
Commit faac753

authored
feat(helm): add pod-level securityContext support for certificate mounting (#19041)
**Add pod-level securityContext support to Coder Helm chart** Adds `coder.podSecurityContext` field to enable pod-level security settings, primarily to solve TLS certificate mounting permission issues. **Problem**: When mounting TLS certificates from Kubernetes secrets, the Coder process (UID 1000) cannot read the files due to restrictive permissions. **Solution**: Setting `podSecurityContext.fsGroup: 1000` ensures Kubernetes sets group ownership of mounted volumes to GID 1000, allowing the Coder process to read certificate files. **Changes**: - Added `podSecurityContext` field to values.yaml with documentation - Updated `_coder.yaml` template to include pod-level security context - Added test case and golden files - Maintains backward compatibility (opt-in feature) **Usage**: ```yaml coder: podSecurityContext: fsGroup: 1000 # Enables TLS cert access ``` Fixes #19038
1 parent 72b8ab5 commit faac753


6 files changed

+468
-0
lines changed

6 files changed

+468
-0
lines changed

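--- a/helm/coder/tests/chart_test.go
+++ b/helm/coder/tests/chart_test.go
@@ -125,6 +125,10 @@ var testCases = []testCase{
 name: "partial_resources",
 expectedError: "",
 },
+{
+name: "pod_securitycontext",
+expectedError: "",
+},
 }
 
 type testCase struct {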
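--- a/<golden-file-path-not-shown-on-page>
+++ b/<golden-file-path-not-shown-on-page>
@@ -0,0 +1,208 @@
+---
+# Source: coder/templates/coder.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+annotations: {}
+labels:
+app.kubernetes.io/instance: release-name
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: coder
+app.kubernetes.io/part-of: coder
+app.kubernetes.io/version: 0.1.0
+helm.sh/chart: coder-0.1.0
+name: coder
+namespace: default
+---
+# Source: coder/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: coder-workspace-perms
+namespace: default
+rules:
+- apiGroups: [""]
+resources: ["pods"]
+verbs:
+- create
+- delete
+- deletecollection
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups: [""]
+resources: ["persistentvolumeclaims"]
+verbs:
+- create
+- delete
+- deletecollection
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- apps
+resources:
+- deployments
+verbs:
+- create
+- delete
+- deletecollection
+- get
+- list
+- patch
+- update
+- watch
+---
+# Source: coder/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: "coder"
+namespace: default
+subjects:
+- kind: ServiceAccount
+name: "coder"
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: coder-workspace-perms
+---
+# Source: coder/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+name: coder
+namespace: default
+labels:
+helm.sh/chart: coder-0.1.0
+app.kubernetes.io/name: coder
+app.kubernetes.io/instance: release-name
+app.kubernetes.io/part-of: coder
+app.kubernetes.io/version: "0.1.0"
+app.kubernetes.io/managed-by: Helm
+annotations:
+{}
+spec:
+type: LoadBalancer
+sessionAffinity: None
+ports:
+- name: "http"
+port: 80
+targetPort: "http"
+protocol: TCP
+nodePort:
+externalTrafficPolicy: "Cluster"
+selector:
+app.kubernetes.io/name: coder
+app.kubernetes.io/instance: release-name
+---
+# Source: coder/templates/coder.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+annotations: {}
+labels:
+app.kubernetes.io/instance: release-name
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: coder
+app.kubernetes.io/part-of: coder
+app.kubernetes.io/version: 0.1.0
+helm.sh/chart: coder-0.1.0
+name: coder
+namespace: default
+spec:
+replicas: 1
+selector:
+matchLabels:
+app.kubernetes.io/instance: release-name
+app.kubernetes.io/name: coder
+template:
+metadata:
+annotations: {}
+labels:
+app.kubernetes.io/instance: release-name
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: coder
+app.kubernetes.io/part-of: coder
+app.kubernetes.io/version: 0.1.0
+helm.sh/chart: coder-0.1.0
+spec:
+affinity:
+podAntiAffinity:
+preferredDuringSchedulingIgnoredDuringExecution:
+- podAffinityTerm:
+labelSelector:
+matchExpressions:
+- key: app.kubernetes.io/instance
+operator: In
+values:
+- coder
+topologyKey: kubernetes.io/hostname
+weight: 1
+containers:
+- args:
+- server
+command:
+- /opt/coder
+env:
+- name: CODER_HTTP_ADDRESS
+value: 0.0.0.0:8080
+- name: CODER_PROMETHEUS_ADDRESS
+value: 0.0.0.0:2112
+- name: CODER_ACCESS_URL
+value: http://coder.default.svc.cluster.local
+- name: KUBE_POD_IP
+valueFrom:
+fieldRef:
+fieldPath: status.podIP
+- name: CODER_DERP_SERVER_RELAY_URL
+value: http://$(KUBE_POD_IP):8080
+image: ghcr.io/coder/coder:latest
+imagePullPolicy: IfNotPresent
+lifecycle: {}
+livenessProbe:
+httpGet:
+path: /healthz
+port: http
+scheme: HTTP
+initialDelaySeconds: 0
+name: coder
+ports:
+- containerPort: 8080
+name: http
+protocol: TCP
+readinessProbe:
+httpGet:
+path: /healthz
+port: http
+scheme: HTTP
+initialDelaySeconds: 0
+resources:
+limits:
+cpu: 2000m
+memory: 4096Mi
+requests:
+cpu: 2000m
+memory: 4096Mi
+securityContext:
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: null
+runAsGroup: 1000
+runAsNonRoot: true
+runAsUser: 1000
+seccompProfile:
+type: RuntimeDefault
+volumeMounts: []
+restartPolicy: Always
+securityContext:
+fsgroup: 1000
+runAsGroup: 1000
+runAsNonRoot: true
+runAsUser: 1000
+serviceAccountName: coder
+terminationGracePeriodSeconds: 60
+volumes: []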
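--- a/<test-values-file-path-not-shown-on-page>
+++ b/<test-values-file-path-not-shown-on-page>
@@ -0,0 +1,8 @@
+coder:
+image:
+tag: latest
+podSecurityContext:
+fsgroup: 1000
+runAsUser: 1000
+runAsGroup: 1000
+runAsNonRoot: true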
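Review bot: The key `fsgroup: 1000` under `podSecurityContext` is not the Kubernetes PodSecurityContext field, which is spelled `fsGroup`; the template appears to pass the map through verbatim, because the golden output above renders the pod-level `securityContext` with the same `fsgroup: 1000` key. An API server either drops the unknown key with a warning or rejects the manifest under strict field validation, so the one setting this commit exists to deliver (group ownership of mounted certificate files) is not exercised by the new test, and the golden file pins the wrong key. Change this line to `fsGroup: 1000` and regenerate the golden file so it records `fsGroup: 1000` under the pod-level securityContext; the values.yaml documentation added by the commit (not shown on this page) should use the same spelling. The `runAsUser`/`runAsGroup`/`runAsNonRoot` entries duplicate what the container securityContext already sets in the golden output; that is harmless, but if the intent is only to test `fsGroup`, a one-line comment in this values file saying so would keep the fixture minimal.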
