Skip to content

Update AWS example for RDS IAM auth docs #770

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Dec 4, 2025
Merged

Update AWS example for RDS IAM auth docs #770

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
872fb51
Update AWS example for RDS IAM auth docs
marcleblanc2 Nov 22, 2025
0c642f3
Separating IAM auth to separate example
marcleblanc2 Nov 22, 2025
5b557c8
Showing AWS examples in AWS example
marcleblanc2 Nov 22, 2025
c6ec460
Adding examples from cusotmers
marcleblanc2 Nov 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
186 changes: 175 additions & 11 deletions charts/sourcegraph/examples/aws/override.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,180 @@
# Example Helm override file for deploying on AWS EKS

# Using:
# ALB Ingress Controller EKS add-on
# RDS databases, with IAM authentication
# Customer-manged encryption key for EBS storage volumes for persistent volumes
# Not EKS Auto Mode, but with comments for changes required for Auto Mode
# Kubernetes-native Executors, in the same namespace

################################################################################
# Sourcegraph-wide configuration
################################################################################

storageClass:
create: true
provisioner: ebs.csi.aws.com # If using the EBS CSI EKS add-on
# provisioner: ebs.csi.eks.amazonaws.com # If using an AWS EKS "Auto mode" cluster, need use its storage provisioner
reclaimPolicy: Retain
type: gp3
volumeBindingMode: WaitForFirstConsumer
parameters:
# If using CMK encryption for EBS volumes for persistent storage
encrypted: "true"
kmsKeyId: arn:aws:kms:region:account-id:key/key-id # Full ARN of the key

################################################################################
# Databases
# Using external DBs, on RDS, with IAM auth
################################################################################

codeInsightsDB:
enabled: false
auth:
database: "sg"
host: codeinsights.rds.amazon.com
password: "" # Empty password for IAM auth
port: "5432"
sslmode: require
user: "sg"

codeIntelDB:
enabled: false
auth:
database: "sg"
host: codeintel.rds.amazon.com
password: "" # Empty password for IAM auth
port: "5432"
sslmode: require
user: "sg"

pgsql:
enabled: false
auth:
database: "sg"
host: pgsql.rds.amazon.com
password: "" # Empty password for IAM auth
port: "5432"
sslmode: require
user: "sg"

################################################################################
# Frontend / ingress
################################################################################

frontend:

ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: alb # aws load balancer controller ingressClass name
# additional aws alb ingress controller supported annotations
# ...
# replace with your actual domain
host: sourcegraph.company.com
# Unset deprecated annotation to hide warning
kubernetes.io/ingress.class: null

storageClass:
create: true
type: gp3 # This configures SSDs (recommended).
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Retain
# AWS ALB ingress controller annotations
alb.ingress.kubernetes.io/healthcheck-path: /healthz
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
alb.ingress.kubernetes.io/ssl-redirect: '443'

# Replace with your actual hostname, for TLS cert lookup, and ALB Ingress Controller, and ExternalDNS
host: sourcegraph.example.com
ingressClassName: alb

env:
# If using databases in AWS RDS, with IAM authentication
PG_CONNECTION_UPDATER:
value: EC2_ROLE_CREDENTIALS
# If using databases in AWS RDS, with IAM authentication, and regional endpoints
AWS_STS_REGIONAL_ENDPOINTS:
value: regional

################################################################################
# Migrator
################################################################################

migrator:

# Need to duplicate these environment variables on migrator, however, other pods will pull them from frontend
env:
# If using databases in AWS RDS, with IAM authentication
PG_CONNECTION_UPDATER:
value: EC2_ROLE_CREDENTIALS
# If using databases in AWS RDS, with IAM authentication, and regional endpoints
AWS_STS_REGIONAL_ENDPOINTS:
value: regional

### Use the args list to operate migrator commands, if needed
### Available commands can be found at
### https://sourcegraph.com/docs/admin/updates/migrator/migrator-operations#commands

### Manually mark migrations as completed
# After installing the Postgres extensions on fresh, new RDS databases via Terraform / other means
# Run these one at a time, then run again with them all commented out for a normal startup
# args:
# - add-log
# - --db=frontend
# - --version=1680296731

# args:
# - add-log
# - --db=codeintel
# - --version=1679010276

# args:
# - add-log
# - --db=codeinsights
# - --version=1675347548

### Drift check
# args:
# - drift
# - -version=v6.8.0

### Multi-version upgrades
### https://sourcegraph.com/docs/admin/deploy/kubernetes#multi-version-upgrades
# args:
# - upgrade
# - -from=v6.8.0
# - -to=v6.10.3349

################################################################################
# Executors
# If deploying Kubernetes native executors in the same namespace,
# you can use the same override.yaml file for both Helm charts
################################################################################

executor:
frontendUrl: "http://sourcegraph-frontend:30080" # Use cluster-local DNS name, to avoid paying extra for network traffic
frontendPassword: "long_random_password_which_matches_in_site_config"
queueNames: [ "batches", "codeintel" ]

################################################################################
# Extra resources
################################################################################

# extraResources:

# If using an AWS EKS "Auto mode" cluster, need to create the IngressClass, and IngressClassParams
# https://docs.aws.amazon.com/eks/latest/userguide/auto-elb-example.html
# https://docs.aws.amazon.com/eks/latest/userguide/auto-configure-alb.html

# - apiVersion: eks.amazonaws.com/v1
# kind: IngressClassParams
# metadata:
# name: alb
# spec:
# scheme: internet-facing
# # certificateARNs: # ALB seems to be smart enough, and have the needed perms, to find the correct cert based on matching host

# - apiVersion: networking.k8s.io/v1
# kind: IngressClass
# metadata:
# annotations:
# ingressclass.kubernetes.io/is-default-class: "true"
# name: alb
# spec:
# # Use the EKS Auto Mode ALB controller
# controller: eks.amazonaws.com/alb
# parameters:
# apiGroup: eks.amazonaws.com
# kind: IngressClassParams
# name: alb
Loading