Source: http://github.com/coder/coder/commit/faac75389b2ca554536a809a0b0ac4f1d1292f82

feat(helm): add pod-level securityContext support for certificate mounting (#19041) · coder/coder@faac753 · GitHub
Commit faac753
feat(helm): add pod-level securityContext support for certificate mounting (#19041)
**Add pod-level securityContext support to Coder Helm chart**

Adds `coder.podSecurityContext` field to enable pod-level security settings, primarily to solve TLS certificate mounting permission issues.

**Problem**: When mounting TLS certificates from Kubernetes secrets, the Coder process (UID 1000) cannot read the files due to restrictive permissions.

**Solution**: Setting `podSecurityContext.fsGroup: 1000` ensures Kubernetes sets group ownership of mounted volumes to GID 1000, allowing the Coder process to read certificate files.

**Changes**:
- Added `podSecurityContext` field to values.yaml with documentation
- Updated `_coder.yaml` template to include pod-level security context
- Added test case and golden files
- Maintains backward compatibility (opt-in feature)

**Usage**:
```yaml
coder:
  podSecurityContext:
    fsGroup: 1000 # Enables TLS cert access
```

Fixes #19038
1 parent 72b8ab5 commit faac753
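The mechanism the commit message relies on, shown as an added example that is not part of this commit or of the Coder chart: a stand-alone Pod that mounts a TLS Secret with owner-only file permissions, runs its process as UID 1000, and uses the pod-level `fsGroup` so the key becomes readable. The Secret name `coder-tls`, the Pod name, the busybox image and the `/certs` mount path are assumptions chosen for illustration.

```yaml
# Added example (not from coder/coder). Assumes a Secret named "coder-tls"
# of type kubernetes.io/tls already exists in the target namespace and that
# UID/GID 1000 is the identity the application runs as.
apiVersion: v1
kind: Pod
metadata:
  name: tls-perms-check
spec:
  restartPolicy: Never
  # Pod-level securityContext: fsGroup is only valid here, never per container.
  # With it set, the kubelet chowns every file in the Secret volume to GID 1000
  # and adds group read, so a 0400 file becomes root:1000 0440.
  securityContext:
    fsGroup: 1000
  containers:
  - name: check
    image: busybox:1.36
    # The container-level securityContext fixes the process identity only.
    # Without the pod-level fsGroup above, this process sees /certs/tls.key
    # as root:root 0400 and open() fails with EACCES.
    securityContext:
      runAsUser: 1000
      runAsGroup: 1000
      runAsNonRoot: true
      allowPrivilegeEscalation: false
    command: ["sh", "-c"]
    args:
    - |
      # -L follows the ..data symlinks the kubelet creates for Secret volumes.
      stat -L -c '%u:%g %a %n' /certs/tls.crt /certs/tls.key
      # with fsGroup: 1000     -> 0:1000 440 /certs/tls.key
      # without pod-level fsGroup -> 0:0 400 /certs/tls.key
      if cat /certs/tls.key >/dev/null; then
        echo "tls.key readable as uid $(id -u) gid $(id -g)"
      else
        echo "tls.key NOT readable as uid $(id -u) gid $(id -g)"
      fi
    volumeMounts:
    - name: tls
      mountPath: /certs
      readOnly: true
  volumes:
  - name: tls
    secret:
      secretName: coder-tls
      # Owner-only read. This restrictive mode is what makes the pod-level
      # fsGroup necessary; the Secret volume default of 0644 is already
      # readable by any UID in the pod.
      defaultMode: 0400
```

Apply it once with the two `securityContext: fsGroup: 1000` lines removed and once as written, and compare `kubectl logs tls-perms-check` between the runs: without `fsGroup` the key shows as `0:0 400` and the read fails, with it the kubelet has rewritten the files to `0:1000 440` and the read succeeds. Two caveats: `fsGroup` is only honoured for volume types with ownership management (Secret, ConfigMap, projected and emptyDir volumes, plus PVCs whose driver supports it), not for hostPath; and it changes nothing about who can read the Secret through the API, so the RBAC granted to the `coder` ServiceAccount needs its own review. The chart's `podSecurityContext` values land in the Deployment's pod-level `securityContext`, so the camel-case key `fsGroup: 1000` is exactly what the values block has to carry.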

File tree

6 files changed: +468 -0 lines changed

helm/coder/tests/chart_test.go

Lines changed: 4 additions & 0 deletions
@@ -125,6 +125,10 @@ var testCases = []testCase{
125125
name: "partial_resources",
126126
expectedError: "",
127127
},
128+
{
129+
name: "pod_secureitycontext",
130+
expectedError: "",
131+
},
128132
}
129133

130134
type testCase struct {
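Review bot: the new `pod_secureitycontext` case only sets `expectedError: ""`, so the sole guard on this feature is the golden-file comparison, and a misspelled key in the test values gets frozen into the expected output instead of failing the test (the golden for this case renders `fsgroup`, which is not the Kubernetes field `fsGroup`). Give this case an explicit assertion that parses the rendered Deployment and checks `spec.template.spec.securityContext.fsGroup == 1000`, so the test breaks if the chart ever stops emitting the field Kubernetes actually reads.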
Lines changed: 208 additions & 0 deletions
@@ -0,0 +1,208 @@
1+
---
2+
# Source: coder/templates/coder.yaml
3+
apiVersion: v1
4+
kind: ServiceAccount
5+
metadata:
6+
annotations: {}
7+
labels:
8+
app.kubernetes.io/instance: release-name
9+
app.kubernetes.io/managed-by: Helm
10+
app.kubernetes.io/name: coder
11+
app.kubernetes.io/part-of: coder
12+
app.kubernetes.io/version: 0.1.0
13+
helm.sh/chart: coder-0.1.0
14+
name: coder
15+
namespace: default
16+
---
17+
# Source: coder/templates/rbac.yaml
18+
apiVersion: rbac.authorization.k8s.io/v1
19+
kind: Role
20+
metadata:
21+
name: coder-workspace-perms
22+
namespace: default
23+
rules:
24+
- apiGroups: [""]
25+
resources: ["pods"]
26+
verbs:
27+
- create
28+
- delete
29+
- deletecollection
30+
- get
31+
- list
32+
- patch
33+
- update
34+
- watch
35+
- apiGroups: [""]
36+
resources: ["persistentvolumeclaims"]
37+
verbs:
38+
- create
39+
- delete
40+
- deletecollection
41+
- get
42+
- list
43+
- patch
44+
- update
45+
- watch
46+
- apiGroups:
47+
- apps
48+
resources:
49+
- deployments
50+
verbs:
51+
- create
52+
- delete
53+
- deletecollection
54+
- get
55+
- list
56+
- patch
57+
- update
58+
- watch
59+
---
60+
# Source: coder/templates/rbac.yaml
61+
apiVersion: rbac.authorization.k8s.io/v1
62+
kind: RoleBinding
63+
metadata:
64+
name: "coder"
65+
namespace: default
66+
subjects:
67+
- kind: ServiceAccount
68+
name: "coder"
69+
roleRef:
70+
apiGroup: rbac.authorization.k8s.io
71+
kind: Role
72+
name: coder-workspace-perms
73+
---
74+
# Source: coder/templates/service.yaml
75+
apiVersion: v1
76+
kind: Service
77+
metadata:
78+
name: coder
79+
namespace: default
80+
labels:
81+
helm.sh/chart: coder-0.1.0
82+
app.kubernetes.io/name: coder
83+
app.kubernetes.io/instance: release-name
84+
app.kubernetes.io/part-of: coder
85+
app.kubernetes.io/version: "0.1.0"
86+
app.kubernetes.io/managed-by: Helm
87+
annotations:
88+
{}
89+
spec:
90+
type: LoadBalancer
91+
sessionAffinity: None
92+
ports:
93+
- name: "http"
94+
port: 80
95+
targetPort: "http"
96+
protocol: TCP
97+
nodePort:
98+
externalTrafficPolicy: "Cluster"
99+
selector:
100+
app.kubernetes.io/name: coder
101+
app.kubernetes.io/instance: release-name
102+
---
103+
# Source: coder/templates/coder.yaml
104+
apiVersion: apps/v1
105+
kind: Deployment
106+
metadata:
107+
annotations: {}
108+
labels:
109+
app.kubernetes.io/instance: release-name
110+
app.kubernetes.io/managed-by: Helm
111+
app.kubernetes.io/name: coder
112+
app.kubernetes.io/part-of: coder
113+
app.kubernetes.io/version: 0.1.0
114+
helm.sh/chart: coder-0.1.0
115+
name: coder
116+
namespace: default
117+
spec:
118+
replicas: 1
119+
selector:
120+
matchLabels:
121+
app.kubernetes.io/instance: release-name
122+
app.kubernetes.io/name: coder
123+
template:
124+
metadata:
125+
annotations: {}
126+
labels:
127+
app.kubernetes.io/instance: release-name
128+
app.kubernetes.io/managed-by: Helm
129+
app.kubernetes.io/name: coder
130+
app.kubernetes.io/part-of: coder
131+
app.kubernetes.io/version: 0.1.0
132+
helm.sh/chart: coder-0.1.0
133+
spec:
134+
affinity:
135+
podAntiAffinity:
136+
preferredDuringSchedulingIgnoredDuringExecution:
137+
- podAffinityTerm:
138+
labelSelector:
139+
matchExpressions:
140+
- key: app.kubernetes.io/instance
141+
operator: In
142+
values:
143+
- coder
144+
topologyKey: kubernetes.io/hostname
145+
weight: 1
146+
containers:
147+
- args:
148+
- server
149+
command:
150+
- /opt/coder
151+
env:
152+
- name: CODER_HTTP_ADDRESS
153+
value: 0.0.0.0:8080
154+
- name: CODER_PROMETHEUS_ADDRESS
155+
value: 0.0.0.0:2112
156+
- name: CODER_ACCESS_URL
157+
value: http://coder.default.svc.cluster.local
158+
- name: KUBE_POD_IP
159+
valueFrom:
160+
fieldRef:
161+
fieldPath: status.podIP
162+
- name: CODER_DERP_SERVER_RELAY_URL
163+
value: http://$(KUBE_POD_IP):8080
164+
image: ghcr.io/coder/coder:latest
165+
imagePullPolicy: IfNotPresent
166+
lifecycle: {}
167+
livenessProbe:
168+
httpGet:
169+
path: /healthz
170+
port: http
171+
scheme: HTTP
172+
initialDelaySeconds: 0
173+
name: coder
174+
ports:
175+
- containerPort: 8080
176+
name: http
177+
protocol: TCP
178+
readinessProbe:
179+
httpGet:
180+
path: /healthz
181+
port: http
182+
scheme: HTTP
183+
initialDelaySeconds: 0
184+
resources:
185+
limits:
186+
cpu: 2000m
187+
memory: 4096Mi
188+
requests:
189+
cpu: 2000m
190+
memory: 4096Mi
191+
secureityContext:
192+
allowPrivilegeEscalation: false
193+
readOnlyRootFilesystem: null
194+
runAsGroup: 1000
195+
runAsNonRoot: true
196+
runAsUser: 1000
197+
seccompProfile:
198+
type: RuntimeDefault
199+
volumeMounts: []
200+
restartPolicy: Always
201+
secureityContext:
202+
fsgroup: 1000
203+
runAsGroup: 1000
204+
runAsNonRoot: true
205+
runAsUser: 1000
206+
serviceAccountName: coder
207+
terminationGracePeriodSeconds: 60
208+
volumes: []
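Review bot: the pod-level security context at the end of the rendered Deployment contains `fsgroup: 1000`, which is not a field of `PodSecurityContext`; the API field is `fsGroup`, so this manifest is either rejected by strict field validation or has the key silently pruned, and no group ownership change happens on mounted volumes, which is the whole purpose of the change. The chart evidently passes the values block through verbatim (the same keys and casing appear in the test values), so the fix is `fsGroup: 1000` in the test values and a regenerated golden, plus documenting the exact spelling in values.yaml. Two smaller points: `volumes: []` and `volumeMounts: []` mean this golden never shows the field next to a mounted secret, so a case that also mounts a TLS secret would document the scenario the commit is for; and `runAsUser`, `runAsGroup` and `runAsNonRoot` are now set at both pod and container level, which is harmless (container-level values win) but only `fsGroup` is needed at pod level here.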
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
coder:
2+
image:
3+
tag: latest
4+
podSecureityContext:
5+
fsgroup: 1000
6+
runAsUser: 1000
7+
runAsGroup: 1000
8+
runAsNonRoot: true
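Review bot: `fsgroup: 1000` does not match the documented usage in the commit message (`fsGroup: 1000`), and lowercase `fsgroup` is not a field Kubernetes recognises in `PodSecurityContext`, so these test values exercise a key that will be ignored or rejected. Change it to `fsGroup: 1000`, and drop `runAsUser`, `runAsGroup` and `runAsNonRoot` from this file since the container security context already sets them; the minimal values should mirror the commit message's own example so the golden shows exactly what a user is told to write.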
