From 872fb511d82844059a4fe22c4e52413bcc4422b5 Mon Sep 17 00:00:00 2001
From: Marc <7050295+marcleblanc2@users.noreply.github.com>
Date: Sat, 22 Nov 2025 00:36:41 -0700
Subject: [PATCH 1/4] Update AWS example for RDS IAM auth docs
Will reference this example on the doc site for configuring AWS RDS IAM auth
---
 charts/sourcegraph/examples/aws/override.yaml | 27 ++++++++++++-------
 1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/charts/sourcegraph/examples/aws/override.yaml b/charts/sourcegraph/examples/aws/override.yaml
index 5134877a..cb11342b 100644
--- a/charts/sourcegraph/examples/aws/override.yaml
+++ b/charts/sourcegraph/examples/aws/override.yaml
@@ -1,16 +1,23 @@
+storageClass:
+ create: true
+ provisioner: ebs.csi.aws.com
+ reclaimPolicy: Retain
+ type: gp3
+ volumeBindingMode: WaitForFirstConsumer
+
 frontend:
 ingress:
 enabled: true
 annotations:
- kubernetes.io/ingress.class: alb # aws load balancer controller ingressClass name
- # additional aws alb ingress controller supported annotations
+ kubernetes.io/ingress.class: null # Unset deprecated annotation
+ # Additional AWS ALB ingress controller annotations
 # ...
- # replace with your actual domain
- host: sourcegraph.company.com
+ host: sourcegraph.company.com # Replace with your actual hostname
+ ingressClassName: alb
-storageClass:
- create: true
- type: gp3 # This configures SSDs (recommended).
- provisioner: ebs.csi.aws.com
- volumeBindingMode: WaitForFirstConsumer
- reclaimPolicy: Retain
+
+ # Uncomment if using AWS RDS with IAM authentication
+ # env:
+ # PG_CONNECTION_UPDATER:
+ # value: EC2_ROLE_CREDENTIALS
+ # AWS_STS_REGIONAL_ENDPOINTS:
+ # value: regional
From 0c642f3b13b4e109d32096b1e010b05623d00598 Mon Sep 17 00:00:00 2001
From: Marc <7050295+marcleblanc2@users.noreply.github.com>
Date: Sat, 22 Nov 2025 00:39:09 -0700
Subject: [PATCH 2/4] Separating IAM auth to separate example
Removed commented-out configuration for AWS RDS IAM authentication.
---
 charts/sourcegraph/examples/aws/override.yaml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/charts/sourcegraph/examples/aws/override.yaml b/charts/sourcegraph/examples/aws/override.yaml
index cb11342b..949dbd03 100644
--- a/charts/sourcegraph/examples/aws/override.yaml
+++ b/charts/sourcegraph/examples/aws/override.yaml
@@ -14,10 +14,3 @@ frontend:
 # ...
 host: sourcegraph.company.com # Replace with your actual hostname
 ingressClassName: alb
-
- # Uncomment if using AWS RDS with IAM authentication
- # env:
- # PG_CONNECTION_UPDATER:
- # value: EC2_ROLE_CREDENTIALS
- # AWS_STS_REGIONAL_ENDPOINTS:
- # value: regional
From 5b557c858bce9ee54c090e2a99513addd5ec2699 Mon Sep 17 00:00:00 2001
From: Marc <7050295+marcleblanc2@users.noreply.github.com>
Date: Sat, 22 Nov 2025 05:15:43 -0700
Subject: [PATCH 3/4] Showing AWS examples in AWS example
Added environment variables for AWS RDS IAM authentication.
---
 charts/sourcegraph/examples/aws/override.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/charts/sourcegraph/examples/aws/override.yaml b/charts/sourcegraph/examples/aws/override.yaml
index 949dbd03..59208b4c 100644
--- a/charts/sourcegraph/examples/aws/override.yaml
+++ b/charts/sourcegraph/examples/aws/override.yaml
@@ -14,3 +14,18 @@ frontend:
 # ...
 host: sourcegraph.company.com # Replace with your actual hostname
 ingressClassName: alb
+ env:
+ # If using databases in AWS RDS, with IAM authentication
+ PG_CONNECTION_UPDATER:
+ value: EC2_ROLE_CREDENTIALS
+ # If using databases in AWS RDS, with IAM authentication, with regional endpoints
+ AWS_STS_REGIONAL_ENDPOINTS:
+ value: regional
+
+migrator:
+ # If using databases in AWS RDS, with IAM authentication
+ PG_CONNECTION_UPDATER:
+ value: EC2_ROLE_CREDENTIALS
+ # If using databases in AWS RDS, with IAM authentication, with regional endpoints
+ AWS_STS_REGIONAL_ENDPOINTS:
+ value: regional
From c6ec46084292ff3f0f5eaf73d5c48a3391bacc7c Mon Sep 17 00:00:00 2001
From: Marc LeBlanc
Date: Thu, 27 Nov 2025 00:46:07 -0700
Subject: [PATCH 4/4] Adding examples from cusotmers
---
 charts/sourcegraph/examples/aws/override.yaml | 163 +++++++++++++++++-
 1 file changed, 156 insertions(+), 7 deletions(-)
diff --git a/charts/sourcegraph/examples/aws/override.yaml b/charts/sourcegraph/examples/aws/override.yaml
index 59208b4c..058f04e9 100644
--- a/charts/sourcegraph/examples/aws/override.yaml
+++ b/charts/sourcegraph/examples/aws/override.yaml
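Review bot: The `migrator:` block lists `PG_CONNECTION_UPDATER` and `AWS_STS_REGIONAL_ENDPOINTS` directly under `migrator:`, whereas the `frontend:` block in the same hunk nests them under `env:`; if the chart renders `migrator.env` the way it renders `frontend.env`, the migrator pod would not receive these variables and IAM-authenticated RDS connections would fail only at migration time. PATCH 4/4 in this series adds the missing key, so the fix here is the single line `  env:` inserted after `migrator:`, with the six lines below it indented under it.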
@@ -1,31 +1,180 @@
+# Example Helm override file for deploying on AWS EKS
+
+# Using:
+# ALB Ingress Controller EKS add-on
+# RDS databases, with IAM authentication
+# Customer-manged encryption key for EBS storage volumes for persistent volumes
+# Not EKS Auto Mode, but with comments for changes required for Auto Mode
+# Kubernetes-native Executors, in the same namespace
+
+################################################################################
+# Sourcegraph-wide configuration
+################################################################################
+
+
 storageClass:
 create: true
- provisioner: ebs.csi.aws.com
+ provisioner: ebs.csi.aws.com # If using the EBS CSI EKS add-on
+ # provisioner: ebs.csi.eks.amazonaws.com # If using an AWS EKS "Auto mode" cluster, need use its storage provisioner
 reclaimPolicy: Retain
 type: gp3
 volumeBindingMode: WaitForFirstConsumer
+ parameters:
+ # If using CMK encryption for EBS volumes for persistent storage
+ encrypted: "true"
+ kmsKeyId: arn:aws:kms:region:account-id:key/key-id # Full ARN of the key
+
+################################################################################
+# Databases
+# Using external DBs, on RDS, with IAM auth
+################################################################################
+
+codeInsightsDB:
+ enabled: false
+ auth:
+ database: "sg"
+ host: codeinsights.rds.amazon.com
+ password: "" # Empty password for IAM auth
+ port: "5432"
+ sslmode: require
+ user: "sg"
+
+codeIntelDB:
+ enabled: false
+ auth:
+ database: "sg"
+ host: codeintel.rds.amazon.com
+ password: "" # Empty password for IAM auth
+ port: "5432"
+ sslmode: require
+ user: "sg"
+
+pgsql:
+ enabled: false
+ auth:
+ database: "sg"
+ host: pgsql.rds.amazon.com
+ password: "" # Empty password for IAM auth
+ port: "5432"
+ sslmode: require
+ user: "sg"
+
+################################################################################
+# Frontend / ingress
+################################################################################
 frontend:
+
 ingress:
 enabled: true
 annotations:
- kubernetes.io/ingress.class: null # Unset deprecated annotation
- # Additional AWS ALB ingress controller annotations
- # ...
- host: sourcegraph.company.com # Replace with your actual hostname
+ # Unset deprecated annotation to hide warning
+ kubernetes.io/ingress.class: null
+
+ # AWS ALB ingress controller annotations
+ alb.ingress.kubernetes.io/healthcheck-path: /healthz
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: '443'
+
+ # Replace with your actual hostname, for TLS cert lookup, and ALB Ingress Controller, and ExternalDNS
+ host: sourcegraph.example.com
 ingressClassName: alb
+
 env:
 # If using databases in AWS RDS, with IAM authentication
 PG_CONNECTION_UPDATER:
 value: EC2_ROLE_CREDENTIALS
- # If using databases in AWS RDS, with IAM authentication, with regional endpoints
+ # If using databases in AWS RDS, with IAM authentication, and regional endpoints
 AWS_STS_REGIONAL_ENDPOINTS:
 value: regional
+################################################################################
+# Migrator
+################################################################################
+
 migrator:
+
+ # Need to duplicate these environment variables on migrator, however, other pods will pull them from frontend
+ env:
 # If using databases in AWS RDS, with IAM authentication
 PG_CONNECTION_UPDATER:
 value: EC2_ROLE_CREDENTIALS
- # If using databases in AWS RDS, with IAM authentication, with regional endpoints
+ # If using databases in AWS RDS, with IAM authentication, and regional endpoints
 AWS_STS_REGIONAL_ENDPOINTS:
 value: regional
+
+ ### Use the args list to operate migrator commands, if needed
+ ### Available commands can be found at
+ ### https://sourcegraph.com/docs/admin/updates/migrator/migrator-operations#commands
+
+ ### Manually mark migrations as completed
+ # After 
installing the Postgres extensions on fresh, new RDS databases via Terraform / other means
+ # Run these one at a time, then run again with them all commented out for a normal startup
+ # args:
+ - add-log
+ - --db=frontend
+ - --version=1680296731
+
+ # args:
+ - add-log
+ - --db=codeintel
+ - --version=1679010276
+
+ # args:
+ - add-log
+ - --db=codeinsights
+ - --version=1675347548
+
+ ### Drift check
+ # args:
+ - drift
+ - -version=v6.8.0
+
+ ### Multi-version upgrades
+ ### https://sourcegraph.com/docs/admin/deploy/kubernetes#multi-version-upgrades
+ # args:
+ - upgrade
+ - -from=v6.8.0
+ - -to=v6.10.3349
+
+################################################################################
+# Executors
+# If deploying Kubernetes native executors in the same namespace,
+# you can use the same override.yaml file for both Helm charts
+################################################################################
+
+executor:
+ frontendUrl: "http://sourcegraph-frontend:30080" # Use cluster-local DNS name, to avoid paying extra for network traffic
+ frontendPassword: "long_random_password_which_matches_in_site_config"
+ queueNames: [ "batches", "codeintel" ]
+
+################################################################################
+# Extra resources
+################################################################################
+
+# extraResources:
+
+# If using an AWS EKS "Auto mode" cluster, need to create the IngressClass, and IngressClassParams
+# https://docs.aws.amazon.com/eks/latest/userguide/auto-elb-example.html
+# https://docs.aws.amazon.com/eks/latest/userguide/auto-configure-alb.html
+
+# - apiVersion: eks.amazonaws.com/v1
+# kind: IngressClassParams
+# metadata:
+# name: alb
+# spec:
+# scheme: internet-facing
+# # certificateARNs: # ALB seems to be smart enough, and have the needed perms, to find the correct cert based on matching host
+
+# - apiVersion: networking.k8s.io/v1
+# kind: IngressClass
+# metadata:
+# annotations:
+# ingressclass.kubernetes.io/is-default-class: "true"
+# name: alb
+# spec:
+# # Use the EKS Auto Mode ALB controller
+# controller: eks.amazonaws.com/alb
+# parameters:
+# apiGroup: eks.amazonaws.com
+# kind: IngressClassParams
+# name: alb
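Review bot: The three RDS blocks (`codeInsightsDB`, `codeIntelDB`, `pgsql`) set `sslmode: require`, which encrypts the connection but does not verify the server's identity, so the short-lived IAM auth token is presented to whatever endpoint answers for the hostname; an IAM-auth example should show `sslmode: verify-full` with libpq pointed at the RDS CA bundle (`sslrootcert`, if the chart's `auth` map exposes it, otherwise via the `PGSSLROOTCERT` environment variable). The placeholder hosts `codeinsights.rds.amazon.com`, `codeintel.rds.amazon.com` and `pgsql.rds.amazon.com` do not use the RDS endpoint suffix (`rds.amazonaws.com`), so they should be visibly marked as placeholders, e.g. `host: codeinsights.<id>.<region>.rds.amazonaws.com # Replace with your RDS endpoint`. `frontendPassword` under `executor` places a shared secret inline in a file intended to be committed; the comment on that line should state that the real value belongs in a Kubernetes Secret or a values file kept out of version control, and that `frontendUrl` over plain HTTP is only acceptable for cluster-local traffic. In this rendering the `- add-log`, `- --db=…` and `- --version=…` items after each `# args:` under `migrator` appear without a leading `#`; if that is the file's content they are live sequence items inside the `migrator` mapping and the file will not parse, so confirm they are commented out like the surrounding lines.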