[Backport 6.11.x] Add priorityClassName to remaining pods (#785)

Linear issue [FEIE-297: Add `priorityClassName` to remaining
pods](https://linear.app/sourcegraph/issue/FEIE-297/add-priorityclassname-to-remaining-pods)

- Customer's Kubernetes cluster policy blocks pods from starting if they do not have a priorityClassName in their config.
- We already had support for priorityClassName, but only for ~5 pods, need to add this for all remaining pods
- Added logic so that priorityClassName could be defined once, under the `sourcegraph` top level key, and / or under each pod's top-level key, which would override the config on the `sourcegraph` top level key, so the customer could configure:

```yaml
sourcegraph:
  priorityClassName: p2

pgsql:
  priorityClassName: p1
```

### Checklist

- [x] Follow the [manual testing
process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md)
- [ ] Update
[changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md)
- [ ] Update [Kubernetes update
doc](https://docs.sourcegraph.com/admin/updates/kubernetes)

### Test plan

- Tested with Helm template
- Followed the manual testing process
- Deployed it on my test cluster, with the following override file:

```yaml
priorityClasses:
- name: test
  value: 100
  preemptionPolicy: Never
  description: "test"
- name: test2
  value: 102
  preemptionPolicy: Never
  description: "test2"

sourcegraph:
  image:
    defaultTag: 6.10.3349
    useGlobalTagAsDefault: true
  priorityClassName: test
```

- Then re-applied, adding:

```yaml
gitserver:
  priorityClassName: test2
```

- Both worked, output:

```
[2025-12-15 03:58:52] config % kubectl get pods -o custom-columns=NAME:.metadata.name,PRIORITY_CLASS:.spec.priorityClassName,PRIORITY_VALUE:.spec.priority
NAME                                         PRIORITY_CLASS   PRIORITY_VALUE
blobstore-579cbc4cb9-2gn69                   test             100
codeinsights-db-0                            test             100
codeintel-db-0                               test             100
gitserver-0                                  test2            102
gitserver-1                                  test2            102
grafana-0                                    test             100
indexed-search-0                             test             100
pgsql-0                                      test             100
precise-code-intel-worker-5b6bd8d898-9zrbg   test             100
prometheus-65468d765d-j4rgw                  test             100
redis-cache-595c746f84-2wxtf                 test             100
redis-store-5f4b87dbf4-8n24m                 test             100
searcher-0                                   test             100
sourcegraph-frontend-677d647479-77zrl        test             100
syntect-server-657b89b6f4-p59x6              test             100
worker-6d68db5b5c-twxkk                      test             100
``` 

<br> Backport a49fce2 from #778

Co-authored-by: Marc <7050295+marcleblanc2@users.noreply.github.com>

Author: sourcegraph-release-bot

TEST.md

@@ -23,7 +23,7 @@ helm plugin install https://github.com/helm-unittest/helm-unittest
 Once the plugin is installed, you can run the unit tests using the following:
 
 ```bash
-helm unittest --helm3 ./charts/sourcegraph/.
+helm unittest ./charts/sourcegraph
 ```
 
 We currently do not have testing best practices or require unit tests for new changes, so add test cases at your best judgement if possible.
@@ -59,7 +59,7 @@ Make sure you test both enabled and disabled toggles. For example, if you added
 You have two options to target specificy Sourcegraph version. Add the below to your `override.yaml`:
 
 ```yaml
-sourcegraph: 
+sourcegraph:
   image:
     defaultTag: "6.10.0"
     useGlobalTagAsDefault: true

charts/sourcegraph-executor/dind/README.md

@@ -79,6 +79,7 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | sourcegraph.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
 | sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods |
 | sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods |
+| sourcegraph.priorityClassName | string | `""` | Assign a priorityClass to all pods (daemonSets, deployments, and statefulSets) |
 | sourcegraph.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | storageClass.allowedTopologies | object | `{}` | Persistent volumes topology configuration, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies) |
 | storageClass.create | bool | `false` | Enable creation of storageClass. Defaults to Google Cloud Platform. Disable if you have your own existing storage class |

charts/sourcegraph-executor/dind/templates/_helpers/_priorityClassName.tpl

@@ -0,0 +1,20 @@
+{{/*
+
+Allow customers to assign a priorityClassName to all resources which create pods (ex. DaemonSets, Deployments, StatefulSets)
+
+Customers can configure an instance-wide default priorty class name at .Values.sourcegraph.priorityClassName,
+and can override it for individual services, if needed, at .Values.<service>.priorityClassName
+
+*/}}
+
+{{- define "sourcegraph.priorityClassName" -}}
+{{- $top := index . 0 }}
+{{- $service := index . 1 }}
+{{- $globalPriorityClassName := (index $top.Values "sourcegraph" "priorityClassName") }}
+{{- $servicePriorityClassName := (index $top.Values $service "priorityClassName") }}
+{{- if $servicePriorityClassName }}
+priorityClassName: {{ $servicePriorityClassName | toYaml | trim }}
+{{- else if $globalPriorityClassName }}
+priorityClassName: {{ $globalPriorityClassName | toYaml | trim }}
+{{- end }}
+{{- end }}

charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml

@@ -130,6 +130,7 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with include "sourcegraph.priorityClassName" (list . "executor") | trim }}{{ . | nindent 6 }}{{- end }}
       {{- with .Values.sourcegraph.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}

charts/sourcegraph-executor/dind/templates/private-docker-registry/private-docker-registry.Deployment.yaml

@@ -74,6 +74,7 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with include "sourcegraph.priorityClassName" (list . "privateDockerRegistry") | trim }}{{ . | nindent 6 }}{{- end }}
       {{- with .Values.sourcegraph.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}

charts/sourcegraph-executor/dind/values.yaml

@@ -30,6 +30,8 @@ sourcegraph:
   podAnnotations: {}
   # -- Add extra labels to attach to all pods
   podLabels: {}
+  # -- Assign a priorityClass to all pods (daemonSets, deployments, and statefulSets)
+  priorityClassName: ""
 
 
 storageClass:

charts/sourcegraph-executor/k8s/README.md

@@ -60,16 +60,16 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | executor.extraEnv | string | `nil` | Sets extra environment variables on the executor deployment. See `values.yaml` for the format. |
 | executor.frontendExistingSecret | string | `""` | Name of existing k8s Secret to use for frontend password The name of the secret must match `executor.name`, i.e., the name of the helm release used to deploy the helm chart. The k8s Secret must contain the key `EXECUTOR_FRONTEND_PASSWORD` matching the site config `executors.accessToken` value. `executor.frontendPassword` is ignored if this is enabled. |
 | executor.frontendPassword | string | `""` | The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required if `executor.frontendExistingSecret`` is not configured. |
-| executor.frontendUrl | string | `""` | The external URL of the Sourcegraph instance. Required. **Recommended:** set to the internal service endpoint (e.g. `http://sourcegraph-frontend.sourcegraph.svc.cluster.local:30080` if Sourcegraph is deployed in the `sourcegraph` namespace).  This will avoid unnecessary network charges as traffic will stay within the local network. |
+| executor.frontendUrl | string | `""` | The external URL of the Sourcegraph instance. Required. **Recommended:** set to the internal service endpoint (e.g. `http://sourcegraph-frontend.sourcegraph.svc.cluster.local:30080` if Sourcegraph is deployed in the `sourcegraph` namespace). This will avoid unnecessary network charges as traffic will stay within the local network. |
 | executor.image.defaultTag | string | `"6.0.0@sha256:6dc771a0c281a41ef676213f2f84a63d99045cf2e58d43022554a8022070ed65"` |  |
 | executor.image.name | string | `"executor-kubernetes"` |  |
 | executor.kubeconfigPath | string | `""` | The path to the kubeconfig file. If not specified, the in-cluster config is used. |
 | executor.kubernetesJob.deadline | string | `"1200"` | The number of seconds after which a Kubernetes job will be terminated. |
-| executor.kubernetesJob.fsGroup | string | `"1000"` | The group ID which is set on the job PVC file system.  |
-| executor.kubernetesJob.node.name | string | `""` | The name of the Kubernetes Node to create job pods on. If not specified, the pods are created on the first available node.  |
+| executor.kubernetesJob.fsGroup | string | `"1000"` | The group ID which is set on the job PVC file system. |
+| executor.kubernetesJob.node.name | string | `""` | The name of the Kubernetes Node to create job pods on. If not specified, the pods are created on the first available node. |
 | executor.kubernetesJob.node.requiredAffinityMatchExpressions | string | `""` | The JSON encoded required affinity match expressions for Kubernetes Jobs. e.g. '[{\"key\":\"foo\",\"operator\":\"In\",\"values\":[\"bar\"]}]' |
 | executor.kubernetesJob.node.requiredAffinityMatchFields | string | `""` | The JSON encoded required affinity match fields for Kubernetes Jobs. e.g. '[{\"key\":\"foo\",\"operator\":\"In\",\"values\":[\"bar\"]}]' |
-| executor.kubernetesJob.node.selector | string | `""` | A comma separated list of values to use as a node selector for Kubernetes Jobs. e.g. `foo=bar,app=my-app`  |
+| executor.kubernetesJob.node.selector | string | `""` | A comma separated list of values to use as a node selector for Kubernetes Jobs. e.g. `foo=bar,app=my-app` |
 | executor.kubernetesJob.node.tolerations | string | `""` | The JSON encoded tolerations for Kubernetes Jobs. e.g. '[{\"key\":\"foo\",\"operator\":\"Equal\",\"value\":\"bar\",\"effect\":\"NoSchedule\"}]' |
 | executor.kubernetesJob.pod.affinity | string | `""` | The JSON encoded pod affinity for Kubernetes Jobs. e.g. '[{\"labelSelector\": {\"matchExpressions\": [{\"key\": \"foo\",\"operator\": \"In\",\"values\": [\"bar\"]}]},\"topologyKey\": \"kubernetes.io/hostname\"}]' |
 | executor.kubernetesJob.pod.antiAffinity | string | `""` | The JSON encoded pod anti-affinity for Kubernetes Jobs. e.g. '[{\"labelSelector\": {\"matchExpressions\": [{\"key\": \"foo\",\"operator\": \"In\",\"values\": [\"bar\"]}]},\"topologyKey\": \"kubernetes.io/hostname\"}]' |
@@ -108,6 +108,7 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | sourcegraph.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
 | sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods |
 | sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods |
+| sourcegraph.priorityClassName | string | `""` | Assign a priorityClass to all pods (daemonSets, deployments, and statefulSets) |
 | sourcegraph.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | storageClass.allowedTopologies | object | `{}` | Persistent volumes topology configuration, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies) |
 | storageClass.create | bool | `false` | Enable creation of storageClass. Defaults to Google Cloud Platform. Disable if you have your own existing storage class |

charts/sourcegraph-executor/k8s/templates/_helpers/_priorityClassName.tpl

@@ -0,0 +1,20 @@
+{{/*
+
+Allow customers to assign a priorityClassName to all resources which create pods (ex. DaemonSets, Deployments, StatefulSets)
+
+Customers can configure an instance-wide default priorty class name at .Values.sourcegraph.priorityClassName,
+and can override it for individual services, if needed, at .Values.<service>.priorityClassName
+
+*/}}
+
+{{- define "sourcegraph.priorityClassName" -}}
+{{- $top := index . 0 }}
+{{- $service := index . 1 }}
+{{- $globalPriorityClassName := (index $top.Values "sourcegraph" "priorityClassName") }}
+{{- $servicePriorityClassName := (index $top.Values $service "priorityClassName") }}
+{{- if $servicePriorityClassName }}
+priorityClassName: {{ $servicePriorityClassName | toYaml | trim }}
+{{- else if $globalPriorityClassName }}
+priorityClassName: {{ $globalPriorityClassName | toYaml | trim }}
+{{- end }}
+{{- end }}

charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml

@@ -99,6 +99,7 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with include "sourcegraph.priorityClassName" (list . "executor") | trim }}{{ . | nindent 6 }}{{- end }}
       {{- with .Values.executor.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}

charts/sourcegraph-executor/k8s/values.yaml

@@ -32,6 +32,8 @@ sourcegraph:
   podAnnotations: { }
   # -- Add extra labels to attach to all pods
   podLabels: { }
+  # -- Assign a priorityClass to all pods (daemonSets, deployments, and statefulSets)
+  priorityClassName: ""
 
 
 storageClass:
@@ -68,7 +70,7 @@ executor:
     requests:
       cpu: 500m
       memory: 200Mi
-  # -- The external URL of the Sourcegraph instance. Required. **Recommended:** set to the internal service endpoint (e.g. `http://sourcegraph-frontend.sourcegraph.svc.cluster.local:30080` if Sourcegraph is deployed in the `sourcegraph` namespace). 
+  # -- The external URL of the Sourcegraph instance. Required. **Recommended:** set to the internal service endpoint (e.g. `http://sourcegraph-frontend.sourcegraph.svc.cluster.local:30080` if Sourcegraph is deployed in the `sourcegraph` namespace).
   # This will avoid unnecessary network charges as traffic will stay within the local network.
   frontendUrl: ""
   # -- Name of existing k8s Secret to use for frontend password
@@ -86,13 +88,13 @@ executor:
   maximumNumJobs: 10
   # - The maximum wall time that can be spent on a single job.
   maximumRuntimePerJob: "30m"
-  
+
   log:
     # -- Possible values are `dbug`, `info`, `warn`, `eror`, `crit`.
     level: "warn"
     format: "condensed"
     trace: "false"
-  
+
   # -- The storage size of the PVC attached to the executor deployment.
   storageSize: 10Gi
   # -- The namespace in which jobs are generated by the executor.
@@ -102,24 +104,24 @@ executor:
   # -- The containerSecurityContext for the executor image
   securityContext:
     # @default -- nil; accepts [0, 2147483647]
-    runAsUser: 
+    runAsUser:
     # @default -- nil; accepts [0, 2147483647]
-    runAsGroup: 
+    runAsGroup:
     # @default -- nil; accepts [0, 2147483647]
     fsGroup:
     # @default -- false; accepts [true, false]
     privileged: false
-  
+
   kubernetesJob:
     # -- The number of seconds after which a Kubernetes job will be terminated.
     deadline: "1200"
     # -- (int) The user ID to run Kubernetes jobs as.
     # @default -- `nil`; accepts [0, 2147483647]
-    runAsUser: 
+    runAsUser:
     # -- (int) The group ID to run Kubernetes jobs as.
     # @default -- `nil`; accepts [0, 2147483647]
-    runAsGroup: 
-    # -- The group ID which is set on the job PVC file system. 
+    runAsGroup:
+    # -- The group ID which is set on the job PVC file system.
     fsGroup: "1000"
     resources:
       requests:
@@ -132,11 +134,11 @@ executor:
         cpu: ""
         # -- The maximum memory for a job.
         memory: "12Gi"
-    
+
     node:
-      # -- The name of the Kubernetes Node to create job pods on. If not specified, the pods are created on the first available node. 
+      # -- The name of the Kubernetes Node to create job pods on. If not specified, the pods are created on the first available node.
       name: ""
-      # -- A comma separated list of values to use as a node selector for Kubernetes Jobs. e.g. `foo=bar,app=my-app` 
+      # -- A comma separated list of values to use as a node selector for Kubernetes Jobs. e.g. `foo=bar,app=my-app`
       selector: ""
       # -- The JSON encoded tolerations for Kubernetes Jobs. e.g. '[{\"key\":\"foo\",\"operator\":\"Equal\",\"value\":\"bar\",\"effect\":\"NoSchedule\"}]'
       tolerations: ""
@@ -150,28 +152,28 @@ executor:
       affinity: ""
       # -- The JSON encoded pod anti-affinity for Kubernetes Jobs. e.g. '[{\"labelSelector\": {\"matchExpressions\": [{\"key\": \"foo\",\"operator\": \"In\",\"values\": [\"bar\"]}]},\"topologyKey\": \"kubernetes.io/hostname\"}]'
       antiAffinity: ""
-  
+
   debug:
     # -- If true, Kubernetes jobs will not be deleted after they complete. Not recommended for production use as it can hit cluster limits.
     keepJobs: "false"
     keepWorkspaces: "false"
-  
+
   # -- Affinity,
   # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
   affinity: { }
-  
+
   # -- NodeSelector,
   # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
   nodeSelector: { }
-  
+
   # -- Tolerations,
   # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
   tolerations: [ ]
-  
+
   # -- Sets extra environment variables on the executor deployment. See `values.yaml` for the format.
   extraEnv:
 #   - name: MY_ENV
 #     value: my_value
-  
+
   # -- For local deployments the host is 'host.docker.internal' and this needs to be true
   dockerAddHostGateway: "false"