Prerequisites
Before proceeding, ensure you have the following prerequisites in place:
-
Create two kubernetes node groups (for application & analysis workloads) and label the nodes in the node groups (eg: workload: deepsource-application & workload: deepsource-analysis)
-
The minimum specifications for the nodes are as follows:
-
Application Node group
- CPU:
16 Cores
- Memory:
32 GiB
- Disk:
128 GiB
-
Analysis Node group
- CPU:
16 Cores
- Memory:
32 GiB
- Disk:
256 GiB
-
Create two namespaces
deepsource-application - kubectl create ns deepsource-applicationdeepsource-analysis - kubectl create ns deepsource-analysis
-
Create an external database using the following guide: /docs/enterprise-server-configuration#bring-your-own-database. You can skip this step for pilot installation.
-
Obtain a license by reaching out to sales@deepsource.io
-
Make sure to use at least helm v3.8.0, prior versions require HELM_EXPERIMENTAL_OCI=1environment variable to be set.
Install
- Login to the helm registry using the obtained credentials
- Obtain the default values.yaml file from the chart and write to a file
- Make the necessary changes to the newly created values.yaml file by following the configuration guide.
- Install DeepSource Enterprise Server
Upgrade
-
Login to the registry using the obtained credential
-
Upgrade DeepSource Enterprise Server using your existing values.yaml
Go through the changelog.md in the helm package to make sure there aren’t any breaking changes.
Configuration
- All the values with
changeme as the default value must be changed and are considered a security risk if left unchanged.
- Wherever applicable, If you have a value that contains newlines (for example, a private key), use a multi-line literal style yaml string (starts with |).
- The Persistent Volumes (PVs) don’t get cleaned up automatically when the chart is uninstalled. You need to manually delete the PVs if you want to clean up the data.
Global configuration creation parameters
| Name | Description | Value |
|---|
global.secret.create | Determines whether to create a secret. Set to true to create. Set to false if you want to manage secrets yourself (using the external-secrets operator, for example). | true |
global.cm.create | Determines whether to create a configuration map. Set to true to create. Do not set it to false unless you really know what you are doing. | true |
Cluster Settings configuration parameters
Analysis node group configuration parameters
| Name | Description | Value |
|---|
global.clusterSettings.analysis.namespace | Namespace for analysis jobs | deepsource-analysis |
global.clusterSettings.analysis.nodeSelector | Node selector for analysis nodes | {} |
global.clusterSettings.analysis.tolerations | Tolerations for analysis nodes | {} |
global.clusterSettings.analysis.affinity | Affinity settings for analysis nodes | {} |
Application node group configuration parameters
| Name | Description | Value |
|---|
global.clusterSettings.application.namespace | Namespace for application | deepsource-application |
global.clusterSettings.application.nodeSelector | Node selector for application nodes | {} |
global.clusterSettings.application.tolerations | Tolerations for application nodes | {} |
global.clusterSettings.application.affinity | Affinity settings for application nodes | {} |
Version Control System (VCS) configuration parameters
Github configuration parameters
| Name | Description | Value |
|---|
global.vcs.github.enabled | Determines whether GitHub integration is enabled. Learn how to configure the application here. | false |
global.vcs.github.secret.appId | The App ID for your GitHub App. You can find this in your GitHub App settings. | "" |
global.vcs.github.secret.appSlug | GitHub generates a slug for each app based on its name. It is the last part of the public link of your app. | "" |
global.vcs.github.secret.clientId | The Client ID for your GitHub App. | "" |
global.vcs.github.secret.secretKey | The client secret for your GitHub App. | "" |
global.vcs.github.secret.webhookSecret | Enter the webhook secret you supplied while creating the app. | "" |
global.vcs.github.secret.privateKey | After creating the app, generate a private key for token requests and paste it here as a multi-line literal style yaml string | "" |
Github Enterprise configuration parameters
| Name | Description | Value |
|---|
global.vcs.githubEnterprise.enabled | Determines whether GitHub Enterprise integration is enabled. Learn how to configure the application here. | false |
global.vcs.githubEnterprise.secret.hostDomain | Enter the hostname of your GitHub instance, e.g., github.example.com. | "" |
global.vcs.githubEnterprise.secret.appId | The App ID for your GitHub Enterprise App. | "" |
global.vcs.githubEnterprise.secret.appSlug | GitHub generates a slug for each app based on its name. It is the last part of the public link of your app. | "" |
global.vcs.githubEnterprise.secret.clientId | The Client ID for your GitHub Enterprise App. | "" |
global.vcs.githubEnterprise.secret.secretKey | The client secret for your GitHub Enterprise App. | "" |
global.vcs.githubEnterprise.secret.webhookSecret | Enter the webhook secret you supplied while creating the app. | "" |
global.vcs.githubEnterprise.secret.privateKey | After creating the app, generate a private key for token requests and paste it here as a multi-line literal style yaml string | "" |
Gitlab configuration parameters
| Name | Description | Value |
|---|
global.vcs.gitlab.enabled | Determines whether GitLab integration is enabled. Learn how to configure the application here. | false |
global.vcs.gitlab.cm.version | Set the Gitlab Server version you are currently using, if it is the self-hosted version. | "" |
global.vcs.gitlab.secret.hostDomain | Enter the hostname of your GitLab instance, e.g., gitlab.example.com. | "" |
global.vcs.gitlab.secret.appId | Enter the generated Application ID for your GitLab App. | "" |
global.vcs.gitlab.secret.appName | The name of your GitLab App. | "" |
global.vcs.gitlab.secret.appSecret | Secret generated by GitLab on creation of the app. | "" |
global.vcs.gitlab.secret.webhookSecret | Enter a desired webhook secret for GitLab. Ensure that the secret matches the value you configured here. | changeme |
Bitbucket configuration parameters
| Name | Description | Value |
|---|
global.vcs.bitbucket.enabled | Determines whether Bitbucket integration is enabled. Learn how to configure the application here. | false |
global.vcs.bitbucket.secret.addonClientId | The client ID of your Bitbucket app. | "" |
global.vcs.bitbucket.secret.addonSecret | The secret of your Bitbucket app. | "" |
global.vcs.bitbucket.secret.oAuthClientId | The Bitbucket OAuth consumer key. | "" |
global.vcs.bitbucket.secret.oAuthSecret | The Bitbucket OAuth consumer secret. | "" |
Bitbucket Data Center configuration parameters
| Name | Description | Value |
|---|
global.vcs.bitbucketDataCenter.enabled | Determines whether Bitbucket Data Center integration is enabled. Learn how to configure the application here. | false |
global.vcs.bitbucketDataCenter.cm.hostScheme | HTTP scheme of your Bitbucket Data Center instance (options: http or https). | https |
global.vcs.bitbucketDataCenter.cm.hostDomain | hostname of your Bitbucket Data Center instance (e.g. bitbucket.acme.com). | "" |
global.vcs.bitbucketDataCenter.secret.oAuth2Key | Client ID generated by Bitbucket Data Center on creation of the OAuth2 app. | "" |
global.vcs.bitbucketDataCenter.secret.oAuth2Secret | Client secret generated by Bitbucket Data Center on creation of the OAuth2 app. | "" |
global.vcs.bitbucketDataCenter.secret.webhookSecret | A desired webhook secret for Bitbucket Data Center. | changeme |
AzureDevOps configuration parameters
| Name | Description | Value |
|---|
global.vcs.azureDevOps.enabled | Determines whether Azure DevOps integration is enabled. Learn how to configure the application here. | false |
global.vcs.azureDevOps.secret.hostDomain | The domain of your Azure DevOps instance. | "" |
global.vcs.azureDevOps.secret.authorityHost | The authority host for Azure DevOps. | "" |
global.vcs.azureDevOps.secret.applicationId | The Application ID for Azure DevOps. | "" |
global.vcs.azureDevOps.secret.applicationSecret | The Application Secret for Azure DevOps. | "" |
global.vcs.azureDevOps.secret.webhookSecret | Enter the webhook secret for Azure DevOps. | "" |
GSR configuration parameters
| Name | Description | Value |
|---|
global.vcs.gsr.enabled | Determines whether GSR integration is enabled. Learn how to configure the application here. | false |
global.vcs.gsr.secret.cliendId | GSR Client ID. | "" |
global.vcs.gsr.secret.clientSecret | GSR Client Secret. | "" |
global.vcs.gsr.secret.webhookAudience | String entered in the Audience section for authentication of webhooks. | "" |
Backend Services/Dependencies configuration parameters
RabbitMQ configuration parameters
| Name | Description | Value |
|---|
global.backendServices.rabbitmq.embedded.deploy | Set to true if RabbitMQ should be deployed. | true |
global.backendServices.rabbitmq.secret.host | Hostname for RabbitMQ. | rabbitmq.deepsource-application |
global.backendServices.rabbitmq.secret.port | Port for RabbitMQ. | 5672 |
global.backendServices.rabbitmq.secret.protocol | Protocol for RabbitMQ. | amqp |
global.backendServices.rabbitmq.secret.erlangCookie | Erlang Cookie for RabbitMQ. | changeme |
global.backendServices.rabbitmq.secret.services.atlas.username | Username for the Atlas RabbitMQ user. | atlas |
global.backendServices.rabbitmq.secret.services.atlas.password | Password for the Atlas RabbitMQ user. | changeme |
global.backendServices.rabbitmq.secret.services.asgard.username | Username for the Asgard RabbitMQ user. | asgard |
global.backendServices.rabbitmq.secret.services.asgard.password | Password for the Asgard RabbitMQ user. | changeme |
global.backendServices.rabbitmq.secret.services.janus.username | Username for the Janus RabbitMQ user. | janus |
global.backendServices.rabbitmq.secret.services.janus.password | Password for the Janus RabbitMQ user. | changeme |
global.backendServices.rabbitmq.secret.services.mater.username | Username for the Mater RabbitMQ user. | mater |
global.backendServices.rabbitmq.secret.services.mater.password | Password for the Mater RabbitMQ user. | changeme |
global.backendServices.rabbitmq.secret.services.admin.username | Username for the Admin RabbitMQ user. | admin |
global.backendServices.rabbitmq.secret.services.admin.password | Password for the Admin RabbitMQ user. | changeme |
Redis configuration parameters
| Name | Description | Value |
|---|
global.backendServices.redis.embedded.deploy | Set to true if Redis should be deployed. | true |
global.backendServices.redis.secret.host | Hostname for Redis. (Change the Host if namespace is different from deepsource-application) | redis-haproxy.deepsource-application |
global.backendServices.redis.secret.port | Port for Redis. | 6379 |
global.backendServices.redis.secret.protocol | Protocol for Redis. | redis |
global.backendServices.redis.services.atlas.machinery.database | Database for the Atlas Redis user. | 3 |
global.backendServices.redis.services.atlas.publish.database | Database for the Atlas Redis publish user. | 0 |
global.backendServices.redis.services.asgard.database | Database for the Asgard Redis user. | 0 |
global.backendServices.redis.services.janus.machinery.database | Database for the Janus Redis machinery user. | 3 |
global.backendServices.redis.services.janus.hub.database | Database for the Janus Redis hub user. | 4 |
global.backendServices.redis.services.janus.auth.database | Database for the Janus Redis auth user. | 1 |
global.backendServices.redis.services.janus.auth.keyPrefix | Key prefix for the Janus Redis auth user. | :1:contrib.sessions.custom_cached_db |
PostgreSQL configuration parameters
- When using embedded PostgreSQL, the values once set are not changed. If you want to change the values, you need to delete the PostgreSQL PVCs & PVs and then change the values.
- To configure your PostgreSQL database, follow the guide.
| Name | Description | Value |
|---|
global.backendServices.postgresql.embedded.deploy | Set to true if PostgreSQL should be deployed. | true |
global.backendServices.postgresql.connectionPooler.deploy | Determines whether to deploy the connection pooler (PgBouncer). | true |
global.backendServices.postgresql.secret.host | Hostname for PostgreSQL. (Change the Host if namespace is different from deepsource-application OR if you are bringing your own database) | postgresql.deepsource-application |
global.backendServices.postgresql.secret.port | Port for PostgreSQL. | 5432 |
global.backendServices.postgresql.secret.database | Name for the PostgreSQL database. | asgard |
global.backendServices.postgresql.secret.user | User for PostgreSQL database. | asgard |
global.backendServices.postgresql.secret.password | Password for the PostgreSQL database. | changeme |
Minio/S3 Compatible Storage configuration parameters
| Name | Description | Value |
|---|
global.backendServices.minio.embedded.deploy | Set to true if Minio should be deployed. | true |
global.backendServices.minio.secret.accessKey | Access key for Minio/S3. | deepsource |
global.backendServices.minio.secret.secretKey | Secret key for Minio/S3. | changeme |
global.backendServices.minio.secret.endpoint | Endpoint for Minio/S3. (Change the Host if namespace is different from deepsource-application) | minio.deepsource-application:9000 |
global.backendServices.minio.secret.signature | Signature type for Minio/S3. | s3v2 |
global.backendServices.minio.secret.useSSL | Determines whether to use SSL for Minio. (If bringing your own minio) | false |
global.backendServices.minio.cm.buckets.artifacts.name | Name for the Minio artifacts bucket. | asgard-artifacts |
global.backendServices.minio.cm.buckets.staticFiles.name | Name for the Minio static files bucket. | prod-asgard-static |
global.backendServices.minio.cm.buckets.codeCache.name | Name for the Minio code cache bucket. | analysis-code-cache |
global.backendServices.minio.cm.buckets.logs.name | Name for the Minio logs bucket. | deepsource-logs |
Auth configuration parameters
| Name | Description | Value |
|---|
global.auth.admins | Comma separated emails of users who should be promoted to “Enterprise Admins” and will have access to the Enterprise Control Panel which will allow them to manage other users and view installation-wide audit logs and reports. | [admin@example.org] |
SAML configuration parameters
| Name | Description | Value |
|---|
global.auth.saml.enabled | Determines whether SAML authentication is enabled. | false |
global.auth.saml.idpMetadataUrl | IdP metadata URL, follow the guide for your respective Identity Provider to get this value. | "" |
SCIM configuration parameters
| Name | Description | Value |
|---|
global.auth.scim.enabled | Enable SCIM provisioning. | false |
global.auth.scim.authToken | Enter a strong secret for SCIM provisioning. | "" |
global.auth.socialAuth.enabled | Determines whether social authentication is enabled. | false |
Networking configuration parameters
| Name | Description | Value |
|---|
global.networking.primaryDomain | Hostname at which the DeepSource dashboard would be accessible, e.g. deepsource.example.com | deepsource.example.com |
global.networking.customAllowedHosts | Comma-separated list of internal hostnames/IPs that will access the DeepSource Dashboard (other than the “Primary Domain” already set above). | "" |
global.networking.redirectUriHostname | Custom hostname to use for OAuth redirect URIs | "" |
Ingress configuration parameters
Controller configuration parameters
| Name | Description | Value |
|---|
global.networking.ingress.controller.embedded.deploy | Set to true if there is no Ingress controller in your cluster or false if your cluster already has an existing ingress controller | false |
global.networking.ingress.controller.className | Class name of the Ingress controller | nginx |
global.networking.ingress.controller.annotations | Annotations for the Ingress controller. Add your own annotations if you are bringing your own Ingress controller, otherwise use the annotations from the values.yaml file given. | {} |
TLS configuration parameters
| Name | Description | Value |
|---|
global.networking.ingress.tls.enabled | Enable TLS for Ingress | true |
global.networking.ingress.tls.certManager.deploy | Set to true if cert-manager should be deployed for certificate management | false |
global.networking.ingress.tls.secret.tlsCrt | Secret containing the TLS certificate | "" |
global.networking.ingress.tls.secret.tlsKey | Secret containing the TLS private key | "" |
global.networking.ingress.tls.secret.tlsEmail | Email used for registering TLS certificate (if using cert-manager) | "" |
CustomCA configuration parameters
| Name | Description | Value |
|---|
global.networking.customCA.upload | Set to true if using a custom CA for TLS | false |
global.networking.customCA.secret.caBundle | Secret containing the custom CA bundle, make sure it is in PEM format and full chain | "" |
Integrations configuration parameters
Slack integration configuration parameters
| Name | Description | Value |
|---|
global.integrations.slack.enabled | Enable Slack integration | false |
global.integrations.slack.secret.clientId | Client ID for Slack integration | "" |
global.integrations.slack.secret.clientSecret | Client Secret for Slack integration | "" |
global.integrations.slack.secret.signingSecret | Signing Secret for Slack integration | "" |
Jira integration configuration parameters
| Name | Description | Value |
|---|
global.integrations.jira.enabled | Enable Jira integration | false |
global.integrations.jira.secret.clientId | Client ID for Jira integration | "" |
global.integrations.jira.secret.clientSecret | Client Secret for Jira integration | "" |
Deployment Settings configuration parameters
| Name | Description | Value |
|---|
global.deploymentSettings.image.repository | OCI image repository | registry.deepsource.com/images/deepsource-production |
global.deploymentSettings.image.pullPolicy | Image pull policy | IfNotPresent |
global.deploymentSettings.imagePullSecrets | Image pull secrets | undefined |
global.deploymentSettings.logging.verbose.enabled | Enable verbose logging | false |
global.deploymentSettings.beta.enabled | Enable beta features | false |
global.deploymentSettings.airgap.enabled | Enable airgap deployment | false |
global.deploymentSettings.secret.cacheMasterKey | Secret for cache master key | changeme |
global.deploymentSettings.secret.accessTokenSalt | Salt for access token generation, should be 22 characters long with no ’$’ symbol | changeme |
global.deploymentSettings.podAnnotations | Common annotations for pods | undefined |
External Registry configuration parameters
Currently we support Sonatype Nexus as an external registry.
| Name | Description | Value |
|---|
global.deploymentSettings.externalRegistry.sonatypeNexus.secret.username | Username for external registry | "" |
global.deploymentSettings.externalRegistry.sonatypeNexus.secret.host | Host for external registry | "" |
global.deploymentSettings.externalRegistry.sonatypeNexus.secret.password | Password for external registry | "" |
global.deploymentSettings.externalRegistry.sonatypeNexus.secret.protocol | Protocol for external registry (e.g., https) | http |
global.deploymentSettings.externalRegistry.sonatypeNexus.languageRegistry.python.path | Path for Python packages in the external registry | "" |
global.deploymentSettings.externalRegistry.sonatypeNexus.languageRegistry.go.path | Path for Go packages in the external registry | "" |
global.deploymentSettings.externalRegistry.sonatypeNexus.languageRegistry.kotlin.path | Path for Kotlin packages in the external registry | "" |
Reporting configuration parameters
| Name | Description | Value |
|---|
global.reporting.error.enabled | Enable error reporting | false |
License configuration parameters
| Name | Description | Value |
|---|
global.license.token | License token as a string | "" |
Troubleshooting
Generate support-bundle
-
Make sure yq is installed on your system. To Install. yq follow the installation guide: https://mikefarah.gitbook.io/yq/v/v3.x/
-
We use kubectl support-bundle plugin from troubleshoot.sh. To install support-bundle follow this guide:
- Install krew for your system from https://krew.sigs.k8s.io/docs/user-guide/setup/install/
- Once krew is installed and working run the following command
-
Generate the support-bundle by running the following command:
Admin permission issues during initial setup
If you are having permission issues despite your email being in the global.auth.admins block in values file, run the following command after making sure all the DeepSource application pods are up and running.
Manually running the migration
During installation or upgrade, the migrate job that runs post-install might fail due to various reasons after the backoff-limit is reached. To manually trigger the migration process run the following command
