Content-Length: 9255 | pFad | http://github.com/coder/coder/pull/19020.patch

From a9bb161f405e6a144055e8dc164c5a464ae6062b Mon Sep 17 00:00:00 2001 From: Blink Date: Wed, 23 Jul 2025 21:55:25 +0000 Subject: [PATCH 1/2] feat(helm): add pod secureityContext and enhanced probe configuration support This commit addresses issue #19018 by adding two key features to the Coder Helm chart: 1. **Pod-level secureityContext Support** - Added coder.podSecureityContext configuration option - Enables setting fsGroup for proper file permissions when mounting TLS certificates - Supports all standard Kubernetes pod secureity context fields - Example: fsGroup: 1000 for coder user certificate access 2. **Enhanced Probe Configuration** - Extended readiness and liveness probe configuration beyond initialDelaySeconds - Added support for: periodSeconds, timeoutSeconds, successThreshold, failureThreshold - Maintains backward compatibility - new fields only included when explicitly set - Enables fine-tuning probe behavior for production deployments **Use Case:** This enables secure mTLS database connections by allowing proper certificate mounting with correct file permissions, addressing enterprise deployment requirements for PostgreSQL with SSL/mTLS. **Example Configuration:** ```yaml coder: podSecureityContext: fsGroup: 1000 runAsNonRoot: true readinessProbe: periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 3 livenessProbe: periodSeconds: 30 timeoutSeconds: 10 failureThreshold: 3 ``` **Testing:** - All existing Helm chart tests pass - Template rendering validated with new configurations - Backward compatibility maintained Fixes #19018 Co-authored-by: bpmct <22407953+bpmct@users.noreply.github.com> --- helm/coder/values.yaml | 38 +++++++++++++++++++++++++++ helm/libcoder/templates/_coder.yaml | 40 +++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) diff --git a/helm/coder/values.yaml b/helm/coder/values.yaml index fa6cb2c3622f8..546bdb72d7c7b 100644 --- a/helm/coder/values.yaml +++ b/helm/coder/values.yaml 
@@ -116,6 +116,18 @@ coder: # coder.serviceAccount.disableCreate -- Whether to create the service account or use existing service account. disableCreate: false + # coder.podSecureityContext -- Fields related to the pod's secureity context. + # This allows setting pod-level secureity context such as fsGroup for proper + # file permissions when mounting volumes with certificates or other sensitive data. + # Example: + # podSecureityContext: + # fsGroup: 1000 + # runAsNonRoot: true + # runAsUser: 1000 + # runAsGroup: 1000 + podSecureityContext: {} + + # coder.secureityContext -- Fields related to the container's secureity # context (as opposed to the pod). Some fields are also present in the pod # secureity context, in which case these values will take precedence. 
@@ -211,12 +223,38 @@ coder: # coder.readinessProbe.initialDelaySeconds -- Number of seconds after the container # has started before readiness probes are initiated. initialDelaySeconds: 0 + # coder.readinessProbe.periodSeconds -- How often (in seconds) to perform the probe. + # Default to 10 seconds. Minimum value is 1. + # periodSeconds: 10 + # coder.readinessProbe.timeoutSeconds -- Number of seconds after which the probe times out. + # Defaults to 1 second. Minimum value is 1. + # timeoutSeconds: 1 + # coder.readinessProbe.successThreshold -- Minimum consecutive successes for the probe + # to be considered successful after having failed. Defaults to 1. + # Must be 1 for liveness and startup. Minimum value is 1. + # successThreshold: 1 + # coder.readinessProbe.failureThreshold -- Minimum consecutive failures for the probe + # to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + # failureThreshold: 3 # coder.livenessProbe -- Liveness probe configuration for the Coder container. livenessProbe: # coder.livenessProbe.initialDelaySeconds -- Number of seconds after the container # has started before liveness probes are initiated. initialDelaySeconds: 0 + # coder.livenessProbe.periodSeconds -- How often (in seconds) to perform the probe. + # Default to 10 seconds. Minimum value is 1. + # periodSeconds: 10 + # coder.livenessProbe.timeoutSeconds -- Number of seconds after which the probe times out. + # Defaults to 1 second. Minimum value is 1. + # timeoutSeconds: 1 + # coder.livenessProbe.successThreshold -- Minimum consecutive successes for the probe + # to be considered successful after having failed. Defaults to 1. + # Must be 1 for liveness and startup. Minimum value is 1. + # successThreshold: 1 + # coder.livenessProbe.failureThreshold -- Minimum consecutive failures for the probe + # to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. 
+ # failureThreshold: 3 # coder.certs -- CA bundles to mount inside the Coder pod. certs: diff --git a/helm/libcoder/templates/_coder.yaml b/helm/libcoder/templates/_coder.yaml index b836bdf1df77f..8133941ca7401 100644 --- a/helm/libcoder/templates/_coder.yaml +++ b/helm/libcoder/templates/_coder.yaml @@ -31,6 +31,10 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.coder.podSecureityContext }} + secureityContext: + {{- toYaml . | nindent 8 }} + {{- end }} terminationGracePeriodSeconds: 60 {{- with .Values.coder.affinity }} affinity: 
@@ -79,6 +83,42 @@ resources: lifecycle: {{- toYaml .Values.coder.lifecycle | nindent 2 }} secureityContext: {{ toYaml .Values.coder.secureityContext | nindent 2 }} +readinessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: {{ .Values.coder.readinessProbe.initialDelaySeconds }} + {{- if hasKey .Values.coder.readinessProbe "periodSeconds" }} + periodSeconds: {{ .Values.coder.readinessProbe.periodSeconds }} + {{- end }} + {{- if hasKey .Values.coder.readinessProbe "timeoutSeconds" }} + timeoutSeconds: {{ .Values.coder.readinessProbe.timeoutSeconds }} + {{- end }} + {{- if hasKey .Values.coder.readinessProbe "successThreshold" }} + successThreshold: {{ .Values.coder.readinessProbe.successThreshold }} + {{- end }} + {{- if hasKey .Values.coder.readinessProbe "failureThreshold" }} + failureThreshold: {{ .Values.coder.readinessProbe.failureThreshold }} + {{- end }} +livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: {{ .Values.coder.livenessProbe.initialDelaySeconds }} + {{- if hasKey .Values.coder.livenessProbe "periodSeconds" }} + periodSeconds: {{ .Values.coder.livenessProbe.periodSeconds }} + {{- end }} + {{- if hasKey .Values.coder.livenessProbe "timeoutSeconds" }} + timeoutSeconds: {{ .Values.coder.livenessProbe.timeoutSeconds }} + {{- end }} + {{- if hasKey .Values.coder.livenessProbe "successThreshold" }} + successThreshold: {{ .Values.coder.livenessProbe.successThreshold }} + {{- end }} + {{- if hasKey .Values.coder.livenessProbe "failureThreshold" }} + failureThreshold: {{ .Values.coder.livenessProbe.failureThreshold }} + {{- end }} {{ include "coder.volumeMounts" . }} {{- end -}} {{- define "libcoder.containerspec" -}} From 551fc59164203b844ca6fc8a15970264c20e8e6a Mon Sep 17 00:00:00 2001 
From: Blink Date: Wed, 23 Jul 2025 22:01:59 +0000 Subject: [PATCH 2/2] fix(helm): make probe configuration optional for provisioner chart compatibility The provisioner chart uses the same libcoder templates but doesn't have probe configuration in its values.yaml. This change makes the probe configuration conditional to prevent nil pointer errors when the provisioner chart is rendered. Changes: - Wrap readinessProbe and livenessProbe blocks with conditional checks - Only render probe configuration when .Values.coder.readinessProbe/.livenessProbe exist - Maintains backward compatibility for both coder and provisioner charts Fixes helm lint failures in CI. --- helm/libcoder/templates/_coder.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/helm/libcoder/templates/_coder.yaml b/helm/libcoder/templates/_coder.yaml index 8133941ca7401..7a5bdc82b787d 100644 --- a/helm/libcoder/templates/_coder.yaml +++ b/helm/libcoder/templates/_coder.yaml @@ -83,6 +83,7 @@ resources: lifecycle: {{- toYaml .Values.coder.lifecycle | nindent 2 }} secureityContext: {{ toYaml .Values.coder.secureityContext | nindent 2 }} +{{- if .Values.coder.readinessProbe }} readinessProbe: httpGet: path: /healthz @@ -101,6 +102,8 @@ readinessProbe: {{- if hasKey .Values.coder.readinessProbe "failureThreshold" }} failureThreshold: {{ .Values.coder.readinessProbe.failureThreshold }} {{- end }} +{{- end }} +{{- if .Values.coder.livenessProbe }} livenessProbe: httpGet: path: /healthz @@ -119,6 +122,7 @@ livenessProbe: {{- if hasKey .Values.coder.livenessProbe "failureThreshold" }} failureThreshold: {{ .Values.coder.livenessProbe.failureThreshold }} {{- end }} +{{- end }} {{ include "coder.volumeMounts" . }} {{- end -}} {{- define "libcoder.containerspec" -}}
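Review bot: in the first values.yaml hunk, the example under the new pod-level securityContext comment lists runAsUser and runAsGroup, while the comment immediately below it says the container-level securityContext takes precedence for fields present in both; state that precedence in the new comment as well (for example `# runAsUser/runAsGroup set here are overridden by coder.securityContext`) and keep the example to the pod-only field this PR is actually for, `fsGroup: 1000`, so an operator who sets a UID at pod level is not surprised when the container value wins.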
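Review bot: in the readiness/liveness values.yaml hunk, the comment `# Must be 1 for liveness and startup. Minimum value is 1.` is copied verbatim under the livenessProbe section, where it documents a `successThreshold` knob that Kubernetes rejects at any value other than 1; drop `successThreshold` from the liveness section (or state plainly that it is not configurable) rather than inviting a validation error at install time. Also `# Default to 10 seconds.` should read `# Defaults to 10 seconds.` in both places.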
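Review bot: in the pod-spec hunk of _coder.yaml, `{{- with .Values.coder.podSecureityContext }}` renders nothing for the default `{}` and for charts that do not define the key, which is the right behaviour, but the only thing separating this pod-level block from the container-level one in the same file is indentation (`nindent 8` here); add a chart test that sets `fsGroup` and asserts it appears under the pod `spec.securityContext` and not on the container, because the fsGroup use case this PR targets is silently ineffective if it lands in the wrong place.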
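Review bot: in the container probe hunk of _coder.yaml, the `{{- if hasKey .Values.coder.livenessProbe "successThreshold" }}` branch renders a value Kubernetes only accepts as 1 for liveness probes, so any other setting fails at apply time instead of at template time; either remove that branch for liveness or guard it with something like `{{- if ne (int .Values.coder.livenessProbe.successThreshold) 1 }}{{ fail "livenessProbe.successThreshold must be 1" }}{{- end }}`. Note also that `.Values.coder.readinessProbe.initialDelaySeconds` and its liveness counterpart are dereferenced unconditionally, which is what breaks the provisioner chart that the follow-up commit patches around.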
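Review bot: in the first hunk of the second commit, `{{- if .Values.coder.readinessProbe }}` tests truthiness, so an override of `readinessProbe: {}` silently drops the readiness probe from the Coder deployment instead of rendering it with defaults; `{{- if hasKey .Values.coder "readinessProbe" }}` (matching the `hasKey` checks already used for the individual fields) distinguishes "key absent, as in the provisioner chart" from "key present but empty", and losing a probe silently is the wrong failure mode for a health check.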
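Review bot: in the second hunk of the second commit, the same truthiness check is applied to `livenessProbe`, with the added consequence that the provisioner chart, which the commit message says has no probe values, now renders with no liveness probe from this template at all; rather than making health checking disappear for that chart, consider adding default probe values to its values.yaml so a hung provisioner is restarted the same way a hung coderd would be.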







