shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-05 14:08:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0900a44ff30eb3a6c0e5d2b93d4cd891a4f42457
coder/helm/coder/values.yaml
T
blinkagent[bot] 892b226837 fix(helm): allow overriding CODER_PPROF_ADDRESS and CODER_PROMETHEUS_ADDRESS (#21714) 
## Summary

Previously, `CODER_PPROF_ADDRESS` and `CODER_PROMETHEUS_ADDRESS` were
hardcoded in the Helm chart template to `0.0.0.0:6060` and
`0.0.0.0:2112` respectively. These values could not be overridden via
`coder.env` values because the hardcoded values were set first in the
template, and Kubernetes uses the first occurrence of duplicate env
vars.

This was a security concern because binding to `0.0.0.0` exposes these
endpoints to any pod in the cluster:
- **pprof** can expose sensitive runtime information (goroutine stacks,
heap profiles, CPU profiles that may contain memory contents)
- **Prometheus metrics** may contain sensitive operational data

## Changes

1. **`helm/coder/templates/_coder.tpl`**: Added logic to check if the
user has set `CODER_PPROF_ADDRESS` or `CODER_PROMETHEUS_ADDRESS` in
`coder.env` before applying the default values. If the user provides a
value, the hardcoded default is skipped.

2. **`helm/coder/values.yaml`**: Updated documentation to:
   - Remove these vars from the "cannot be overridden" list
- Add them to a new "can be overridden" section with security
recommendations

3. **Tests**: Added test cases for both override scenarios with
corresponding golden files.

## Usage

Users can now restrict pprof and prometheus to localhost only:

```yaml
coder:
  env:
    - name: CODER_PPROF_ADDRESS
      value: "127.0.0.1:6060"
    - name: CODER_PROMETHEUS_ADDRESS  
      value: "127.0.0.1:2112"
```

## Local Testing

To verify the fix locally:

```bash
# Update helm dependencies
cd helm/coder && helm dependency update

# Test default behavior (should show 0.0.0.0)
helm template coder . -f tests/testdata/default_values.yaml --namespace default | grep -A1 'CODER_PPROF_ADDRESS\|CODER_PROMETHEUS_ADDRESS'

# Test pprof override (should show 127.0.0.1:6060)
helm template coder . -f tests/testdata/pprof_address_override.yaml --namespace default | grep -A1 'CODER_PPROF_ADDRESS'

# Test prometheus override (should show 127.0.0.1:2112)
helm template coder . -f tests/testdata/prometheus_address_override.yaml --namespace default | grep -A1 'CODER_PROMETHEUS_ADDRESS'

# Run Go tests
cd tests && go test . -v
```

Fixes #21713

---------
Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: uzair-coder07 <uzair@coder.com>
2026-02-02 19:03:06 -06:00

461 lines
20 KiB
YAML
Raw Blame History

# coder -- Primary configuration for `coder server`.
coder:
# coder.env -- The environment variables to set for Coder. These can be used
# to configure all aspects of `coder server`. Please see `coder server --help`
# for information about what environment variables can be set.
# Note: The following environment variables are set by default and cannot be
# overridden:
# - CODER_HTTP_ADDRESS: set to 0.0.0.0:8080 and cannot be changed.
# - CODER_TLS_ADDRESS: set to 0.0.0.0:8443 if tls.secretName is not empty.
# - CODER_TLS_ENABLE: set if tls.secretName is not empty.
# - CODER_TLS_CERT_FILE: set if tls.secretName is not empty.
# - CODER_TLS_KEY_FILE: set if tls.secretName is not empty.
# - KUBE_POD_IP
# - CODER_DERP_SERVER_RELAY_URL
#
# The following environment variables have defaults but CAN be overridden:
# - CODER_PROMETHEUS_ADDRESS: defaults to 0.0.0.0:2112. Override to restrict
# access (e.g., 127.0.0.1:2112 for localhost only).
# Prometheus must still be enabled by setting CODER_PROMETHEUS_ENABLE.
# - CODER_PPROF_ADDRESS: defaults to 0.0.0.0:6060. Override to restrict access
# (e.g., 127.0.0.1:6060 for localhost only). This is recommended for security
# as pprof can expose sensitive runtime information.
# Profiling must still be enabled by setting CODER_PPROF_ENABLE.
#
# We will additionally set CODER_ACCESS_URL if unset to the cluster service
# URL, unless coder.envUseClusterAccessURL is set to false.
env: []
# - name: "CODER_ACCESS_URL"
# value: "https://coder.example.com"
# coder.envFrom -- Secrets or ConfigMaps to use for Coder's environment
# variables. If you want one environment variable read from a secret, then use
# coder.env valueFrom. See the K8s docs for valueFrom here:
# https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data
#
# If setting CODER_ACCESS_URL in coder.envFrom, then you must set
# coder.envUseClusterAccessURL to false.
envFrom: []
# - configMapRef:
# name: coder-config
# - secretRef:
# name: coder-config
# coder.envUseClusterAccessURL -- Determines whether the CODER_ACCESS_URL env
# is added to coder.env if it's not already set there. Set this to false if
# defining CODER_ACCESS_URL in coder.envFrom to avoid conflicts.
envUseClusterAccessURL: true
# coder.image -- The image to use for Coder.
image:
# coder.image.repo -- The repository of the image.
repo: "ghcr.io/coder/coder"
# coder.image.tag -- The tag of the image, defaults to {{.Chart.AppVersion}}
# if not set. If you're using the chart directly from git, the default
# app version will not work and you'll need to set this value. The helm
# chart helpfully fails quickly in this case.
tag: ""
# coder.image.pullPolicy -- The pull policy to use for the image. See:
# https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
pullPolicy: IfNotPresent
# coder.image.pullSecrets -- The secrets used for pulling the Coder image from
# a private registry.
pullSecrets: []
# - name: "pull-secret"
# coder.initContainers -- Init containers for the deployment. See:
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers:
[]
# - name: init-container
# image: busybox:1.28
# command: ['sh', '-c', "sleep 2"]
# coder.annotations -- The Deployment annotations. See:
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations: {}
# coder.labels -- The Deployment labels. See:
# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
labels: {}
# coder.podAnnotations -- The Coder pod annotations. See:
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
# Note: The annotation `app.kubernetes.io/component` is automatically added to identify
# the component type (coderd, wsproxy, or provisionerd).
podAnnotations: {}
# coder.podLabels -- The Coder pod labels. See:
# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
# coder.priorityClassName -- The priority class name to assign to the Coder pod. See:
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
# The PriorityClass must exist in the cluster prior to deploying Coder with this set.
priorityClassName: ""
# coder.serviceAccount -- Configuration for the automatically created service
# account. Creation of the service account cannot be disabled.
serviceAccount:
# coder.serviceAccount.workspacePerms -- Whether or not to grant the coder
# service account permissions to manage workspaces. This includes
# permission to manage pods and persistent volume claims in the deployment
# namespace.
#
# It is recommended to keep this on if you are using Kubernetes templates
# within Coder.
workspacePerms: true
# coder.serviceAccount.enableDeployments -- Provides the service account
# permission to manage Kubernetes deployments. Depends on workspacePerms.
enableDeployments: true
# coder.serviceAccount.extraRules -- Additional permissions added to the SA
# role. Depends on workspacePerms.
extraRules: []
# - apiGroups: [""]
# resources: ["services"]
# verbs:
# - create
# - delete
# - deletecollection
# - get
# - list
# - patch
# - update
# - watch
# coder.serviceAccount.workspaceNamespaces -- Grant this service account permissions
# to manage Coder workspaces in specific namespaces without using ClusterRoles.
# When specified, Roles and RoleBindings will be created in each listed namespace
# binding to the service account in the release namespace.
# Each item can optionally override the default permissions.
workspaceNamespaces: []
# - name: dev-ws
# workspacePerms: true # Defaults to top-level setting
# enableDeployments: true # Defaults to top-level setting
# extraRules: [] # Defaults to top-level setting
# - name: staging-ws
# coder.serviceAccount.annotations -- The Coder service account annotations.
annotations: {}
# coder.serviceAccount.labels -- The Coder service account labels.
labels: {}
# coder.serviceAccount.name -- The service account name
name: coder
# coder.serviceAccount.disableCreate -- Whether to create the service account or use existing service account.
disableCreate: false
# coder.securityContext -- Fields related to the container's security
# context (as opposed to the pod). Some fields are also present in the pod
# security context, in which case these values will take precedence.
securityContext:
# coder.securityContext.runAsNonRoot -- Requires that the coder container
# runs as an unprivileged user. If setting runAsUser to 0 (root), this
# will need to be set to false.
runAsNonRoot: true
# coder.securityContext.runAsUser -- Sets the user id of the container.
# For security reasons, we recommend using a non-root user.
runAsUser: 1000
# coder.securityContext.runAsGroup -- Sets the group id of the container.
# For security reasons, we recommend using a non-root group.
runAsGroup: 1000
# coder.securityContext.readOnlyRootFilesystem -- Mounts the container's
# root filesystem as read-only.
readOnlyRootFilesystem: null
# coder.securityContext.seccompProfile -- Sets the seccomp profile for
# the coder container.
seccompProfile:
type: RuntimeDefault
# coder.securityContext.allowPrivilegeEscalation -- Controls whether
# the container can gain additional privileges, such as escalating to
# root. It is recommended to leave this setting disabled in production.
allowPrivilegeEscalation: false
# coder.podSecurityContext -- Pod-level security context settings that apply
# to all containers in the pod. This is useful for setting volume ownership
# (fsGroup) when mounting secrets like TLS certificates. These settings are
# applied at the pod level, while coder.securityContext applies at the
# container level. Container-level settings take precedence over pod-level
# settings for overlapping fields. This is opt-in and not set by default.
# Common use case: Set fsGroup to ensure mounted secret volumes have correct
# group ownership for the coder user to read certificate files.
podSecurityContext: {}
# Example configuration for certificate mounting:
# podSecurityContext:
# # Sets group ownership of mounted volumes (e.g., for certificate secrets)
# fsGroup: 1000
# # Additional pod-level security settings (optional)
# runAsUser: 1000
# runAsGroup: 1000
# runAsNonRoot: true
# supplementalGroups: [4000]
# seccompProfile:
# type: RuntimeDefault
# # Note: Avoid conflicts with container-level securityContext settings
# # Container-level settings take precedence over pod-level settings
#
# IMPORTANT: OpenShift Compatibility
# On OpenShift, Security Context Constraints (SCCs) may restrict or override
# these values. If you encounter pod creation failures:
# 1. Check your namespace's assigned SCC with: oc describe scc
# 2. Ensure runAsUser/fsGroup values are within allowed UID/GID ranges
# 3. Consider using 'anyuid' SCC for more flexibility, or
# 4. Omit runAsUser/runAsGroup and only set fsGroup for volume ownership
# 5. OpenShift may automatically assign compatible values if left unset
# coder.volumes -- A list of extra volumes to add to the Coder pod.
volumes: []
# - name: "my-volume"
# emptyDir: {}
# coder.volumeMounts -- A list of extra volume mounts to add to the Coder pod.
volumeMounts: []
# - name: "my-volume"
# mountPath: "/mnt/my-volume"
# coder.tls -- The TLS configuration for Coder.
tls:
# coder.tls.secretNames -- A list of TLS server certificate secrets to mount
# into the Coder pod. The secrets should exist in the same namespace as the
# Helm deployment and should be of type "kubernetes.io/tls". The secrets
# will be automatically mounted into the pod if specified, and the correct
# "CODER_TLS_*" environment variables will be set for you.
# Note: If you encounter permission issues reading mounted certificates,
# consider setting coder.podSecurityContext.fsGroup to match your container
# user (typically 1000) to ensure proper file ownership.
secretNames: []
# coder.replicaCount -- The number of Kubernetes deployment replicas. This
# should only be increased if High Availability is enabled.
#
# This is an Enterprise feature. Contact sales@coder.com.
replicaCount: 1
# coder.workspaceProxy -- Whether or not this deployment of Coder is a Coder
# Workspace Proxy. Workspace Proxies reduce the latency between the user and
# their workspace for web connections (workspace apps and web terminal) and
# proxied connections from the CLI. Workspace Proxies are optional and only
# recommended for geographically sparse teams.
#
# Make sure you set CODER_PRIMARY_ACCESS_URL and CODER_PROXY_SESSION_TOKEN in
# the environment below. You can get a proxy token using the CLI:
# coder wsproxy create \
# --name "proxy-name" \
# --display-name "Proxy Name" \
# --icon "/emojis/xyz.png"
#
# This is an Enterprise feature. Contact sales@coder.com
# Docs: https://coder.com/docs/admin/workspace-proxies
workspaceProxy: false
# coder.lifecycle -- container lifecycle handlers for the Coder container, allowing
# for lifecycle events such as postStart and preStop events
# See: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
lifecycle:
{}
# postStart:
# exec:
# command: ["/bin/sh", "-c", "echo postStart"]
# preStop:
# exec:
# command: ["/bin/sh","-c","echo preStart"]
# coder.resources -- The resources to request for Coder. The below values are
# defaults and can be overridden.
resources:
# limits:
# cpu: 2000m
# memory: 4096Mi
# requests:
# cpu: 2000m
# memory: 4096Mi
# coder.readinessProbe -- Readiness probe configuration for the Coder container.
# See https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Probe
# for default values.
readinessProbe:
# coder.readinessProbe.enabled -- Whether to enable the readiness probe.
enabled: true
# coder.readinessProbe.initialDelaySeconds -- Number of seconds after the container
# has started before readiness probes are initiated.
initialDelaySeconds: 0
# coder.readinessProbe.periodSeconds -- How often (in seconds) to perform the probe.
# periodSeconds: 10
# coder.readinessProbe.timeoutSeconds -- Number of seconds after which the probe times out.
# timeoutSeconds: 1
# coder.readinessProbe.successThreshold -- Minimum consecutive successes for the probe
# to be considered successful after having failed.
# successThreshold: 1
# coder.readinessProbe.failureThreshold -- Minimum consecutive failures for the probe
# to be considered failed after having succeeded.
# failureThreshold: 3
# coder.livenessProbe -- Liveness probe configuration for the Coder container.
# See https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Probe
# for default values.
livenessProbe:
# coder.livenessProbe.enabled -- Whether to enable the liveness probe.
enabled: false
# coder.livenessProbe.initialDelaySeconds -- Number of seconds after the container
# has started before liveness probes are initiated.
initialDelaySeconds: 0
# coder.livenessProbe.periodSeconds -- How often (in seconds) to perform the probe.
# periodSeconds: 10
# coder.livenessProbe.timeoutSeconds -- Number of seconds after which the probe times out.
# timeoutSeconds: 1
# coder.livenessProbe.successThreshold -- Minimum consecutive successes for the probe
# to be considered successful after having failed.
# successThreshold: 1
# coder.livenessProbe.failureThreshold -- Minimum consecutive failures for the probe
# to be considered failed after having succeeded.
# failureThreshold: 3
# coder.certs -- CA bundles to mount inside the Coder pod.
certs:
# coder.certs.secrets -- A list of CA bundle secrets to mount into the Coder
# pod. The secrets should exist in the same namespace as the Helm
# deployment.
#
# The given key in each secret is mounted at
# `/etc/ssl/certs/{secret_name}.crt`.
secrets:
[]
# - name: "my-ca-bundle"
# key: "ca-bundle.crt"
# coder.affinity -- Allows specifying an affinity rule for the `coder` deployment.
# The default rule prefers to schedule coder pods on different
# nodes, which is only applicable if coder.replicaCount is greater than 1.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- "coder"
topologyKey: kubernetes.io/hostname
weight: 1
topologySpreadConstraints:
# - maxSkew: 1
# topologyKey: kubernetes.io/hostname
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/instance: coder
# coder.tolerations -- Tolerations for tainted nodes.
# See: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations:
[]
# - key: "key"
# operator: "Equal"
# value: "value"
# effect: "NoSchedule"
# coder.nodeSelector -- Node labels for constraining coder pods to nodes.
# See: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
# kubernetes.io/os: linux
# coder.service -- The Service object to expose for Coder.
service:
# coder.service.enable -- Whether to create the Service object.
enable: true
# coder.service.type -- The type of service to expose. See:
# https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
type: LoadBalancer
# coder.service.sessionAffinity -- Must be set to ClientIP or None
# AWS ELB does not support session stickiness based on ClientIP, so you must set this to None.
# The error message you might see: "Unsupported load balancer affinity: ClientIP"
# https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
sessionAffinity: None
# coder.service.externalTrafficPolicy -- The external traffic policy to use.
# You may need to change this to "Local" to preserve the source IP address
# in some situations.
# https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
externalTrafficPolicy: Cluster
# coder.service.loadBalancerIP -- The IP address of the LoadBalancer. If not
# specified, a new IP will be generated each time the load balancer is
# recreated. It is recommended to manually create a static IP address in
# your cloud and specify it here in production to avoid accidental IP
# address changes.
loadBalancerIP: ""
# coder.service.loadBalancerClass -- The class name of the LoadBalancer. See:
# https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
loadBalancerClass: ""
# coder.service.annotations -- The service annotations. See:
# https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
annotations: {}
# coder.service.httpNodePort -- Enabled if coder.service.type is set to
# NodePort or LoadBalancer. If not set, Kubernetes will allocate a port from the default
# range, 30000-32767.
httpNodePort: ""
# coder.service.httpsNodePort -- Enabled if coder.service.type is set to
# NodePort or LoadBalancer. If not set, Kubernetes will allocate a port from the default
# range, 30000-32767.
httpsNodePort: ""
# coder.ingress -- The Ingress object to expose for Coder.
ingress:
# coder.ingress.enable -- Whether to create the Ingress object. If using an
# Ingress, we recommend not specifying coder.tls.secretNames as the Ingress
# will handle TLS termination.
enable: false
# coder.ingress.className -- The name of the Ingress class to use.
className: ""
# coder.ingress.host -- The hostname to match on.
# Be sure to also set CODER_ACCESS_URL within coder.env[]
host: ""
# coder.ingress.wildcardHost -- The wildcard hostname to match on. Should be
# in the form "*.example.com" or "*-suffix.example.com". If you are using a
# suffix after the wildcard, the suffix will be stripped from the created
# ingress to ensure that it is a legal ingress host. Optional if not using
# applications over subdomains.
# Be sure to also set CODER_WILDCARD_ACCESS_URL within coder.env[]
wildcardHost: ""
# coder.ingress.annotations -- The ingress annotations.
annotations: {}
# coder.ingress.tls -- The TLS configuration to use for the Ingress.
tls:
# coder.ingress.tls.enable -- Whether to enable TLS on the Ingress.
enable: false
# coder.ingress.tls.secretName -- The name of the TLS secret to use.
secretName: ""
# coder.ingress.tls.wildcardSecretName -- The name of the TLS secret to
# use for the wildcard host.
wildcardSecretName: ""
# coder.command -- The command to use when running the Coder container. Used
# for customizing the location of the `coder` binary in your image.
command:
- /opt/coder
# coder.commandArgs -- Set arguments for the entrypoint command of the Coder pod.
commandArgs: []
# provisionerDaemon -- Configuration for external provisioner daemons.
#
# This is an Enterprise feature. Contact sales@coder.com.
provisionerDaemon:
# provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the
# Pre-Shared Key (PSK) to use to authenticate external provisioner daemons with Coder. The
# secret must be in the same namespace as the Helm deployment, and contain an item called "psk"
# which contains the pre-shared key.
pskSecretName: ""
# extraTemplates -- Array of extra objects to deploy with the release. Strings
# are evaluated as a template and can use template expansions and functions. All
# other objects are used as yaml.
extraTemplates:
#- |
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: my-configmap
# data:
# key: {{ .Values.myCustomValue | quote }}
Reference in New Issue View Git Blame Copy Permalink