# coder -- Primary configuration for `coder server`. #check html for fix dns, that goddam thing again coder: # coder.env -- The environment variables to set for Coder. These can be used # to configure all aspects of `coder server`. Please see `coder server --help` # for information about what environment variables can be set. # Note: The following environment variables are set by default and cannot be # overridden: # - CODER_HTTP_ADDRESS: set to 0.0.0.0:8080 and cannot be changed. # - CODER_TLS_ADDRESS: set to 0.0.0.0:8443 if tls.secretName is not empty. # - CODER_TLS_ENABLE: set if tls.secretName is not empty. # - CODER_TLS_CERT_FILE: set if tls.secretName is not empty. # - CODER_TLS_KEY_FILE: set if tls.secretName is not empty. # - CODER_PROMETHEUS_ADDRESS: set to 0.0.0.0:2112 and cannot be changed. # Prometheus must still be enabled by setting CODER_PROMETHEUS_ENABLE. # - KUBE_POD_IP # - CODER_DERP_SERVER_RELAY_URL # # We will additionally set CODER_ACCESS_URL if unset to the cluster service # URL, unless coder.envUseClusterAccessURL is set to false. env: [] # - name: "CODER_ACCESS_URL" # value: "https://coder.example.com" # coder.envFrom -- Secrets or ConfigMaps to use for Coder's environment # variables. If you want one environment variable read from a secret, then use # coder.env valueFrom. See the K8s docs for valueFrom here: # https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data # # If setting CODER_ACCESS_URL in coder.envFrom, then you must set # coder.envUseClusterAccessURL to false. envFrom: # - configMapRef: # name: coder-config - secretRef: name: env-coder # coder.envUseClusterAccessURL -- Determines whether the CODER_ACCESS_URL env # is added to coder.env if it's not already set there. Set this to false if # defining CODER_ACCESS_URL in coder.envFrom to avoid conflicts. envUseClusterAccessURL: false # coder.image -- The image to use for Coder. image: # coder.image.repo -- The repository of the image. repo: "ghcr.io/coder/coder" # coder.image.tag -- The tag of the image, defaults to {{.Chart.AppVersion}} # if not set. If you're using the chart directly from git, the default # app version will not work and you'll need to set this value. The helm # chart helpfully fails quickly in this case. tag: "" # coder.image.pullPolicy -- The pull policy to use for the image. See: # https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy pullPolicy: IfNotPresent # coder.image.pullSecrets -- The secrets used for pulling the Coder image from # a private registry. pullSecrets: [] # - name: "pull-secret" # coder.initContainers -- Init containers for the deployment. See: # https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ initContainers: [] # - name: init-container # image: busybox:1.28 # command: ['sh', '-c', "sleep 2"] # coder.annotations -- The Deployment annotations. See: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ annotations: keel.sh/policy: force keel.sh/match-tag: "regexp:^[0-9]+\\.[0-9]+\\.[0-9]+$" keel.sh/trigger: poll keel.sh/pollSchedule: '@daily' keel.sh/notify: mail # coder.labels -- The Deployment labels. See: # https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ labels: {} # coder.podAnnotations -- The Coder pod annotations. See: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: {} # coder.podLabels -- The Coder pod labels. See: # https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ podLabels: {} # coder.serviceAccount -- Configuration for the automatically created service # account. Creation of the service account cannot be disabled. serviceAccount: # coder.serviceAccount.workspacePerms -- Whether or not to grant the coder # service account permissions to manage workspaces. This includes # permission to manage pods and persistent volume claims in the deployment # namespace. # # It is recommended to keep this on if you are using Kubernetes templates # within Coder. workspacePerms: true # coder.serviceAccount.enableDeployments -- Provides the service account # permission to manage Kubernetes deployments. Depends on workspacePerms. enableDeployments: true # coder.serviceAccount.extraRules -- Additional permissions added to the SA # role. Depends on workspacePerms. extraRules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get","list","watch","create","update","patch","delete"] # allow Terraform to manage Services in namespace 'coder' - apiGroups: [""] resources: ["services"] verbs: ["get","list","watch","create","update","patch","delete"] # allow Terraform to manage Ingresses in namespace 'coder' - apiGroups: ["networking.k8s.io"] resources: ["ingresses"] verbs: ["get","list","watch","create","update","patch","delete"] # coder.serviceAccount.annotations -- The Coder service account annotations. annotations: {} # coder.serviceAccount.name -- The service account name name: coder # coder.serviceAccount.disableCreate -- Whether to create the service account or use existing service account. disableCreate: false # coder.securityContext -- Fields related to the container's security # context (as opposed to the pod). Some fields are also present in the pod # security context, in which case these values will take precedence. securityContext: # coder.securityContext.runAsNonRoot -- Requires that the coder container # runs as an unprivileged user. If setting runAsUser to 0 (root), this # will need to be set to false. runAsNonRoot: true # coder.securityContext.runAsUser -- Sets the user id of the container. # For security reasons, we recommend using a non-root user. runAsUser: 1000 # coder.securityContext.runAsGroup -- Sets the group id of the container. # For security reasons, we recommend using a non-root group. runAsGroup: 1000 # coder.securityContext.readOnlyRootFilesystem -- Mounts the container's # root filesystem as read-only. readOnlyRootFilesystem: null # coder.securityContext.seccompProfile -- Sets the seccomp profile for # the coder container. seccompProfile: type: RuntimeDefault # coder.securityContext.allowPrivilegeEscalation -- Controls whether # the container can gain additional privileges, such as escalating to # root. It is recommended to leave this setting disabled in production. allowPrivilegeEscalation: true # coder.volumes -- A list of extra volumes to add to the Coder pod. volumes: [] # - name: "my-volume" # emptyDir: {} # coder.volumeMounts -- A list of extra volume mounts to add to the Coder pod. volumeMounts: [] # - name: "my-volume" # mountPath: "/mnt/my-volume" # coder.tls -- The TLS configuration for Coder. tls: # coder.tls.secretNames -- A list of TLS server certificate secrets to mount # into the Coder pod. The secrets should exist in the same namespace as the # Helm deployment and should be of type "kubernetes.io/tls". The secrets # will be automatically mounted into the pod if specified, and the correct # "CODER_TLS_*" environment variables will be set for you. secretNames: [] # coder.replicaCount -- The number of Kubernetes deployment replicas. This # should only be increased if High Availability is enabled. # # This is an Enterprise feature. Contact sales@coder.com. replicaCount: 1 # coder.workspaceProxy -- Whether or not this deployment of Coder is a Coder # Workspace Proxy. Workspace Proxies reduce the latency between the user and # their workspace for web connections (workspace apps and web terminal) and # proxied connections from the CLI. Workspace Proxies are optional and only # recommended for geographically sparse teams. # # Make sure you set CODER_PRIMARY_ACCESS_URL and CODER_PROXY_SESSION_TOKEN in # the environment below. You can get a proxy token using the CLI: # coder wsproxy create \ # --name "proxy-name" \ # --display-name "Proxy Name" \ # --icon "/emojis/xyz.png" # # This is an Enterprise feature. Contact sales@coder.com # Docs: https://coder.com/docs/admin/workspace-proxies workspaceProxy: false # coder.lifecycle -- container lifecycle handlers for the Coder container, allowing # for lifecycle events such as postStart and preStop events # See: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ lifecycle: {} # postStart: # exec: # command: ["/bin/sh", "-c", "echo postStart"] # preStop: # exec: # command: ["/bin/sh","-c","echo preStart"] # coder.resources -- The resources to request for Coder. The below values are # defaults and can be overridden. resources: limits: cpu: 2000m memory: 4096Mi requests: cpu: 200m memory: 4096Mi # coder.certs -- CA bundles to mount inside the Coder pod. certs: # coder.certs.secrets -- A list of CA bundle secrets to mount into the Coder # pod. The secrets should exist in the same namespace as the Helm # deployment. # # The given key in each secret is mounted at # `/etc/ssl/certs/{secret_name}.crt`. secrets: [] # - name: "my-ca-bundle" # key: "ca-bundle.crt" # coder.affinity -- Allows specifying an affinity rule for the `coder` deployment. # The default rule prefers to schedule coder pods on different # nodes, which is only applicable if coder.replicaCount is greater than 1. affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchExpressions: - key: app.kubernetes.io/instance operator: In values: - "coder" topologyKey: kubernetes.io/hostname weight: 1 topologySpreadConstraints: # - maxSkew: 1 # topologyKey: kubernetes.io/hostname # whenUnsatisfiable: DoNotSchedule # labelSelector: # matchLabels: # app.kubernetes.io/instance: coder # coder.tolerations -- Tolerations for tainted nodes. # See: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: [] # - key: "key" # operator: "Equal" # value: "value" # effect: "NoSchedule" # coder.nodeSelector -- Node labels for constraining coder pods to nodes. # See: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector nodeSelector: {} # kubernetes.io/os: linux # coder.service -- The Service object to expose for Coder. service: # coder.service.enable -- Whether to create the Service object. enable: true # coder.service.type -- The type of service to expose. See: # https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types type: NodePort # coder.service.sessionAffinity -- Must be set to ClientIP or None # AWS ELB does not support session stickiness based on ClientIP, so you must set this to None. # The error message you might see: "Unsupported load balancer affinity: ClientIP" # https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity sessionAffinity: None # coder.service.externalTrafficPolicy -- The external traffic policy to use. # You may need to change this to "Local" to preserve the source IP address # in some situations. # https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip externalTrafficPolicy: Cluster # coder.service.loadBalancerIP -- The IP address of the LoadBalancer. If not # specified, a new IP will be generated each time the load balancer is # recreated. It is recommended to manually create a static IP address in # your cloud and specify it here in production to avoid accidental IP # address changes. loadBalancerIP: "" # coder.service.loadBalancerClass -- The class name of the LoadBalancer. See: # https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class loadBalancerClass: "" # coder.service.annotations -- The service annotations. See: # https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer annotations: {} # coder.service.httpNodePort -- Enabled if coder.service.type is set to # NodePort or LoadBalancer. If not set, Kubernetes will allocate a port from the default # range, 30000-32767. httpNodePort: "32707" # coder.service.httpsNodePort -- Enabled if coder.service.type is set to # NodePort or LoadBalancer. If not set, Kubernetes will allocate a port from the default # range, 30000-32767. httpsNodePort: "32707" # coder.ingress -- The Ingress object to expose for Coder. ingress: # coder.ingress.enable -- Whether to create the Ingress object. If using an # Ingress, we recommend not specifying coder.tls.secretNames as the Ingress # will handle TLS termination. enable: true # coder.ingress.className -- The name of the Ingress class to use. className: "traefik" # coder.ingress.host -- The hostname to match on. # Be sure to also set CODER_ACCESS_URL within coder.env[] host: "vscode.my.domain" # coder.ingress.wildcardHost -- The wildcard hostname to match on. Should be # in the form "*.example.com" or "*-suffix.example.com". If you are using a # suffix after the wildcard, the suffix will be stripped from the created # ingress to ensure that it is a legal ingress host. Optional if not using # applications over subdomains. # Be sure to also set CODER_WILDCARD_ACCESS_URL within coder.env[] wildcardHost: "*.vscode.my.domain" # coder.ingress.annotations -- The ingress annotations. annotations: traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls.certresolver: caresolver traefik.ingress.kubernetes.io/router.tls: 'true' traefik.ingress.kubernetes.io/websocket: "true" # coder.ingress.tls -- The TLS configuration to use for the Ingress. tls: # coder.ingress.tls.enable -- Whether to enable TLS on the Ingress. enable: false # coder.ingress.tls.secretName -- The name of the TLS secret to use. secretName: "" # coder.ingress.tls.wildcardSecretName -- The name of the TLS secret to # use for the wildcard host. wildcardSecretName: "" # coder.command -- The command to use when running the Coder container. Used # for customizing the location of the `coder` binary in your image. command: - /opt/coder # coder.commandArgs -- Set arguments for the entrypoint command of the Coder pod. commandArgs: [] # provisionerDaemon -- Configuration for external provisioner daemons. # # This is an Enterprise feature. Contact sales@coder.com. provisionerDaemon: # provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the # Pre-Shared Key (PSK) to use to authenticate external provisioner daemons with Coder. The # secret must be in the same namespace as the Helm deployment, and contain an item called "psk" # which contains the pre-shared key. pskSecretName: "" # extraTemplates -- Array of extra objects to deploy with the release. Strings # are evaluated as a template and can use template expansions and functions. All # other objects are used as yaml. extraTemplates: #- | # apiVersion: v1 # kind: ConfigMap # metadata: # name: my-configmap # data: # key: {{ .Values.myCustomValue | quote }}