codeintel-service-def (#62870)

Add service definition for Code Intel into appliance.
2026-02-06 18:51:59 +00:00 · 2024-05-23 15:14:42 -04:00 · 2024-05-23 15:14:42 -04:00 · 23759ca369
commit 23759ca369
parent d485d76ee9
14 changed files with 906 additions and 25 deletions
--- a/internal/appliance/config/BUILD.bazel
+++ b/internal/appliance/config/BUILD.bazel
@ -11,7 +11,10 @@ go_library(
        "embed.go",
        "spec.go",
    ],
-    embedsrcs = ["pgsql/postgresql.conf"],
+    embedsrcs = [
+        "postgres/codeintel.conf",
+        "postgres/pgsql.conf",
+    ],
    importpath = "github.com/sourcegraph/sourcegraph/internal/appliance/config",
    visibility = ["//:__subpackages__"],
    deps = [
--- a/internal/appliance/config/defaults.go
+++ b/internal/appliance/config/defaults.go
@ -7,7 +7,7 @@ import (
 	"github.com/sourcegraph/sourcegraph/lib/pointers"
 )

-// Default
+// NewDefaultConfig
 //
 // Warning: never extract `ptr.To(thing)` into a package-level variable! If you
 // do this, reconciling a config that overrides a default value for that
@ -80,6 +80,19 @@ func NewDefaultConfig() Sourcegraph {
 				NumWorkers: 4,
 				Replicas:   2,
 			},
+			CodeIntel: CodeIntelSpec{
+				StandardConfig: StandardConfig{
+					PrometheusPort: pointers.Ptr(9187),
+				},
+				StorageSize: "200Gi",
+				DatabaseConnection: &DatabaseConnectionSpec{
+					Host:     "codeintel-db",
+					Port:     "5432",
+					User:     "sg",
+					Password: "password",
+					Database: "sg",
+				},
+			},
 		},
 	}
 }
@ -94,6 +107,7 @@ var defaultImages = map[string]map[string]string{
 var defaultImagesForVersion_5_3_9104 = map[string]string{
 	"alpine":                    "alpine-3.14:5.3.2@sha256:982220e0fd8ce55a73798fa7e814a482c4807c412f054c8440c5970b610239b7",
 	"blobstore":                 "blobstore:5.3.2@sha256:d625be1eefe61cc42f94498e3c588bf212c4159c8b20c519db84eae4ff715efa",
+	"codeintel-db":              "codeintel-db:5.3.2@sha256:1e0e93661a65c832b9697048c797f9894dfb502e2e1da2b8209f0018a6632b79",
 	"gitserver":                 "gitserver:5.3.2@sha256:6c6042cf3e5f3f16de9b82e3d4ab1647f8bb924cd315245bd7a3162f5489e8c4",
 	"pgsql":                     "postgres-12-alpine:5.3.2@sha256:1e0e93661a65c832b9697048c797f9894dfb502e2e1da2b8209f0018a6632b79",
 	"pgsql-exporter":            "postgres_exporter:5.3.2@sha256:b9fa66fbcb4cc2d466487259db4ae2deacd7651dac4a9e28c9c7fc36523699d0",
--- a/internal/appliance/config/embed.go
+++ b/internal/appliance/config/embed.go
@ -5,16 +5,17 @@ import (
 )

 var (
-	//go:embed pgsql/postgresql.conf
+	//go:embed postgres/*
 	fs embed.FS

-	pgsqlConfig []byte
+	PgsqlConfig     []byte
+	CodeIntelConfig []byte
 )

 func init() {
-	pgsqlConfig, _ = fs.ReadFile("pgsql/postgresql.conf")
+	PgsqlConfig, _ = fs.ReadFile("postgres/pgsql.conf")
 }

-func DefaultPGSQLConfig() string {
-	return string(pgsqlConfig)
+func init() {
+	CodeIntelConfig, _ = fs.ReadFile("postgres/codeintel.conf")
 }
--- a/internal/appliance/config/postgres/codeintel.conf
+++ b/internal/appliance/config/postgres/codeintel.conf
@ -0,0 +1,56 @@
+#------------------------------------------------------------------------------
+# POSTGRESQL DEFAULT CONFIGURATION
+#------------------------------------------------------------------------------
+
+# Below is PostgreSQL default configuration.
+# You should apply your own customization in the CUSTOMIZED OPTIONS section below
+# to avoid merge conflict in the future.
+
+listen_addresses = '*'
+max_connections = 100
+shared_buffers = 128MB
+dynamic_shared_memory_type = posix
+max_wal_size = 1GB
+min_wal_size = 80MB
+log_timezone = 'UTC'
+datestyle = 'iso, mdy'
+timezone = 'UTC'
+lc_messages = 'en_US.utf8'
+lc_monetary = 'en_US.utf8'
+lc_numeric = 'en_US.utf8'
+lc_time = 'en_US.utf8'
+default_text_search_config = 'pg_catalog.english'
+
+
+#------------------------------------------------------------------------------
+# SOURCEGRAPH RECOMMENDED OPTIONS
+#------------------------------------------------------------------------------
+
+# Below is Sourcegraph recommended Postgres configuration based on the default resource configuration.
+# You should apply your own customization in the CUSTOMIZED OPTIONS section below
+# to avoid merge conflict in the future.
+
+shared_buffers = 1GB
+work_mem = 5MB
+maintenance_work_mem = 250MB
+temp_file_limit = 20GB
+bgwriter_delay = 50ms
+bgwriter_lru_maxpages = 200
+effective_io_concurrency = 200
+max_worker_processes = 4
+max_parallel_maintenance_workers = 4
+max_parallel_workers_per_gather = 2
+max_parallel_workers = 4
+wal_buffers = 16MB
+max_wal_size = 8GB
+min_wal_size = 2GB
+random_page_cost = 1.1
+effective_cache_size = 3GB
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add your customization by using 'codeIntelDB.additionalConfig' in your override file.
+# Learn more: https://docs.sourcegraph.com/admin/config/postgres-conf
--- a/internal/appliance/config/pgsql/postgresql.conf
+++ b/internal/appliance/config/pgsql/postgresql.conf
--- a/internal/appliance/config/spec.go
+++ b/internal/appliance/config/spec.go
@ -54,24 +54,16 @@ type CodeInsightsDBSpec struct {
 	Resources *corev1.ResourceList `json:"resources,omitempty"`
 }

-// CodeIntelDBSpec defines the desired state of Code Intel database.
-type CodeIntelDBSpec struct {
-	// Disabled defines if Code Intel is enabled or not.
-	// Default: false
-	Disabled bool `json:"disabled,omitempty"`
-
-	// ExistingSecret is the name of an existing secret to use for CodeIntel DB credentials.
-	ExistingSecret string `json:"existingSecret,omitempty"`
+// CodeIntelSpec defines the desired state of Code Intel database.
+type CodeIntelSpec struct {
+	StandardConfig

 	// Database allows for custom database connection details.
-	Database *DatabaseConnectionSpec `json:"database,omitempty"`
+	DatabaseConnection *DatabaseConnectionSpec `json:"database,omitempty"`

 	// StorageSize defines the requested amount of storage for the PVC.
 	// Default: 200Gi
 	StorageSize string `json:"storageSize,omitempty"`
-
-	// Resources allows for custom resource limits and requests.
-	Resources *corev1.ResourceList `json:"resources,omitempty"`
 }

 type IngressSpec struct {
@ -269,7 +261,7 @@ type SourcegraphSpec struct {
 	CodeInsights CodeInsightsDBSpec `json:"codeInsights,omitempty"`

 	// CodeIntel defines the desired state of the Code Intel service.
-	CodeIntel CodeIntelDBSpec `json:"codeIntel,omitempty"`
+	CodeIntel CodeIntelSpec `json:"codeIntel,omitempty"`

 	// Frontend defines the desired state of the Sourcegraph Frontend.
 	Frontend FrontendSpec `json:"frontend,omitempty"`
--- a/internal/appliance/reconciler/BUILD.bazel
+++ b/internal/appliance/reconciler/BUILD.bazel
@ -5,6 +5,7 @@ go_library(
    name = "reconciler",
    srcs = [
        "blobstore.go",
+        "codeintel.go",
        "gitserver.go",
        "kubernetes.go",
        "pgsql.go",
@ -56,6 +57,7 @@ go_test(
    name = "reconciler_test",
    srcs = [
        "blobstore_test.go",
+        "codeintel_test.go",
        "gitserver_test.go",
        "golden_test.go",
        "helpers_test.go",
--- a/internal/appliance/reconciler/codeintel.go
+++ b/internal/appliance/reconciler/codeintel.go
@ -0,0 +1,247 @@
+package reconciler
+
+import (
+	"context"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/sourcegraph/sourcegraph/internal/appliance/config"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/configmap"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/container"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/pod"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/pvc"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/secret"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/service"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/serviceaccount"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/statefulset"
+	"github.com/sourcegraph/sourcegraph/lib/errors"
+	"github.com/sourcegraph/sourcegraph/lib/pointers"
+)
+
+func (r *Reconciler) reconcileCodeIntel(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	if err := r.reconcileCodeIntelStatefulSet(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileCodeIntelPersistentVolumeClaim(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileCodeIntelConfigMap(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileCodeIntelSecret(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileCodeIntelService(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileCodeIntelServiceAccount(ctx, sg, owner); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (r *Reconciler) reconcileCodeIntelStatefulSet(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	cfg := sg.Spec.CodeIntel
+	name := "codeintel-db"
+
+	ctrImage, err := config.GetDefaultImage(sg, name)
+	if err != nil {
+		return err
+	}
+
+	ctr := container.NewContainer(name, cfg, config.ContainerConfig{
+		Image: ctrImage,
+		Resources: &corev1.ResourceRequirements{
+			Requests: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("4"),
+				corev1.ResourceMemory: resource.MustParse("4Gi"),
+			},
+			Limits: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("4"),
+				corev1.ResourceMemory: resource.MustParse("4Gi"),
+			},
+		},
+	})
+	ctr.SecurityContext = &corev1.SecurityContext{
+		RunAsUser:                pointers.Ptr[int64](999),
+		RunAsGroup:               pointers.Ptr[int64](999),
+		AllowPrivilegeEscalation: pointers.Ptr(false),
+		ReadOnlyRootFilesystem:   pointers.Ptr(true),
+	}
+
+	databaseSecretName := "codeintel-db-auth"
+	ctr.Env = append(ctr.Env, container.EnvVarsPostgres(databaseSecretName)...)
+	ctr.Ports = []corev1.ContainerPort{{Name: "pgsql", ContainerPort: 5432}}
+	ctr.LivenessProbe = &corev1.Probe{
+		ProbeHandler: corev1.ProbeHandler{
+			Exec: &corev1.ExecAction{
+				Command: []string{"/liveness.sh"},
+			},
+		},
+		InitialDelaySeconds: 15,
+	}
+	ctr.ReadinessProbe = &corev1.Probe{
+		ProbeHandler: corev1.ProbeHandler{
+			Exec: &corev1.ExecAction{
+				Command: []string{"/ready.sh"},
+			},
+		},
+	}
+	ctr.StartupProbe = &corev1.Probe{
+		ProbeHandler: corev1.ProbeHandler{
+			Exec: &corev1.ExecAction{
+				Command: []string{"/liveness.sh"},
+			},
+		},
+		FailureThreshold: 360,
+		PeriodSeconds:    10,
+	}
+	ctr.VolumeMounts = []corev1.VolumeMount{
+		{Name: "disk", MountPath: "/data"},
+		{Name: "pgsql-conf", MountPath: "/conf"},
+		{Name: "lockdir", MountPath: "/var/run/postgresql"},
+	}
+
+	initCtrImage, err := config.GetDefaultImage(sg, "alpine")
+	if err != nil {
+		return err
+	}
+
+	initCtr := container.NewContainer("correct-data-dir-permissions", cfg, config.ContainerConfig{
+		Image: initCtrImage,
+		Resources: &corev1.ResourceRequirements{
+			Requests: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("10m"),
+				corev1.ResourceMemory: resource.MustParse("50M"),
+			},
+			Limits: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("10m"),
+				corev1.ResourceMemory: resource.MustParse("50M"),
+			},
+		},
+	})
+	initCtr.SecurityContext = &corev1.SecurityContext{
+		RunAsUser:                pointers.Ptr[int64](999),
+		RunAsGroup:               pointers.Ptr[int64](999),
+		AllowPrivilegeEscalation: pointers.Ptr(false),
+		ReadOnlyRootFilesystem:   pointers.Ptr(true),
+	}
+	initCtr.VolumeMounts = []corev1.VolumeMount{{Name: "disk", MountPath: "/data"}}
+	initCtr.Command = []string{"sh", "-c", "if [ -d /data/pgdata-12 ]; then chmod 750 /data/pgdata-12; fi"}
+
+	pgExpCtrImage, err := config.GetDefaultImage(sg, "pgsql-exporter")
+	if err != nil {
+		return err
+	}
+
+	pgExpCtr := container.NewContainer("pgsql-exporter", cfg, config.ContainerConfig{
+		Image: pgExpCtrImage,
+		Resources: &corev1.ResourceRequirements{
+			Requests: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("10m"),
+				corev1.ResourceMemory: resource.MustParse("50M"),
+			},
+			Limits: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("10m"),
+				corev1.ResourceMemory: resource.MustParse("50M"),
+			},
+		},
+	})
+	pgExpCtr.SecurityContext = &corev1.SecurityContext{
+		RunAsUser:                pointers.Ptr[int64](999),
+		RunAsGroup:               pointers.Ptr[int64](999),
+		AllowPrivilegeEscalation: pointers.Ptr(false),
+		ReadOnlyRootFilesystem:   pointers.Ptr(true),
+	}
+	pgExpCtr.Env = append(pgExpCtr.Env, container.EnvVarsPostgresExporter(databaseSecretName)...)
+	pgExpCtr.Env = append(pgExpCtr.Env, corev1.EnvVar{
+		Name: "PG_EXPORTER_EXTEND_QUERY_PATH", Value: "/config/code_intel_queries.yaml",
+	})
+
+	podVolumes := []corev1.Volume{
+		pod.NewVolumeEmptyDir("lockdir"),
+		{Name: "disk", VolumeSource: corev1.VolumeSource{
+			PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+				ClaimName: "codeintel-db",
+			},
+		}},
+		{Name: "pgsql-conf", VolumeSource: corev1.VolumeSource{
+			ConfigMap: &corev1.ConfigMapVolumeSource{
+				DefaultMode: pointers.Ptr[int32](0777),
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: "codeintel-db-conf",
+				},
+			},
+		}},
+	}
+
+	podTemplate := pod.NewPodTemplate(name, cfg)
+	podTemplate.Template.Spec.TerminationGracePeriodSeconds = pointers.Ptr[int64](120)
+	podTemplate.Template.Spec.InitContainers = []corev1.Container{initCtr}
+	podTemplate.Template.Spec.Containers = []corev1.Container{ctr, pgExpCtr}
+	podTemplate.Template.Spec.ServiceAccountName = name
+	podTemplate.Template.Spec.Volumes = podVolumes
+	podTemplate.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+		FSGroup:             pointers.Ptr[int64](999),
+		RunAsUser:           pointers.Ptr[int64](999),
+		RunAsGroup:          pointers.Ptr[int64](999),
+		FSGroupChangePolicy: pointers.Ptr(corev1.FSGroupChangeOnRootMismatch),
+	}
+
+	sset := statefulset.NewStatefulSet(name, sg.Namespace, sg.Spec.RequestedVersion)
+	sset.Spec.Template = podTemplate.Template
+
+	return reconcileObject(ctx, r, sg.Spec.CodeIntel, &sset, &appsv1.StatefulSet{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileCodeIntelPersistentVolumeClaim(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	cfg := sg.Spec.CodeIntel
+	storageSize, err := resource.ParseQuantity(cfg.StorageSize)
+	if err != nil {
+		return errors.Wrap(err, "parsing storage size")
+	}
+
+	p := pvc.NewPersistentVolumeClaim("codeintel-db", sg.Namespace, storageSize, sg.Spec.StorageClass.Name)
+
+	return reconcileObject(ctx, r, sg.Spec.CodeIntel, &p, &corev1.PersistentVolumeClaim{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileCodeIntelConfigMap(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	cm := configmap.NewConfigMap("codeintel-db-conf", sg.Namespace)
+	cm.Data = map[string]string{"postgresql.conf": string(config.CodeIntelConfig)}
+
+	return reconcileObject(ctx, r, sg.Spec.CodeIntel, &cm, &corev1.ConfigMap{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileCodeIntelSecret(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	scrt := secret.NewSecret("codeintel-db-auth", sg.Namespace, sg.Spec.RequestedVersion)
+
+	cn := sg.Spec.CodeIntel.DatabaseConnection
+	scrt.Data = map[string][]byte{
+		"host":     []byte(cn.Host),
+		"port":     []byte(cn.Port),
+		"user":     []byte(cn.User),
+		"password": []byte(cn.Password),
+		"database": []byte(cn.Database),
+	}
+
+	return reconcileObject(ctx, r, sg.Spec.CodeIntel, &scrt, &corev1.Secret{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileCodeIntelService(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	svc := service.NewService("codeintel-db", sg.Namespace, sg.Spec.CodeIntel)
+	svc.Spec.Ports = []corev1.ServicePort{{Name: "pgsql", TargetPort: intstr.FromString("pgsql"), Port: 5432}}
+	svc.Spec.Selector = map[string]string{"app": "codeintel-db"}
+
+	return reconcileObject(ctx, r, sg.Spec.CodeIntel, &svc, &corev1.Service{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileCodeIntelServiceAccount(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	cfg := sg.Spec.CodeIntel
+	sa := serviceaccount.NewServiceAccount("codeintel", sg.Namespace, cfg)
+	return reconcileObject(ctx, r, sg.Spec.CodeIntel, &sa, &corev1.ServiceAccount{}, sg, owner)
+}
--- a/internal/appliance/reconciler/codeintel_test.go
+++ b/internal/appliance/reconciler/codeintel_test.go
@ -0,0 +1,22 @@
+package reconciler
+
+import "time"
+
+func (suite *ApplianceTestSuite) TestDeployCodeIntel() {
+	for _, tc := range []struct {
+		name string
+	}{
+		{name: "codeintel/default"},
+	} {
+		suite.Run(tc.name, func() {
+			namespace := suite.createConfigMap(tc.name)
+
+			// Wait for reconciliation to be finished.
+			suite.Require().Eventually(func() bool {
+				return suite.getConfigMapReconcileEventCount(namespace) > 0
+			}, time.Second*10, time.Millisecond*200)
+
+			suite.makeGoldenAssertions(namespace, tc.name)
+		})
+	}
+}
--- a/internal/appliance/reconciler/pgsql.go
+++ b/internal/appliance/reconciler/pgsql.go
@ -159,6 +159,9 @@ func (r *Reconciler) reconcilePGSQLStatefulSet(ctx context.Context, sg *config.S
 		ReadOnlyRootFilesystem:   pointers.Ptr(true),
 	}
 	pgExpCtr.Env = append(pgExpCtr.Env, container.EnvVarsPostgresExporter(databaseSecretName)...)
+	pgExpCtr.Env = append(pgExpCtr.Env, corev1.EnvVar{
+		Name: "PG_EXPORTER_EXTEND_QUERY_PATH", Value: "/config/queries.yaml",
+	})

 	podVolumes := []corev1.Volume{
 		pod.NewVolumeEmptyDir("lockdir"),
@ -216,7 +219,7 @@ func (r *Reconciler) reconcilePGSQLPersistentVolumeClaim(ctx context.Context, sg

 func (r *Reconciler) reconcilePGSQLConfigMap(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
 	cm := configmap.NewConfigMap("pgsql-conf", sg.Namespace)
-	cm.Data = map[string]string{"postgresql.conf": config.DefaultPGSQLConfig()}
+	cm.Data = map[string]string{"postgresql.conf": string(config.PgsqlConfig)}

 	return reconcileObject(ctx, r, sg.Spec.PGSQL, &cm, &corev1.ConfigMap{}, sg, owner)
 }
--- a/internal/appliance/reconciler/reconcile.go
+++ b/internal/appliance/reconciler/reconcile.go
@ -96,6 +96,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	if err := r.reconcilePreciseCodeIntel(ctx, &sourcegraph, &applianceSpec); err != nil {
 		return ctrl.Result{}, errors.Newf("failed to reconcile precise code intel: %w", err)
 	}
+	if err := r.reconcileCodeIntel(ctx, &sourcegraph, &applianceSpec); err != nil {
+		return ctrl.Result{}, errors.Newf("failed to reconcile precise code intel: %w", err)
+	}

 	// Set the current version annotation in case migration logic depends on it.
 	applianceSpec.Annotations[config.AnnotationKeyCurrentVersion] = sourcegraph.Spec.RequestedVersion
--- a/internal/appliance/reconciler/testdata/golden-fixtures/codeintel/default.yaml
+++ b/internal/appliance/reconciler/testdata/golden-fixtures/codeintel/default.yaml
@ -0,0 +1,487 @@
+resources:
+- apiVersion: apps/v1
+  kind: StatefulSet
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: 08a9f89fce0d5a0784d40c635aac4b63182af3bcf52068f2e8bc5941aa9706df
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    generation: 1
+    labels:
+      app.kubernetes.io/component: codeintel-db
+      app.kubernetes.io/name: sourcegraph
+      app.kubernetes.io/version: 5.3.9104
+      deploy: sourcegraph
+    name: codeintel-db
+    namespace: NORMALIZED_FOR_TESTING
+    ownerReferences:
+    - apiVersion: v1
+      blockOwnerDeletion: true
+      controller: true
+      kind: ConfigMap
+      name: sg
+      uid: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+  spec:
+    minReadySeconds: 10
+    persistentVolumeClaimRetentionPolicy:
+      whenDeleted: Retain
+      whenScaled: Retain
+    podManagementPolicy: OrderedReady
+    replicas: 1
+    revisionHistoryLimit: 10
+    selector:
+      matchLabels:
+        app: codeintel-db
+    serviceName: codeintel-db
+    template:
+      metadata:
+        annotations:
+          kubectl.kubernetes.io/default-container: codeintel-db
+        creationTimestamp: null
+        labels:
+          app: codeintel-db
+          deploy: sourcegraph
+        name: codeintel-db
+      spec:
+        containers:
+        - env:
+          - name: POSTGRES_DATABASE
+            valueFrom:
+              secretKeyRef:
+                key: database
+                name: codeintel-db-auth
+          - name: POSTGRES_HOST
+            valueFrom:
+              secretKeyRef:
+                key: host
+                name: codeintel-db-auth
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: password
+                name: codeintel-db-auth
+          - name: POSTGRES_PORT
+            valueFrom:
+              secretKeyRef:
+                key: port
+                name: codeintel-db-auth
+          - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                key: user
+                name: codeintel-db-auth
+          - name: POSTGRES_DB
+            value: $(POSTGRES_DATABASE)
+          image: index.docker.io/sourcegraph/codeintel-db:5.3.2@sha256:1e0e93661a65c832b9697048c797f9894dfb502e2e1da2b8209f0018a6632b79
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            exec:
+              command:
+              - /liveness.sh
+            failureThreshold: 3
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          name: codeintel-db
+          ports:
+          - containerPort: 5432
+            name: pgsql
+            protocol: TCP
+          readinessProbe:
+            exec:
+              command:
+              - /ready.sh
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources:
+            limits:
+              cpu: "4"
+              memory: 4Gi
+            requests:
+              cpu: "4"
+              memory: 4Gi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 999
+            runAsUser: 999
+          startupProbe:
+            exec:
+              command:
+              - /liveness.sh
+            failureThreshold: 360
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+          - mountPath: /data
+            name: disk
+          - mountPath: /conf
+            name: pgsql-conf
+          - mountPath: /var/run/postgresql
+            name: lockdir
+        - env:
+          - name: DATA_SOURCE_DB
+            valueFrom:
+              secretKeyRef:
+                key: database
+                name: codeintel-db-auth
+          - name: DATA_SOURCE_PASS
+            valueFrom:
+              secretKeyRef:
+                key: password
+                name: codeintel-db-auth
+          - name: DATA_SOURCE_PORT
+            valueFrom:
+              secretKeyRef:
+                key: port
+                name: codeintel-db-auth
+          - name: DATA_SOURCE_USER
+            valueFrom:
+              secretKeyRef:
+                key: user
+                name: codeintel-db-auth
+          - name: DATA_SOURCE_URI
+            value: 127.0.0.1:$(DATA_SOURCE_PORT)/$(DATA_SOURCE_DB)?sslmode=disable
+          - name: PG_EXPORTER_EXTEND_QUERY_PATH
+            value: /config/code_intel_queries.yaml
+          image: index.docker.io/sourcegraph/postgres_exporter:5.3.2@sha256:b9fa66fbcb4cc2d466487259db4ae2deacd7651dac4a9e28c9c7fc36523699d0
+          imagePullPolicy: IfNotPresent
+          name: pgsql-exporter
+          resources:
+            limits:
+              cpu: 10m
+              memory: 50M
+            requests:
+              cpu: 10m
+              memory: 50M
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 999
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: FallbackToLogsOnError
+        dnsPolicy: ClusterFirst
+        initContainers:
+        - command:
+          - sh
+          - -c
+          - if [ -d /data/pgdata-12 ]; then chmod 750 /data/pgdata-12; fi
+          image: index.docker.io/sourcegraph/alpine-3.14:5.3.2@sha256:982220e0fd8ce55a73798fa7e814a482c4807c412f054c8440c5970b610239b7
+          imagePullPolicy: IfNotPresent
+          name: correct-data-dir-permissions
+          resources:
+            limits:
+              cpu: 10m
+              memory: 50M
+            requests:
+              cpu: 10m
+              memory: 50M
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 999
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+          - mountPath: /data
+            name: disk
+        restartPolicy: Always
+        schedulerName: default-scheduler
+        securityContext:
+          fsGroup: 999
+          fsGroupChangePolicy: OnRootMismatch
+          runAsGroup: 999
+          runAsUser: 999
+        serviceAccount: codeintel-db
+        serviceAccountName: codeintel-db
+        terminationGracePeriodSeconds: 120
+        volumes:
+        - emptyDir: {}
+          name: lockdir
+        - name: disk
+          persistentVolumeClaim:
+            claimName: codeintel-db
+        - configMap:
+            defaultMode: 511
+            name: codeintel-db-conf
+          name: pgsql-conf
+    updateStrategy:
+      type: RollingUpdate
+  status:
+    availableReplicas: 0
+    replicas: 0
+- apiVersion: v1
+  data:
+    postgresql.conf: |
+      #------------------------------------------------------------------------------
+      # POSTGRESQL DEFAULT CONFIGURATION
+      #------------------------------------------------------------------------------
+
+      # Below is PostgreSQL default configuration.
+      # You should apply your own customization in the CUSTOMIZED OPTIONS section below
+      # to avoid merge conflict in the future.
+
+      listen_addresses = '*'
+      max_connections = 100
+      shared_buffers = 128MB
+      dynamic_shared_memory_type = posix
+      max_wal_size = 1GB
+      min_wal_size = 80MB
+      log_timezone = 'UTC'
+      datestyle = 'iso, mdy'
+      timezone = 'UTC'
+      lc_messages = 'en_US.utf8'
+      lc_monetary = 'en_US.utf8'
+      lc_numeric = 'en_US.utf8'
+      lc_time = 'en_US.utf8'
+      default_text_search_config = 'pg_catalog.english'
+
+
+      #------------------------------------------------------------------------------
+      # SOURCEGRAPH RECOMMENDED OPTIONS
+      #------------------------------------------------------------------------------
+
+      # Below is Sourcegraph recommended Postgres configuration based on the default resource configuration.
+      # You should apply your own customization in the CUSTOMIZED OPTIONS section below
+      # to avoid merge conflict in the future.
+
+      shared_buffers = 1GB
+      work_mem = 5MB
+      maintenance_work_mem = 250MB
+      temp_file_limit = 20GB
+      bgwriter_delay = 50ms
+      bgwriter_lru_maxpages = 200
+      effective_io_concurrency = 200
+      max_worker_processes = 4
+      max_parallel_maintenance_workers = 4
+      max_parallel_workers_per_gather = 2
+      max_parallel_workers = 4
+      wal_buffers = 16MB
+      max_wal_size = 8GB
+      min_wal_size = 2GB
+      random_page_cost = 1.1
+      effective_cache_size = 3GB
+
+
+      #------------------------------------------------------------------------------
+      # CUSTOMIZED OPTIONS
+      #------------------------------------------------------------------------------
+
+      # Add your customization by using 'codeIntelDB.additionalConfig' in your override file.
+      # Learn more: https://docs.sourcegraph.com/admin/config/postgres-conf
+  immutable: false
+  kind: ConfigMap
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: 08a9f89fce0d5a0784d40c635aac4b63182af3bcf52068f2e8bc5941aa9706df
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    labels:
+      deploy: sourcegraph
+    name: codeintel-db-conf
+    namespace: NORMALIZED_FOR_TESTING
+    ownerReferences:
+    - apiVersion: v1
+      blockOwnerDeletion: true
+      controller: true
+      kind: ConfigMap
+      name: sg
+      uid: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+- apiVersion: v1
+  data:
+    spec: |
+      spec:
+        requestedVersion: "5.3.9104"
+
+        blobstore:
+          disabled: true
+
+        codeInsights:
+          disabled: true
+
+        codeIntel: {}
+
+        frontend:
+          disabled: true
+
+        gitServer:
+          disabled: true
+
+        indexedSearch:
+          disabled: true
+
+        indexedSearchIndexer:
+          disabled: true
+
+        pgsql:
+          disabled: true
+
+        postgresExporter:
+          disabled: true
+
+        preciseCodeIntel:
+          disabled: true
+
+        redisCache:
+          disabled: true
+
+        redisExporter:
+          disabled: true
+
+        redisStore:
+          disabled: true
+
+        repoUpdater:
+          disabled: true
+
+        searcher:
+          disabled: true
+
+        symbols:
+          disabled: true
+
+        syntectServer:
+          disabled: true
+
+        worker:
+          disabled: true
+  kind: ConfigMap
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/currentVersion: 5.3.9104
+      appliance.sourcegraph.com/managed: "true"
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    name: sg
+    namespace: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+- apiVersion: v1
+  kind: PersistentVolumeClaim
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: 08a9f89fce0d5a0784d40c635aac4b63182af3bcf52068f2e8bc5941aa9706df
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    finalizers:
+    - kubernetes.io/pvc-protection
+    labels:
+      deploy: sourcegraph
+    name: codeintel-db
+    namespace: NORMALIZED_FOR_TESTING
+    ownerReferences:
+    - apiVersion: v1
+      blockOwnerDeletion: true
+      controller: true
+      kind: ConfigMap
+      name: sg
+      uid: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+  spec:
+    accessModes:
+    - ReadWriteOnce
+    resources:
+      requests:
+        storage: 200Gi
+    volumeMode: Filesystem
+  status:
+    phase: Pending
+- apiVersion: v1
+  data:
+    database: c2c=
+    host: Y29kZWludGVsLWRi
+    password: cGFzc3dvcmQ=
+    port: NTQzMg==
+    user: c2c=
+  kind: Secret
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: 08a9f89fce0d5a0784d40c635aac4b63182af3bcf52068f2e8bc5941aa9706df
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    labels:
+      app.kubernetes.io/component: codeintel-db-auth
+      app.kubernetes.io/name: sourcegraph
+      app.kubernetes.io/version: 5.3.9104
+      deploy: sourcegraph
+    name: codeintel-db-auth
+    namespace: NORMALIZED_FOR_TESTING
+    ownerReferences:
+    - apiVersion: v1
+      blockOwnerDeletion: true
+      controller: true
+      kind: ConfigMap
+      name: sg
+      uid: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+  type: Opaque
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: 08a9f89fce0d5a0784d40c635aac4b63182af3bcf52068f2e8bc5941aa9706df
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    labels:
+      deploy: sourcegraph
+    name: codeintel
+    namespace: NORMALIZED_FOR_TESTING
+    ownerReferences:
+    - apiVersion: v1
+      blockOwnerDeletion: true
+      controller: true
+      kind: ConfigMap
+      name: sg
+      uid: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: 08a9f89fce0d5a0784d40c635aac4b63182af3bcf52068f2e8bc5941aa9706df
+      prometheus.io/port: "9187"
+      sourcegraph.prometheus/scrape: "true"
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    labels:
+      app: codeintel-db
+      app.kubernetes.io/component: codeintel-db
+      deploy: sourcegraph
+    name: codeintel-db
+    namespace: NORMALIZED_FOR_TESTING
+    ownerReferences:
+    - apiVersion: v1
+      blockOwnerDeletion: true
+      controller: true
+      kind: ConfigMap
+      name: sg
+      uid: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+  spec:
+    clusterIP: NORMALIZED_FOR_TESTING
+    clusterIPs:
+    - NORMALIZED_FOR_TESTING
+    internalTrafficPolicy: Cluster
+    ipFamilies:
+    - IPv4
+    ipFamilyPolicy: SingleStack
+    ports:
+    - name: pgsql
+      port: 5432
+      protocol: TCP
+      targetPort: pgsql
+    selector:
+      app: codeintel-db
+    sessionAffinity: None
+    type: ClusterIP
+  status:
+    loadBalancer: {}
--- a/internal/appliance/reconciler/testdata/sg/codeintel/default.yaml
+++ b/internal/appliance/reconciler/testdata/sg/codeintel/default.yaml
@ -0,0 +1,55 @@
+spec:
+  requestedVersion: "5.3.9104"
+
+  blobstore:
+    disabled: true
+
+  codeInsights:
+    disabled: true
+
+  codeIntel: {}
+
+  frontend:
+    disabled: true
+
+  gitServer:
+    disabled: true
+
+  indexedSearch:
+    disabled: true
+
+  indexedSearchIndexer:
+    disabled: true
+
+  pgsql:
+    disabled: true
+
+  postgresExporter:
+    disabled: true
+
+  preciseCodeIntel:
+    disabled: true
+
+  redisCache:
+    disabled: true
+
+  redisExporter:
+    disabled: true
+
+  redisStore:
+    disabled: true
+
+  repoUpdater:
+    disabled: true
+
+  searcher:
+    disabled: true
+
+  symbols:
+    disabled: true
+
+  syntectServer:
+    disabled: true
+
+  worker:
+    disabled: true
--- a/internal/k8s/resource/container/container.go
+++ b/internal/k8s/resource/container/container.go
@ -144,10 +144,6 @@ func EnvVarsPostgresExporter(secretName string) []corev1.EnvVar {
 			Name:  "DATA_SOURCE_URI",
 			Value: "127.0.0.1:$(DATA_SOURCE_PORT)/$(DATA_SOURCE_DB)?sslmode=disable",
 		},
-		{
-			Name:  "PG_EXPORTER_EXTEND_QUERY_PATH",
-			Value: "/config/queries.yaml",
-		},
 	}
 }