shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f135ffdb3a65763572344f3e4f6067d14fff4412
coder/helm/coder
T
History
blinkagent[bot] 892b226837 fix(helm): allow overriding CODER_PPROF_ADDRESS and CODER_PROMETHEUS_ADDRESS (#21714) 
## Summary

Previously, `CODER_PPROF_ADDRESS` and `CODER_PROMETHEUS_ADDRESS` were
hardcoded in the Helm chart template to `0.0.0.0:6060` and
`0.0.0.0:2112` respectively. These values could not be overridden via
`coder.env` values because the hardcoded values were set first in the
template, and Kubernetes uses the first occurrence of duplicate env
vars.

This was a security concern because binding to `0.0.0.0` exposes these
endpoints to any pod in the cluster:
- **pprof** can expose sensitive runtime information (goroutine stacks,
heap profiles, CPU profiles that may contain memory contents)
- **Prometheus metrics** may contain sensitive operational data

## Changes

1. **`helm/coder/templates/_coder.tpl`**: Added logic to check if the
user has set `CODER_PPROF_ADDRESS` or `CODER_PROMETHEUS_ADDRESS` in
`coder.env` before applying the default values. If the user provides a
value, the hardcoded default is skipped.

2. **`helm/coder/values.yaml`**: Updated documentation to:
   - Remove these vars from the "cannot be overridden" list
- Add them to a new "can be overridden" section with security
recommendations

3. **Tests**: Added test cases for both override scenarios with
corresponding golden files.

## Usage

Users can now restrict pprof and prometheus to localhost only:

```yaml
coder:
  env:
    - name: CODER_PPROF_ADDRESS
      value: "127.0.0.1:6060"
    - name: CODER_PROMETHEUS_ADDRESS  
      value: "127.0.0.1:2112"
```

## Local Testing

To verify the fix locally:

```bash
# Update helm dependencies
cd helm/coder && helm dependency update

# Test default behavior (should show 0.0.0.0)
helm template coder . -f tests/testdata/default_values.yaml --namespace default | grep -A1 'CODER_PPROF_ADDRESS\|CODER_PROMETHEUS_ADDRESS'

# Test pprof override (should show 127.0.0.1:6060)
helm template coder . -f tests/testdata/pprof_address_override.yaml --namespace default | grep -A1 'CODER_PPROF_ADDRESS'

# Test prometheus override (should show 127.0.0.1:2112)
helm template coder . -f tests/testdata/prometheus_address_override.yaml --namespace default | grep -A1 'CODER_PROMETHEUS_ADDRESS'

# Run Go tests
cd tests && go test . -v
```

Fixes #21713

---------
Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: uzair-coder07 <uzair@coder.com>
2026-02-02 19:03:06 -06:00
..
templates
fix(helm): allow overriding CODER_PPROF_ADDRESS and CODER_PROMETHEUS_ADDRESS (#21714)
2026-02-02 19:03:06 -06:00
tests
fix(helm): allow overriding CODER_PPROF_ADDRESS and CODER_PROMETHEUS_ADDRESS (#21714)
2026-02-02 19:03:06 -06:00
.helmignore
feat: add external provisioner daemon helm chart (#8939)
2023-08-10 13:59:43 +04:00
Chart.lock
feat: add external provisioner daemon helm chart (#8939)
2023-08-10 13:59:43 +04:00
Chart.yaml
feat: add external provisioner daemon helm chart (#8939)
2023-08-10 13:59:43 +04:00
README.md
docs: suggest disabling the default GitHub OAuth2 provider on k8s (#16758)
2025-03-03 12:32:27 +01:00
values.yaml
fix(helm): allow overriding CODER_PPROF_ADDRESS and CODER_PROMETHEUS_ADDRESS (#21714)
2026-02-02 19:03:06 -06:00

README.md

Coder Helm Chart

This directory contains the Helm chart used to deploy Coder onto a Kubernetes cluster. It contains the minimum required components to run Coder on Kubernetes, and notably (compared to Coder Classic) does not include a database server.

Getting Started

Warning

: The main branch in this repository does not represent the latest release of Coder. Please reference our installation docs for instructions on a tagged release.

View our docs for detailed installation instructions.

Values

Please refer to values.yaml for available Helm values and their defaults.

A good starting point for your values file is:

coder:
  # You can specify any environment variables you'd like to pass to Coder
  # here. Coder consumes environment variables listed in
  # `coder server --help`, and these environment variables are also passed
  # to the workspace provisioner (so you can consume them in your Terraform
  # templates for auth keys etc.).
  #
  # Please keep in mind that you should not set `CODER_HTTP_ADDRESS`,
  # `CODER_TLS_ENABLE`, `CODER_TLS_CERT_FILE` or `CODER_TLS_KEY_FILE` as
  # they are already set by the Helm chart and will cause conflicts.
  env:
    - name: CODER_ACCESS_URL
      value: "https://coder.example.com"
    - name: CODER_PG_CONNECTION_URL
      valueFrom:
        secretKeyRef:
          # You'll need to create a secret called coder-db-url with your
          # Postgres connection URL like:
          # postgres://coder:password@postgres:5432/coder?sslmode=disable
          name: coder-db-url
          key: url

    # This env enables the Prometheus metrics endpoint.
    - name: CODER_PROMETHEUS_ADDRESS
      value: "0.0.0.0:2112"
    # For production deployments, we recommend configuring your own GitHub
    # OAuth2 provider and disabling the default one.
    - name: CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE
      value: "false"
  tls:
    secretNames:
      - my-tls-secret-name
Reference in New Issue View Git Blame Copy Permalink