…afana sts (#628)

regression from
#617

it's now rendering `_SSLMODE` twice in the grafana sts

### Checklist

- [ ] Follow the [manual testing
process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md)
- [ ] Update
[changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md)
- [ ] Update [Kubernetes update
doc](https://docs.sourcegraph.com/admin/updates/kubernetes)

### Test plan

CI <br> Backport bb2d4f1 from #627

Co-authored-by: Michael Lin <mlzc@hey.com>

The start of a resolution for
[REL-690](https://linear.app/sourcegraph/issue/REL-690/add-runasuser-runasgroup-fsgroup-to-executor-helm-chart).
Need to test this out to see how it works. There are sample overrides in
[this
thread](https://sourcegraph.slack.com/archives/C0418GDBT7S/p1738581012896529?thread_ts=1738580801.517539&cid=C0418GDBT7S)

### Checklist

- [x] Follow the [manual testing
process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md)
- [ ] Update
[changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md)
- [ ] Update [Kubernetes update
doc](https://docs.sourcegraph.com/admin/updates/kubernetes)

### Test plan
Run the example overrides from the thread and see if the executor runs
and doesn't fail. In particular we want a _named_ user that is not
privileged.

 <br> Backport 45e5817 from #632

Co-authored-by: Anish Lakhwara <anish+github@lakhwara.com>

…ate main target bug (#702)

Closes REL-1068

## Problem

The release pipeline has been systematically failing in the
`promoteToPublic.finalize` workflow with this error:
```
Warning: 1 uncommitted change
must be on a branch named differently than 'promote/release-v6.4.3889-update-main'
```

## Root Cause

The final `github:pr` step in the `promoteToPublic.finalize` workflow
was incorrectly trying to create a PR from the current branch to itself:

- **Current branch**: `promote/release-{{version}}-update-main`
- **Target branch**: `promote/release-{{version}}-update-main` ❌ (same
branch!)
- **Should target**: `main` ✅

This happened because the variable `internal_branch` was set to the
current branch name instead of the intended target branch.

### Test plan
This will have to be tested on a release <br> Backport
1c06d26 from #699

Co-authored-by: Warren Gifford <warrenbruceg@gmail.com>

…amp registry (#728)

## Problem
The release creation process was failing with 404 errors when trying to
fetch images like cadvisor:6.6.2517 from the legacy internal registry.

## Root Cause
Recent changes in the main sourcegraph repo migrated from legacy
registries to new 'revamp' registries, but the deploy repos were
still hardcoded to use the old registry.

## Solution
- Replace `us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal`
with `us-docker.pkg.dev/sourcegraph-images/internal`
- Updated release.yaml with all registry references
- Tested and confirmed images exist in the new registry

## Test Plan
- Validated that cadvisor:6.6.2517 exists in new registry but not in old
registry
- Successfully tested sg ops update-images command with new registry
- Confirmed this fixes the original 404 errors during release creation
<br> Backport 22e639f from #727

Co-authored-by: Warren Gifford <warrenbruceg@gmail.com>
Co-authored-by: Amp <amp@ampcode.com>

- Customer was blocked on an issue with our Helm chart + Istio
- Istio uses the first part of a port name, and service definitions, to
configure its service mesh sidecar proxy containers, based on the
expected traffic type; docs:
https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection
- The `http-` prefix in the port name wasn't updated when we
switched to gRPC, so Istio was auto-configuring for http, and failing to
send the gRPC traffic
- There was an old `unused` port in the gitserver service definition,
which I couldn't find any history for, it's been there for 7+
years, so I added gRPC port 3178 in its place
- Making these updates automagically fixes Istio issues, no longer
requiring the Envoy patch in
[charts/sourcegraph/examples/envoy](https://github.com/sourcegraph/deploy-sourcegraph-helm/tree/main/charts/sourcegraph/examples/envoy)

- Helpful background on Istio here
https://istio.io/latest/docs/ops/deployment/architecture/

### Checklist

- [x] Follow the [manual testing
process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md)
- [x] Update
[changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md)
- [x] Update [Kubernetes update
doc](https://docs.sourcegraph.com/admin/updates/kubernetes)

This change should be invisible, except for customers using the Envoy
patch for gitserver, so it's worth mentioning in release notes,
where do you recommend I mention this?

### Test plan

Developed and tested with a customer, on their self-hosted instance with
Istio

Tested on a k3s instance:
- Deployed the 6.9.0 release
- Upgraded the Helm install with this branch
[marc-test-fix-gitserver-ports-for-istio](https://github.com/sourcegraph/deploy-sourcegraph-helm/tree/marc-test-fix-gitserver-ports-for-istio),
which is the same code changes, but on top of the v6.9.0 release commit
instead of main, to test for any issues for existing customers as they
upgrade
- Configured a code host
- Cloned some repos
- Ran some searches
- Checked pod logs
- No errors / issues

Tested on an AWS EKS instance <br> Backport
0074a7e from #756

## Changelog

- Update port names to re-enable service mesh auto config, after
migration to gRPC
- Self-hosted customers using our Helm chart and a Kubernetes service
mesh (ex. Istio / Envoy) who had to add an Istio
[EnvoyFilter](https://github.com/sourcegraph/deploy-sourcegraph-helm/tree/main/charts/sourcegraph/examples/envoy)
to enable trailers on gitserver may need to remove it, if gitserver can
no longer communicate with other pods after upgrading

Co-authored-by: Marc <7050295+marcleblanc2@users.noreply.github.com>