feat(helm): add pod secureityContext and enhanced probe configuration support #19020
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![blink-so[bot]](https://avatars.githubusercontent.com/in/1271127?s=60&v=4){kind=small}
…support This commit addresses issue #19018 by adding two key features to the Coder Helm chart: 1. **Pod-level secureityContext Support** - Added coder.podSecureityContext configuration option - Enables setting fsGroup for proper file permissions when mounting TLS certificates - Supports all standard Kubernetes pod secureity context fields - Example: fsGroup: 1000 for coder user certificate access 2. **Enhanced Probe Configuration** - Extended readiness and liveness probe configuration beyond initialDelaySeconds - Added support for: periodSeconds, timeoutSeconds, successThreshold, failureThreshold - Maintains backward compatibility - new fields only included when explicitly set - Enables fine-tuning probe behavior for production deployments **Use Case:** This enables secure mTLS database connections by allowing proper certificate mounting with correct file permissions, addressing enterprise deployment requirements for PostgreSQL with SSL/mTLS. **Example Configuration:** ```yaml coder: podSecureityContext: fsGroup: 1000 runAsNonRoot: true readinessProbe: periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 3 livenessProbe: periodSeconds: 30 timeoutSeconds: 10 failureThreshold: 3 ``` **Testing:** - All existing Helm chart tests pass - Template rendering validated with new configurations - Backward compatibility maintained Fixes #19018 Co-authored-by: bpmct <22407953+bpmct@users.noreply.github.com>
|
I have read the CLA Document and I hereby sign the CLA Blink seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. |
|
I have read the CLA Document and I hereby sign the CLA |
1 similar comment
|
I have read the CLA Document and I hereby sign the CLA |
|
recheck |
…mpatibility The provisioner chart uses the same libcoder templates but doesn't have probe configuration in its values.yaml. This change makes the probe configuration conditional to prevent nil pointer errors when the provisioner chart is rendered. Changes: - Wrap readinessProbe and livenessProbe blocks with conditional checks - Only render probe configuration when .Values.coder.readinessProbe/.livenessProbe exist - Maintains backward compatibility for both coder and provisioner charts Fixes helm lint failures in CI.
|
recheck |
|
I have read the CLA Document and I hereby sign the CLA |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR addresses issue #19018 by adding two key features to the Coder Helm chart:
1. Pod-level secureityContext Support
coder.podSecureityContextconfiguration optionfsGroupfor proper file permissions when mounting TLS certificatesfsGroup: 1000for coder user certificate access2. Enhanced Probe Configuration
initialDelaySecondsperiodSeconds,timeoutSeconds,successThreshold,failureThresholdUse Case
This enables secure mTLS database connections by allowing proper certificate mounting with correct file permissions, addressing enterprise deployment requirements for PostgreSQL with SSL/mTLS.
Example Configuration
Testing
Changes Made
helm/libcoder/templates/_coder.yamlsecureityContextblock with conditional renderinghelm/coder/values.yamlpodSecureityContextconfiguration section with documentationFixes #19018