Prerequisites

Before proceeding, ensure you have the following prerequisites in place:

Create two kubernetes node groups (for application & analysis workloads) and label the nodes in the node groups (eg: workload: deepsource-application & workload: deepsource-analysis)
1. The minimum specifications for the nodes are as follows:
  1. Application Node group
    1. CPU: 16 Cores
    2. Memory:32 GiB
    3. Disk:128 GiB
  2. Analysis Node group
    1. CPU:16 Cores
    2. Memory:32 GiB
    3. Disk:256 GiB
Create two namespaces
1. deepsource-application - kubectl create ns deepsource-application
2. deepsource-analysis - kubectl create ns deepsource-analysis
Create an external database using the following guide: https://docs.deepsource.com/docs/enterprise-server-configuration#bring-your-own-database. You can skip this step for pilot installation.
Obtain a license by reaching out to [email protected]
Make sure to use at least helm v3.8.0, prior versions require HELM_EXPERIMENTAL_OCI=1environment variable to be set.

Install

helm registry login registry.deepsource.com --username <username> -—password <password>

Obtain the default values.yaml file from the chart and write to a file

helm show values oci://registry.deepsource.com/helm-charts/deepsource > values.yaml

Make the necessary changes to the newly created values.yaml file by following the configuration guide.

Install DeepSource Enterprise Server

helm install deepsource --set-file global.license.token=<path-to-license-file> -n deepsource-application --timeout 10m0s --debug oci://registry.deepsource.com/helm-charts/deepsource -f values.yaml

Upgrade

helm registry login registry.deepsource.com --username <username> —password <password>

Upgrade DeepSource Enterprise Server using your existing values.yaml

Go through the changelog.md in the helm package to make sure there aren't any breaking changes.

helm upgrade deepsource --set-file global.license.token=./license.txt -n deepsource-application --timeout 10m0s --debug oci://registry.deepsource.com/helm-charts/deepsource --version <version-number> -f values.yaml

Configuration

All the values with changeme as the default value must be changed and are considered a security risk if left unchanged.
Wherever applicable, If you have a value that contains newlines (for example, a private key), use a multi-line literal style yaml string (starts with |).
The Persistent Volumes (PVs) don't get cleaned up automatically when the chart is uninstalled. You need to manually delete the PVs if you want to clean up the data.

Global configuration creation parameters

Name	Description	Value
`global.secret.create`	Determines whether to create a secret. Set to true to create. Set to false if you want to manage secrets yourself (using the external-secrets operator, for example).	`true`
`global.cm.create`	Determines whether to create a configuration map. Set to true to create. Do not set it to false unless you really know what you are doing.	`true`

Cluster Settings configuration parameters

Analysis node group configuration parameters

Name	Description	Value
`global.clusterSettings.analysis.namespace`	Namespace for analysis jobs	`deepsource-analysis`
`global.clusterSettings.analysis.nodeSelector`	Node selector for analysis nodes	`{}`
`global.clusterSettings.analysis.tolerations`	Tolerations for analysis nodes	`{}`
`global.clusterSettings.analysis.affinity`	Affinity settings for analysis nodes	`{}`

Application node group configuration parameters

Name	Description	Value
`global.clusterSettings.application.namespace`	Namespace for application	`deepsource-application`
`global.clusterSettings.application.nodeSelector`	Node selector for application nodes	`{}`
`global.clusterSettings.application.tolerations`	Tolerations for application nodes	`{}`
`global.clusterSettings.application.affinity`	Affinity settings for application nodes	`{}`

Version Control System (VCS) configuration parameters

Github configuration parameters

Name	Description	Value
`global.vcs.github.enabled`	Determines whether GitHub integration is enabled. Learn how to configure the application here.	`false`
`global.vcs.github.secret.appId`	The App ID for your GitHub App. You can find this in your GitHub App settings.	`""`
`global.vcs.github.secret.appSlug`	GitHub generates a slug for each app based on its name. It is the last part of the public link of your app.	`""`
`global.vcs.github.secret.clientId`	The Client ID for your GitHub App.	`""`
`global.vcs.github.secret.secretKey`	The client secret for your GitHub App.	`""`
`global.vcs.github.secret.webhookSecret`	Enter the webhook secret you supplied while creating the app.	`""`
`global.vcs.github.secret.privateKey`	After creating the app, generate a private key for token requests and paste it here as a multi-line literal style yaml string	`""`

Github Enterprise configuration parameters

Name	Description	Value
`global.vcs.githubEnterprise.enabled`	Determines whether GitHub Enterprise integration is enabled. Learn how to configure the application here.	`false`
`global.vcs.githubEnterprise.secret.hostDomain`	Enter the hostname of your GitHub instance, e.g., `github.example.com`.	`""`
`global.vcs.githubEnterprise.secret.appId`	The App ID for your GitHub Enterprise App.	`""`
`global.vcs.githubEnterprise.secret.appSlug`	GitHub generates a slug for each app based on its name. It is the last part of the public link of your app.	`""`
`global.vcs.githubEnterprise.secret.clientId`	The Client ID for your GitHub Enterprise App.	`""`
`global.vcs.githubEnterprise.secret.secretKey`	The client secret for your GitHub Enterprise App.	`""`
`global.vcs.githubEnterprise.secret.webhookSecret`	Enter the webhook secret you supplied while creating the app.	`""`
`global.vcs.githubEnterprise.secret.privateKey`	After creating the app, generate a private key for token requests and paste it here as a multi-line literal style yaml string	`""`

Gitlab configuration parameters

Name	Description	Value
`global.vcs.gitlab.enabled`	Determines whether GitLab integration is enabled. Learn how to configure the application here.	`false`
`global.vcs.gitlab.cm.version`	Set the Gitlab Server version you are currently using, if it is the self-hosted version.	`""`
`global.vcs.gitlab.secret.hostDomain`	Enter the hostname of your GitLab instance, e.g., `gitlab.example.com`.	`""`
`global.vcs.gitlab.secret.appId`	Enter the generated Application ID for your GitLab App.	`""`
`global.vcs.gitlab.secret.appName`	The name of your GitLab App.	`""`
`global.vcs.gitlab.secret.appSecret`	Secret generated by GitLab on creation of the app.	`""`
`global.vcs.gitlab.secret.webhookSecret`	Enter a desired webhook secret for GitLab. Ensure that the secret matches the value you configured here.	`changeme`

Bitbucket configuration parameters

Name	Description	Value
`global.vcs.bitbucket.enabled`	Determines whether Bitbucket integration is enabled. Learn how to configure the application here.	`false`
`global.vcs.bitbucket.secret.addonClientId`	The client ID of your Bitbucket app.	`""`
`global.vcs.bitbucket.secret.addonSecret`	The secret of your Bitbucket app.	`""`
`global.vcs.bitbucket.secret.oAuthClientId`	The Bitbucket OAuth consumer key.	`""`
`global.vcs.bitbucket.secret.oAuthSecret`	The Bitbucket OAuth consumer secret.	`""`

Bitbucket Data Center configuration parameters

Name	Description	Value
`global.vcs.bitbucketDataCenter.enabled`	Determines whether Bitbucket Data Center integration is enabled. Learn how to configure the application here.	`false`
`global.vcs.bitbucketDataCenter.cm.hostScheme`	HTTP scheme of your Bitbucket Data Center instance (options: `http` or `https`).	`https`
`global.vcs.bitbucketDataCenter.cm.hostDomain`	hostname of your Bitbucket Data Center instance (e.g. `bitbucket.acme.com`).	`""`
`global.vcs.bitbucketDataCenter.secret.oAuth2Key`	Client ID generated by Bitbucket Data Center on creation of the OAuth2 app.	`""`
`global.vcs.bitbucketDataCenter.secret.oAuth2Secret`	Client secret generated by Bitbucket Data Center on creation of the OAuth2 app.	`""`
`global.vcs.bitbucketDataCenter.secret.webhookSecret`	A desired webhook secret for Bitbucket Data Center.	`changeme`

AzureDevOps configuration parameters

Name	Description	Value
`global.vcs.azureDevOps.enabled`	Determines whether Azure DevOps integration is enabled. Learn how to configure the application here.	`false`
`global.vcs.azureDevOps.secret.hostDomain`	The domain of your Azure DevOps instance.	`""`
`global.vcs.azureDevOps.secret.authorityHost`	The authority host for Azure DevOps.	`""`
`global.vcs.azureDevOps.secret.applicationId`	The Application ID for Azure DevOps.	`""`
`global.vcs.azureDevOps.secret.applicationSecret`	The Application Secret for Azure DevOps.	`""`
`global.vcs.azureDevOps.secret.webhookSecret`	Enter the webhook secret for Azure DevOps.	`""`

GSR configuration parameters

Name	Description	Value
`global.vcs.gsr.enabled`	Determines whether GSR integration is enabled. Learn how to configure the application here.	`false`
`global.vcs.gsr.secret.cliendId`	GSR Client ID.	`""`
`global.vcs.gsr.secret.clientSecret`	GSR Client Secret.	`""`
`global.vcs.gsr.secret.webhookAudience`	String entered in the Audience section for authentication of webhooks.	`""`

Backend Services/Dependencies configuration parameters

RabbitMQ configuration parameters

Name	Description	Value
`global.backendServices.rabbitmq.embedded.deploy`	Set to true if RabbitMQ should be deployed.	`true`
`global.backendServices.rabbitmq.secret.host`	Hostname for RabbitMQ.	`rabbitmq.deepsource-application`
`global.backendServices.rabbitmq.secret.port`	Port for RabbitMQ.	`5672`
`global.backendServices.rabbitmq.secret.protocol`	Protocol for RabbitMQ.	`amqp`
`global.backendServices.rabbitmq.secret.erlangCookie`	Erlang Cookie for RabbitMQ.	`changeme`
`global.backendServices.rabbitmq.secret.services.atlas.username`	Username for the Atlas RabbitMQ user.	`atlas`
`global.backendServices.rabbitmq.secret.services.atlas.password`	Password for the Atlas RabbitMQ user.	`changeme`
`global.backendServices.rabbitmq.secret.services.asgard.username`	Username for the Asgard RabbitMQ user.	`asgard`
`global.backendServices.rabbitmq.secret.services.asgard.password`	Password for the Asgard RabbitMQ user.	`changeme`
`global.backendServices.rabbitmq.secret.services.janus.username`	Username for the Janus RabbitMQ user.	`janus`
`global.backendServices.rabbitmq.secret.services.janus.password`	Password for the Janus RabbitMQ user.	`changeme`
`global.backendServices.rabbitmq.secret.services.mater.username`	Username for the Mater RabbitMQ user.	`mater`
`global.backendServices.rabbitmq.secret.services.mater.password`	Password for the Mater RabbitMQ user.	`changeme`
`global.backendServices.rabbitmq.secret.services.admin.username`	Username for the Admin RabbitMQ user.	`admin`
`global.backendServices.rabbitmq.secret.services.admin.password`	Password for the Admin RabbitMQ user.	`changeme`

Redis configuration parameters

Name	Description	Value
`global.backendServices.redis.embedded.deploy`	Set to true if Redis should be deployed.	`true`
`global.backendServices.redis.secret.host`	Hostname for Redis. (Change the Host if namespace is different from deepsource-application)	`redis-haproxy.deepsource-application`
`global.backendServices.redis.secret.port`	Port for Redis.	`6379`
`global.backendServices.redis.secret.protocol`	Protocol for Redis.	`redis`
`global.backendServices.redis.services.atlas.machinery.database`	Database for the Atlas Redis user.	`3`
`global.backendServices.redis.services.atlas.publish.database`	Database for the Atlas Redis publish user.	`0`
`global.backendServices.redis.services.asgard.database`	Database for the Asgard Redis user.	`0`
`global.backendServices.redis.services.janus.machinery.database`	Database for the Janus Redis machinery user.	`3`
`global.backendServices.redis.services.janus.hub.database`	Database for the Janus Redis hub user.	`4`
`global.backendServices.redis.services.janus.auth.database`	Database for the Janus Redis auth user.	`1`
`global.backendServices.redis.services.janus.auth.keyPrefix`	Key prefix for the Janus Redis auth user.	`:1:contrib.sessions.custom_cached_db`

PostgreSQL configuration parameters

When using embedded PostgreSQL, the values once set are not changed. If you want to change the values, you need to delete the PostgreSQL PVCs & PVs and then change the values.
To configure your PostgreSQL database, follow the guide.

Name	Description	Value
`global.backendServices.postgresql.embedded.deploy`	Set to true if PostgreSQL should be deployed.	`true`
`global.backendServices.postgresql.connectionPooler.deploy`	Determines whether to deploy the connection pooler (PgBouncer).	`true`
`global.backendServices.postgresql.secret.host`	Hostname for PostgreSQL. (Change the Host if namespace is different from deepsource-application OR if you are bringing your own database)	`postgresql.deepsource-application`
`global.backendServices.postgresql.secret.port`	Port for PostgreSQL.	`5432`
`global.backendServices.postgresql.secret.database`	Name for the PostgreSQL database.	`asgard`
`global.backendServices.postgresql.secret.user`	User for PostgreSQL database.	`asgard`
`global.backendServices.postgresql.secret.password`	Password for the PostgreSQL database.	`changeme`

Minio/S3 Compatible Storage configuration parameters

Name	Description	Value
`global.backendServices.minio.embedded.deploy`	Set to true if Minio should be deployed.	`true`
`global.backendServices.minio.secret.accessKey`	Access key for Minio/S3.	`deepsource`
`global.backendServices.minio.secret.secretKey`	Secret key for Minio/S3.	`changeme`
`global.backendServices.minio.secret.endpoint`	Endpoint for Minio/S3. (Change the Host if namespace is different from deepsource-application)	`minio.deepsource-application:9000`
`global.backendServices.minio.secret.signature`	Signature type for Minio/S3.	`s3v2`
`global.backendServices.minio.secret.useSSL`	Determines whether to use SSL for Minio. (If bringing your own minio)	`false`
`global.backendServices.minio.cm.buckets.artifacts.name`	Name for the Minio artifacts bucket.	`asgard-artifacts`
`global.backendServices.minio.cm.buckets.staticFiles.name`	Name for the Minio static files bucket.	`prod-asgard-static`
`global.backendServices.minio.cm.buckets.codeCache.name`	Name for the Minio code cache bucket.	`analysis-code-cache`
`global.backendServices.minio.cm.buckets.logs.name`	Name for the Minio logs bucket.	`deepsource-logs`

Auth configuration parameters

Name	Description	Value
`global.auth.admins`	Comma separated emails of users who should be promoted to "Enterprise Admins" and will have access to the Enterprise Control Panel which will allow them to manage other users and view installation-wide audit logs and reports.	`[email protected]`

SAML configuration parameters

Name	Description	Value
`global.auth.saml.enabled`	Determines whether SAML authentication is enabled.	`false`
`global.auth.saml.idpMetadataUrl`	IdP metadata URL, follow the guide for your respective Identity Provider to get this value.	`""`

SCIM configuration parameters

Name	Description	Value
`global.auth.scim.enabled`	Enable SCIM provisioning.	`false`
`global.auth.scim.authToken`	Enter a strong secret for SCIM provisioning.	`""`
`global.auth.socialAuth.enabled`	Determines whether social authentication is enabled.	`false`

Networking configuration parameters

Name	Description	Value
`global.networking.primaryDomain`	Hostname at which the DeepSource dashboard would be accessible, e.g. deepsource.example.com	`deepsource.example.com`
`global.networking.customAllowedHosts`	Comma-separated list of internal hostnames/IPs that will access the DeepSource Dashboard (other than the "Primary Domain" already set above).	`""`
`global.networking.redirectUriHostname`	Custom hostname to use for OAuth redirect URIs	`""`

Ingress configuration parameters

Controller configuration parameters

Name	Description	Value
`global.networking.ingress.controller.embedded.deploy`	Set to true if there is no Ingress controller in your cluster or false if your cluster already has an existing ingress controller	`false`
`global.networking.ingress.controller.className`	Class name of the Ingress controller	`nginx`
`global.networking.ingress.controller.annotations`	Annotations for the Ingress controller. Add your own annotations if you are bringing your own Ingress controller, otherwise use the annotations from the values.yaml file given.	`{}`

TLS configuration parameters

Name	Description	Value
`global.networking.ingress.tls.enabled`	Enable TLS for Ingress	`true`
`global.networking.ingress.tls.certManager.deploy`	Set to true if cert-manager should be deployed for certificate management	`false`
`global.networking.ingress.tls.secret.tlsCrt`	Secret containing the TLS certificate	`""`
`global.networking.ingress.tls.secret.tlsKey`	Secret containing the TLS private key	`""`
`global.networking.ingress.tls.secret.tlsEmail`	Email used for registering TLS certificate (if using cert-manager)	`""`

CustomCA configuration parameters

Name	Description	Value
`global.networking.customCA.upload`	Set to true if using a custom CA for TLS	`false`
`global.networking.customCA.secret.caBundle`	Secret containing the custom CA bundle, make sure it is in PEM format and full chain	`""`

Integrations configuration parameters

Slack integration configuration parameters

Name	Description	Value
`global.integrations.slack.enabled`	Enable Slack integration	`false`
`global.integrations.slack.secret.clientId`	Client ID for Slack integration	`""`
`global.integrations.slack.secret.clientSecret`	Client Secret for Slack integration	`""`
`global.integrations.slack.secret.signingSecret`	Signing Secret for Slack integration	`""`

Jira integration configuration parameters

Name	Description	Value
`global.integrations.jira.enabled`	Enable Jira integration	`false`
`global.integrations.jira.secret.clientId`	Client ID for Jira integration	`""`
`global.integrations.jira.secret.clientSecret`	Client Secret for Jira integration	`""`

Deployment Settings configuration parameters

Name	Description	Value
`global.deploymentSettings.image.repository`	OCI image repository	`registry.deepsource.com/images/deepsource-production`
`global.deploymentSettings.image.pullPolicy`	Image pull policy	`IfNotPresent`
`global.deploymentSettings.imagePullSecrets`	Image pull secrets	`undefined`
`global.deploymentSettings.logging.verbose.enabled`	Enable verbose logging	`false`
`global.deploymentSettings.beta.enabled`	Enable beta features	`false`
`global.deploymentSettings.airgap.enabled`	Enable airgap deployment	`false`
`global.deploymentSettings.secret.cacheMasterKey`	Secret for cache master key	`changeme`
`global.deploymentSettings.secret.accessTokenSalt`	Salt for access token generation, should be 22 characters long with no '$' symbol	`changeme`
`global.deploymentSettings.podAnnotations`	Common annotations for pods	`undefined`

External Registry configuration parameters

Currently we support Sonatype Nexus as an external registry.

Name	Description	Value
`global.deploymentSettings.externalRegistry.sonatypeNexus.secret.username`	Username for external registry	`""`
`global.deploymentSettings.externalRegistry.sonatypeNexus.secret.host`	Host for external registry	`""`
`global.deploymentSettings.externalRegistry.sonatypeNexus.secret.password`	Password for external registry	`""`
`global.deploymentSettings.externalRegistry.sonatypeNexus.secret.protocol`	Protocol for external registry (e.g., https)	`http`
`global.deploymentSettings.externalRegistry.sonatypeNexus.languageRegistry.python.path`	Path for Python packages in the external registry	`""`
`global.deploymentSettings.externalRegistry.sonatypeNexus.languageRegistry.go.path`	Path for Go packages in the external registry	`""`
`global.deploymentSettings.externalRegistry.sonatypeNexus.languageRegistry.kotlin.path`	Path for Kotlin packages in the external registry	`""`

Reporting configuration parameters

Name	Description	Value
`global.reporting.error.enabled`	Enable error reporting	`false`

License configuration parameters

Name	Description	Value
`global.license.token`	License token as a string	`""`

Troubleshooting

Generate support-bundle

Make sure yq is installed on your system. To Install. yq follow the installation guide: https://mikefarah.gitbook.io/yq/v/v3.x/
We use kubectl support-bundle plugin from troubleshoot.sh. To install support-bundle follow this guide:
1. Install krew for your system from https://krew.sigs.k8s.io/docs/user-guide/setup/install/
2. Once krew is installed and working run the following command
```
kubectl krew install support-bundle
```

Generate the support-bundle by running the following command:

curl https://assets.enterprise.deepsource.com/generate-support-bundle | sh -s <path-to-values-file>

Admin permission issues during initial setup

If you are having permission issues despite your email being in the global.auth.admins block in values file, run the following command after making sure all the DeepSource application pods are up and running.

APP_NAMESPACE="<deepsource-application-namespace>"; kubectl exec $(kubectl get pods -l app.kubernetes.io/name=asgard-main -n $APP_NAMESPACE -o jsonpath="{.items[0].metadata.name}") -n $APP_NAMESPACE -- python manage.py update_superusers

Manually running the migration

During installation or upgrade, the migrate job that runs post-install might fail due to various reasons after the backoff-limit is reached. To manually trigger the migration process run the following command

APP_NAMESPACE="<deepsource-application-namespace>"; kubectl exec $(kubectl get pods -l app.kubernetes.io/name=asgard-celery-serveanlytics -n $APP_NAMESPACE -o jsonpath="{.items[0].metadata.name}") -n $APP_NAMESPACE -- make bucket compress migrate