feat(appliance): deploy frontend (#63158)

client/web/src/jscontext.ts

@@ -5,7 +5,14 @@ import type { BatchChangesLicenseInfo } from '@sourcegraph/shared/src/testing/ba
 
 import type { TemporarySettingsResult } from './graphql-operations'
 
-export type DeployType = 'kubernetes' | 'docker-container' | 'docker-compose' | 'pure-docker' | 'dev' | 'helm'
+export type DeployType =
+    | 'kubernetes'
+    | 'docker-container'
+    | 'docker-compose'
+    | 'pure-docker'
+    | 'dev'
+    | 'helm'
+    | 'appliance'
 
 /**
  * Defined in cmd/frontend/internal/app/jscontext/jscontext.go JSContext struct

internal/appliance/config/defaults.go

@@ -143,6 +143,25 @@ func NewDefaultConfig() Sourcegraph {
 				},
 				Replicas: 1,
 			},
+			Frontend: FrontendSpec{
+				StandardConfig: StandardConfig{
+					PrometheusPort: pointers.Ptr(6060),
+				},
+				Replicas: 2,
+				Migrator: true,
+			},
+
+			// Grafana and Jaeger are opt-in
+			Grafana: GrafanaSpec{
+				StandardConfig: StandardConfig{
+					Disabled: true,
+				},
+			},
+			Jaeger: JaegerSpec{
+				StandardConfig: StandardConfig{
+					Disabled: true,
+				},
+			},
 		},
 	}
 }

internal/appliance/config/spec.go

@@ -42,10 +42,9 @@ type CodeDBSpec struct {
 }
 
 type IngressSpec struct {
-	Disabled         bool              `json:"enabled,omitempty"`
 	Annotations      map[string]string `json:"annotations,omitempty"`
 	Host             string            `json:"host,omitempty"`
-	IngressClassName string            `json:"ingressClassName,omitempty"`
+	IngressClassName *string           `json:"ingressClassName,omitempty"`
 	TLSSecret        string            `json:"tlsSecret,omitempty"`
 }
 
@@ -53,20 +52,17 @@ type EmbeddingsSpec struct {
 	StandardConfig
 }
 
-// FrontendSpec defines the desired state of Frontend.
 type FrontendSpec struct {
+	StandardConfig
+
+	Migrator bool `json:"migrator,omitempty"`
+
 	// Replicas defines the number of Frontend pod replicas.
 	// Default: 2
 	Replicas int32 `json:"replicas,omitempty"`
 
 	// Ingress allows for changes to the custom Sourcegraph ingress.
 	Ingress *IngressSpec `json:"ingress,omitempty"`
-
-	// ExistingSecret is the name of an existing secret to use for Postgres credentials.
-	ExistingSecret string `json:"existingSecret,omitempty"`
-
-	// Resources allows for custom resource limits and requests.
-	Resources *corev1.ResourceList `json:"resources,omitempty"`
 }
 
 // GitServerSpec defines the desired state of GitServer.
@@ -82,6 +78,10 @@ type GitServerSpec struct {
 	SSHSecret string `json:"sshSecret,omitempty"`
 }
 
+type GrafanaSpec struct {
+	StandardConfig
+}
+
 // IndexedSearchSpec defines the desired state of Index Search.
 type IndexedSearchSpec struct {
 	// Replicas defines the number of Index Search pod replicas.
@@ -98,6 +98,10 @@ type IndexedSearchIndexerSpec struct {
 	Resources *corev1.ResourceList `json:"resources,omitempty"`
 }
 
+type JaegerSpec struct {
+	StandardConfig
+}
+
 // PGSQLSpec defines the desired state of the Postgres server.
 type PGSQLSpec struct {
 	StandardConfig
@@ -231,12 +235,16 @@ type SourcegraphSpec struct {
 	// GitServer defines the desired state of the GitServer service.
 	GitServer GitServerSpec `json:"gitServer,omitempty"`
 
+	Grafana GrafanaSpec `json:"grafana,omitempty"`
+
 	// IndexedSearch defines the desired state of the Indexed Search service.
 	IndexedSearch IndexedSearchSpec `json:"indexedSearch,omitempty"`
 
 	// IndexedSearchIndexer defines the desired state of the Indexed Search Indexer service.
 	IndexedSearchIndexer IndexedSearchIndexerSpec `json:"indexedSearchIndexer,omitempty"`
 
+	Jaeger JaegerSpec `json:"jaeger,omitempty"`
+
 	// PGSQL defines the desired state of the PostgreSQL database.
 	PGSQL PGSQLSpec `json:"pgsql,omitempty"`
 

internal/appliance/reconciler/BUILD.bazel

@@ -8,6 +8,7 @@ go_library(
         "cadvisor.go",
         "codeinsights.go",
         "codeintel.go",
+        "frontend.go",
         "gitserver.go",
         "kubernetes.go",
         "pgsql.go",
@@ -29,6 +30,7 @@ go_library(
         "//internal/k8s/resource/container",
         "//internal/k8s/resource/daemonset",
         "//internal/k8s/resource/deployment",
+        "//internal/k8s/resource/ingress",
         "//internal/k8s/resource/pod",
         "//internal/k8s/resource/pvc",
         "//internal/k8s/resource/role",
@@ -41,6 +43,7 @@ go_library(
         "//lib/pointers",
         "@io_k8s_api//apps/v1:apps",
         "@io_k8s_api//core/v1:core",
+        "@io_k8s_api//networking/v1:networking",
         "@io_k8s_api//rbac/v1:rbac",
         "@io_k8s_apimachinery//pkg/api/errors",
         "@io_k8s_apimachinery//pkg/api/resource",
@@ -69,6 +72,7 @@ go_test(
         "cadvisor_test.go",
         "codeinsights_test.go",
         "codeintel_test.go",
+        "frontend_test.go",
         "gitserver_test.go",
         "golden_test.go",
         "helpers_test.go",

internal/appliance/reconciler/frontend.go

@@ -0,0 +1,304 @@
+package reconciler
+
+import (
+	"context"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	netv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/sourcegraph/sourcegraph/internal/appliance/config"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/container"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/deployment"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/ingress"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/pod"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/role"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/rolebinding"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/service"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/serviceaccount"
+	"github.com/sourcegraph/sourcegraph/lib/errors"
+	"github.com/sourcegraph/sourcegraph/lib/pointers"
+)
+
+const (
+	pgsqlSecretName          = "pgsql-auth"
+	codeInsightsDBSecretName = "codeinsights-db-auth"
+	codeIntelDBSecretName    = "codeintel-db-auth"
+)
+
+func (r *Reconciler) reconcileFrontend(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	if err := r.reconcileFrontendDeployment(ctx, sg, owner); err != nil {
+		return errors.Wrap(err, "reconciling Deployment")
+	}
+	if err := r.reconcileFrontendService(ctx, sg, owner); err != nil {
+		return errors.Wrap(err, "reconciling Service")
+	}
+	if err := r.reconcileFrontendServiceInternal(ctx, sg, owner); err != nil {
+		return errors.Wrap(err, "reconciling Service (internal)")
+	}
+	if err := r.reconcileFrontendServiceAccount(ctx, sg, owner); err != nil {
+		return errors.Wrap(err, "reconciling ServiceAccount")
+	}
+	if err := r.reconcileFrontendRole(ctx, sg, owner); err != nil {
+		return errors.Wrap(err, "reconciling Role")
+	}
+	if err := r.reconcileFrontendRoleBinding(ctx, sg, owner); err != nil {
+		return errors.Wrap(err, "reconciling RoleBinding")
+	}
+	if err := r.reconcileFrontendIngress(ctx, sg, owner); err != nil {
+		return errors.Wrap(err, "reconciling Ingress")
+	}
+	return nil
+}
+
+func (r *Reconciler) reconcileFrontendDeployment(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	name := "frontend"
+	cfg := sg.Spec.Frontend
+
+	defaultImage := config.GetDefaultImage(sg, name)
+	ctr := container.NewContainer(name, cfg, config.ContainerConfig{
+		Image: defaultImage,
+		Resources: &corev1.ResourceRequirements{
+			Requests: corev1.ResourceList{
+				corev1.ResourceCPU:              resource.MustParse("2"),
+				corev1.ResourceMemory:           resource.MustParse("2G"),
+				corev1.ResourceEphemeralStorage: resource.MustParse("4Gi"),
+			},
+			Limits: corev1.ResourceList{
+				corev1.ResourceCPU:              resource.MustParse("2"),
+				corev1.ResourceMemory:           resource.MustParse("4G"),
+				corev1.ResourceEphemeralStorage: resource.MustParse("8Gi"),
+			},
+		},
+	})
+
+	ctr.Env = append(ctr.Env, frontendEnvVars(sg)...)
+	ctr.Env = append(ctr.Env, dbAuthVars()...)
+	ctr.Env = append(ctr.Env, container.EnvVarsRedis()...)
+	ctr.Env = append(ctr.Env, container.EnvVarsOtel()...)
+
+	ctr.Args = []string{"serve"}
+
+	ctr.Ports = []corev1.ContainerPort{
+		{Name: "http", ContainerPort: 3080},
+		{Name: "http-internal", ContainerPort: 3090},
+		{Name: "debug", ContainerPort: 6060},
+	}
+
+	ctr.LivenessProbe = &corev1.Probe{
+		ProbeHandler: corev1.ProbeHandler{
+			HTTPGet: &corev1.HTTPGetAction{
+				Path: "/healthz",
+				Port: intstr.FromString("debug"),
+			},
+		},
+		InitialDelaySeconds: 300,
+		TimeoutSeconds:      5,
+	}
+	ctr.ReadinessProbe = &corev1.Probe{
+		ProbeHandler: corev1.ProbeHandler{
+			HTTPGet: &corev1.HTTPGetAction{
+				Path: "/ready",
+				Port: intstr.FromString("debug"),
+			},
+		},
+		PeriodSeconds:  5,
+		TimeoutSeconds: 5,
+	}
+	ctr.VolumeMounts = []corev1.VolumeMount{
+		{Name: "home-dir", MountPath: "/home/sourcegraph"},
+	}
+
+	template := pod.NewPodTemplate("sourcegraph-frontend", cfg)
+	template.Template.Spec.Containers = []corev1.Container{ctr}
+	template.Template.Spec.Volumes = []corev1.Volume{pod.NewVolumeEmptyDir("home-dir")}
+	template.Template.Spec.ServiceAccountName = "sourcegraph-frontend"
+
+	if cfg.Migrator {
+		migratorImage := config.GetDefaultImage(sg, "migrator")
+		migratorCtr := container.NewContainer("migrator", cfg, config.ContainerConfig{
+			Image: migratorImage,
+			Resources: &corev1.ResourceRequirements{
+				Requests: corev1.ResourceList{
+					corev1.ResourceCPU:    resource.MustParse("100m"),
+					corev1.ResourceMemory: resource.MustParse("50M"),
+				},
+				Limits: corev1.ResourceList{
+					corev1.ResourceCPU:    resource.MustParse("500m"),
+					corev1.ResourceMemory: resource.MustParse("100M"),
+				},
+			},
+		})
+		migratorCtr.Args = []string{"up"}
+		migratorCtr.Env = append(migratorCtr.Env, frontendEnvVars(sg)...)
+		migratorCtr.Env = append(migratorCtr.Env, dbAuthVars()...)
+		template.Template.Spec.InitContainers = []corev1.Container{migratorCtr}
+	}
+
+	dep := deployment.NewDeployment("sourcegraph-frontend", sg.Namespace, sg.Spec.RequestedVersion)
+	dep.Spec.Replicas = &cfg.Replicas
+	dep.Spec.Strategy.RollingUpdate = &appsv1.RollingUpdateDeployment{
+		MaxSurge:       pointers.Ptr(intstr.FromInt(2)),
+		MaxUnavailable: pointers.Ptr(intstr.FromInt(0)),
+	}
+	dep.Spec.Template = template.Template
+
+	return reconcileObject(ctx, r, cfg, &dep, &appsv1.Deployment{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileFrontendService(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	name := "sourcegraph-frontend"
+	cfg := sg.Spec.Frontend
+
+	svc := service.NewService(name, sg.Namespace, cfg)
+	svc.Spec.Ports = []corev1.ServicePort{
+		{Name: "http", Port: 30080, TargetPort: intstr.FromString("http")},
+	}
+	svc.Spec.Selector = map[string]string{
+		"app": name,
+	}
+
+	return reconcileObject(ctx, r, cfg, &svc, &corev1.Service{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileFrontendServiceInternal(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	cfg := sg.Spec.Frontend
+
+	svc := service.NewService("sourcegraph-frontend-internal", sg.Namespace, nil)
+	svc.Spec.Ports = []corev1.ServicePort{
+		{Name: "http-internal", Port: 80, TargetPort: intstr.FromString("http-internal")},
+	}
+	svc.Spec.Selector = map[string]string{
+		"app": "sourcegraph-frontend",
+	}
+
+	return reconcileObject(ctx, r, cfg, &svc, &corev1.Service{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileFrontendRole(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	name := "sourcegraph-frontend"
+	cfg := sg.Spec.Frontend
+
+	role := role.NewRole(name, sg.Namespace)
+
+	readVerbs := []string{"get", "list", "watch"}
+	role.Rules = []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{""},
+			Resources: []string{"endpoints", "services"},
+			Verbs:     readVerbs,
+		},
+		{
+			APIGroups: []string{"apps"},
+			Resources: []string{"statefulsets"},
+			Verbs:     readVerbs,
+		},
+	}
+
+	return reconcileObject(ctx, r, cfg, &role, &rbacv1.Role{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileFrontendServiceAccount(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	cfg := sg.Spec.Frontend
+	sa := serviceaccount.NewServiceAccount("sourcegraph-frontend", sg.Namespace, cfg)
+	return reconcileObject(ctx, r, cfg, &sa, &corev1.ServiceAccount{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileFrontendRoleBinding(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	name := "sourcegraph-frontend"
+	binding := rolebinding.NewRoleBinding(name, sg.Namespace)
+	binding.RoleRef = rbacv1.RoleRef{
+		Kind: "Role",
+		Name: name,
+	}
+	binding.Subjects = []rbacv1.Subject{
+		{
+			Kind:      "ServiceAccount",
+			Name:      name,
+			Namespace: sg.Namespace,
+		},
+	}
+	return reconcileObject(ctx, r, sg.Spec.Frontend, &binding, &rbacv1.RoleBinding{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileFrontendIngress(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	name := "sourcegraph-frontend"
+	cfg := sg.Spec.Frontend
+	ingress := ingress.NewIngress(name, sg.Namespace)
+	if cfg.Ingress == nil {
+		return r.ensureObjectDeleted(ctx, &ingress)
+	}
+
+	ingress.SetAnnotations(cfg.Ingress.Annotations)
+
+	if cfg.Ingress.TLSSecret != "" {
+		ingress.Spec.TLS = []netv1.IngressTLS{{
+			Hosts:      []string{cfg.Ingress.Host},
+			SecretName: cfg.Ingress.TLSSecret,
+		}}
+	}
+
+	ingress.Spec.Rules = []netv1.IngressRule{{
+		Host: cfg.Ingress.Host,
+		IngressRuleValue: netv1.IngressRuleValue{
+			HTTP: &netv1.HTTPIngressRuleValue{
+				Paths: []netv1.HTTPIngressPath{{
+					Path:     "/",
+					PathType: pointers.Ptr(netv1.PathTypePrefix),
+					Backend: netv1.IngressBackend{
+						Service: &netv1.IngressServiceBackend{
+							Name: name,
+							Port: netv1.ServiceBackendPort{
+								Number: 30080,
+							},
+						},
+					},
+				}},
+			},
+		},
+	}}
+
+	ingress.Spec.IngressClassName = cfg.Ingress.IngressClassName
+
+	return reconcileObject(ctx, r, sg.Spec.Frontend, &ingress, &netv1.Ingress{}, sg, owner)
+}
+
+func frontendEnvVars(sg *config.Sourcegraph) []corev1.EnvVar {
+	vars := []corev1.EnvVar{
+		{Name: "DEPLOY_TYPE", Value: "appliance"},
+	}
+	if !sg.Spec.Grafana.Disabled {
+		vars = append(vars, corev1.EnvVar{Name: "GRAFANA_SERVER_URL", Value: "http://grafana:30070"})
+	}
+	if !sg.Spec.Jaeger.Disabled {
+		vars = append(vars, corev1.EnvVar{Name: "JAEGER_SERVER_URL", Value: "http://jaeger-query:16686"})
+	}
+	if !sg.Spec.Prometheus.Disabled {
+		vars = append(vars, corev1.EnvVar{Name: "PROMETHEUS_URL", Value: "http://prometheus:30090"})
+	}
+	return vars
+}
+
+func dbAuthVars() []corev1.EnvVar {
+	return []corev1.EnvVar{
+		container.NewEnvVarSecretKeyRef("PGDATABASE", pgsqlSecretName, "database"),
+		container.NewEnvVarSecretKeyRef("PGHOST", pgsqlSecretName, "host"),
+		container.NewEnvVarSecretKeyRef("PGPASSWORD", pgsqlSecretName, "password"),
+		container.NewEnvVarSecretKeyRef("PGPORT", pgsqlSecretName, "port"),
+		container.NewEnvVarSecretKeyRef("PGUSER", pgsqlSecretName, "user"),
+		container.NewEnvVarSecretKeyRef("CODEINTEL_PGDATABASE", codeIntelDBSecretName, "database"),
+		container.NewEnvVarSecretKeyRef("CODEINTEL_PGHOST", codeIntelDBSecretName, "host"),
+		container.NewEnvVarSecretKeyRef("CODEINTEL_PGPASSWORD", codeIntelDBSecretName, "password"),
+		container.NewEnvVarSecretKeyRef("CODEINTEL_PGPORT", codeIntelDBSecretName, "port"),
+		container.NewEnvVarSecretKeyRef("CODEINTEL_PGUSER", codeIntelDBSecretName, "user"),
+		container.NewEnvVarSecretKeyRef("CODEINSIGHTS_PGDATABASE", codeInsightsDBSecretName, "database"),
+		container.NewEnvVarSecretKeyRef("CODEINSIGHTS_PGHOST", codeInsightsDBSecretName, "host"),
+		container.NewEnvVarSecretKeyRef("CODEINSIGHTS_PGPASSWORD", codeInsightsDBSecretName, "password"),
+		container.NewEnvVarSecretKeyRef("CODEINSIGHTS_PGPORT", codeInsightsDBSecretName, "port"),
+		container.NewEnvVarSecretKeyRef("CODEINSIGHTS_PGUSER", codeInsightsDBSecretName, "user"),
+	}
+}

internal/appliance/reconciler/frontend_test.go

@@ -0,0 +1,18 @@
+package reconciler
+
+func (suite *ApplianceTestSuite) TestDeployFrontend() {
+	for _, tc := range []struct {
+		name string
+	}{
+		{name: "frontend/default"},
+		{name: "frontend/with-blobstore"},
+		{name: "frontend/with-ingress"},
+		{name: "frontend/with-ingress-optional-fields"},
+		{name: "frontend/with-overrides"},
+	} {
+		suite.Run(tc.name, func() {
+			namespace := suite.createConfigMapAndAwaitReconciliation(tc.name)
+			suite.makeGoldenAssertions(namespace, tc.name)
+		})
+	}
+}

internal/appliance/reconciler/golden_test.go

@@ -211,6 +211,15 @@ func (suite *ApplianceTestSuite) gatherResources(namespace string) []client.Obje
 		objs = append(objs, &obj)
 	}
 
+	ingresses, err := suite.k8sClient.NetworkingV1().Ingresses(namespace).List(suite.ctx, metav1.ListOptions{})
+	suite.Require().NoError(err)
+	for _, obj := range ingresses.Items {
+		obj := obj
+		obj.SetGroupVersionKind(schema.GroupVersionKind{Group: "networking.k8s.io", Version: "v1", Kind: "Ingress"})
+		normalizeObj(&obj)
+		objs = append(objs, &obj)
+	}
+
 	return objs
 }
 

internal/appliance/reconciler/reconcile.go

@@ -111,6 +111,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	if err := r.reconcileWorker(ctx, &sourcegraph, &applianceSpec); err != nil {
 		return ctrl.Result{}, errors.Newf("failed to reconcile worker: %w", err)
 	}
+	if err := r.reconcileFrontend(ctx, &sourcegraph, &applianceSpec); err != nil {
+		return ctrl.Result{}, errors.Newf("failed to reconcile frontend: %w", err)
+	}
 
 	// Set the current version annotation in case migration logic depends on it.
 	applianceSpec.Annotations[config.AnnotationKeyCurrentVersion] = sourcegraph.Spec.RequestedVersion

internal/appliance/reconciler/testdata/golden-fixtures/frontend/default.yaml

@@ -0,0 +1,545 @@
+resources:
+  - apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      generation: 1
+      labels:
+        app.kubernetes.io/component: sourcegraph-frontend
+        app.kubernetes.io/name: sourcegraph
+        app.kubernetes.io/version: 5.3.9104
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      minReadySeconds: 10
+      progressDeadlineSeconds: 600
+      replicas: 2
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app: sourcegraph-frontend
+      strategy:
+        rollingUpdate:
+          maxSurge: 2
+          maxUnavailable: 0
+        type: RollingUpdate
+      template:
+        metadata:
+          annotations:
+            kubectl.kubernetes.io/default-container: sourcegraph-frontend
+          creationTimestamp: null
+          labels:
+            app: sourcegraph-frontend
+            deploy: sourcegraph
+          name: sourcegraph-frontend
+        spec:
+          containers:
+            - args:
+                - serve
+              env:
+                - name: DEPLOY_TYPE
+                  value: appliance
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: pgsql-auth
+                - name: PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: pgsql-auth
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: pgsql-auth
+                - name: PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: pgsql-auth
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: pgsql-auth
+                - name: CODEINTEL_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeintel-db-auth
+                - name: CODEINSIGHTS_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeinsights-db-auth
+                - name: REDIS_CACHE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-cache
+                - name: REDIS_STORE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-store
+                - name: OTEL_AGENT_HOST
+                  valueFrom:
+                    fieldRef:
+                      apiVersion: v1
+                      fieldPath: status.hostIP
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://$(OTEL_AGENT_HOST):4317
+              image: index.docker.io/sourcegraph/frontend:5.3.9104
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /healthz
+                  port: debug
+                  scheme: HTTP
+                initialDelaySeconds: 300
+                periodSeconds: 10
+                successThreshold: 1
+                timeoutSeconds: 5
+              name: frontend
+              ports:
+                - containerPort: 3080
+                  name: http
+                  protocol: TCP
+                - containerPort: 3090
+                  name: http-internal
+                  protocol: TCP
+                - containerPort: 6060
+                  name: debug
+                  protocol: TCP
+              readinessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /ready
+                  port: debug
+                  scheme: HTTP
+                periodSeconds: 5
+                successThreshold: 1
+                timeoutSeconds: 5
+              resources:
+                limits:
+                  cpu: "2"
+                  ephemeral-storage: 8Gi
+                  memory: 4G
+                requests:
+                  cpu: "2"
+                  ephemeral-storage: 4Gi
+                  memory: 2G
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+              volumeMounts:
+                - mountPath: /home/sourcegraph
+                  name: home-dir
+          dnsPolicy: ClusterFirst
+          initContainers:
+            - args:
+                - up
+              env:
+                - name: DEPLOY_TYPE
+                  value: appliance
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: pgsql-auth
+                - name: PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: pgsql-auth
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: pgsql-auth
+                - name: PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: pgsql-auth
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: pgsql-auth
+                - name: CODEINTEL_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeintel-db-auth
+                - name: CODEINSIGHTS_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeinsights-db-auth
+              image: index.docker.io/sourcegraph/migrator:5.3.9104
+              imagePullPolicy: IfNotPresent
+              name: migrator
+              resources:
+                limits:
+                  cpu: 500m
+                  memory: 100M
+                requests:
+                  cpu: 100m
+                  memory: 50M
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+          restartPolicy: Always
+          schedulerName: default-scheduler
+          securityContext:
+            fsGroup: 101
+            fsGroupChangePolicy: OnRootMismatch
+            runAsGroup: 101
+            runAsUser: 100
+          serviceAccount: sourcegraph-frontend
+          serviceAccountName: sourcegraph-frontend
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - emptyDir: {}
+              name: home-dir
+    status: {}
+  - apiVersion: v1
+    data:
+      spec: |
+        spec:
+          requestedVersion: "5.3.9104"
+
+          blobstore:
+            disabled: true
+
+          codeInsights:
+            disabled: true
+
+          codeIntel:
+            disabled: true
+
+          frontend: {}
+
+          gitServer:
+            disabled: true
+
+          indexedSearch:
+            disabled: true
+
+          indexedSearchIndexer:
+            disabled: true
+
+          pgsql:
+            disabled: true
+
+          postgresExporter:
+            disabled: true
+
+          preciseCodeIntel:
+            disabled: true
+
+          redisCache:
+            disabled: true
+
+          redisStore:
+            disabled: true
+
+          repoUpdater:
+            disabled: true
+
+          searcher:
+            disabled: true
+
+          symbols:
+            disabled: true
+
+          syntectServer:
+            disabled: true
+
+          worker:
+            disabled: true
+
+          prometheus:
+            disabled: true
+
+          embeddings:
+            disabled: true
+    kind: ConfigMap
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/currentVersion: 5.3.9104
+        appliance.sourcegraph.com/managed: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      name: sg
+      namespace: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - endpoints
+          - services
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - apps
+        resources:
+          - statefulsets
+        verbs:
+          - get
+          - list
+          - watch
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: sourcegraph-frontend
+    subjects:
+      - kind: ServiceAccount
+        name: sourcegraph-frontend
+        namespace: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+        prometheus.io/port: "6060"
+        sourcegraph.prometheus/scrape: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend
+        app.kubernetes.io/component: sourcegraph-frontend
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http
+          port: 30080
+          protocol: TCP
+          targetPort: http
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend-internal
+        app.kubernetes.io/component: sourcegraph-frontend-internal
+        deploy: sourcegraph
+      name: sourcegraph-frontend-internal
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http-internal
+          port: 80
+          protocol: TCP
+          targetPort: http-internal
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}

internal/appliance/reconciler/testdata/golden-fixtures/frontend/with-blobstore.yaml

@@ -0,0 +1,703 @@
+resources:
+  - apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 2b72058f008a684f7fa052f8ad33d0226af4cfb7973242c9103d6d1900da355e
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      generation: 1
+      labels:
+        app.kubernetes.io/component: blobstore
+        app.kubernetes.io/name: sourcegraph
+        app.kubernetes.io/version: 5.3.9104
+        deploy: sourcegraph
+      name: blobstore
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      minReadySeconds: 10
+      progressDeadlineSeconds: 600
+      replicas: 1
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app: blobstore
+      strategy:
+        rollingUpdate:
+          maxSurge: 25%
+          maxUnavailable: 25%
+        type: RollingUpdate
+      template:
+        metadata:
+          annotations:
+            kubectl.kubernetes.io/default-container: blobstore
+          creationTimestamp: null
+          labels:
+            app: blobstore
+            deploy: sourcegraph
+          name: blobstore
+        spec:
+          containers:
+            - image: index.docker.io/sourcegraph/blobstore:5.3.9104
+              imagePullPolicy: IfNotPresent
+              name: blobstore
+              ports:
+                - containerPort: 9000
+                  name: blobstore
+                  protocol: TCP
+              resources:
+                limits:
+                  cpu: "1"
+                  memory: 500M
+                requests:
+                  cpu: "1"
+                  memory: 500M
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+              volumeMounts:
+                - mountPath: /blobstore
+                  name: blobstore
+                - mountPath: /data
+                  name: blobstore-data
+          dnsPolicy: ClusterFirst
+          restartPolicy: Always
+          schedulerName: default-scheduler
+          securityContext:
+            fsGroup: 101
+            fsGroupChangePolicy: OnRootMismatch
+            runAsGroup: 101
+            runAsUser: 100
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - emptyDir: {}
+              name: blobstore
+            - name: blobstore-data
+              persistentVolumeClaim:
+                claimName: blobstore
+    status: {}
+  - apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      generation: 1
+      labels:
+        app.kubernetes.io/component: sourcegraph-frontend
+        app.kubernetes.io/name: sourcegraph
+        app.kubernetes.io/version: 5.3.9104
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      minReadySeconds: 10
+      progressDeadlineSeconds: 600
+      replicas: 2
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app: sourcegraph-frontend
+      strategy:
+        rollingUpdate:
+          maxSurge: 2
+          maxUnavailable: 0
+        type: RollingUpdate
+      template:
+        metadata:
+          annotations:
+            kubectl.kubernetes.io/default-container: sourcegraph-frontend
+          creationTimestamp: null
+          labels:
+            app: sourcegraph-frontend
+            deploy: sourcegraph
+          name: sourcegraph-frontend
+        spec:
+          containers:
+            - args:
+                - serve
+              env:
+                - name: DEPLOY_TYPE
+                  value: appliance
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: pgsql-auth
+                - name: PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: pgsql-auth
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: pgsql-auth
+                - name: PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: pgsql-auth
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: pgsql-auth
+                - name: CODEINTEL_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeintel-db-auth
+                - name: CODEINSIGHTS_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeinsights-db-auth
+                - name: REDIS_CACHE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-cache
+                - name: REDIS_STORE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-store
+                - name: OTEL_AGENT_HOST
+                  valueFrom:
+                    fieldRef:
+                      apiVersion: v1
+                      fieldPath: status.hostIP
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://$(OTEL_AGENT_HOST):4317
+              image: index.docker.io/sourcegraph/frontend:5.3.9104
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /healthz
+                  port: debug
+                  scheme: HTTP
+                initialDelaySeconds: 300
+                periodSeconds: 10
+                successThreshold: 1
+                timeoutSeconds: 5
+              name: frontend
+              ports:
+                - containerPort: 3080
+                  name: http
+                  protocol: TCP
+                - containerPort: 3090
+                  name: http-internal
+                  protocol: TCP
+                - containerPort: 6060
+                  name: debug
+                  protocol: TCP
+              readinessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /ready
+                  port: debug
+                  scheme: HTTP
+                periodSeconds: 5
+                successThreshold: 1
+                timeoutSeconds: 5
+              resources:
+                limits:
+                  cpu: "2"
+                  ephemeral-storage: 8Gi
+                  memory: 4G
+                requests:
+                  cpu: "2"
+                  ephemeral-storage: 4Gi
+                  memory: 2G
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+              volumeMounts:
+                - mountPath: /home/sourcegraph
+                  name: home-dir
+          dnsPolicy: ClusterFirst
+          initContainers:
+            - args:
+                - up
+              env:
+                - name: DEPLOY_TYPE
+                  value: appliance
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: pgsql-auth
+                - name: PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: pgsql-auth
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: pgsql-auth
+                - name: PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: pgsql-auth
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: pgsql-auth
+                - name: CODEINTEL_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeintel-db-auth
+                - name: CODEINSIGHTS_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeinsights-db-auth
+              image: index.docker.io/sourcegraph/migrator:5.3.9104
+              imagePullPolicy: IfNotPresent
+              name: migrator
+              resources:
+                limits:
+                  cpu: 500m
+                  memory: 100M
+                requests:
+                  cpu: 100m
+                  memory: 50M
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+          restartPolicy: Always
+          schedulerName: default-scheduler
+          securityContext:
+            fsGroup: 101
+            fsGroupChangePolicy: OnRootMismatch
+            runAsGroup: 101
+            runAsUser: 100
+          serviceAccount: sourcegraph-frontend
+          serviceAccountName: sourcegraph-frontend
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - emptyDir: {}
+              name: home-dir
+    status: {}
+  - apiVersion: v1
+    data:
+      spec: |
+        spec:
+          requestedVersion: "5.3.9104"
+
+          blobstore: {}
+
+          codeInsights:
+            disabled: true
+
+          codeIntel:
+            disabled: true
+
+          frontend: {}
+
+          gitServer:
+            disabled: true
+
+          indexedSearch:
+            disabled: true
+
+          indexedSearchIndexer:
+            disabled: true
+
+          pgsql:
+            disabled: true
+
+          postgresExporter:
+            disabled: true
+
+          preciseCodeIntel:
+            disabled: true
+
+          redisCache:
+            disabled: true
+
+          redisStore:
+            disabled: true
+
+          repoUpdater:
+            disabled: true
+
+          searcher:
+            disabled: true
+
+          symbols:
+            disabled: true
+
+          syntectServer:
+            disabled: true
+
+          worker:
+            disabled: true
+
+          prometheus:
+            disabled: true
+
+          embeddings:
+            disabled: true
+    kind: ConfigMap
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/currentVersion: 5.3.9104
+        appliance.sourcegraph.com/managed: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      name: sg
+      namespace: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 2b72058f008a684f7fa052f8ad33d0226af4cfb7973242c9103d6d1900da355e
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      finalizers:
+        - kubernetes.io/pvc-protection
+      labels:
+        deploy: sourcegraph
+      name: blobstore
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: 100Gi
+      volumeMode: Filesystem
+    status:
+      phase: Pending
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - endpoints
+          - services
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - apps
+        resources:
+          - statefulsets
+        verbs:
+          - get
+          - list
+          - watch
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: sourcegraph-frontend
+    subjects:
+      - kind: ServiceAccount
+        name: sourcegraph-frontend
+        namespace: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 2b72058f008a684f7fa052f8ad33d0226af4cfb7973242c9103d6d1900da355e
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: blobstore
+        app.kubernetes.io/component: blobstore
+        deploy: sourcegraph
+      name: blobstore
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: blobstore
+          port: 9000
+          protocol: TCP
+          targetPort: blobstore
+      selector:
+        app: blobstore
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+        prometheus.io/port: "6060"
+        sourcegraph.prometheus/scrape: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend
+        app.kubernetes.io/component: sourcegraph-frontend
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http
+          port: 30080
+          protocol: TCP
+          targetPort: http
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: b5dce290e22d1afb4c9102ac4c245490ab01dd3be13653de391536cfe0e323b0
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend-internal
+        app.kubernetes.io/component: sourcegraph-frontend-internal
+        deploy: sourcegraph
+      name: sourcegraph-frontend-internal
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http-internal
+          port: 80
+          protocol: TCP
+          targetPort: http-internal
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}

internal/appliance/reconciler/testdata/golden-fixtures/frontend/with-ingress-optional-fields.yaml

@@ -0,0 +1,591 @@
+resources:
+  - apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 7caff941f7756c1a8aa77fb1604c7c1d191868889bbe1ca514eac63a4c1aafc8
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      generation: 1
+      labels:
+        app.kubernetes.io/component: sourcegraph-frontend
+        app.kubernetes.io/name: sourcegraph
+        app.kubernetes.io/version: 5.3.9104
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      minReadySeconds: 10
+      progressDeadlineSeconds: 600
+      replicas: 2
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app: sourcegraph-frontend
+      strategy:
+        rollingUpdate:
+          maxSurge: 2
+          maxUnavailable: 0
+        type: RollingUpdate
+      template:
+        metadata:
+          annotations:
+            kubectl.kubernetes.io/default-container: sourcegraph-frontend
+          creationTimestamp: null
+          labels:
+            app: sourcegraph-frontend
+            deploy: sourcegraph
+          name: sourcegraph-frontend
+        spec:
+          containers:
+            - args:
+                - serve
+              env:
+                - name: DEPLOY_TYPE
+                  value: appliance
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: pgsql-auth
+                - name: PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: pgsql-auth
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: pgsql-auth
+                - name: PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: pgsql-auth
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: pgsql-auth
+                - name: CODEINTEL_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeintel-db-auth
+                - name: CODEINSIGHTS_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeinsights-db-auth
+                - name: REDIS_CACHE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-cache
+                - name: REDIS_STORE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-store
+                - name: OTEL_AGENT_HOST
+                  valueFrom:
+                    fieldRef:
+                      apiVersion: v1
+                      fieldPath: status.hostIP
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://$(OTEL_AGENT_HOST):4317
+              image: index.docker.io/sourcegraph/frontend:5.3.9104
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /healthz
+                  port: debug
+                  scheme: HTTP
+                initialDelaySeconds: 300
+                periodSeconds: 10
+                successThreshold: 1
+                timeoutSeconds: 5
+              name: frontend
+              ports:
+                - containerPort: 3080
+                  name: http
+                  protocol: TCP
+                - containerPort: 3090
+                  name: http-internal
+                  protocol: TCP
+                - containerPort: 6060
+                  name: debug
+                  protocol: TCP
+              readinessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /ready
+                  port: debug
+                  scheme: HTTP
+                periodSeconds: 5
+                successThreshold: 1
+                timeoutSeconds: 5
+              resources:
+                limits:
+                  cpu: "2"
+                  ephemeral-storage: 8Gi
+                  memory: 4G
+                requests:
+                  cpu: "2"
+                  ephemeral-storage: 4Gi
+                  memory: 2G
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+              volumeMounts:
+                - mountPath: /home/sourcegraph
+                  name: home-dir
+          dnsPolicy: ClusterFirst
+          initContainers:
+            - args:
+                - up
+              env:
+                - name: DEPLOY_TYPE
+                  value: appliance
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: pgsql-auth
+                - name: PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: pgsql-auth
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: pgsql-auth
+                - name: PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: pgsql-auth
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: pgsql-auth
+                - name: CODEINTEL_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeintel-db-auth
+                - name: CODEINSIGHTS_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeinsights-db-auth
+              image: index.docker.io/sourcegraph/migrator:5.3.9104
+              imagePullPolicy: IfNotPresent
+              name: migrator
+              resources:
+                limits:
+                  cpu: 500m
+                  memory: 100M
+                requests:
+                  cpu: 100m
+                  memory: 50M
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+          restartPolicy: Always
+          schedulerName: default-scheduler
+          securityContext:
+            fsGroup: 101
+            fsGroupChangePolicy: OnRootMismatch
+            runAsGroup: 101
+            runAsUser: 100
+          serviceAccount: sourcegraph-frontend
+          serviceAccountName: sourcegraph-frontend
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - emptyDir: {}
+              name: home-dir
+    status: {}
+  - apiVersion: v1
+    data:
+      spec: |
+        spec:
+          requestedVersion: "5.3.9104"
+
+          blobstore:
+            disabled: true
+
+          codeInsights:
+            disabled: true
+
+          codeIntel:
+            disabled: true
+
+          frontend:
+            ingress:
+              host: example.com
+              annotations:
+                foo: bar
+              ingressClassName: an-ingress-class
+              tlsSecret: ingress-tls-secret
+
+          gitServer:
+            disabled: true
+
+          indexedSearch:
+            disabled: true
+
+          indexedSearchIndexer:
+            disabled: true
+
+          pgsql:
+            disabled: true
+
+          postgresExporter:
+            disabled: true
+
+          preciseCodeIntel:
+            disabled: true
+
+          redisCache:
+            disabled: true
+
+          redisStore:
+            disabled: true
+
+          repoUpdater:
+            disabled: true
+
+          searcher:
+            disabled: true
+
+          symbols:
+            disabled: true
+
+          syntectServer:
+            disabled: true
+
+          worker:
+            disabled: true
+
+          prometheus:
+            disabled: true
+
+          embeddings:
+            disabled: true
+    kind: ConfigMap
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/currentVersion: 5.3.9104
+        appliance.sourcegraph.com/managed: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      name: sg
+      namespace: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 7caff941f7756c1a8aa77fb1604c7c1d191868889bbe1ca514eac63a4c1aafc8
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - endpoints
+          - services
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - apps
+        resources:
+          - statefulsets
+        verbs:
+          - get
+          - list
+          - watch
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 7caff941f7756c1a8aa77fb1604c7c1d191868889bbe1ca514eac63a4c1aafc8
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: sourcegraph-frontend
+    subjects:
+      - kind: ServiceAccount
+        name: sourcegraph-frontend
+        namespace: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 7caff941f7756c1a8aa77fb1604c7c1d191868889bbe1ca514eac63a4c1aafc8
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 7caff941f7756c1a8aa77fb1604c7c1d191868889bbe1ca514eac63a4c1aafc8
+        prometheus.io/port: "6060"
+        sourcegraph.prometheus/scrape: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend
+        app.kubernetes.io/component: sourcegraph-frontend
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http
+          port: 30080
+          protocol: TCP
+          targetPort: http
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 7caff941f7756c1a8aa77fb1604c7c1d191868889bbe1ca514eac63a4c1aafc8
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend-internal
+        app.kubernetes.io/component: sourcegraph-frontend-internal
+        deploy: sourcegraph
+      name: sourcegraph-frontend-internal
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http-internal
+          port: 80
+          protocol: TCP
+          targetPort: http-internal
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}
+  - apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: 7caff941f7756c1a8aa77fb1604c7c1d191868889bbe1ca514eac63a4c1aafc8
+        foo: bar
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      generation: 1
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      ingressClassName: an-ingress-class
+      rules:
+        - host: example.com
+          http:
+            paths:
+              - backend:
+                  service:
+                    name: sourcegraph-frontend
+                    port:
+                      number: 30080
+                path: /
+                pathType: Prefix
+      tls:
+        - hosts:
+            - example.com
+          secretName: ingress-tls-secret
+    status:
+      loadBalancer: {}

internal/appliance/reconciler/testdata/golden-fixtures/frontend/with-ingress.yaml

@@ -0,0 +1,579 @@
+resources:
+  - apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: d3eb623947fedba566dfc56adc4733ff5ef1b2887a5cb63d75dbc1df452b0b5c
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      generation: 1
+      labels:
+        app.kubernetes.io/component: sourcegraph-frontend
+        app.kubernetes.io/name: sourcegraph
+        app.kubernetes.io/version: 5.3.9104
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      minReadySeconds: 10
+      progressDeadlineSeconds: 600
+      replicas: 2
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app: sourcegraph-frontend
+      strategy:
+        rollingUpdate:
+          maxSurge: 2
+          maxUnavailable: 0
+        type: RollingUpdate
+      template:
+        metadata:
+          annotations:
+            kubectl.kubernetes.io/default-container: sourcegraph-frontend
+          creationTimestamp: null
+          labels:
+            app: sourcegraph-frontend
+            deploy: sourcegraph
+          name: sourcegraph-frontend
+        spec:
+          containers:
+            - args:
+                - serve
+              env:
+                - name: DEPLOY_TYPE
+                  value: appliance
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: pgsql-auth
+                - name: PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: pgsql-auth
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: pgsql-auth
+                - name: PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: pgsql-auth
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: pgsql-auth
+                - name: CODEINTEL_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeintel-db-auth
+                - name: CODEINSIGHTS_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeinsights-db-auth
+                - name: REDIS_CACHE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-cache
+                - name: REDIS_STORE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-store
+                - name: OTEL_AGENT_HOST
+                  valueFrom:
+                    fieldRef:
+                      apiVersion: v1
+                      fieldPath: status.hostIP
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://$(OTEL_AGENT_HOST):4317
+              image: index.docker.io/sourcegraph/frontend:5.3.9104
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /healthz
+                  port: debug
+                  scheme: HTTP
+                initialDelaySeconds: 300
+                periodSeconds: 10
+                successThreshold: 1
+                timeoutSeconds: 5
+              name: frontend
+              ports:
+                - containerPort: 3080
+                  name: http
+                  protocol: TCP
+                - containerPort: 3090
+                  name: http-internal
+                  protocol: TCP
+                - containerPort: 6060
+                  name: debug
+                  protocol: TCP
+              readinessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /ready
+                  port: debug
+                  scheme: HTTP
+                periodSeconds: 5
+                successThreshold: 1
+                timeoutSeconds: 5
+              resources:
+                limits:
+                  cpu: "2"
+                  ephemeral-storage: 8Gi
+                  memory: 4G
+                requests:
+                  cpu: "2"
+                  ephemeral-storage: 4Gi
+                  memory: 2G
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+              volumeMounts:
+                - mountPath: /home/sourcegraph
+                  name: home-dir
+          dnsPolicy: ClusterFirst
+          initContainers:
+            - args:
+                - up
+              env:
+                - name: DEPLOY_TYPE
+                  value: appliance
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: pgsql-auth
+                - name: PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: pgsql-auth
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: pgsql-auth
+                - name: PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: pgsql-auth
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: pgsql-auth
+                - name: CODEINTEL_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeintel-db-auth
+                - name: CODEINSIGHTS_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeinsights-db-auth
+              image: index.docker.io/sourcegraph/migrator:5.3.9104
+              imagePullPolicy: IfNotPresent
+              name: migrator
+              resources:
+                limits:
+                  cpu: 500m
+                  memory: 100M
+                requests:
+                  cpu: 100m
+                  memory: 50M
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+          restartPolicy: Always
+          schedulerName: default-scheduler
+          securityContext:
+            fsGroup: 101
+            fsGroupChangePolicy: OnRootMismatch
+            runAsGroup: 101
+            runAsUser: 100
+          serviceAccount: sourcegraph-frontend
+          serviceAccountName: sourcegraph-frontend
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - emptyDir: {}
+              name: home-dir
+    status: {}
+  - apiVersion: v1
+    data:
+      spec: |
+        spec:
+          requestedVersion: "5.3.9104"
+
+          blobstore:
+            disabled: true
+
+          codeInsights:
+            disabled: true
+
+          codeIntel:
+            disabled: true
+
+          frontend:
+            ingress: {}
+
+          gitServer:
+            disabled: true
+
+          indexedSearch:
+            disabled: true
+
+          indexedSearchIndexer:
+            disabled: true
+
+          pgsql:
+            disabled: true
+
+          postgresExporter:
+            disabled: true
+
+          preciseCodeIntel:
+            disabled: true
+
+          redisCache:
+            disabled: true
+
+          redisStore:
+            disabled: true
+
+          repoUpdater:
+            disabled: true
+
+          searcher:
+            disabled: true
+
+          symbols:
+            disabled: true
+
+          syntectServer:
+            disabled: true
+
+          worker:
+            disabled: true
+
+          prometheus:
+            disabled: true
+
+          embeddings:
+            disabled: true
+    kind: ConfigMap
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/currentVersion: 5.3.9104
+        appliance.sourcegraph.com/managed: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      name: sg
+      namespace: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: d3eb623947fedba566dfc56adc4733ff5ef1b2887a5cb63d75dbc1df452b0b5c
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - endpoints
+          - services
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - apps
+        resources:
+          - statefulsets
+        verbs:
+          - get
+          - list
+          - watch
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: d3eb623947fedba566dfc56adc4733ff5ef1b2887a5cb63d75dbc1df452b0b5c
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: sourcegraph-frontend
+    subjects:
+      - kind: ServiceAccount
+        name: sourcegraph-frontend
+        namespace: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: d3eb623947fedba566dfc56adc4733ff5ef1b2887a5cb63d75dbc1df452b0b5c
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: d3eb623947fedba566dfc56adc4733ff5ef1b2887a5cb63d75dbc1df452b0b5c
+        prometheus.io/port: "6060"
+        sourcegraph.prometheus/scrape: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend
+        app.kubernetes.io/component: sourcegraph-frontend
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http
+          port: 30080
+          protocol: TCP
+          targetPort: http
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: d3eb623947fedba566dfc56adc4733ff5ef1b2887a5cb63d75dbc1df452b0b5c
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend-internal
+        app.kubernetes.io/component: sourcegraph-frontend-internal
+        deploy: sourcegraph
+      name: sourcegraph-frontend-internal
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http-internal
+          port: 80
+          protocol: TCP
+          targetPort: http-internal
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}
+  - apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: d3eb623947fedba566dfc56adc4733ff5ef1b2887a5cb63d75dbc1df452b0b5c
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      generation: 1
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      rules:
+        - http:
+            paths:
+              - backend:
+                  service:
+                    name: sourcegraph-frontend
+                    port:
+                      number: 30080
+                path: /
+                pathType: Prefix
+    status:
+      loadBalancer: {}

internal/appliance/reconciler/testdata/golden-fixtures/frontend/with-overrides.yaml

@@ -0,0 +1,449 @@
+resources:
+  - apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: f6325ffd3262b0ff8bdb406ba80aabad2daea7ecc342353fabd7bbda7ea1f4a9
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      generation: 1
+      labels:
+        app.kubernetes.io/component: sourcegraph-frontend
+        app.kubernetes.io/name: sourcegraph
+        app.kubernetes.io/version: 5.3.9104
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      minReadySeconds: 10
+      progressDeadlineSeconds: 600
+      replicas: 9
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app: sourcegraph-frontend
+      strategy:
+        rollingUpdate:
+          maxSurge: 2
+          maxUnavailable: 0
+        type: RollingUpdate
+      template:
+        metadata:
+          annotations:
+            kubectl.kubernetes.io/default-container: sourcegraph-frontend
+          creationTimestamp: null
+          labels:
+            app: sourcegraph-frontend
+            deploy: sourcegraph
+          name: sourcegraph-frontend
+        spec:
+          containers:
+            - args:
+                - serve
+              env:
+                - name: DEPLOY_TYPE
+                  value: appliance
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: pgsql-auth
+                - name: PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: pgsql-auth
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: pgsql-auth
+                - name: PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: pgsql-auth
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: pgsql-auth
+                - name: CODEINTEL_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeintel-db-auth
+                - name: CODEINTEL_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeintel-db-auth
+                - name: CODEINSIGHTS_PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      key: database
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGHOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGPORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: codeinsights-db-auth
+                - name: CODEINSIGHTS_PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      key: user
+                      name: codeinsights-db-auth
+                - name: REDIS_CACHE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-cache
+                - name: REDIS_STORE_ENDPOINT
+                  valueFrom:
+                    secretKeyRef:
+                      key: endpoint
+                      name: redis-store
+                - name: OTEL_AGENT_HOST
+                  valueFrom:
+                    fieldRef:
+                      apiVersion: v1
+                      fieldPath: status.hostIP
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://$(OTEL_AGENT_HOST):4317
+              image: index.docker.io/sourcegraph/frontend:5.3.9104
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /healthz
+                  port: debug
+                  scheme: HTTP
+                initialDelaySeconds: 300
+                periodSeconds: 10
+                successThreshold: 1
+                timeoutSeconds: 5
+              name: frontend
+              ports:
+                - containerPort: 3080
+                  name: http
+                  protocol: TCP
+                - containerPort: 3090
+                  name: http-internal
+                  protocol: TCP
+                - containerPort: 6060
+                  name: debug
+                  protocol: TCP
+              readinessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /ready
+                  port: debug
+                  scheme: HTTP
+                periodSeconds: 5
+                successThreshold: 1
+                timeoutSeconds: 5
+              resources:
+                limits:
+                  cpu: "2"
+                  ephemeral-storage: 8Gi
+                  memory: 4G
+                requests:
+                  cpu: "2"
+                  ephemeral-storage: 4Gi
+                  memory: 2G
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsGroup: 101
+                runAsUser: 100
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: FallbackToLogsOnError
+              volumeMounts:
+                - mountPath: /home/sourcegraph
+                  name: home-dir
+          dnsPolicy: ClusterFirst
+          restartPolicy: Always
+          schedulerName: default-scheduler
+          securityContext:
+            fsGroup: 101
+            fsGroupChangePolicy: OnRootMismatch
+            runAsGroup: 101
+            runAsUser: 100
+          serviceAccount: sourcegraph-frontend
+          serviceAccountName: sourcegraph-frontend
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - emptyDir: {}
+              name: home-dir
+    status: {}
+  - apiVersion: v1
+    data:
+      spec: |
+        spec:
+          requestedVersion: "5.3.9104"
+
+          blobstore:
+            disabled: true
+
+          codeInsights:
+            disabled: true
+
+          codeIntel:
+            disabled: true
+
+          frontend:
+            replicas: 9
+            migrator: false
+
+          gitServer:
+            disabled: true
+
+          indexedSearch:
+            disabled: true
+
+          indexedSearchIndexer:
+            disabled: true
+
+          pgsql:
+            disabled: true
+
+          postgresExporter:
+            disabled: true
+
+          preciseCodeIntel:
+            disabled: true
+
+          redisCache:
+            disabled: true
+
+          redisStore:
+            disabled: true
+
+          repoUpdater:
+            disabled: true
+
+          searcher:
+            disabled: true
+
+          symbols:
+            disabled: true
+
+          syntectServer:
+            disabled: true
+
+          worker:
+            disabled: true
+
+          prometheus:
+            disabled: true
+
+          embeddings:
+            disabled: true
+    kind: ConfigMap
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/currentVersion: 5.3.9104
+        appliance.sourcegraph.com/managed: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      name: sg
+      namespace: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: f6325ffd3262b0ff8bdb406ba80aabad2daea7ecc342353fabd7bbda7ea1f4a9
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - endpoints
+          - services
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - apps
+        resources:
+          - statefulsets
+        verbs:
+          - get
+          - list
+          - watch
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: f6325ffd3262b0ff8bdb406ba80aabad2daea7ecc342353fabd7bbda7ea1f4a9
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: sourcegraph-frontend
+    subjects:
+      - kind: ServiceAccount
+        name: sourcegraph-frontend
+        namespace: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: f6325ffd3262b0ff8bdb406ba80aabad2daea7ecc342353fabd7bbda7ea1f4a9
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: f6325ffd3262b0ff8bdb406ba80aabad2daea7ecc342353fabd7bbda7ea1f4a9
+        prometheus.io/port: "6060"
+        sourcegraph.prometheus/scrape: "true"
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend
+        app.kubernetes.io/component: sourcegraph-frontend
+        deploy: sourcegraph
+      name: sourcegraph-frontend
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http
+          port: 30080
+          protocol: TCP
+          targetPort: http
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      annotations:
+        appliance.sourcegraph.com/configHash: f6325ffd3262b0ff8bdb406ba80aabad2daea7ecc342353fabd7bbda7ea1f4a9
+      creationTimestamp: "2024-04-19T00:00:00Z"
+      labels:
+        app: sourcegraph-frontend-internal
+        app.kubernetes.io/component: sourcegraph-frontend-internal
+        deploy: sourcegraph
+      name: sourcegraph-frontend-internal
+      namespace: NORMALIZED_FOR_TESTING
+      ownerReferences:
+        - apiVersion: v1
+          blockOwnerDeletion: true
+          controller: true
+          kind: ConfigMap
+          name: sg
+          uid: NORMALIZED_FOR_TESTING
+      resourceVersion: NORMALIZED_FOR_TESTING
+      uid: NORMALIZED_FOR_TESTING
+    spec:
+      clusterIP: NORMALIZED_FOR_TESTING
+      clusterIPs:
+        - NORMALIZED_FOR_TESTING
+      internalTrafficPolicy: Cluster
+      ipFamilies:
+        - IPv4
+      ipFamilyPolicy: SingleStack
+      ports:
+        - name: http-internal
+          port: 80
+          protocol: TCP
+          targetPort: http-internal
+      selector:
+        app: sourcegraph-frontend
+      sessionAffinity: None
+      type: ClusterIP
+    status:
+      loadBalancer: {}

internal/appliance/reconciler/testdata/sg/frontend/default.yaml

@@ -0,0 +1,58 @@
+spec:
+  requestedVersion: "5.3.9104"
+
+  blobstore:
+    disabled: true
+
+  codeInsights:
+    disabled: true
+
+  codeIntel:
+    disabled: true
+
+  frontend: {}
+
+  gitServer:
+    disabled: true
+
+  indexedSearch:
+    disabled: true
+
+  indexedSearchIndexer:
+    disabled: true
+
+  pgsql:
+    disabled: true
+
+  postgresExporter:
+    disabled: true
+
+  preciseCodeIntel:
+    disabled: true
+
+  redisCache:
+    disabled: true
+
+  redisStore:
+    disabled: true
+
+  repoUpdater:
+    disabled: true
+
+  searcher:
+    disabled: true
+
+  symbols:
+    disabled: true
+
+  syntectServer:
+    disabled: true
+
+  worker:
+    disabled: true
+
+  prometheus:
+    disabled: true
+
+  embeddings:
+    disabled: true

internal/appliance/reconciler/testdata/sg/frontend/with-blobstore.yaml

@@ -0,0 +1,57 @@
+spec:
+  requestedVersion: "5.3.9104"
+
+  blobstore: {}
+
+  codeInsights:
+    disabled: true
+
+  codeIntel:
+    disabled: true
+
+  frontend: {}
+
+  gitServer:
+    disabled: true
+
+  indexedSearch:
+    disabled: true
+
+  indexedSearchIndexer:
+    disabled: true
+
+  pgsql:
+    disabled: true
+
+  postgresExporter:
+    disabled: true
+
+  preciseCodeIntel:
+    disabled: true
+
+  redisCache:
+    disabled: true
+
+  redisStore:
+    disabled: true
+
+  repoUpdater:
+    disabled: true
+
+  searcher:
+    disabled: true
+
+  symbols:
+    disabled: true
+
+  syntectServer:
+    disabled: true
+
+  worker:
+    disabled: true
+
+  prometheus:
+    disabled: true
+
+  embeddings:
+    disabled: true

internal/appliance/reconciler/testdata/sg/frontend/with-ingress-optional-fields.yaml

@@ -0,0 +1,64 @@
+spec:
+  requestedVersion: "5.3.9104"
+
+  blobstore:
+    disabled: true
+
+  codeInsights:
+    disabled: true
+
+  codeIntel:
+    disabled: true
+
+  frontend:
+    ingress:
+      host: example.com
+      annotations:
+        foo: bar
+      ingressClassName: an-ingress-class
+      tlsSecret: ingress-tls-secret
+
+  gitServer:
+    disabled: true
+
+  indexedSearch:
+    disabled: true
+
+  indexedSearchIndexer:
+    disabled: true
+
+  pgsql:
+    disabled: true
+
+  postgresExporter:
+    disabled: true
+
+  preciseCodeIntel:
+    disabled: true
+
+  redisCache:
+    disabled: true
+
+  redisStore:
+    disabled: true
+
+  repoUpdater:
+    disabled: true
+
+  searcher:
+    disabled: true
+
+  symbols:
+    disabled: true
+
+  syntectServer:
+    disabled: true
+
+  worker:
+    disabled: true
+
+  prometheus:
+    disabled: true
+
+  embeddings:
+    disabled: true

internal/appliance/reconciler/testdata/sg/frontend/with-ingress.yaml

@@ -0,0 +1,59 @@
+spec:
+  requestedVersion: "5.3.9104"
+
+  blobstore:
+    disabled: true
+
+  codeInsights:
+    disabled: true
+
+  codeIntel:
+    disabled: true
+
+  frontend:
+    ingress: {}
+
+  gitServer:
+    disabled: true
+
+  indexedSearch:
+    disabled: true
+
+  indexedSearchIndexer:
+    disabled: true
+
+  pgsql:
+    disabled: true
+
+  postgresExporter:
+    disabled: true
+
+  preciseCodeIntel:
+    disabled: true
+
+  redisCache:
+    disabled: true
+
+  redisStore:
+    disabled: true
+
+  repoUpdater:
+    disabled: true
+
+  searcher:
+    disabled: true
+
+  symbols:
+    disabled: true
+
+  syntectServer:
+    disabled: true
+
+  worker:
+    disabled: true
+
+  prometheus:
+    disabled: true
+
+  embeddings:
+    disabled: true

internal/appliance/reconciler/testdata/sg/frontend/with-overrides.yaml

@@ -0,0 +1,60 @@
+spec:
+  requestedVersion: "5.3.9104"
+
+  blobstore:
+    disabled: true
+
+  codeInsights:
+    disabled: true
+
+  codeIntel:
+    disabled: true
+
+  frontend:
+    replicas: 9
+    migrator: false
+
+  gitServer:
+    disabled: true
+
+  indexedSearch:
+    disabled: true
+
+  indexedSearchIndexer:
+    disabled: true
+
+  pgsql:
+    disabled: true
+
+  postgresExporter:
+    disabled: true
+
+  preciseCodeIntel:
+    disabled: true
+
+  redisCache:
+    disabled: true
+
+  redisStore:
+    disabled: true
+
+  repoUpdater:
+    disabled: true
+
+  searcher:
+    disabled: true
+
+  symbols:
+    disabled: true
+
+  syntectServer:
+    disabled: true
+
+  worker:
+    disabled: true
+
+  prometheus:
+    disabled: true
+
+  embeddings:
+    disabled: true

internal/conf/deploy/deploytype.go

@@ -15,6 +15,7 @@ const (
 	Helm          = "helm"
 	Kustomize     = "kustomize"
 	K3s           = "k3s"
+	Appliance     = "appliance"
 )
 
 var mock string
@@ -46,7 +47,7 @@ func Mock(val string) {
 func IsDeployTypeKubernetes(deployType string) bool {
 	switch deployType {
 	// includes older Kubernetes aliases for backwards compatibility
-	case "k8s", "cluster", Kubernetes, Helm, Kustomize, K3s:
+	case "k8s", "cluster", Kubernetes, Helm, Kustomize, K3s, Appliance:
 		return true
 	}