Coder: Helm chart and configuration
Change-Id: I43515c289001bf1407aee1f9734151a261a7808a
diff --git a/charts/coder/values.yaml b/charts/coder/values.yaml
new file mode 100644
index 0000000..dcf32c6
--- /dev/null
+++ b/charts/coder/values.yaml
@@ -0,0 +1,344 @@
+# coder -- Primary configuration for `coder server`.
+coder:
+ # coder.env -- The environment variables to set for Coder. These can be used
+ # to configure all aspects of `coder server`. Please see `coder server --help`
+ # for information about what environment variables can be set.
+ # Note: The following environment variables are set by default and cannot be
+ # overridden:
+ # - CODER_HTTP_ADDRESS: set to 0.0.0.0:8080 and cannot be changed.
+ # - CODER_TLS_ADDRESS: set to 0.0.0.0:8443 if tls.secretName is not empty.
+ # - CODER_TLS_ENABLE: set if tls.secretName is not empty.
+ # - CODER_TLS_CERT_FILE: set if tls.secretName is not empty.
+ # - CODER_TLS_KEY_FILE: set if tls.secretName is not empty.
+ # - CODER_PROMETHEUS_ADDRESS: set to 0.0.0.0:2112 and cannot be changed.
+ # Prometheus must still be enabled by setting CODER_PROMETHEUS_ENABLE.
+ # - KUBE_POD_IP
+ # - CODER_DERP_SERVER_RELAY_URL
+ #
+ # We will additionally set CODER_ACCESS_URL if unset to the cluster service
+ # URL, unless coder.envUseClusterAccessURL is set to false.
+ env: []
+ # - name: "CODER_ACCESS_URL"
+ # value: "https://coder.example.com"
+
+ # coder.envFrom -- Secrets or ConfigMaps to use for Coder's environment
+ # variables. If you want one environment variable read from a secret, then use
+ # coder.env valueFrom. See the K8s docs for valueFrom here:
+ # https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data
+ #
+ # If setting CODER_ACCESS_URL in coder.envFrom, then you must set
+ # coder.envUseClusterAccessURL to false.
+ envFrom: []
+ # - configMapRef:
+ # name: coder-config
+ # - secretRef:
+ # name: coder-config
+
+ # coder.envUseClusterAccessURL -- Determines whether the CODER_ACCESS_URL env
+ # is added to coder.env if it's not already set there. Set this to false if
+ # defining CODER_ACCESS_URL in coder.envFrom to avoid conflicts.
+ envUseClusterAccessURL: true
+
+ # coder.image -- The image to use for Coder.
+ image:
+ # coder.image.repo -- The repository of the image.
+ repo: "ghcr.io/coder/coder"
+ # coder.image.tag -- The tag of the image, defaults to {{.Chart.AppVersion}}
+ # if not set. If you're using the chart directly from git, the default
+ # app version will not work and you'll need to set this value. The helm
+ # chart helpfully fails quickly in this case.
+ tag: ""
+ # coder.image.pullPolicy -- The pull policy to use for the image. See:
+ # https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+ pullPolicy: IfNotPresent
+ # coder.image.pullSecrets -- The secrets used for pulling the Coder image from
+ # a private registry.
+ pullSecrets: []
+ # - name: "pull-secret"
+
+ # coder.initContainers -- Init containers for the deployment. See:
+ # https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ initContainers:
+ []
+ # - name: init-container
+ # image: busybox:1.28
+ # command: ['sh', '-c', "sleep 2"]
+
+ # coder.annotations -- The Deployment annotations. See:
+ # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ annotations: {}
+
+ # coder.labels -- The Deployment labels. See:
+ # https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ labels: {}
+
+ # coder.podAnnotations -- The Coder pod annotations. See:
+ # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ podAnnotations: {}
+
+ # coder.podLabels -- The Coder pod labels. See:
+ # https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+
+ # coder.serviceAccount -- Configuration for the automatically created service
+ # account. Creation of the service account cannot be disabled.
+ serviceAccount:
+ # coder.serviceAccount.workspacePerms -- Whether or not to grant the coder
+ # service account permissions to manage workspaces. This includes
+ # permission to manage pods and persistent volume claims in the deployment
+ # namespace.
+ #
+ # It is recommended to keep this on if you are using Kubernetes templates
+ # within Coder.
+ workspacePerms: true
+ # coder.serviceAccount.enableDeployments -- Provides the service account
+ # permission to manage Kubernetes deployments. Depends on workspacePerms.
+ enableDeployments: true
+ # coder.serviceAccount.extraRules -- Additional permissions added to the SA
+ # role. Depends on workspacePerms.
+ extraRules: []
+ # - apiGroups: [""]
+ # resources: ["services"]
+ # verbs:
+ # - create
+ # - delete
+ # - deletecollection
+ # - get
+ # - list
+ # - patch
+ # - update
+ # - watch
+
+ # coder.serviceAccount.annotations -- The Coder service account annotations.
+ annotations: {}
+ # coder.serviceAccount.name -- The service account name
+ name: coder
+
+ # coder.securityContext -- Fields related to the container's security
+ # context (as opposed to the pod). Some fields are also present in the pod
+ # security context, in which case these values will take precedence.
+ securityContext:
+ # coder.securityContext.runAsNonRoot -- Requires that the coder container
+ # runs as an unprivileged user. If setting runAsUser to 0 (root), this
+ # will need to be set to false.
+ runAsNonRoot: true
+ # coder.securityContext.runAsUser -- Sets the user id of the container.
+ # For security reasons, we recommend using a non-root user.
+ runAsUser: 1000
+ # coder.securityContext.runAsGroup -- Sets the group id of the container.
+ # For security reasons, we recommend using a non-root group.
+ runAsGroup: 1000
+ # coder.securityContext.readOnlyRootFilesystem -- Mounts the container's
+ # root filesystem as read-only.
+ readOnlyRootFilesystem: null
+ # coder.securityContext.seccompProfile -- Sets the seccomp profile for
+ # the coder container.
+ seccompProfile:
+ type: RuntimeDefault
+ # coder.securityContext.allowPrivilegeEscalation -- Controls whether
+ # the container can gain additional privileges, such as escalating to
+ # root. It is recommended to leave this setting disabled in production.
+ allowPrivilegeEscalation: false
+
+ # coder.volumes -- A list of extra volumes to add to the Coder pod.
+ volumes: []
+ # - name: "my-volume"
+ # emptyDir: {}
+
+ # coder.volumeMounts -- A list of extra volume mounts to add to the Coder pod.
+ volumeMounts: []
+ # - name: "my-volume"
+ # mountPath: "/mnt/my-volume"
+
+ # coder.tls -- The TLS configuration for Coder.
+ tls:
+ # coder.tls.secretNames -- A list of TLS server certificate secrets to mount
+ # into the Coder pod. The secrets should exist in the same namespace as the
+ # Helm deployment and should be of type "kubernetes.io/tls". The secrets
+ # will be automatically mounted into the pod if specified, and the correct
+ # "CODER_TLS_*" environment variables will be set for you.
+ secretNames: []
+
+ # coder.replicaCount -- The number of Kubernetes deployment replicas. This
+ # should only be increased if High Availability is enabled.
+ #
+ # This is an Enterprise feature. Contact sales@coder.com.
+ replicaCount: 1
+
+ # coder.workspaceProxy -- Whether or not this deployment of Coder is a Coder
+ # Workspace Proxy. Workspace Proxies reduce the latency between the user and
+ # their workspace for web connections (workspace apps and web terminal) and
+ # proxied connections from the CLI. Workspace Proxies are optional and only
+ # recommended for geographically sparse teams.
+ #
+ # Make sure you set CODER_PRIMARY_ACCESS_URL and CODER_PROXY_SESSION_TOKEN in
+ # the environment below. You can get a proxy token using the CLI:
+ # coder wsproxy create \
+ # --name "proxy-name" \
+ # --display-name "Proxy Name" \
+ # --icon "/emojis/xyz.png"
+ #
+ # This is an Enterprise feature. Contact sales@coder.com
+ # Docs: https://coder.com/docs/v2/latest/admin/workspace-proxies
+ workspaceProxy: false
+
+ # coder.lifecycle -- container lifecycle handlers for the Coder container, allowing
+ # for lifecycle events such as postStart and preStop events
+ # See: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
+ lifecycle:
+ {}
+ # postStart:
+ # exec:
+ # command: ["/bin/sh", "-c", "echo postStart"]
+ # preStop:
+ # exec:
+ # command: ["/bin/sh","-c","echo preStart"]
+
+ # coder.resources -- The resources to request for Coder. These are optional
+ # and are not set by default.
+ resources:
+ {}
+ # limits:
+ # cpu: 2000m
+ # memory: 4096Mi
+ # requests:
+ # cpu: 2000m
+ # memory: 4096Mi
+
+ # coder.certs -- CA bundles to mount inside the Coder pod.
+ certs:
+ # coder.certs.secrets -- A list of CA bundle secrets to mount into the Coder
+ # pod. The secrets should exist in the same namespace as the Helm
+ # deployment.
+ #
+ # The given key in each secret is mounted at
+ # `/etc/ssl/certs/{secret_name}.crt`.
+ secrets:
+ []
+ # - name: "my-ca-bundle"
+ # key: "ca-bundle.crt"
+
+ # coder.affinity -- Allows specifying an affinity rule for the `coder` deployment.
+ # The default rule prefers to schedule coder pods on different
+ # nodes, which is only applicable if coder.replicaCount is greater than 1.
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - "coder"
+ topologyKey: kubernetes.io/hostname
+ weight: 1
+
+ # coder.tolerations -- Tolerations for tainted nodes.
+ # See: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations:
+ {}
+ # - key: "key"
+ # operator: "Equal"
+ # value: "value"
+ # effect: "NoSchedule"
+
+ # coder.nodeSelector -- Node labels for constraining coder pods to nodes.
+ # See: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ nodeSelector: {}
+ # kubernetes.io/os: linux
+
+ # coder.service -- The Service object to expose for Coder.
+ service:
+ # coder.service.enable -- Whether to create the Service object.
+ enable: true
+ # coder.service.type -- The type of service to expose. See:
+ # https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+ type: LoadBalancer
+ # coder.service.sessionAffinity -- Must be set to ClientIP or None
+ # AWS ELB does not support session stickiness based on ClientIP, so you must set this to None.
+ # The error message you might see: "Unsupported load balancer affinity: ClientIP"
+ # https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
+ sessionAffinity: None
+ # coder.service.externalTrafficPolicy -- The external traffic policy to use.
+ # You may need to change this to "Local" to preserve the source IP address
+ # in some situations.
+ # https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ externalTrafficPolicy: Cluster
+ # coder.service.loadBalancerIP -- The IP address of the LoadBalancer. If not
+ # specified, a new IP will be generated each time the load balancer is
+ # recreated. It is recommended to manually create a static IP address in
+ # your cloud and specify it here in production to avoid accidental IP
+ # address changes.
+ loadBalancerIP: ""
+ # coder.service.annotations -- The service annotations. See:
+ # https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ annotations: {}
+ # coder.service.httpNodePort -- Enabled if coder.service.type is set to
+ # NodePort. If not set, Kubernetes will allocate a port from the default
+ # range, 30000-32767.
+ httpNodePort: ""
+ # coder.service.httpsNodePort -- Enabled if coder.service.type is set to
+ # NodePort. If not set, Kubernetes will allocate a port from the default
+ # range, 30000-32767.
+ httpsNodePort: ""
+
+ # coder.ingress -- The Ingress object to expose for Coder.
+ ingress:
+ # coder.ingress.enable -- Whether to create the Ingress object. If using an
+ # Ingress, we recommend not specifying coder.tls.secretNames as the Ingress
+ # will handle TLS termination.
+ enable: false
+ # coder.ingress.className -- The name of the Ingress class to use.
+ className: ""
+ # coder.ingress.host -- The hostname to match on.
+ # Be sure to also set CODER_ACCESS_URL within coder.env[]
+ host: ""
+ # coder.ingress.wildcardHost -- The wildcard hostname to match on. Should be
+ # in the form "*.example.com" or "*-suffix.example.com". If you are using a
+ # suffix after the wildcard, the suffix will be stripped from the created
+ # ingress to ensure that it is a legal ingress host. Optional if not using
+ # applications over subdomains.
+ # Be sure to also set CODER_WILDCARD_ACCESS_URL within coder.env[]
+ wildcardHost: ""
+ # coder.ingress.annotations -- The ingress annotations.
+ annotations: {}
+ # coder.ingress.tls -- The TLS configuration to use for the Ingress.
+ tls:
+ # coder.ingress.tls.enable -- Whether to enable TLS on the Ingress.
+ enable: false
+ # coder.ingress.tls.secretName -- The name of the TLS secret to use.
+ secretName: ""
+ # coder.ingress.tls.wildcardSecretName -- The name of the TLS secret to
+ # use for the wildcard host.
+ wildcardSecretName: ""
+
+ # coder.command -- The command to use when running the Coder container. Used
+ # for customizing the location of the `coder` binary in your image.
+ command:
+ - /opt/coder
+
+ # coder.commandArgs -- Set arguments for the entrypoint command of the Coder pod.
+ commandArgs: []
+
+# provisionerDaemon -- Configuration for external provisioner daemons.
+#
+# This is an Enterprise feature. Contact sales@coder.com.
+provisionerDaemon:
+ # provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the
+ # Pre-Shared Key (PSK) to use to authenticate external provisioner daemons with Coder. The
+ # secret must be in the same namespace as the Helm deployment, and contain an item called "psk"
+ # which contains the pre-shared key.
+ pskSecretName: ""
+
+# extraTemplates -- Array of extra objects to deploy with the release. Strings
+# are evaluated as a template and can use template expansions and functions. All
+# other objects are used as yaml.
+extraTemplates:
+ #- |
+ # apiVersion: v1
+ # kind: ConfigMap
+ # metadata:
+ # name: my-configmap
+ # data:
+ # key: {{ .Values.myCustomValue | quote }}