shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-04 13:38:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ffbfaf2a6f3df72f51c2e417bb8c2bf2d745f7ea
coder/helm/libcoder/templates/_coder.yaml
T
Austen Bruhn faac75389b feat(helm): add pod-level securityContext support for certificate mounting (#19041) 
**Add pod-level securityContext support to Coder Helm chart**

Adds `coder.podSecurityContext` field to enable pod-level security
settings, primarily to solve TLS certificate mounting permission issues.

**Problem**: When mounting TLS certificates from Kubernetes secrets, the
Coder process (UID 1000) cannot read the files due to restrictive
permissions.

**Solution**: Setting `podSecurityContext.fsGroup: 1000` ensures
Kubernetes sets group ownership of mounted volumes to GID 1000, allowing
the Coder process to read certificate files.

**Changes**:
- Added `podSecurityContext` field to values.yaml with documentation
- Updated `_coder.yaml` template to include pod-level security context
- Added test case and golden files
- Maintains backward compatibility (opt-in feature)

**Usage**:
```yaml
coder:
  podSecurityContext:
    fsGroup: 1000  # Enables TLS cert access
```

Fixes #19038
2025-07-28 20:41:32 -04:00

105 lines
3.2 KiB
YAML
Raw Blame History

{{- define "libcoder.deployment.tpl" -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "coder.name" .}}
namespace: {{ .Release.Namespace }}
labels:
{{- include "coder.labels" . | nindent 4 }}
{{- with .Values.coder.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations: {{ toYaml .Values.coder.annotations | nindent 4}}
spec:
replicas: {{ .Values.coder.replicaCount }}
selector:
matchLabels:
{{- include "coder.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "coder.labels" . | nindent 8 }}
{{- with .Values.coder.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- toYaml .Values.coder.podAnnotations | nindent 8 }}
spec:
serviceAccountName: {{ .Values.coder.serviceAccount.name | quote }}
{{- with .Values.coder.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Always
{{- with .Values.coder.image.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: 60
{{- with .Values.coder.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.coder.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.coder.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.coder.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.coder.initContainers }}
initContainers:
{{ toYaml . | nindent 8 }}
{{- end }}
containers: []
{{- include "coder.volumes" . | nindent 6 }}
{{- end -}}
{{- define "libcoder.deployment" -}}
{{- include "libcoder.util.merge" (append . "libcoder.deployment.tpl") -}}
{{- end -}}
{{- define "libcoder.containerspec.tpl" -}}
name: coder
image: {{ include "coder.image" . | quote }}
imagePullPolicy: {{ .Values.coder.image.pullPolicy }}
command:
{{- toYaml .Values.coder.command | nindent 2 }}
resources:
{{- if and (hasKey .Values.coder "resources") (not (empty .Values.coder.resources)) }}
{{- toYaml .Values.coder.resources | nindent 2 }}
{{- else }}
limits:
cpu: 2000m
memory: 4096Mi
requests:
cpu: 2000m
memory: 4096Mi
{{- end }}
lifecycle:
{{- toYaml .Values.coder.lifecycle | nindent 2 }}
securityContext: {{ toYaml .Values.coder.securityContext | nindent 2 }}
{{ include "coder.volumeMounts" . }}
{{- end -}}
{{- define "libcoder.containerspec" -}}
{{- include "libcoder.util.merge" (append . "libcoder.containerspec.tpl") -}}
{{- end -}}
{{- define "libcoder.serviceaccount.tpl" -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.coder.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace }}
annotations: {{ toYaml .Values.coder.serviceAccount.annotations | nindent 4 }}
labels:
{{- include "coder.labels" . | nindent 4 }}
{{- end -}}
{{- define "libcoder.serviceaccount" -}}
{{- include "libcoder.util.merge" (append . "libcoder.serviceaccount.tpl") -}}
{{- end -}}
Reference in New Issue View Git Blame Copy Permalink