executor.serviceAnnotations | nindent 4 }} - {{- end }} - labels: - {{- if $.Values.executor.serviceLabels }} - {{- toYaml $.Values.executor.serviceLabels | nindent 4 }} - {{- end }} - app: executor-{{ .name }} - deploy: sourcegraph - sourcegraph-resource-requires: no-cluster-admin - app.kubernetes.io/component: executor - name: executor-{{ .name }} -spec: - ports: - - name: http-debug - port: 6060 - targetPort: http-debug - selector: - {{- include "sourcegraph.selectorLabels" $ | nindent 4 }} - app: executor-{{ .name }} - type: {{ $.Values.executor.serviceType | default "ClusterIP" }} -{{- end }} -{{- else if .Values.executor.enabled }} -apiVersion: v1 -kind: Service -metadata: - annotations: - prometheus.io/port: "6060" - sourcegraph.prometheus/scrape: "true" - {{- if .Values.executor.serviceAnnotations }} - {{- toYaml .Values.executor.serviceAnnotations | nindent 4 }} - {{- end }} - labels: - {{- include "executor.labels" . | nindent 4 }} - {{- if .Values.executor.serviceLabels }} - {{- toYaml .Values.executor.serviceLabels | nindent 4 }} - {{- end }} - name: executor -spec: - ports: - - name: http-debug - port: 6060 - targetPort: http-debug - selector: - {{- include "sourcegraph.selectorLabels" . | nindent 4 }} - app: {{include "executor.name" . }} - type: {{ .Values.executor.serviceType | default "ClusterIP" }} -{{- end }} From f0ddd9df98c16831e880f04e39673efa4ac958dd Mon Sep 17 00:00:00 2001 
From: Michael Lin Date: Wed, 3 Jun 2026 19:30:55 -0700 Subject: [PATCH 3/8] fix(dind): point registry mirror at correct service name --registry-mirror was pointing at http://executor:5000 which doesn't resolve; the private registry service is private-docker-registry:5000. Also fix ConfigMap condition to render in both single and multi-queue modes. Co-Authored-By: Claude Sonnet 4.6 --- .../dind/templates/executor/docker-daemon.ConfigMap.yaml | 2 +- .../dind/templates/executor/executor.Deployment.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml b/charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml index f927fcf8f..b06f81105 100644 --- a/charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml +++ b/charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml @@ -1,4 +1,4 @@ -{{- if .Values.executor.enabled -}} +{{- if or .Values.queues .Values.executor.enabled -}} apiVersion: v1 data: daemon.json: | diff --git a/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml index 4a66eeda1..6bbf75a1d 100644 --- a/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml +++ b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml @@ -114,7 +114,7 @@ spec: - 'dockerd' - '--tls=false' - '--mtu=1200' - - '--registry-mirror=http://executor:5000' + - '--registry-mirror=http://private-docker-registry:5000' - '--host=tcp://0.0.0.0:2375' livenessProbe: tcpSocket: @@ -273,7 +273,7 @@ spec: - 'dockerd' - '--tls=false' - '--mtu=1200' - - '--registry-mirror=http://executor:5000' + - '--registry-mirror=http://private-docker-registry:5000' - '--host=tcp://0.0.0.0:2375' livenessProbe: tcpSocket: From 1330e7120b4f7de6a568a8c704e955726d7b5b81 Mon Sep 17 00:00:00 2001 
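Review bot: Both dockerd command lines (hunks at `-114` and `-273`) hard-code `--registry-mirror=http://private-docker-registry:5000`, so the flag is still passed when `privateDockerRegistry.enabled` is false. Wrapping the list entry in `{{- if .Values.privateDockerRegistry.enabled }}` … `{{- end }}` (with `$.Values` in the queue loop) would address that. The mirror is also plain HTTP and unauthenticated, so tag-based pulls trust whatever answers at that service name. If TLS is not an option for the in-cluster registry, a NetworkPolicy that limits which pods may reach port 5000 is worth shipping alongside. The enclosing container specs start and end outside both hunks.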
From: Michael Lin Date: Wed, 3 Jun 2026 23:39:23 -0700 Subject: [PATCH 4/8] feat(dind): convert private-docker-registry to StatefulSet StatefulSet gives stable pod identity and manages its own PVC via volumeClaimTemplates, replacing the separate PersistentVolumeClaim. Co-Authored-By: Claude Sonnet 4.6 --- .../private-docker-registry.Deployment.yaml | 26 +++++++++++++------ ...docker-registry.PersistentVolumeClaim.yaml | 19 -------------- 2 files changed, 18 insertions(+), 27 deletions(-) delete mode 100644 charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml diff --git a/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml b/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml index 32554be69..fff6d3379 100644 --- a/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml +++ b/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml @@ -1,6 +1,6 @@ {{- if .Values.privateDockerRegistry.enabled -}} apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: private-docker-registry labels: @@ -11,13 +11,14 @@ metadata: deploy: sourcegraph app.kubernetes.io/component: private-docker-registry spec: - replicas: {{ .Values.privateDockerRegistry.replicaCount }} + replicas: 1 + serviceName: private-docker-registry selector: matchLabels: {{- include "sourcegraph.selectorLabels" . | nindent 6 }} app: private-docker-registry - strategy: - type: Recreate + updateStrategy: + type: RollingUpdate template: metadata: annotations: 
@@ -83,8 +84,17 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - volumes: - - name: cache - persistentVolumeClaim: - claimName: private-docker-registry + volumeClaimTemplates: + - metadata: + name: cache + labels: + deploy: sourcegraph + app.kubernetes.io/component: private-docker-registry + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.privateDockerRegistry.storageSize }} + storageClassName: {{ .Values.storageClass.name }} {{- end }} diff --git a/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml b/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml deleted file mode 100644 index 619d5af9b..000000000 --- a/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.privateDockerRegistry.enabled -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - labels: - deploy: sourcegraph - app.kubernetes.io/component: private-docker-registry - name: private-docker-registry -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ .Values.privateDockerRegistry.storageSize }} - storageClassName: {{ .Values.storageClass.name }} - {{- if .Values.privateDockerRegistry.volumeName }} - volumeName: {{ .Values.privateDockerRegistry.volumeName }} - {{- end }} -{{- end }} From d1a57202d6432079cd327b49473913c8c884a213 Mon Sep 17 00:00:00 2001 
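Review bot: The new `volumeClaimTemplates` entry drops the `volumeName` binding that the deleted PersistentVolumeClaim template offered through `privateDockerRegistry.volumeName`, so installs that pre-bind a PersistentVolume lose that option without a values or README note. The StatefulSet controller also derives a new claim name from the template and pod name, so on upgrade the old `private-docker-registry` claim leaves the release and the cache starts empty; that deserves a line in the upgrade notes. `storageClassName: {{ .Values.storageClass.name }}` is safer as `storageClassName: {{ .Values.storageClass.name | quote }}`. `replicas: 1` now silently ignores `privateDockerRegistry.replicaCount`, which should be removed from the values or documented as unused.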
From: Michael Lin Date: Thu, 4 Jun 2026 09:34:57 -0700 Subject: [PATCH 5/8] feat(dind): structured executor options and env validation Add first-class values for options that map directly to executor env vars, mirroring the k8s chart interface: - executor.frontendUrl/frontendPassword/frontendExistingSecret - executor.queueName/queueNames (single-deployment mode) - executor.maximumNumJobs/maximumRuntimePerJob - executor.log.level/format - executor.dockerAddHostGateway - executor.debug.keepWorkspaces In multi-queue mode, each queue's EXECUTOR_QUEUE_NAME is set automatically from its name field. Add executor.validateEnv helper that fails at render time if executor.env or any queue.env contains a managed env var name. Co-Authored-By: Claude Sonnet 4.6 --- .../dind/templates/_helpers.tpl | 33 +++++++-- .../executor/executor.Deployment.yaml | 71 ++++++++++++++++--- charts/sourcegraph-executor/dind/values.yaml | 53 ++++++++------ dind.override.yaml | 21 ++++++ 4 files changed, 146 insertions(+), 32 deletions(-) create mode 100644 dind.override.yaml diff --git a/charts/sourcegraph-executor/dind/templates/_helpers.tpl b/charts/sourcegraph-executor/dind/templates/_helpers.tpl index d2797759d..708f1a922 100644 --- a/charts/sourcegraph-executor/dind/templates/_helpers.tpl +++ b/charts/sourcegraph-executor/dind/templates/_helpers.tpl @@ -100,10 +100,10 @@ tolerations: {{- define "executor.name" -}} -{{- if .Values.executor.env.EXECUTOR_QUEUE_NAME.value -}} -executor-{{.Values.executor.env.EXECUTOR_QUEUE_NAME.value}} -{{- else if .Values.executor.env.EXECUTOR_QUEUE_NAMES.value -}} -executor-{{replace "," "-" .Values.executor.env.EXECUTOR_QUEUE_NAMES.value }} +{{- if .Values.executor.queueName -}} +executor-{{.Values.executor.queueName}} +{{- else if .Values.executor.queueNames -}} +executor-{{join "-" .Values.executor.queueNames }} {{- end }} {{- end }} 
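Review bot: `executor.name` renders an empty string when neither `executor.queueName` nor `executor.queueNames` is set, and this patch makes that the default in values.yaml. The single-Deployment branch then emits `name:` with no value and the mistake surfaces only at apply time. A closing branch such as `{{- else -}}{{- fail "set executor.queueName, executor.queueNames or queues" -}}` would fail at render time, as `executor.validateEnv` does, provided no other template includes this helper in queue mode. The joined `queueNames` entries also reach a resource name without any check that they are valid DNS label characters.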
@@ -113,3 +113,28 @@ deploy: sourcegraph sourcegraph-resource-requires: no-cluster-admin app.kubernetes.io/component: executor {{- end}} + +{{/* +Validate that an env dict does not contain managed environment variable names. +Usage: include "executor.validateEnv" (list $envDict "label") +*/}} +{{- define "executor.validateEnv" -}} +{{- $envDict := index . 0 }} +{{- $label := index . 1 }} +{{- $managed := list + "EXECUTOR_FRONTEND_URL" + "EXECUTOR_FRONTEND_PASSWORD" + "EXECUTOR_QUEUE_NAME" + "EXECUTOR_QUEUE_NAMES" + "SRC_LOG_LEVEL" + "SRC_LOG_FORMAT" + "EXECUTOR_MAXIMUM_NUM_JOBS" + "EXECUTOR_MAXIMUM_RUNTIME_PER_JOB" + "EXECUTOR_DOCKER_ADD_HOST_GATEWAY" + "EXECUTOR_KEEP_WORKSPACES" -}} +{{- range $managed -}} +{{- if hasKey $envDict . -}} +{{- fail (printf "%s: env must not contain managed variable %s; use the structured executor fields instead" $label .) -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml index 6bbf75a1d..eb2ebd639 100644 --- a/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml +++ b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml @@ -1,6 +1,8 @@ {{- if .Values.queues }} {{- range .Values.queues }} {{- $queue := . }} +{{- include "executor.validateEnv" (list $.Values.executor.env "executor.env") }} +{{- include "executor.validateEnv" (list ($queue.env | default dict) (printf "queues[%s].env" $queue.name)) }} {{- $mergedEnv := mergeOverwrite (deepCopy $.Values.executor.env) ($queue.env | default dict) }} {{- $replicaCount := ($queue.replicaCount | default $.Values.executor.replicaCount) }} {{- $resources := ($queue.resources | default $.Values.executor.resources) }} 
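Review bot: The `$managed` list in `executor.validateEnv` omits the variables the Deployment template sets itself: `DOCKER_HOST`, `TMPDIR`, `EXECUTOR_USE_KUBERNETES`, `EXECUTOR_USE_FIRECRACKER`, `EXECUTOR_HEALTH_SERVER_ADDR`, `EXECUTOR_JOB_NUM_CPUS` and `EXECUTOR_JOB_MEMORY`. The same patch moves the `executor.env` range below those fixed entries (hunks at `-98` and `-257`). An `env` key with one of these names therefore renders a second entry with the same `name:` after the fixed one, and the later duplicate normally takes effect. That lets a values file silently repoint `DOCKER_HOST` or re-enable Kubernetes auto-detection. If the override is intended, say so in the values.yaml comment on `env`; otherwise add these names to `$managed`.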
@@ -80,10 +82,31 @@ spec: containerPort: 8080 terminationMessagePolicy: FallbackToLogsOnError env: - {{- range $name, $item := $mergedEnv }} - - name: {{ $name }} - {{- $item | toYaml | nindent 14 }} - {{- end }} + - name: EXECUTOR_FRONTEND_URL + value: {{ $.Values.executor.frontendUrl | quote }} + - name: EXECUTOR_FRONTEND_PASSWORD + {{- if $.Values.executor.frontendExistingSecret }} + valueFrom: + secretKeyRef: + name: {{ $.Values.executor.frontendExistingSecret }} + key: EXECUTOR_FRONTEND_PASSWORD + {{- else }} + value: {{ $.Values.executor.frontendPassword | quote }} + {{- end }} + - name: EXECUTOR_QUEUE_NAME + value: {{ $queue.name | quote }} + - name: SRC_LOG_LEVEL + value: {{ $.Values.executor.log.level | quote }} + - name: SRC_LOG_FORMAT + value: {{ $.Values.executor.log.format | quote }} + - name: EXECUTOR_MAXIMUM_NUM_JOBS + value: {{ $.Values.executor.maximumNumJobs | quote }} + - name: EXECUTOR_MAXIMUM_RUNTIME_PER_JOB + value: {{ $.Values.executor.maximumRuntimePerJob | quote }} + - name: EXECUTOR_DOCKER_ADD_HOST_GATEWAY + value: {{ $.Values.executor.dockerAddHostGateway | quote }} + - name: EXECUTOR_KEEP_WORKSPACES + value: {{ $.Values.executor.debug.keepWorkspaces | quote }} - name: EXECUTOR_USE_FIRECRACKER value: "false" - name: EXECUTOR_HEALTH_SERVER_ADDR @@ -98,6 +121,10 @@ spec: value: /scratch - name: EXECUTOR_USE_KUBERNETES value: "false" + {{- range $name, $item := $mergedEnv }} + - name: {{ $name }} + {{- $item | toYaml | nindent 14 }} + {{- end }} volumeMounts: - mountPath: /scratch name: executor-scratch @@ -170,6 +197,7 @@ spec: name: docker-config {{- end }} {{- else if .Values.executor.enabled }} +{{- include "executor.validateEnv" (list .Values.executor.env "executor.env") }} apiVersion: apps/v1 kind: Deployment metadata: 
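Review bot: When `frontendExistingSecret` is empty, `EXECUTOR_FRONTEND_PASSWORD` is rendered as a literal `value:` in the pod template, both here and in the single-Deployment hunk at `-239`. The executor access token is then readable by anyone who can get Deployments or Pods in the namespace, and it is stored in the Helm release record. Have the chart create a Secret from `frontendPassword` and always emit `valueFrom.secretKeyRef`, so the token never appears in the workload spec. `frontendUrl` is documented as required but not enforced; `value: {{ required "executor.frontendUrl is required" $.Values.executor.frontendUrl | quote }}` would catch an empty value at render time. The secret name should also be quoted: `name: {{ $.Values.executor.frontendExistingSecret | quote }}`.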
@@ -239,10 +267,33 @@ spec: containerPort: 8080 terminationMessagePolicy: FallbackToLogsOnError env: - {{- range $name, $item := .Values.executor.env }} - - name: {{ $name }} - {{- $item | toYaml | nindent 14 }} - {{- end }} + - name: EXECUTOR_FRONTEND_URL + value: {{ .Values.executor.frontendUrl | quote }} + - name: EXECUTOR_FRONTEND_PASSWORD + {{- if .Values.executor.frontendExistingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.executor.frontendExistingSecret }} + key: EXECUTOR_FRONTEND_PASSWORD + {{- else }} + value: {{ .Values.executor.frontendPassword | quote }} + {{- end }} + - name: EXECUTOR_QUEUE_NAME + value: {{ .Values.executor.queueName | quote }} + - name: EXECUTOR_QUEUE_NAMES + value: {{ join "," .Values.executor.queueNames | quote }} + - name: SRC_LOG_LEVEL + value: {{ .Values.executor.log.level | quote }} + - name: SRC_LOG_FORMAT + value: {{ .Values.executor.log.format | quote }} + - name: EXECUTOR_MAXIMUM_NUM_JOBS + value: {{ .Values.executor.maximumNumJobs | quote }} + - name: EXECUTOR_MAXIMUM_RUNTIME_PER_JOB + value: {{ .Values.executor.maximumRuntimePerJob | quote }} + - name: EXECUTOR_DOCKER_ADD_HOST_GATEWAY + value: {{ .Values.executor.dockerAddHostGateway | quote }} + - name: EXECUTOR_KEEP_WORKSPACES + value: {{ .Values.executor.debug.keepWorkspaces | quote }} - name: EXECUTOR_USE_FIRECRACKER value: "false" - name: EXECUTOR_HEALTH_SERVER_ADDR @@ -257,6 +308,10 @@ spec: value: /scratch - name: EXECUTOR_USE_KUBERNETES value: "false" + {{- range $name, $item := .Values.executor.env }} + - name: {{ $name }} + {{- $item | toYaml | nindent 14 }} + {{- end }} volumeMounts: - mountPath: /scratch name: executor-scratch diff --git a/charts/sourcegraph-executor/dind/values.yaml b/charts/sourcegraph-executor/dind/values.yaml index 9b2d92fce..bb3ae6b30 100644 --- a/charts/sourcegraph-executor/dind/values.yaml +++ b/charts/sourcegraph-executor/dind/values.yaml 
@@ -56,7 +56,7 @@ storageClass: # -- Optional list of queues to deploy as standalone Deployments. # When set, the single executor Deployment is not rendered. -# Each entry supports: name (required), replicaCount, resources, env (merged with executor.env, queue overrides). +# Each entry supports: name (required, automatically used as EXECUTOR_QUEUE_NAME), replicaCount, resources, env (merged with executor.env, queue overrides). queues: [] # - name: codeintel # replicaCount: 2 @@ -67,9 +67,7 @@ queues: [] # limits: # cpu: "4" # memory: 8Gi -# env: -# EXECUTOR_QUEUE_NAME: -# value: codeintel +# env: {} # - name: batches # replicaCount: 1 # resources: 
@@ -79,12 +77,34 @@ queues: [] # limits: # cpu: "2" # memory: 4Gi -# env: -# EXECUTOR_QUEUE_NAME: -# value: batches +# env: {} executor: enabled: true + # -- The external URL of the Sourcegraph instance. Required. + frontendUrl: "" + # -- The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required if frontendExistingSecret is not configured. + frontendPassword: "" + # -- Name of existing k8s Secret to use for frontend password. + # The k8s Secret must contain the key EXECUTOR_FRONTEND_PASSWORD matching the site config executors.accessToken value. + # frontendPassword is ignored if this is set. + frontendExistingSecret: "" + # -- The name of the queue to pull jobs from. Possible values: batches and codeintel. Either this or queueNames is required (when not using queues). + queueName: "" + # -- The names of multiple queues to pull jobs from. Possible values: batches and codeintel. Either this or queueName is required (when not using queues). + queueNames: [] + # -- The maximum amount of jobs that can be executed concurrently. + maximumNumJobs: 10 + # -- The maximum wall time that can be spent on a single job. + maximumRuntimePerJob: "30m" + log: + # -- Possible values are dbug, info, warn, eror, crit. + level: "warn" + format: "condensed" + # -- For local deployments the host is 'host.docker.internal' and this needs to be true. + dockerAddHostGateway: "false" + debug: + keepWorkspaces: "false" # -- Resource requests and limits for the executor container. # Each queue can override this with its own resources field. resources: {} 
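Review bot: `log.format` and `debug.keepWorkspaces` are added without a `# --` comment, so the generated README will list them with an empty description. For `keepWorkspaces` a reader should learn that it is a debugging switch, for example `# -- Keep job workspaces after a job finishes; for debugging only, since checked-out repository contents remain on the scratch volume.` (wording to be confirmed against the executor documentation). The `frontendPassword` comment should also state that the value is rendered in plain text into the Deployment unless `frontendExistingSecret` is set, and recommend the existing-secret path for anything beyond local testing.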
@@ -92,19 +112,12 @@ executor: defaultTag: 6.0.0@sha256:0be94a7c91f8273db10fdf46718c6596340ab2acc570e7b85353806e67a27508 name: "executor" replicaCount: 1 - env: - # -- The external URL of the Sourcegraph instance. Required. - EXECUTOR_FRONTEND_URL: - value: "" - # -- The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required. - EXECUTOR_FRONTEND_PASSWORD: - value: "" - # -- The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or EXECUTOR_QUEUE_NAMES is required.** - EXECUTOR_QUEUE_NAME: - value: "" - # -- The comma-separated list of names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or EXECUTOR_QUEUE_NAME is required.** - EXECUTOR_QUEUE_NAMES: - value: "" + # -- Extra environment variables to set on the executor container. + # Must NOT contain managed env vars (EXECUTOR_FRONTEND_URL, EXECUTOR_FRONTEND_PASSWORD, + # EXECUTOR_QUEUE_NAME, EXECUTOR_QUEUE_NAMES, SRC_LOG_LEVEL, SRC_LOG_FORMAT, + # EXECUTOR_MAXIMUM_NUM_JOBS, EXECUTOR_MAXIMUM_RUNTIME_PER_JOB, + # EXECUTOR_DOCKER_ADD_HOST_GATEWAY, EXECUTOR_KEEP_WORKSPACES). + env: {} dind: image: diff --git a/dind.override.yaml b/dind.override.yaml new file mode 100644 index 000000000..4f4bddb71 --- /dev/null +++ b/dind.override.yaml @@ -0,0 +1,21 @@ +storageClass: + create: false + name: sourcegraph + +sourcegraph: + image: + repository: us-docker.pkg.dev/sourcegraph-images/external + defaultTag: docker-images-notest-06-03-fix_374565_2026-06-04_7.3-e87902b59ff0 + useGlobalTagAsDefault: true + +executor: + replicaCount: 4 + frontendUrl: "http://frontend.sourcegraph.internal" + frontendPassword: SrHY0aVe0keHeh9MBzcX097NBXXdpcQs + +queues: + - name: batches + replicaCount: 4 + - name: codeintel + replicaCount: 4 + From 9d0ce2587dd8a3261d012554f2cf5c2906463531 Mon Sep 17 00:00:00 2001 
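Review bot: The added `dind.override.yaml` (hunk `@@ -0,0 +1,21 @@`) commits a literal `executor.frontendPassword` value that looks like a real executor access token. Later patches in this series delete the file and add it to `.gitignore`, but the value stays readable in this commit's history. The token should be rotated in the site config (`executors.accessToken`), and this commit should be dropped from the series before merge rather than left in and undone by a later patch. The same file sets `frontendUrl` to an `http://` address; if that is more than a local test value, the token would travel unencrypted between executor and frontend. A secret-scanning check in CI would catch this class of mistake before it reaches a patch series.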
From: Michael Lin Date: Thu, 4 Jun 2026 10:05:19 -0700 Subject: [PATCH 6/8] remove dind.override.yaml from tracking Co-Authored-By: Claude Sonnet 4.6 --- dind.override.yaml | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 dind.override.yaml diff --git a/dind.override.yaml b/dind.override.yaml deleted file mode 100644 index 4f4bddb71..000000000 --- a/dind.override.yaml +++ /dev/null @@ -1,21 +0,0 @@ -storageClass: - create: false - name: sourcegraph - -sourcegraph: - image: - repository: us-docker.pkg.dev/sourcegraph-images/external - defaultTag: docker-images-notest-06-03-fix_374565_2026-06-04_7.3-e87902b59ff0 - useGlobalTagAsDefault: true - -executor: - replicaCount: 4 - frontendUrl: "http://frontend.sourcegraph.internal" - frontendPassword: SrHY0aVe0keHeh9MBzcX097NBXXdpcQs - -queues: - - name: batches - replicaCount: 4 - - name: codeintel - replicaCount: 4 - From 3aec5878cfc13f632db6f3f5e97f5143d2ffefb8 Mon Sep 17 00:00:00 2001 From: Michael Lin Date: Thu, 4 Jun 2026 10:05:19 -0700 Subject: [PATCH 7/8] chore: gitignore dind.override.yaml Co-Authored-By: Claude Sonnet 4.6 --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index a46e872c2..4356b4a8d 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ target/* # Jetbrains .idea/ +dind.override.yaml From 32aa1e69fbaba08c582a1d65ff9c2829c9f7c906 Mon Sep 17 00:00:00 2001 
From: Michael Lin Date: Thu, 4 Jun 2026 10:58:46 -0700 Subject: [PATCH 8/8] feat(dind): remove executor.enabled, make daemon.json configurable - executor.enabled had no meaningful use; the chart always deploys an executor, so the flag is removed - dind.daemonConfig is now a values map rendered as daemon.json, allowing arbitrary Docker daemon configuration via values overrides Co-Authored-By: Claude Sonnet 4.6 --- .../dind/templates/executor/docker-daemon.ConfigMap.yaml | 9 +++------ .../dind/templates/executor/executor.Deployment.yaml | 8 +------- ...ent.yaml => private-docker-registry.Statefulset.yaml} | 0 charts/sourcegraph-executor/dind/values.yaml | 5 ++++- 4 files changed, 8 insertions(+), 14 deletions(-) rename charts/sourcegraph-executor/dind/templates/private-docker-registry/{private-docker-registry.Deployment.yaml => private-docker-registry.Statefulset.yaml} (100%) diff --git a/charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml b/charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml index b06f81105..1a767bd50 100644 --- a/charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml +++ b/charts/sourcegraph-executor/dind/templates/executor/docker-daemon.ConfigMap.yaml @@ -1,9 +1,4 @@ -{{- if or .Values.queues .Values.executor.enabled -}} apiVersion: v1 -data: - daemon.json: | - { "insecure-registries":["private-docker-registry:5000"] } - kind: ConfigMap metadata: labels: @@ -11,4 +6,6 @@ metadata: deploy: sourcegraph app.kubernetes.io/component: executor name: docker-config -{{- end }} +data: + daemon.json: | + {{- .Values.dind.daemonConfig | toPrettyJson | nindent 4 }} diff --git a/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml index eb2ebd639..960c5ba68 100644 --- a/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml 
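Review bot: In the rewritten `data:` block of `docker-daemon.ConfigMap.yaml`, `.Values.dind.daemonConfig | toPrettyJson` renders the literal `null` when an override unsets the key (for example `dind.daemonConfig: null`), so daemon.json would no longer hold a JSON object. Falling back to an empty map keeps the file well-formed: `{{- .Values.dind.daemonConfig | default dict | toPrettyJson | nindent 4 }}`. How dockerd reacts to a `null` config is not visible here, so treat this as a robustness guard rather than a confirmed failure.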
+++ b/charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml @@ -196,7 +196,7 @@ spec: defaultMode: 420 name: docker-config {{- end }} -{{- else if .Values.executor.enabled }} +{{- else }} {{- include "executor.validateEnv" (list .Values.executor.env "executor.env") }} apiVersion: apps/v1 kind: Deployment @@ -286,14 +286,8 @@ spec: value: {{ .Values.executor.log.level | quote }} - name: SRC_LOG_FORMAT value: {{ .Values.executor.log.format | quote }} - - name: EXECUTOR_MAXIMUM_NUM_JOBS - value: {{ .Values.executor.maximumNumJobs | quote }} - name: EXECUTOR_MAXIMUM_RUNTIME_PER_JOB value: {{ .Values.executor.maximumRuntimePerJob | quote }} - - name: EXECUTOR_DOCKER_ADD_HOST_GATEWAY - value: {{ .Values.executor.dockerAddHostGateway | quote }} - - name: EXECUTOR_KEEP_WORKSPACES - value: {{ .Values.executor.debug.keepWorkspaces | quote }} - name: EXECUTOR_USE_FIRECRACKER value: "false" - name: EXECUTOR_HEALTH_SERVER_ADDR diff --git a/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml b/charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Statefulset.yaml similarity index 100% rename from charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml rename to charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Statefulset.yaml diff --git a/charts/sourcegraph-executor/dind/values.yaml b/charts/sourcegraph-executor/dind/values.yaml index bb3ae6b30..4b026ce9f 100644 --- a/charts/sourcegraph-executor/dind/values.yaml +++ b/charts/sourcegraph-executor/dind/values.yaml @@ -80,7 +80,6 @@ queues: [] # env: {} executor: - enabled: true # -- The external URL of the Sourcegraph instance. Required. frontendUrl: "" # -- The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required if frontendExistingSecret is not configured. 
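Review bot: With `{{- else }}` replacing `{{- else if .Values.executor.enabled }}`, a values file that still sets `executor.enabled: false` and no `queues` will start rendering the single-executor Deployment on upgrade. Helm does not warn about the now-unknown key unless the chart ships a values schema. A guard at the top of the `else` branch would make the removal explicit: `{{- if and (hasKey .Values.executor "enabled") (not .Values.executor.enabled) }}{{ fail "executor.enabled was removed; the chart always deploys an executor" }}{{- end }}`. The enclosing `if .Values.queues` block starts outside this hunk.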
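Review bot: The hunk at `@@ -286,14 +286,8 @@` drops `EXECUTOR_MAXIMUM_NUM_JOBS`, `EXECUTOR_DOCKER_ADD_HOST_GATEWAY` and `EXECUTOR_KEEP_WORKSPACES` from the single-executor container, which the commit message does not mention. values.yaml still documents `maximumNumJobs`, `dockerAddHostGateway` and `debug.keepWorkspaces`, and the `executor.env` comment still lists these variables as managed. Unless the same entries are rendered elsewhere in this container spec outside the hunk (for example, if this removes duplicates), those values would silently stop having any effect here, and `executor.validateEnv` would presumably also reject setting them through `env`. Either keep the three entries or remove the values and the managed-variable list entries in the same commit.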
@@ -124,6 +123,10 @@ dind: registry: index.docker.io repository: docker tag: 20.10.22-dind + # -- Docker daemon configuration passed as daemon.json to the dind sidecar. + daemonConfig: + insecure-registries: + - private-docker-registry:5000 privateDockerRegistry: # -- Whether to deploy the private registry. Only one registry is needed when deploying multiple executors.
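Review bot: The default `daemonConfig` lists `private-docker-registry:5000` under `insecure-registries` unconditionally, so the dind daemon will skip TLS verification (or fall back to plain HTTP) for that name even where the chart's private registry is not deployed. The doc comment should say so, for example `# insecure-registries turns off TLS verification for the listed hosts; drop the entry when privateDockerRegistry is not deployed.` Helm replaces lists rather than merging them, so an override supplying its own `insecure-registries` must repeat this entry if the bundled registry is in use. The `privateDockerRegistry` block continues outside the hunk, so whether its enable flag is wired to this default is not visible here.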