mirror of https://github.com/coder/coder.git
350 lines
15 KiB
YAML
350 lines
15 KiB
YAML
# coder -- Primary configuration for `coder server`.
|
|
coder:
|
|
# coder.env -- The environment variables to set for Coder. These can be used
|
|
# to configure all aspects of `coder server`. Please see `coder server --help`
|
|
# for information about what environment variables can be set.
|
|
# Note: The following environment variables are set by default and cannot be
|
|
# overridden:
|
|
# - CODER_HTTP_ADDRESS: set to 0.0.0.0:8080 and cannot be changed.
|
|
# - CODER_TLS_ADDRESS: set to 0.0.0.0:8443 if tls.secretName is not empty.
|
|
# - CODER_TLS_ENABLE: set if tls.secretName is not empty.
|
|
# - CODER_TLS_CERT_FILE: set if tls.secretName is not empty.
|
|
# - CODER_TLS_KEY_FILE: set if tls.secretName is not empty.
|
|
# - CODER_PROMETHEUS_ADDRESS: set to 0.0.0.0:2112 and cannot be changed.
|
|
# Prometheus must still be enabled by setting CODER_PROMETHEUS_ENABLE.
|
|
# - KUBE_POD_IP
|
|
# - CODER_DERP_SERVER_RELAY_URL
|
|
#
|
|
# We will additionally set CODER_ACCESS_URL if unset to the cluster service
|
|
# URL, unless coder.envUseClusterAccessURL is set to false.
|
|
env: []
|
|
# - name: "CODER_ACCESS_URL"
|
|
# value: "https://coder.example.com"
|
|
|
|
# coder.envFrom -- Secrets or ConfigMaps to use for Coder's environment
|
|
# variables. If you want one environment variable read from a secret, then use
|
|
# coder.env valueFrom. See the K8s docs for valueFrom here:
|
|
# https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data
|
|
#
|
|
# If setting CODER_ACCESS_URL in coder.envFrom, then you must set
|
|
# coder.envUseClusterAccessURL to false.
|
|
envFrom: []
|
|
# - configMapRef:
|
|
# name: coder-config
|
|
# - secretRef:
|
|
# name: coder-config
|
|
|
|
# coder.envUseClusterAccessURL -- Determines whether the CODER_ACCESS_URL env
|
|
# is added to coder.env if it's not already set there. Set this to false if
|
|
# defining CODER_ACCESS_URL in coder.envFrom to avoid conflicts.
|
|
envUseClusterAccessURL: true
|
|
|
|
# coder.image -- The image to use for Coder.
|
|
image:
|
|
# coder.image.repo -- The repository of the image.
|
|
repo: "ghcr.io/coder/coder"
|
|
# coder.image.tag -- The tag of the image, defaults to {{.Chart.AppVersion}}
|
|
# if not set. If you're using the chart directly from git, the default
|
|
# app version will not work and you'll need to set this value. The helm
|
|
# chart helpfully fails quickly in this case.
|
|
tag: ""
|
|
# coder.image.pullPolicy -- The pull policy to use for the image. See:
|
|
# https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
|
|
pullPolicy: IfNotPresent
|
|
# coder.image.pullSecrets -- The secrets used for pulling the Coder image from
|
|
# a private registry.
|
|
pullSecrets: []
|
|
# - name: "pull-secret"
|
|
|
|
# coder.initContainers -- Init containers for the deployment. See:
|
|
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
|
|
initContainers:
|
|
[]
|
|
# - name: init-container
|
|
# image: busybox:1.28
|
|
# command: ['sh', '-c', "sleep 2"]
|
|
|
|
# coder.annotations -- The Deployment annotations. See:
|
|
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
annotations: {}
|
|
|
|
# coder.labels -- The Deployment labels. See:
|
|
# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
labels: {}
|
|
|
|
# coder.podAnnotations -- The Coder pod annotations. See:
|
|
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
podAnnotations: {}
|
|
|
|
# coder.podLabels -- The Coder pod labels. See:
|
|
# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
podLabels: {}
|
|
|
|
# coder.serviceAccount -- Configuration for the automatically created service
|
|
# account. Creation of the service account cannot be disabled.
|
|
serviceAccount:
|
|
# coder.serviceAccount.workspacePerms -- Whether or not to grant the coder
|
|
# service account permissions to manage workspaces. This includes
|
|
# permission to manage pods and persistent volume claims in the deployment
|
|
# namespace.
|
|
#
|
|
# It is recommended to keep this on if you are using Kubernetes templates
|
|
# within Coder.
|
|
workspacePerms: true
|
|
# coder.serviceAccount.enableDeployments -- Provides the service account
|
|
# permission to manage Kubernetes deployments. Depends on workspacePerms.
|
|
enableDeployments: true
|
|
# coder.serviceAccount.extraRules -- Additional permissions added to the SA
|
|
# role. Depends on workspacePerms.
|
|
extraRules: []
|
|
# - apiGroups: [""]
|
|
# resources: ["services"]
|
|
# verbs:
|
|
# - create
|
|
# - delete
|
|
# - deletecollection
|
|
# - get
|
|
# - list
|
|
# - patch
|
|
# - update
|
|
# - watch
|
|
|
|
# coder.serviceAccount.annotations -- The Coder service account annotations.
|
|
annotations: {}
|
|
# coder.serviceAccount.name -- The service account name
|
|
name: coder
|
|
|
|
# coder.securityContext -- Fields related to the container's security
|
|
# context (as opposed to the pod). Some fields are also present in the pod
|
|
# security context, in which case these values will take precedence.
|
|
securityContext:
|
|
# coder.securityContext.runAsNonRoot -- Requires that the coder container
|
|
# runs as an unprivileged user. If setting runAsUser to 0 (root), this
|
|
# will need to be set to false.
|
|
runAsNonRoot: true
|
|
# coder.securityContext.runAsUser -- Sets the user id of the container.
|
|
# For security reasons, we recommend using a non-root user.
|
|
runAsUser: 1000
|
|
# coder.securityContext.runAsGroup -- Sets the group id of the container.
|
|
# For security reasons, we recommend using a non-root group.
|
|
runAsGroup: 1000
|
|
# coder.securityContext.readOnlyRootFilesystem -- Mounts the container's
|
|
# root filesystem as read-only.
|
|
readOnlyRootFilesystem: null
|
|
# coder.securityContext.seccompProfile -- Sets the seccomp profile for
|
|
# the coder container.
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
# coder.securityContext.allowPrivilegeEscalation -- Controls whether
|
|
# the container can gain additional privileges, such as escalating to
|
|
# root. It is recommended to leave this setting disabled in production.
|
|
allowPrivilegeEscalation: false
|
|
|
|
# coder.volumes -- A list of extra volumes to add to the Coder pod.
|
|
volumes: []
|
|
# - name: "my-volume"
|
|
# emptyDir: {}
|
|
|
|
# coder.volumeMounts -- A list of extra volume mounts to add to the Coder pod.
|
|
volumeMounts: []
|
|
# - name: "my-volume"
|
|
# mountPath: "/mnt/my-volume"
|
|
|
|
# coder.tls -- The TLS configuration for Coder.
|
|
tls:
|
|
# coder.tls.secretNames -- A list of TLS server certificate secrets to mount
|
|
# into the Coder pod. The secrets should exist in the same namespace as the
|
|
# Helm deployment and should be of type "kubernetes.io/tls". The secrets
|
|
# will be automatically mounted into the pod if specified, and the correct
|
|
# "CODER_TLS_*" environment variables will be set for you.
|
|
secretNames: []
|
|
|
|
# coder.replicaCount -- The number of Kubernetes deployment replicas. This
|
|
# should only be increased if High Availability is enabled.
|
|
#
|
|
# This is an Enterprise feature. Contact sales@coder.com.
|
|
replicaCount: 1
|
|
|
|
# coder.workspaceProxy -- Whether or not this deployment of Coder is a Coder
|
|
# Workspace Proxy. Workspace Proxies reduce the latency between the user and
|
|
# their workspace for web connections (workspace apps and web terminal) and
|
|
# proxied connections from the CLI. Workspace Proxies are optional and only
|
|
# recommended for geographically sparse teams.
|
|
#
|
|
# Make sure you set CODER_PRIMARY_ACCESS_URL and CODER_PROXY_SESSION_TOKEN in
|
|
# the environment below. You can get a proxy token using the CLI:
|
|
# coder wsproxy create \
|
|
# --name "proxy-name" \
|
|
# --display-name "Proxy Name" \
|
|
# --icon "/emojis/xyz.png"
|
|
#
|
|
# This is an Enterprise feature. Contact sales@coder.com
|
|
# Docs: https://coder.com/docs/v2/latest/admin/workspace-proxies
|
|
workspaceProxy: false
|
|
|
|
# coder.lifecycle -- container lifecycle handlers for the Coder container, allowing
|
|
# for lifecycle events such as postStart and preStop events
|
|
# See: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
|
|
lifecycle:
|
|
{}
|
|
# postStart:
|
|
# exec:
|
|
# command: ["/bin/sh", "-c", "echo postStart"]
|
|
# preStop:
|
|
# exec:
|
|
# command: ["/bin/sh","-c","echo preStart"]
|
|
|
|
# coder.resources -- The resources to request for Coder. These are optional
|
|
# and are not set by default.
|
|
resources:
|
|
{}
|
|
# limits:
|
|
# cpu: 2000m
|
|
# memory: 4096Mi
|
|
# requests:
|
|
# cpu: 2000m
|
|
# memory: 4096Mi
|
|
|
|
# coder.certs -- CA bundles to mount inside the Coder pod.
|
|
certs:
|
|
# coder.certs.secrets -- A list of CA bundle secrets to mount into the Coder
|
|
# pod. The secrets should exist in the same namespace as the Helm
|
|
# deployment.
|
|
#
|
|
# The given key in each secret is mounted at
|
|
# `/etc/ssl/certs/{secret_name}.crt`.
|
|
secrets:
|
|
[]
|
|
# - name: "my-ca-bundle"
|
|
# key: "ca-bundle.crt"
|
|
|
|
# coder.affinity -- Allows specifying an affinity rule for the `coder` deployment.
|
|
# The default rule prefers to schedule coder pods on different
|
|
# nodes, which is only applicable if coder.replicaCount is greater than 1.
|
|
affinity:
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: app.kubernetes.io/instance
|
|
operator: In
|
|
values:
|
|
- "coder"
|
|
topologyKey: kubernetes.io/hostname
|
|
weight: 1
|
|
|
|
# coder.tolerations -- Tolerations for tainted nodes.
|
|
# See: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
tolerations:
|
|
{}
|
|
# - key: "key"
|
|
# operator: "Equal"
|
|
# value: "value"
|
|
# effect: "NoSchedule"
|
|
|
|
# coder.nodeSelector -- Node labels for constraining coder pods to nodes.
|
|
# See: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
|
|
nodeSelector: {}
|
|
# kubernetes.io/os: linux
|
|
|
|
# coder.service -- The Service object to expose for Coder.
|
|
service:
|
|
# coder.service.enable -- Whether to create the Service object.
|
|
enable: true
|
|
# coder.service.type -- The type of service to expose. See:
|
|
# https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
|
|
type: LoadBalancer
|
|
# coder.service.sessionAffinity -- Must be set to ClientIP or None
|
|
# AWS ELB does not support session stickiness based on ClientIP, so you must set this to None.
|
|
# The error message you might see: "Unsupported load balancer affinity: ClientIP"
|
|
# https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
|
|
sessionAffinity: None
|
|
# coder.service.externalTrafficPolicy -- The external traffic policy to use.
|
|
# You may need to change this to "Local" to preserve the source IP address
|
|
# in some situations.
|
|
# https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
|
|
externalTrafficPolicy: Cluster
|
|
# coder.service.loadBalancerIP -- The IP address of the LoadBalancer. If not
|
|
# specified, a new IP will be generated each time the load balancer is
|
|
# recreated. It is recommended to manually create a static IP address in
|
|
# your cloud and specify it here in production to avoid accidental IP
|
|
# address changes.
|
|
loadBalancerIP: ""
|
|
# coder.service.annotations -- The service annotations. See:
|
|
# https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
|
|
annotations: {}
|
|
# coder.service.httpNodePort -- Enabled if coder.service.type is set to
|
|
# NodePort. If not set, Kubernetes will allocate a port from the default
|
|
# range, 30000-32767.
|
|
httpNodePort: ""
|
|
# coder.service.httpsNodePort -- Enabled if coder.service.type is set to
|
|
# NodePort. If not set, Kubernetes will allocate a port from the default
|
|
# range, 30000-32767.
|
|
httpsNodePort: ""
|
|
# coder.service.prometheusNodePort -- Enabled if coder.service.type is set
|
|
# to NodePort. If not set, Kubernetes will allocate a port from the default
|
|
# range, 30000-32767. The "prometheus-http" port on the coder service is
|
|
# only exposed if CODER_PROMETHEUS_ENABLE is set to true.
|
|
prometheusNodePort: ""
|
|
|
|
# coder.ingress -- The Ingress object to expose for Coder.
|
|
ingress:
|
|
# coder.ingress.enable -- Whether to create the Ingress object. If using an
|
|
# Ingress, we recommend not specifying coder.tls.secretNames as the Ingress
|
|
# will handle TLS termination.
|
|
enable: false
|
|
# coder.ingress.className -- The name of the Ingress class to use.
|
|
className: ""
|
|
# coder.ingress.host -- The hostname to match on.
|
|
# Be sure to also set CODER_ACCESS_URL within coder.env[]
|
|
host: ""
|
|
# coder.ingress.wildcardHost -- The wildcard hostname to match on. Should be
|
|
# in the form "*.example.com" or "*-suffix.example.com". If you are using a
|
|
# suffix after the wildcard, the suffix will be stripped from the created
|
|
# ingress to ensure that it is a legal ingress host. Optional if not using
|
|
# applications over subdomains.
|
|
# Be sure to also set CODER_WILDCARD_ACCESS_URL within coder.env[]
|
|
wildcardHost: ""
|
|
# coder.ingress.annotations -- The ingress annotations.
|
|
annotations: {}
|
|
# coder.ingress.tls -- The TLS configuration to use for the Ingress.
|
|
tls:
|
|
# coder.ingress.tls.enable -- Whether to enable TLS on the Ingress.
|
|
enable: false
|
|
# coder.ingress.tls.secretName -- The name of the TLS secret to use.
|
|
secretName: ""
|
|
# coder.ingress.tls.wildcardSecretName -- The name of the TLS secret to
|
|
# use for the wildcard host.
|
|
wildcardSecretName: ""
|
|
|
|
# coder.command -- The command to use when running the Coder container. Used
|
|
# for customizing the location of the `coder` binary in your image.
|
|
command:
|
|
- /opt/coder
|
|
|
|
# coder.commandArgs -- Set arguments for the entrypoint command of the Coder pod.
|
|
commandArgs: []
|
|
|
|
# provisionerDaemon -- Configuration for external provisioner daemons.
|
|
#
|
|
# This is an Enterprise feature. Contact sales@coder.com.
|
|
provisionerDaemon:
|
|
# provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the
|
|
# Pre-Shared Key (PSK) to use to authenticate external provisioner daemons with Coder. The
|
|
# secret must be in the same namespace as the Helm deployment, and contain an item called "psk"
|
|
# which contains the pre-shared key.
|
|
pskSecretName: ""
|
|
|
|
# extraTemplates -- Array of extra objects to deploy with the release. Strings
|
|
# are evaluated as a template and can use template expansions and functions. All
|
|
# other objects are used as yaml.
|
|
extraTemplates:
|
|
#- |
|
|
# apiVersion: v1
|
|
# kind: ConfigMap
|
|
# metadata:
|
|
# name: my-configmap
|
|
# data:
|
|
# key: {{ .Values.myCustomValue | quote }}
|