appliance: deploy symbols service (#62270)

2026-02-06 16:51:55 +00:00 · 2024-04-30 18:23:45 +01:00 · 2024-04-30 18:23:45 +01:00 · eb5123b36c
commit eb5123b36c
parent e9d7e95876
15 changed files with 873 additions and 26 deletions
--- a/internal/appliance/BUILD.bazel
+++ b/internal/appliance/BUILD.bazel
@ -11,6 +11,7 @@ go_library(
        "reconcile.go",
        "repo_updater.go",
        "spec.go",
+        "symbols.go",
    ],
    importpath = "github.com/sourcegraph/sourcegraph/internal/appliance",
    visibility = ["//:__subpackages__"],
@ -23,6 +24,7 @@ go_library(
        "//internal/k8s/resource/pvc",
        "//internal/k8s/resource/service",
        "//internal/k8s/resource/serviceaccount",
+        "//internal/k8s/resource/statefulset",
        "//lib/errors",
        "//lib/pointers",
        "@com_github_masterminds_semver//:semver",
@ -57,6 +59,7 @@ go_test(
        "golden_test.go",
        "helpers_test.go",
        "repo_updater_test.go",
+        "symbols_test.go",
    ],
    data = [
        ":testdata",
--- a/internal/appliance/blobstore.go
+++ b/internal/appliance/blobstore.go
@ -48,17 +48,7 @@ func buildBlobstorePersistentVolumeClaim(sg *Sourcegraph) (corev1.PersistentVolu
 		storageClassName = "sourcegraph"
 	}

-	p := pvc.NewPersistentVolumeClaim("blobstore", sg.Namespace)
-	p.Spec.Resources = corev1.VolumeResourceRequirements{
-		Requests: corev1.ResourceList{
-			corev1.ResourceStorage: resource.MustParse(storage),
-		},
-	}
-
-	// set StorageClass name if a custom storage class is being sgeated.
-	if sg.Spec.StorageClass.Create {
-		p.Spec.StorageClassName = &storageClassName
-	}
+	p := pvc.NewPersistentVolumeClaim("blobstore", sg.Namespace, resource.MustParse(storage), storageClassName)

 	return p, nil
 }
--- a/internal/appliance/reconcile.go
+++ b/internal/appliance/reconcile.go
@ -83,6 +83,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	if err := r.reconcileRepoUpdater(ctx, &sourcegraph, &applianceSpec); err != nil {
 		return ctrl.Result{}, errors.Newf("failed to reconcile repo updater: %w", err)
 	}
+	if err := r.reconcileSymbols(ctx, &sourcegraph, &applianceSpec); err != nil {
+		return ctrl.Result{}, errors.Newf("failed to reconcile symbols service: %w", err)
+	}

 	// Set the current version annotation in case migration logic depends on it.
 	applianceSpec.Annotations[annotationKeyCurrentVersion] = sourcegraph.Spec.RequestedVersion
--- a/internal/appliance/spec.go
+++ b/internal/appliance/spec.go
@ -287,6 +287,8 @@ type SearcherSpec struct {

 // SymbolsSpec defines the desired state of the Symbols service.
 type SymbolsSpec struct {
+	config.StandardConfig
+
 	// Replicas defines the number of Symbols pod replicas.
 	// Default: 1
 	Replicas int32 `json:"replicas,omitempty"`
@ -295,13 +297,12 @@ type SymbolsSpec struct {
 	// Default: 12Gi
 	StorageSize string `json:"storageSize,omitempty"`

-	// Resources allows for custom resource limits and requests.
-	Resources *corev1.ResourceList `json:"resources,omitempty"`
-
 	// Env defines environment variables for Symbols.
 	Env map[string]string `json:"env,omitempty"`
 }

+func (SymbolsSpec) PrometheusPort() *int { return ptr.To(6060) }
+
 // SyntectServerSpec defines the desired state of the Syntect server service.
 type SyntectServerSpec struct {
 	// Replicas defines the number of Syntect Server pod replicas.
--- a/internal/appliance/symbols.go
+++ b/internal/appliance/symbols.go
@ -0,0 +1,153 @@
+package appliance
+
+import (
+	"context"
+	"fmt"
+	"math"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/container"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/pod"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/pvc"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/service"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/serviceaccount"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/statefulset"
+	"github.com/sourcegraph/sourcegraph/lib/errors"
+)
+
+func (r *Reconciler) reconcileSymbols(ctx context.Context, sg *Sourcegraph, owner client.Object) error {
+	if err := r.reconcileSymbolsStatefulSet(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileSymbolsService(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileSymbolsServiceAccount(ctx, sg, owner); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (r *Reconciler) reconcileSymbolsStatefulSet(ctx context.Context, sg *Sourcegraph, owner client.Object) error {
+	name := "symbols"
+	cfg := sg.Spec.Symbols
+	if cfg.StorageSize == "" {
+		cfg.StorageSize = "12Gi"
+	}
+	if cfg.Replicas == 0 {
+		cfg.Replicas = 1
+	}
+
+	// TODO DRY out across all services
+	storageClassName := sg.Spec.StorageClass.Name
+	if storageClassName == "" {
+		storageClassName = "sourcegraph"
+	}
+
+	ctr := container.NewContainer(name, cfg, corev1.ResourceRequirements{
+		Requests: corev1.ResourceList{
+			corev1.ResourceCPU:    resource.MustParse("500m"),
+			corev1.ResourceMemory: resource.MustParse("500M"),
+		},
+		Limits: corev1.ResourceList{
+			corev1.ResourceCPU:    resource.MustParse("2"),
+			corev1.ResourceMemory: resource.MustParse("2G"),
+		},
+	})
+
+	storageSize, err := resource.ParseQuantity(cfg.StorageSize)
+	if err != nil {
+		return errors.Wrap(err, "parsing storage size")
+	}
+
+	// Cache size is 90% of available attached storage
+	cacheSize := float64(storageSize.Value()) * 0.9
+	cacheSizeMB := int(math.Floor(cacheSize / 1024 / 1024))
+
+	// TODO: https://github.com/sourcegraph/sourcegraph/issues/62076
+	ctr.Image = "index.docker.io/sourcegraph/symbols:5.3.2@sha256:dd7f923bdbd5dbd231b749a7483110d40d59159084477b9fff84afaf58aad98e"
+
+	ctr.Env = []corev1.EnvVar{
+		container.NewEnvVarSecretKeyRef("REDIS_CACHE_ENDPOINT", "redis-cache", "endpoint"),
+		container.NewEnvVarSecretKeyRef("REDIS_STORE_ENDPOINT", "redis-store", "endpoint"),
+
+		{Name: "SYMBOLS_CACHE_SIZE_MB", Value: fmt.Sprintf("%d", cacheSizeMB)},
+
+		container.NewEnvVarFieldRef("POD_NAME", "metadata.name"),
+		{Name: "SYMBOLS_CACHE_DIR", Value: "/mnt/cache/$(POD_NAME)"},
+
+		{Name: "TMPDIR", Value: "/mnt/tmp"},
+
+		// OTEL_AGENT_HOST must be defined before OTEL_EXPORTER_OTLP_ENDPOINT to substitute the node IP on which the DaemonSet pod instance runs in the latter variable
+		container.NewEnvVarFieldRef("OTEL_AGENT_HOST", "status.hostIP"),
+		{Name: "OTEL_EXPORTER_OTLP_ENDPOINT", Value: "http://$(OTEL_AGENT_HOST):4317"},
+	}
+	ctr.Ports = []corev1.ContainerPort{
+		{Name: "http", ContainerPort: 3184},
+		{Name: "debug", ContainerPort: 6060},
+	}
+	ctr.LivenessProbe = &corev1.Probe{
+		ProbeHandler: corev1.ProbeHandler{
+			HTTPGet: &corev1.HTTPGetAction{
+				Path:   "/healthz",
+				Port:   intstr.FromString("http"),
+				Scheme: corev1.URISchemeHTTP,
+			},
+		},
+		InitialDelaySeconds: 60,
+		TimeoutSeconds:      5,
+	}
+	ctr.ReadinessProbe = &corev1.Probe{
+		ProbeHandler: corev1.ProbeHandler{
+			HTTPGet: &corev1.HTTPGetAction{
+				Path:   "/healthz",
+				Port:   intstr.FromString("http"),
+				Scheme: corev1.URISchemeHTTP,
+			},
+		},
+		InitialDelaySeconds: 60,
+		PeriodSeconds:       5,
+	}
+	ctr.VolumeMounts = []corev1.VolumeMount{
+		{Name: "cache", MountPath: "/mnt/cache"},
+		{Name: "tmp", MountPath: "/mnt/tmp"},
+	}
+
+	podTemplate := pod.NewPodTemplate(name)
+	podTemplate.Template.Spec.Containers = []corev1.Container{ctr}
+	podTemplate.Template.Spec.ServiceAccountName = name
+	podTemplate.Template.Spec.Volumes = []corev1.Volume{
+		pod.NewVolumeEmptyDir("tmp"),
+	}
+
+	sset := statefulset.NewStatefulSet(name, sg.Namespace, sg.Spec.RequestedVersion)
+	sset.Spec.Template = podTemplate.Template
+	sset.Spec.VolumeClaimTemplates = []corev1.PersistentVolumeClaim{
+		pvc.NewPersistentVolumeClaimSpecOnly(storageSize, storageClassName),
+	}
+
+	return reconcileObject(ctx, r, sg.Spec.Symbols, &sset, &appsv1.StatefulSet{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileSymbolsService(ctx context.Context, sg *Sourcegraph, owner client.Object) error {
+	svc := service.NewService("symbols", sg.Namespace, sg.Spec.RepoUpdater)
+	svc.Spec.Ports = []corev1.ServicePort{
+		{Name: "http", TargetPort: intstr.FromString("http"), Port: 3184},
+		{Name: "debug", TargetPort: intstr.FromString("debug"), Port: 6060},
+	}
+	svc.Spec.Selector = map[string]string{
+		"app": "symbols",
+	}
+	return reconcileObject(ctx, r, sg.Spec.Symbols, &svc, &corev1.Service{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileSymbolsServiceAccount(ctx context.Context, sg *Sourcegraph, owner client.Object) error {
+	cfg := sg.Spec.Symbols
+	sa := serviceaccount.NewServiceAccount("symbols", sg.Namespace, cfg)
+	return reconcileObject(ctx, r, sg.Spec.Symbols, &sa, &corev1.ServiceAccount{}, sg, owner)
+}
--- a/internal/appliance/symbols_test.go
+++ b/internal/appliance/symbols_test.go
@ -0,0 +1,23 @@
+package appliance
+
+import "time"
+
+func (suite *ApplianceTestSuite) TestDeploySymbols() {
+	for _, tc := range []struct {
+		name string
+	}{
+		{name: "symbols-default"},
+		{name: "symbols-with-storage"},
+	} {
+		suite.Run(tc.name, func() {
+			namespace := suite.createConfigMap(tc.name)
+
+			// Wait for reconciliation to be finished.
+			suite.Require().Eventually(func() bool {
+				return suite.getConfigMapReconcileEventCount(namespace) > 0
+			}, time.Second*10, time.Millisecond*200)
+
+			suite.makeGoldenAssertions(namespace, tc.name)
+		})
+	}
+}
--- a/internal/appliance/testdata/golden-fixtures/blobstore-default.yaml
+++ b/internal/appliance/testdata/golden-fixtures/blobstore-default.yaml
@ -169,6 +169,7 @@ resources:
    resources:
      requests:
        storage: 100Gi
+    storageClassName: sourcegraph
    volumeMode: Filesystem
  status:
    phase: Pending
--- a/internal/appliance/testdata/golden-fixtures/blobstore-subsequent-disable.yaml
+++ b/internal/appliance/testdata/golden-fixtures/blobstore-subsequent-disable.yaml
@ -90,6 +90,7 @@ resources:
    resources:
      requests:
        storage: 100Gi
+    storageClassName: sourcegraph
    volumeMode: Filesystem
  status:
    phase: Pending
--- a/internal/appliance/testdata/golden-fixtures/symbols-default.yaml
+++ b/internal/appliance/testdata/golden-fixtures/symbols-default.yaml
@ -0,0 +1,271 @@
+resources:
+- apiVersion: apps/v1
+  kind: StatefulSet
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: bd6ab558ec98ed6b2607b80469bb9f209b485fa44a6dd5beaf18c37011340afc
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    generation: 1
+    labels:
+      app.kubernetes.io/component: symbols
+      app.kubernetes.io/name: sourcegraph
+      app.kubernetes.io/version: 5.3.9104
+      deploy: sourcegraph
+    name: symbols
+    namespace: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+  spec:
+    minReadySeconds: 10
+    persistentVolumeClaimRetentionPolicy:
+      whenDeleted: Retain
+      whenScaled: Retain
+    podManagementPolicy: OrderedReady
+    replicas: 1
+    revisionHistoryLimit: 10
+    selector:
+      matchLabels:
+        app: symbols
+    serviceName: symbols
+    template:
+      metadata:
+        annotations:
+          kubectl.kubernetes.io/default-container: symbols
+        creationTimestamp: null
+        labels:
+          app: symbols
+          deploy: sourcegraph
+        name: symbols
+      spec:
+        containers:
+        - env:
+          - name: REDIS_CACHE_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                key: endpoint
+                name: redis-cache
+          - name: REDIS_STORE_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                key: endpoint
+                name: redis-store
+          - name: SYMBOLS_CACHE_SIZE_MB
+            value: "11059"
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: SYMBOLS_CACHE_DIR
+            value: /mnt/cache/$(POD_NAME)
+          - name: TMPDIR
+            value: /mnt/tmp
+          - name: OTEL_AGENT_HOST
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.hostIP
+          - name: OTEL_EXPORTER_OTLP_ENDPOINT
+            value: http://$(OTEL_AGENT_HOST):4317
+          image: index.docker.io/sourcegraph/symbols:5.3.2@sha256:dd7f923bdbd5dbd231b749a7483110d40d59159084477b9fff84afaf58aad98e
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          name: symbols
+          ports:
+          - containerPort: 3184
+            name: http
+            protocol: TCP
+          - containerPort: 6060
+            name: debug
+            protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 5
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources:
+            limits:
+              cpu: "2"
+              memory: 2G
+            requests:
+              cpu: 500m
+              memory: 500M
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 101
+            runAsUser: 100
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+          - mountPath: /mnt/cache
+            name: cache
+          - mountPath: /mnt/tmp
+            name: tmp
+        dnsPolicy: ClusterFirst
+        restartPolicy: Always
+        schedulerName: default-scheduler
+        securityContext:
+          fsGroup: 101
+          fsGroupChangePolicy: OnRootMismatch
+          runAsGroup: 101
+          runAsUser: 100
+        serviceAccount: symbols
+        serviceAccountName: symbols
+        terminationGracePeriodSeconds: 30
+        volumes:
+        - emptyDir: {}
+          name: tmp
+    updateStrategy:
+      type: RollingUpdate
+    volumeClaimTemplates:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        creationTimestamp: null
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 12Gi
+        storageClassName: sourcegraph
+        volumeMode: Filesystem
+      status:
+        phase: Pending
+  status:
+    availableReplicas: 0
+    replicas: 0
+- apiVersion: v1
+  data:
+    spec: |
+      spec:
+        requestedVersion: "5.3.9104"
+
+        blobstore:
+          disabled: true
+
+        codeInsights:
+          disabled: true
+
+        codeIntel:
+          disabled: true
+
+        frontend:
+          disabled: true
+
+        gitServer:
+          disabled: true
+
+        indexedSearch:
+          disabled: true
+
+        indexedSearchIndexer:
+          disabled: true
+
+        pgsql:
+          disabled: true
+
+        postgresExporter:
+          disabled: true
+
+        preciseCodeIntel:
+          disabled: true
+
+        redisCache:
+          disabled: true
+
+        redisExporter:
+          disabled: true
+
+        redisStore:
+          disabled: true
+
+        repoUpdater:
+          disabled: true
+
+        searcher:
+          disabled: true
+
+        symbols: {}
+
+        syntectServer:
+          disabled: true
+
+        worker:
+          disabled: true
+  kind: ConfigMap
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/currentVersion: 5.3.9104
+      appliance.sourcegraph.com/managed: "true"
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    name: sg
+    namespace: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: bd6ab558ec98ed6b2607b80469bb9f209b485fa44a6dd5beaf18c37011340afc
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    labels:
+      deploy: sourcegraph
+    name: symbols
+    namespace: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: bd6ab558ec98ed6b2607b80469bb9f209b485fa44a6dd5beaf18c37011340afc
+      prometheus.io/port: "6060"
+      sourcegraph.prometheus/scrape: "true"
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    labels:
+      app: symbols
+      app.kubernetes.io/component: symbols
+      deploy: sourcegraph
+    name: symbols
+    namespace: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+  spec:
+    clusterIP: NORMALIZED_FOR_TESTING
+    clusterIPs:
+    - NORMALIZED_FOR_TESTING
+    internalTrafficPolicy: Cluster
+    ipFamilies:
+    - IPv4
+    ipFamilyPolicy: SingleStack
+    ports:
+    - name: http
+      port: 3184
+      protocol: TCP
+      targetPort: http
+    - name: debug
+      port: 6060
+      protocol: TCP
+      targetPort: debug
+    selector:
+      app: symbols
+    sessionAffinity: None
+    type: ClusterIP
+  status:
+    loadBalancer: {}
--- a/internal/appliance/testdata/golden-fixtures/symbols-with-storage.yaml
+++ b/internal/appliance/testdata/golden-fixtures/symbols-with-storage.yaml
@ -0,0 +1,272 @@
+resources:
+- apiVersion: apps/v1
+  kind: StatefulSet
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: d89fe1af0a19ed5d6a4ec2e1c45be18f6aeff38380a90e718e9a15509dfd50cc
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    generation: 1
+    labels:
+      app.kubernetes.io/component: symbols
+      app.kubernetes.io/name: sourcegraph
+      app.kubernetes.io/version: 5.3.9104
+      deploy: sourcegraph
+    name: symbols
+    namespace: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+  spec:
+    minReadySeconds: 10
+    persistentVolumeClaimRetentionPolicy:
+      whenDeleted: Retain
+      whenScaled: Retain
+    podManagementPolicy: OrderedReady
+    replicas: 1
+    revisionHistoryLimit: 10
+    selector:
+      matchLabels:
+        app: symbols
+    serviceName: symbols
+    template:
+      metadata:
+        annotations:
+          kubectl.kubernetes.io/default-container: symbols
+        creationTimestamp: null
+        labels:
+          app: symbols
+          deploy: sourcegraph
+        name: symbols
+      spec:
+        containers:
+        - env:
+          - name: REDIS_CACHE_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                key: endpoint
+                name: redis-cache
+          - name: REDIS_STORE_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                key: endpoint
+                name: redis-store
+          - name: SYMBOLS_CACHE_SIZE_MB
+            value: "92160"
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: SYMBOLS_CACHE_DIR
+            value: /mnt/cache/$(POD_NAME)
+          - name: TMPDIR
+            value: /mnt/tmp
+          - name: OTEL_AGENT_HOST
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.hostIP
+          - name: OTEL_EXPORTER_OTLP_ENDPOINT
+            value: http://$(OTEL_AGENT_HOST):4317
+          image: index.docker.io/sourcegraph/symbols:5.3.2@sha256:dd7f923bdbd5dbd231b749a7483110d40d59159084477b9fff84afaf58aad98e
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          name: symbols
+          ports:
+          - containerPort: 3184
+            name: http
+            protocol: TCP
+          - containerPort: 6060
+            name: debug
+            protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 5
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources:
+            limits:
+              cpu: "2"
+              memory: 2G
+            requests:
+              cpu: 500m
+              memory: 500M
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 101
+            runAsUser: 100
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+          - mountPath: /mnt/cache
+            name: cache
+          - mountPath: /mnt/tmp
+            name: tmp
+        dnsPolicy: ClusterFirst
+        restartPolicy: Always
+        schedulerName: default-scheduler
+        securityContext:
+          fsGroup: 101
+          fsGroupChangePolicy: OnRootMismatch
+          runAsGroup: 101
+          runAsUser: 100
+        serviceAccount: symbols
+        serviceAccountName: symbols
+        terminationGracePeriodSeconds: 30
+        volumes:
+        - emptyDir: {}
+          name: tmp
+    updateStrategy:
+      type: RollingUpdate
+    volumeClaimTemplates:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        creationTimestamp: null
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 100Gi
+        storageClassName: sourcegraph
+        volumeMode: Filesystem
+      status:
+        phase: Pending
+  status:
+    availableReplicas: 0
+    replicas: 0
+- apiVersion: v1
+  data:
+    spec: |
+      spec:
+        requestedVersion: "5.3.9104"
+
+        blobstore:
+          disabled: true
+
+        codeInsights:
+          disabled: true
+
+        codeIntel:
+          disabled: true
+
+        frontend:
+          disabled: true
+
+        gitServer:
+          disabled: true
+
+        indexedSearch:
+          disabled: true
+
+        indexedSearchIndexer:
+          disabled: true
+
+        pgsql:
+          disabled: true
+
+        postgresExporter:
+          disabled: true
+
+        preciseCodeIntel:
+          disabled: true
+
+        redisCache:
+          disabled: true
+
+        redisExporter:
+          disabled: true
+
+        redisStore:
+          disabled: true
+
+        repoUpdater:
+          disabled: true
+
+        searcher:
+          disabled: true
+
+        symbols:
+          storageSize: "100Gi"
+
+        syntectServer:
+          disabled: true
+
+        worker:
+          disabled: true
+  kind: ConfigMap
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/currentVersion: 5.3.9104
+      appliance.sourcegraph.com/managed: "true"
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    name: sg
+    namespace: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: d89fe1af0a19ed5d6a4ec2e1c45be18f6aeff38380a90e718e9a15509dfd50cc
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    labels:
+      deploy: sourcegraph
+    name: symbols
+    namespace: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      appliance.sourcegraph.com/configHash: d89fe1af0a19ed5d6a4ec2e1c45be18f6aeff38380a90e718e9a15509dfd50cc
+      prometheus.io/port: "6060"
+      sourcegraph.prometheus/scrape: "true"
+    creationTimestamp: "2024-04-19T00:00:00Z"
+    labels:
+      app: symbols
+      app.kubernetes.io/component: symbols
+      deploy: sourcegraph
+    name: symbols
+    namespace: NORMALIZED_FOR_TESTING
+    resourceVersion: NORMALIZED_FOR_TESTING
+    uid: NORMALIZED_FOR_TESTING
+  spec:
+    clusterIP: NORMALIZED_FOR_TESTING
+    clusterIPs:
+    - NORMALIZED_FOR_TESTING
+    internalTrafficPolicy: Cluster
+    ipFamilies:
+    - IPv4
+    ipFamilyPolicy: SingleStack
+    ports:
+    - name: http
+      port: 3184
+      protocol: TCP
+      targetPort: http
+    - name: debug
+      port: 6060
+      protocol: TCP
+      targetPort: debug
+    selector:
+      app: symbols
+    sessionAffinity: None
+    type: ClusterIP
+  status:
+    loadBalancer: {}
--- a/internal/appliance/testdata/sg/symbols-default.yaml
+++ b/internal/appliance/testdata/sg/symbols-default.yaml
@ -0,0 +1,55 @@
+spec:
+  requestedVersion: "5.3.9104"
+
+  blobstore:
+    disabled: true
+
+  codeInsights:
+    disabled: true
+
+  codeIntel:
+    disabled: true
+
+  frontend:
+    disabled: true
+
+  gitServer:
+    disabled: true
+
+  indexedSearch:
+    disabled: true
+
+  indexedSearchIndexer:
+    disabled: true
+
+  pgsql:
+    disabled: true
+
+  postgresExporter:
+    disabled: true
+
+  preciseCodeIntel:
+    disabled: true
+
+  redisCache:
+    disabled: true
+
+  redisExporter:
+    disabled: true
+
+  redisStore:
+    disabled: true
+
+  repoUpdater:
+    disabled: true
+
+  searcher:
+    disabled: true
+
+  symbols: {}
+
+  syntectServer:
+    disabled: true
+
+  worker:
+    disabled: true
--- a/internal/appliance/testdata/sg/symbols-with-storage.yaml
+++ b/internal/appliance/testdata/sg/symbols-with-storage.yaml
@ -0,0 +1,56 @@
+spec:
+  requestedVersion: "5.3.9104"
+
+  blobstore:
+    disabled: true
+
+  codeInsights:
+    disabled: true
+
+  codeIntel:
+    disabled: true
+
+  frontend:
+    disabled: true
+
+  gitServer:
+    disabled: true
+
+  indexedSearch:
+    disabled: true
+
+  indexedSearchIndexer:
+    disabled: true
+
+  pgsql:
+    disabled: true
+
+  postgresExporter:
+    disabled: true
+
+  preciseCodeIntel:
+    disabled: true
+
+  redisCache:
+    disabled: true
+
+  redisExporter:
+    disabled: true
+
+  redisStore:
+    disabled: true
+
+  repoUpdater:
+    disabled: true
+
+  searcher:
+    disabled: true
+
+  symbols:
+    storageSize: "100Gi"
+
+  syntectServer:
+    disabled: true
+
+  worker:
+    disabled: true
--- a/internal/k8s/resource/pod/pod.go
+++ b/internal/k8s/resource/pod/pod.go
@ -32,3 +32,12 @@ func NewPodTemplate(name string) corev1.PodTemplate {
 		},
 	}
 }
+
+func NewVolumeEmptyDir(name string) corev1.Volume {
+	return corev1.Volume{
+		Name: name,
+		VolumeSource: corev1.VolumeSource{
+			EmptyDir: &corev1.EmptyDirVolumeSource{},
+		},
+	}
+}
--- a/internal/k8s/resource/pvc/pvc.go
+++ b/internal/k8s/resource/pvc/pvc.go
@ -7,25 +7,31 @@ import (
 )

 // NewPersistentVolumeClaim creates a new k8s PVC with some default values set.
-func NewPersistentVolumeClaim(name, namespace string) corev1.PersistentVolumeClaim {
-	return corev1.PersistentVolumeClaim{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: namespace,
-			Labels: map[string]string{
-				"deploy": "sourcegraph",
-			},
+func NewPersistentVolumeClaim(name, namespace string, storage resource.Quantity, storageClassName string) corev1.PersistentVolumeClaim {
+	pvc := NewPersistentVolumeClaimSpecOnly(storage, storageClassName)
+	pvc.ObjectMeta = metav1.ObjectMeta{
+		Name:      name,
+		Namespace: namespace,
+		Labels: map[string]string{
+			"deploy": "sourcegraph",
 		},
+	}
+	return pvc
+}
+
+// Useful for statefulsets, that do not require metadata
+func NewPersistentVolumeClaimSpecOnly(storage resource.Quantity, storageClassName string) corev1.PersistentVolumeClaim {
+	return corev1.PersistentVolumeClaim{
 		Spec: corev1.PersistentVolumeClaimSpec{
 			AccessModes: []corev1.PersistentVolumeAccessMode{
 				corev1.ReadWriteOnce,
 			},
 			Resources: corev1.VolumeResourceRequirements{
 				Requests: corev1.ResourceList{
-					corev1.ResourceStorage: resource.MustParse("10Gi"),
+					corev1.ResourceStorage: storage,
 				},
 			},
+			StorageClassName: &storageClassName,
 		},
 	}
-
 }
--- a/internal/k8s/resource/statefulset/statefulset.go
+++ b/internal/k8s/resource/statefulset/statefulset.go
@ -8,13 +8,16 @@ import (
 )

 // NewStatefulSet creates a new k8s StatefulSet with some default values set.
-func NewStatefulSet(name, namespace string) appsv1.StatefulSet {
+func NewStatefulSet(name, namespace, version string) appsv1.StatefulSet {
 	return appsv1.StatefulSet{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: namespace,
 			Labels: map[string]string{
-				"deploy": "sourcegraph",
+				"app.kubernetes.io/component": name,
+				"app.kubernetes.io/name":      "sourcegraph",
+				"app.kubernetes.io/version":   version,
+				"deploy":                      "sourcegraph",
 			},
 		},
 		Spec: appsv1.StatefulSetSpec{