From 90ac8b61dca25534058c4cb8e0dab424be90d48f Mon Sep 17 00:00:00 2001 From: Jonathan Yu Date: Sat, 13 Nov 2021 22:20:53 +0000 Subject: [PATCH 1/5] chore: remove compatibility for legacy networking --- templates/NOTES.txt | 64 ------ templates/_common.tpl | 99 ++++----- templates/_environments.tpl | 32 +-- templates/_functions.tpl | 12 +- templates/_ingress.tpl | 25 +-- templates/_migrate.tpl | 80 ------- templates/coderd.yaml | 87 +++----- templates/dashboard.yaml | 22 -- templates/ingress.yaml | 412 +----------------------------------- templates/rbac.yaml | 10 +- templates/timescale.yaml | 18 +- 11 files changed, 94 insertions(+), 767 deletions(-) delete mode 100644 templates/_migrate.tpl delete mode 100644 templates/dashboard.yaml diff --git a/templates/NOTES.txt b/templates/NOTES.txt index c89c2cb2..e69de29b 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt 
@@ -1,64 +0,0 @@ -{{- /* Deprecation notices for moved properties. See _migrate.tpl */}} -{{- $movedMap := fromJson (include "moved" .) }} -{{- $movedList := list }} -{{- range $_, $key := values $movedMap }} - {{- $values := $.Values }} - {{- $found := true }} - {{- range $_, $keypart := splitList "." $key }} - {{- if $found }} - {{- $values = index $values $keypart }} - {{- if kindIs "invalid" $values }} - {{- $found = false }} - {{- end }} - {{- end }} - {{- end }} - {{- if $found }} - {{- range $newKey, $_ := $movedMap }} - {{- if eq (index $movedMap $newKey) $key }} - {{- $item := printf "Move \"%s\" to \"%s\"" $key $newKey }} - {{- $movedList = append $movedList $item }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{- if gt (len $movedList) 0 }} -Deprecated: The Helm values below should be updated to avoid breaking in a future release! -{{- if hasKey .Values "cemanager" }} - ⚠ The "cemanager" Kubernetes Service will be renamed to "coderd". -{{- end }} -{{- $movedList = sortAlpha $movedList }} -{{- range $_, $key := $movedList }} - ↪ {{ $key }} -{{- end }} -{{ end }} - -{{- if eq (include "coder.useServiceNext" .) "true" }} -{{- if gt (len (keys (.Values.dashboard | dict))) 1 }} -Deprecated: The "dashboard" Kubernetes Service has been merged with "coderd". - ✗ All "dashboard.*" values can be safely removed. -{{- if eq (merge .Values dict | dig "ingress" "useDefault" true) false }} - ✗ Custom ingress detected; ensure all traffic directs to "coderd". -{{- end }} -{{ end }} - -{{- if gt (len (keys (.Values.envproxy | dict))) 1 }} -Deprecated: The "envproxy" Kubernetes Service has been merged with "coderd". - ✗ All "envproxy.*" values can be safely removed. - ✗ Ensure that workspaces are rebuilt after this change. -{{ end }} -{{- else }} -{{- if eq (include "coder.hasNginxIngress" .) "true" }} -Deprecated: The "nginx" ingress controller will be removed in a future release. - 🌍 The "coderd" Kubernetes Service now serves TLS certificates. 
- ⤴ Upgrade now by setting the Helm value "coderd.serviceNext=true". -{{ else }} -Deprecated: The "envproxy" and "dashboard" Kubernetes Services are merging into "coderd" in a future release. To update your custom ingress: - ↪ Rename "cemanager" to "coderd" - ↪ Route traffic from "dashboard" to "coderd" - ↪ Route traffic from "envproxy" to "coderd" - ↪ Move TCP port from 8080 to 80 - ↪ Move TCP port from 8443 to 443 - ⚠ The "coderd" Kubernetes Service will be type "LoadBalancer" by default. Adjust options using "coderd.serviceSpec". - ⤴ Upgrade now by setting the Helm value "coderd.serviceNext=true". -{{- end }} -{{- end }} diff --git a/templates/_common.tpl b/templates/_common.tpl index 5fd8dc89..fe88b04e 100644 --- a/templates/_common.tpl +++ b/templates/_common.tpl 
@@ -1,21 +1,17 @@ -{{/* - coder.storageClassName adds a storageClassName field to a volume claim - if the 'storageClassName' value is non-empty. -*/}} +# coder.storageClassName adds a storageClassName field to a volume claim +# if the 'storageClassName' value is non-empty. {{- define "coder.storageClassName" }} -{{ $storageClass := include "movedValue" (dict "Values" .Values "Key" "postgres.default.storageClassName") }} -{{- if ne $storageClass "" }} -storageClassName: {{ $storageClass | default "" | quote }} +{{- if .Values.postgres.default.storageClassName }} +storageClassName: {{ .Values.postgres.default.storageClassName | quote }} {{- end }} {{- end }} -{{/* - coder.postgres.env adds environment variables that - specify how to connect to a Postgres instance. -*/}} + +# coder.postgres.env adds environment variables that +# specify how to connect to a Postgres instance. {{- define "coder.postgres.env" }} -{{- if eq (include "movedValue" (dict "Values" .Values "Key" "postgres.default.enable" "Default" true)) "true" }} +{{- if .Values.postgres.default.enable }} - name: DB_HOST - value: timescale.{{ .Release.Namespace }}{{ include "movedValue" (dict "Values" .Values "Key" "services.clusterDomainSuffix") }} + value: timescale.{{ .Release.Namespace }}{{ .Values.services.clusterDomainSuffix }} - name: DB_PORT value: "5432" - name: DB_USER 
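Review bot: `{{- if .Values.postgres.default.enable }}` drops the implicit default the removed helper carried (`"Default" true`), so a values file that leaves `postgres.default.enable` unset would now skip the DB_HOST/DB_PORT block instead of pointing at the bundled timescale; confirm that values.yaml (not visible here) sets `postgres.default.enable: true` explicitly, or keep the default in the template. The other direct reads in this hunk (`.Values.postgres.default.storageClassName`, `.Values.services.clusterDomainSuffix`) likewise no longer tolerate a missing parent map the way `merge ... | dig` did, and will fail the render rather than yield empty if `postgres.default` or `services` is absent. `coder.postgres.env` continues past the end of the hunk.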
@@ -54,27 +50,26 @@ storageClassName: {{ $storageClass | default "" | quote }} {{- end }} {{- end }} {{- end }} -{{/* - coder.volumes adds a volumes stanza if a cert.secret is provided. -*/}} + +# coder.volumes adds a volumes stanza if a cert.secret is provided. {{- define "coder.volumes" }} volumes: - name: tmp-pgcerts emptyDir: {} -{{- if (merge .Values dict | dig "certs" "secret" "name" false) }} +{{- if .Values.certs.secret.name }} - name: {{ .Values.certs.secret.name | quote }} secret: secretName: {{ .Values.certs.secret.name | quote }} {{- end }} -{{- if ne (include "movedValue" (dict "Values" .Values "Key" "coderd.tls.hostSecretName")) "" }} +{{- if .Values.coderd.tls.hostSecretName }} - name: tls secret: - secretName: {{ include "movedValue" (dict "Values" .Values "Key" "coderd.tls.hostSecretName") }} + secretName: {{ .Values.coderd.tls.hostSecretName | quote }} {{- end }} -{{- if ne (include "movedValue" (dict "Values" .Values "Key" "coderd.tls.devurlsHostSecretName")) "" }} +{{- if .Values.coderd.tls.devurlsHostSecretName }} - name: devurltls secret: - secretName: {{ include "movedValue" (dict "Values" .Values "Key" "coderd.tls.devurlsHostSecretName") }} + secretName: {{ .Values.coderd.tls.devurlsHostSecretName | quote }} {{- end }} {{- if ne .Values.postgres.ssl.certSecret.name "" }} - name: pgcert 
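Review bot: The new guards in `coder.volumes` test truthiness (`{{- if .Values.coderd.tls.hostSecretName }}` and the `devurlsHostSecretName` one below it), while the coderd.yaml hunk at `@@ -158,11 +142,11 @@` tests `{{- if ne .Values.coderd.tls.hostSecretName "" }}` before appending `/etc/ssl/certs/host/tls.crt` to the server cert list; the two disagree when the key is absent rather than empty (nil is falsy here but is not the string `""` there), so the container could be handed a cert path whose volume is never mounted. Align the coderd.yaml checks to the same form, `{{- if .Values.coderd.tls.hostSecretName }}` and `{{- if .Values.coderd.tls.devurlsHostSecretName }}`. The `coder.volumeMounts` hunk (`@@ -93,24 +88,23 @@`) already uses the truthiness form and needs no change. The define continues past the end of this hunk.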
@@ -93,24 +88,23 @@ volumes: {{- end }} {{- end }} -{{/* - coder.volumeMounts adds a volume mounts stanza if a cert.secret is provided. -*/}} +# coder.volumeMounts adds a volume mounts stanza if a cert.secret is +# provided. {{- define "coder.volumeMounts" }} volumeMounts: - name: tmp-pgcerts mountPath: /tmp/pgcerts -{{- if (merge .Values dict | dig "certs" "secret" "name" false) }} +{{- if .Values.certs.secret.name }} - name: {{ .Values.certs.secret.name | quote }} mountPath: /etc/ssl/certs/{{ .Values.certs.secret.key }} subPath: {{ .Values.certs.secret.key | quote }} {{- end }} -{{- if ne (include "movedValue" (dict "Values" .Values "Key" "coderd.tls.hostSecretName")) "" }} +{{- if .Values.coderd.tls.hostSecretName }} - name: tls mountPath: /etc/ssl/certs/host readOnly: true {{- end }} -{{- if ne (include "movedValue" (dict "Values" .Values "Key" "coderd.tls.devurlsHostSecretName")) "" }} +{{- if .Values.coderd.tls.devurlsHostSecretName }} - name: devurltls mountPath: /etc/ssl/certs/devurls readOnly: true 
@@ -131,56 +125,37 @@ volumeMounts: readOnly: true {{- end }} {{- end }} -{{/* - coder.serviceTolerations adds tolerations if any are specified to - coder-managed services. -*/}} + +# coder.serviceTolerations adds tolerations if any are specified to +# coder-managed services. {{- define "coder.serviceTolerations" }} -{{- if ne (include "movedValue" (dict "Values" .Values "Key" "services.tolerations")) "" }} -tolerations: -{{ include "movedValue" (dict "Values" .Values "Key" "services.tolerations") }} +{{- if .Values.services.tolerations }} +tolerations: {{ toYaml .Values.services.tolerations | nindent 2 }} {{- end }} {{- end }} -{{/* - coder.accessURL is a URL for accessing the coderd. -*/}} + +# coder.accessURL is a URL for accessing the coderd. {{- define "coder.accessURL" }} -{{- if .Values.cemanager }} -{{- if ne (merge .Values dict | dig "cemanager" "accessURL" "") "" }} -{{- .Values.cemanager.accessURL -}} -{{- else -}} - http://cemanager.{{ .Release.Namespace }}{{ include "movedValue" (dict "Values" .Values "Key" "services.clusterDomainSuffix") }}:8080 -{{- end }} -{{- else -}} -{{- if ne (merge .Values dict | dig "coderd" "accessURL" "") "" }} +{{- if .Values.coderd.accessURL }} {{- .Values.coderd.accessURL -}} {{- else -}} - http://coderd.{{ .Release.Namespace }}{{ include "movedValue" (dict "Values" .Values "Key" "services.clusterDomainSuffix") }}:8080 -{{- end }} +http://coderd.{{ .Release.Namespace }}{{ .Values.services.clusterDomainSuffix }}:8080 {{- end }} {{- end }} -{{/* - coder.cluster.accessURL is a URL for accessing the Kubernetes cluster. -*/}} + +# coder.cluster.accessURL is a URL for accessing the Kubernetes cluster. 
{{- define "coder.cluster.accessURL" -}} -https://kubernetes.default{{ include "movedValue" (dict "Values" .Values "Key" "services.clusterDomainSuffix") }}:443 +https://kubernetes.default{{ .Values.services.clusterDomainSuffix }}:443 {{- end }} -{{/* - coder.services.nodeSelector adds nodeSelectors if any are specified to - coder-managed services. -*/}} +# coder.services.nodeSelector adds nodeSelectors if any are specified to +# coder-managed services. {{- define "coder.services.nodeSelector" }} {{- if .Values.services.nodeSelector }} -nodeSelector: -{{ toYaml .Values.services.nodeSelector | indent 1 }} +nodeSelector: {{ toYaml .Values.services.nodeSelector | nindent 2 }} {{- end }} {{- end }} -{{- define "coder.serviceName" }} -{{- if hasKey .Values "cemanager" -}} -cemanager -{{- else -}} +{{- define "coder.serviceName" -}} coderd {{- end }} -{{- end }} diff --git a/templates/_environments.tpl b/templates/_environments.tpl index a0d5ef8b..a57adf58 100644 --- a/templates/_environments.tpl +++ b/templates/_environments.tpl 
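Review bot: `coder.serviceName` is the one define in this hunk that did not receive a `#` header comment, and it now unconditionally returns `coderd`; add `# coder.serviceName is the name shared by the coderd Deployment and Service.` above `{{- define "coder.serviceName" -}}`. Since the value is now a constant, every `include "coder.serviceName" .` in coderd.yaml could be inlined in a follow-up, which is worth mentioning in that comment so the indirection is not mistaken for a still-variable name.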
@@ -1,24 +1,28 @@ -{{/* - coder.environments.configMap defines configuration that is applied - to user environments. -*/}} -{{- define "coder.environments.configMap" }} -{{- if (merge .Values dict | dig "environments" "tolerations" false) }} +# coder.workspaces.configMap defines configuration that is applied +# to user workspaces. +# +# TODO: rename Values.environments to Values.coderd.workspaces, +# once we verify that it won't hurt backward compatibility +{{- define "coder.workspaces.configMap" }} +{{- if .Values.environments.tolerations }} --- apiVersion: v1 kind: ConfigMap metadata: namespace: {{ .Release.Namespace | quote }} + # TODO: change this to coderd, and store other settings in + # the ConfigMap name: ce-environment-config data: tolerations: {{ toJson .Values.environments.tolerations | b64enc | quote }} -{{- end}} -{{- end}} -{{/* - coder.environments.configMapEnv contains a POD_TOLERATIONS environment variable. - ce-manager uses this environment variable to unmarshal pod toleration objects. -*/}} -{{- define "coder.environments.configMapEnv" }} +{{- end }} +{{- end }} + +# coder.workspaces.configMapEnv contains a POD_TOLERATIONS environment +# variable. +# +# coderd uses this environment variable to unmarshal pod toleration objects. +{{- define "coder.workspaces.configMapEnv" }} {{- if (merge .Values dict | dig "environments" "tolerations" false) }} - name: POD_TOLERATIONS value: {{ toJson .Values.environments.tolerations | b64enc | quote }} @@ -27,4 +31,4 @@ data: - name: POD_NODESELECTOR value: {{ toJson .Values.environments.nodeSelector | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/_functions.tpl b/templates/_functions.tpl index a4141922..69a7b179 100644 --- a/templates/_functions.tpl +++ b/templates/_functions.tpl 
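Review bot: `coder.workspaces.configMapEnv` still opens with `{{- if (merge .Values dict | dig "environments" "tolerations" false) }}` although the sibling define in the same hunk was switched to `{{- if .Values.environments.tolerations }}`; as the commit's purpose is removing these compatibility lookups, change it to `{{- if .Values.environments.tolerations }}` for consistency. The rename from `coder.environments.configMap` to `coder.workspaces.configMap` is only safe if no template outside this diff still includes the old name; coderd.yaml updates the `configMapEnv` include, but no caller of the ConfigMap define is visible here. The `# TODO` lines placed inside the define between `namespace:` and `name:` are YAML comments rather than template comments, so they are rendered into the emitted ConfigMap manifest; a `{{- /* ... */}}` comment keeps them out of the output.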
@@ -1,7 +1,5 @@ -{{/* - coder.resources accepts a resource stanza as its scope and returns - resource configuration if any of the values are set. -*/}} +# coder.resources accepts a resource stanza as its scope and returns +# resource configuration if any of the values are set. {{- define "coder.resources" }} {{- if . }} resources: @@ -26,11 +24,7 @@ resources: {{- end }} {{- end }} -{{/* -coder.template.render -- renders a value that contains template. -Usage: -{{ include "coder.template.render" ( dict "value" .Values.path.to.the.Value "context" $) }} -*/}} +# coder.template.render -- renders a value that contains template. {{- define "coder.template.render" -}} {{- if typeIs "string" .value }} {{- tpl .value .context }} diff --git a/templates/_ingress.tpl b/templates/_ingress.tpl index a9bac6af..e3d8a086 100644 --- a/templates/_ingress.tpl +++ b/templates/_ingress.tpl @@ -4,7 +4,7 @@ values.yaml settings. */}} {{- define "coder.ingress.tls" }} -{{- if (merge .Values dict | dig "ingress" "tls" "enable" false) }} +{{- if .Values.ingress.tls.enable }} tls: {{- if and .Values.ingress.host .Values.ingress.tls.hostSecretName }} - hosts: 
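Review bot: The usage example for `coder.template.render` was dropped when its comment became a `#` line in the `@@ -26,11 +24,7 @@` hunk; that is understandable, because a `#` comment is still evaluated by the template engine and a literal `{{ include ... }}` inside it would execute, but the example is the only place the `dict "value" ... "context" $` calling convention was documented. Keep this one define's header as a `{{/* ... */}}` template comment (as it was) so the Usage line survives, or rewrite the example without template delimiters in the `#` comment.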
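Review bot: `coder.ingress.tls` now guards on `.Values.ingress.tls.enable` yet the next line still reads `.Values.ingress.host` and `.Values.ingress.tls.hostSecretName`, while the volumes in `_common.tpl` read `.Values.coderd.tls.hostSecretName` (the mapping deleted from `_migrate.tpl` recorded `coderd.tls.hostSecretName` as the replacement for `ingress.tls.hostSecretName`). If values.yaml carries only the `coderd.tls.*` keys after this commit the Ingress TLS stanza is never emitted, and if both exist the same secret has to be configured twice; pick one key family for both places, e.g. `{{- if and .Values.ingress.host .Values.coderd.tls.hostSecretName }}`. The same applies to the next hunk (`@@ -14,30 +14,9 @@`), where `devurlsHostSecretName` is still read from `.Values.ingress.tls`. The define starts before this hunk.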
@@ -14,30 +14,9 @@ {{- if .Values.devurls }} {{- if and .Values.devurls.host .Values.ingress.tls.devurlsHostSecretName }} - hosts: - - {{ include "movedValue" (dict "Values" .Values "Key" "coderd.devurlsHost") }} + - {{ .Values.coderd.devurlsHost }} secretName: {{ .Values.ingress.tls.devurlsHostSecretName }} {{- end }} {{- end }} {{- end }} {{- end }} - -{{/* */}} -{{- define "coder.hasNginxIngress" }} -{{- if (lookup "v1" "Service" .Release.Namespace "ingress-nginx") -}} -true -{{- else -}} -false -{{- end }} -{{- end }} - -{{- define "coder.useServiceNext" }} -{{- if eq (merge .Values dict | dig "coderd" "serviceNext" false) true -}} -true -{{- else if eq (merge .Values dict | dig "ingress" "useDefault" true) false -}} -false -{{- else if eq (include "coder.hasNginxIngress" .) "false" -}} -true -{{- else -}} -false -{{- end }} -{{- end }} diff --git a/templates/_migrate.tpl b/templates/_migrate.tpl deleted file mode 100644 index 36c94675..00000000 --- a/templates/_migrate.tpl +++ /dev/null 
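Review bot: The guard `{{- if and .Values.devurls.host .Values.ingress.tls.devurlsHostSecretName }}` still tests `.Values.devurls.host`, but the host emitted on the new line is `.Values.coderd.devurlsHost`; when only the new key is set the TLS block is skipped, and when only the legacy key is set an empty `hosts` entry is emitted. Test the same key you emit, `{{- if and .Values.coderd.devurlsHost .Values.ingress.tls.devurlsHostSecretName }}`, and revisit the enclosing `{{- if .Values.devurls }}` at the top of the hunk, which also gates on the legacy map. `secretName: {{ .Values.ingress.tls.devurlsHostSecretName }}` is left unquoted, unlike the `| quote` forms added in `_common.tpl`; add `| quote` for consistency.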
@@ -1,80 +0,0 @@ -{{- /* Defines a KV mapping of values that have been moved. */}} -{{- /* If a value specified in this mapping is set, we notify */}} -{{- /* of deprecation in NOTES.txt */}} -{{- define "moved" }} -{{- $moved := dict }} -{{- /* To deprecate a value, map the new location to the old below */}} -{{- $_ := set $moved "coderd" "cemanager" }} -{{- $_ := set $moved "coderd.replicas" "cemanager.replicas" }} -{{- $_ := set $moved "coderd.image" "cemanager.image" }} -{{- $_ := set $moved "coderd.resources" "cemanager.resources" }} -{{- $_ := set $moved "coderd.devurlsHost" "devurls.host" }} -{{- $_ := set $moved "coderd.serviceSpec.loadBalancerIP" "ingress.loadBalancerIP" }} -{{- $_ := set $moved "coderd.serviceSpec.loadBalancerSourceRanges" "ingress.loadBalancerSourceRanges" }} -{{- $_ := set $moved "coderd.serviceSpec.externalTrafficPolicy" "ingress.service.externalTrafficPolicy" }} -{{- $_ := set $moved "coderd.tls.hostSecretName" "ingress.tls.hostSecretName" }} -{{- $_ := set $moved "coderd.tls.devurlsHostSecretName" "ingress.tls.devurlsHostSecretName" }} -{{- $_ := set $moved "postgres.default.storageClassName" "storageClassName" }} -{{- $_ := set $moved "postgres.default.image" "timescale.image" }} -{{- $_ := set $moved "postgres.default.resources" "timescale.resources" }} -{{- $_ := set $moved "postgres.default.resources.requests.storage" "timescale.resources.requests.storage" }} -{{- $_ := set $moved "postgres.default.enable" "postgres.useDefault" }} -{{- $_ := set $moved "services.annotations" "deploymentAnnotations" }} -{{- $_ := set $moved "services.tolerations" "serviceTolerations" }} -{{- $_ := set $moved "services.clusterDomainSuffix" "clusterDomainSuffix" }} -{{- $_ := set $moved "services.type" "serviceType" }} -{{- $_ := set $moved "coderd.builtinProviderServiceAccount.annotations" "serviceAccount.annotations" }} -{{- $_ := set $moved "coderd.builtinProviderServiceAccount.labels" "serviceAccount.labels" }} -{{- toJson $moved }} -{{- end }} 
- -{{- /* - Use when a key has been moved for deprecation. - Prioritizes the value of "New" above "Old". - Provide a "Default" key to set a default value. - - Example: - {{ include "movedValue" (dict "Values" .Values "Key" "postgres.default.storageClassName") }} -*/}} -{{- define "movedValue" }} - {{- $key := required "`Key` must be set!" .Key }} - {{- $values := required "`Values` must be set!" .Values }} - {{- $found := true }} - - {{- $moved := fromJson (include "moved" .) }} - {{- $oldkey := index $moved $key }} - {{- $oldvalue := "" }} - {{- if $oldkey }} - {{- $oldvalue = include "movedValue" (dict "Values" .Values "Key" $oldkey "Default" .Default "Nested" true) }} - {{- else if not .Nested }} - {{ fail "Developer Error: 'movedValue' is used for deprecated values only. Reference the value directly instead!" }} - {{- end }} - - {{- if ne $oldvalue "" }} - {{- $oldvalue }} - {{- else }} - {{- /* Iterate through the provided key split by "." */}} - {{- /* eg. "some.kinda.key" is ["some", "kinda", "key"] */}} - {{- range $index, $keypart := splitList "." $key }} - {{- /* There's no way to break this loop */}} - {{- /* If not found once, we know the chain is broken */}} - {{- if $found }} - {{- $values = index $values $keypart }} - {{- if not $values }} - {{- $found = false }} - {{- end }} - {{- if kindIs "bool" $values }} - {{- $found = true }} - {{- end }} - {{- end }} - {{- end }} - - {{- if $found }} - {{- toYaml $values }} - {{- else }} - {{- if and (not .Nested) .Default }} - {{- toYaml .Default }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} diff --git a/templates/coderd.yaml b/templates/coderd.yaml index 242f90a8..d8f3649e 100644 --- a/templates/coderd.yaml +++ b/templates/coderd.yaml 
@@ -9,12 +9,9 @@ metadata: coder.deployment: {{ include "coder.serviceName" . }} name: {{ include "coder.serviceName" . }} namespace: {{ .Release.Namespace | quote }} - annotations: - {{- range $key, $value := fromYaml (include "movedValue" (dict "Values" .Values "Key" "services.annotations")) }} - {{ $key }}: {{ $value | quote }} - {{- end }} + annotations: {{- toYaml .Values.services.annotations | nindent 4 }} spec: - replicas: {{ include "movedValue" (dict "Values" .Values "Key" "coderd.replicas" 1) }} + replicas: {{ default 1 .Values.coderd.replicas }} strategy: rollingUpdate: maxSurge: "25%" @@ -29,17 +26,9 @@ spec: app.kubernetes.io/part-of: coder app: {{ include "coder.serviceName" . }} coder.deployment: {{ include "coder.serviceName" . }} - annotations: - {{- range $key, $value := fromYaml (include "movedValue" (dict "Values" .Values "Key" "services.annotations")) }} - {{ $key }}: {{ $value | quote }} - {{- end }} + annotations: {{- toYaml .Values.services.annotations | nindent 8 }} spec: - securityContext: - {{- if hasKey .Values "cemanager" }} - {{- toYaml .Values.cemanager.podSecurityContext | nindent 8 }} - {{- else }} - {{- toYaml .Values.coderd.podSecurityContext | nindent 8 }} - {{- end }} + securityContext: {{- toYaml .Values.coderd.podSecurityContext | nindent 8 }} restartPolicy: Always # terminationGracePeriodSeconds should be set to the upper bound for container rebuilds and creates. # 5 minutes 
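Review bot: `annotations: {{- toYaml .Values.services.annotations | nindent 4 }}` (and the `nindent 8` form on the pod template in this file's second hunk) renders `annotations:` followed by `null` when the value is unset or null, whereas the Service later in this file guards `serviceSpec` with `{{- if .Values.coderd.serviceSpec }}`; use the same guard pattern here, `{{- with .Values.services.annotations }}` / `annotations: {{- toYaml . | nindent 4 }}` / `{{- end }}`, so the metadata stays clean and consistent. Kubernetes tolerates a null annotations map, so this is a style point rather than a rendering failure.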
@@ -48,14 +37,14 @@ spec: serviceAccountName: coder {{- end }} {{- if .Values.coderd.affinity }} - affinity: {{- include "coder.template.render" ( dict "value" .Values.coderd.affinity "context" $) | nindent 8 }} + affinity: {{- include "coder.template.render" (dict "value" .Values.coderd.affinity "context" $) | nindent 8 }} {{- end }} {{- include "coder.services.nodeSelector" . | indent 6 }} {{- include "coder.serviceTolerations" . | indent 6 }} {{- if not .Values.coderd.satellite.enable }} initContainers: - name: migrations - image: {{ include "movedValue" (dict "Values" .Values "Key" "coderd.image") }} + image: {{ .Values.coderd.image | quote }} imagePullPolicy: Always env: - name: HUMAN_LOG @@ -75,11 +64,11 @@ spec: fieldRef: fieldPath: metadata.namespace - name: DEVURL_HOST - value: {{ include "movedValue" (dict "Values" .Values "Key" "coderd.devurlsHost") }} + value: {{ .Values.coderd.devurlsHost | quote }} - name: VERBOSE value: "true" {{- include "coder.postgres.env" . | indent 12 }} -{{- include "coder.environments.configMapEnv" . | indent 12 }} +{{- include "coder.workspaces.configMapEnv" . | indent 12 }} command: - coderd - migrate @@ -94,17 +83,12 @@ spec: {{- end }} containers: - name: {{ include "coder.serviceName" . }} - image: {{ include "movedValue" (dict "Values" .Values "Key" "coderd.image") }} + image: {{ .Values.coderd.image | quote }} imagePullPolicy: Always ports: - name: tcp-{{ include "coder.serviceName" . }} containerPort: 8080 - securityContext: - {{- if hasKey .Values "cemanager" }} - {{- toYaml .Values.cemanager.securityContext | nindent 12 }} - {{- else }} - {{- toYaml .Values.coderd.securityContext | nindent 12 }} - {{- end }} + securityContext: {{ toYaml .Values.coderd.securityContext | nindent 12 }} # coderd is a daemon service, no need to allocate a tty for it. tty: false env: 
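Review bot: In the `@@ -94,17 +83,12 @@` hunk, `securityContext: {{ toYaml .Values.coderd.securityContext | nindent 12 }}` omits the left-trim that the pod-level `securityContext: {{- toYaml .Values.coderd.podSecurityContext | nindent 8 }}` uses, leaving a trailing space after the colon in the rendered manifest; write it as `securityContext: {{- toYaml .Values.coderd.securityContext | nindent 12 }}`. Both lines render `null` if the respective value is unset, which silently drops the security context for the pod or container; if the chart intends a hardened default, values.yaml (not visible here) must define it, and a short comment above each line saying so would help operators.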
@@ -131,14 +115,14 @@ spec: fieldRef: fieldPath: metadata.namespace - name: DEVURL_HOST - value: {{ include "movedValue" (dict "Values" .Values "Key" "coderd.devurlsHost") }} + value: {{ .Values.coderd.devurlsHost | quote }} - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP - name: VERBOSE value: "true" - {{- if and (eq (include "coder.hasNginxIngress" .) "true") (eq (merge .Values dict | dig "coderd" "serviceNext" false) false) (merge .Values dict | dig "ingress" "enable" true) (merge .Values dict | dig "ingress" "useDefault" true) }} + {{- if .Values.ingress.enable }} - name: TRUST_PROXY_IP value: "true" {{- else }} @@ -158,11 +142,11 @@ spec: {{- end }} {{- $serverCerts := list }} {{- $serverKeys := list }} - {{- if ne (include "movedValue" (dict "Values" .Values "Key" "coderd.tls.hostSecretName")) "" }} + {{- if ne .Values.coderd.tls.hostSecretName "" }} {{ $serverCerts = append $serverCerts "/etc/ssl/certs/host/tls.crt" }} {{ $serverKeys = append $serverKeys "/etc/ssl/certs/host/tls.key" }} {{- end }} - {{- if ne (include "movedValue" (dict "Values" .Values "Key" "coderd.tls.devurlsHostSecretName")) "" }} + {{- if ne .Values.coderd.tls.devurlsHostSecretName "" }} {{- $serverCerts = append $serverCerts "/etc/ssl/certs/devurls/tls.crt" }} {{- $serverKeys = append $serverKeys "/etc/ssl/certs/devurls/tls.key" }} {{- end }} @@ -187,7 +171,7 @@ spec: name: {{ .Values.coderd.superAdmin.passwordSecret.name | quote }} key: {{ .Values.coderd.superAdmin.passwordSecret.key | quote }} {{- end }} -{{- include "coder.environments.configMapEnv" . | indent 12 }} +{{- include "coder.workspaces.configMapEnv" . | indent 12 }} {{- include "coder.postgres.env" . | indent 12 }} command: - coderd 
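Review bot: `{{- if .Values.ingress.enable }}` now sets `TRUST_PROXY_IP` to `"true"` whenever an Ingress is rendered, whereas the removed condition also required the chart's own nginx controller to be detected and `ingress.useDefault`; with that coupling gone, coderd will honor forwarded client-address headers even on requests that reach the coderd Service without passing through the ingress (for example when `coderd.serviceSpec` exposes it as a LoadBalancer or a NodePort is set), so wherever coderd relies on the client address, that address can be supplied by the caller. Tie the variable to the component actually fronting coderd: either document next to this line that `coderd.serviceSpec` must keep the Service cluster-internal when `ingress.enable` is true, or gate it on a dedicated, explicitly documented value rather than on `ingress.enable` alone. The container env list continues outside the hunk.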
@@ -210,7 +194,7 @@ spec: initialDelaySeconds: 10 failureThreshold: 7 periodSeconds: 10 -{{- include "coder.resources" (fromYaml (include "movedValue" (dict "Values" .Values "Key" "coderd.resources"))) | indent 10 }} +{{- include "coder.resources" .Values.coderd.resources | indent 10 }} {{- include "coder.volumeMounts" . | indent 10 }} {{- include "coder.volumes" . | indent 6 }} {{- if .Values.coderd.satellite.enable }} @@ -229,7 +213,6 @@ data: privateKey: {{ genPrivateKey "ecdsa" | b64enc }} {{- end }} {{- end }} -{{ if eq (include "coder.useServiceNext" .) "true" }} --- apiVersion: v1 kind: Service @@ -240,12 +223,11 @@ metadata: name: {{ include "coder.serviceName" . }} {{- end }} namespace: {{ .Release.Namespace | quote }} - annotations: - {{- range $key, $value := .Values.coderd.serviceAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} + annotations: {{ toYaml .Values.services.annotations | nindent 4 }} spec: -{{ toYaml .Values.coderd.serviceSpec | indent 2 }} + {{- if .Values.coderd.serviceSpec }} + {{- toYaml .Values.coderd.serviceSpec | nindent 2 }} + {{- end }} selector: coder.deployment: {{ include "coder.serviceName" . }} ports: 
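Review bot: In the `@@ -240,12 +223,11 @@` hunk the Service annotations now come from `.Values.services.annotations` (`annotations: {{ toYaml .Values.services.annotations | nindent 4 }}`), replacing the former `.Values.coderd.serviceAnnotations` range; a values file that still sets `coderd.serviceAnnotations`, which is where cloud load-balancer annotations such as those marking the LB internal would have lived, now has them silently ignored while the Deployment-level annotations are applied to the Service instead. Either keep reading the Service-specific key, `annotations: {{ toYaml .Values.coderd.serviceAnnotations | nindent 4 }}`, or fail the render when the old key is present, and record the change in the chart docs. The `{{- if .Values.coderd.serviceSpec }}` guard added below is the right pattern; the annotations line could use the same guard.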
@@ -253,32 +235,13 @@ spec: port: 80 targetPort: 8080 protocol: TCP - {{ if .Values.coderd.serviceNodePorts.http }} - nodePort: {{ .Values.coderd.serviceNodePorts.http }} - {{ end }} + {{- if .Values.coderd.serviceNodePorts.http }} + nodePort: {{ .Values.coderd.serviceNodePorts.http }} + {{- end }} - name: tcp-{{ include "coder.serviceName" . }}-https port: 443 targetPort: 8443 protocol: TCP - {{ if .Values.coderd.serviceNodePorts.https }} + {{- if .Values.coderd.serviceNodePorts.https }} nodePort: {{ .Values.coderd.serviceNodePorts.https }} - {{ end }} -{{- else }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "coder.serviceName" . }} - namespace: {{ .Release.Namespace | quote }} -spec: - type: {{ include "movedValue" (dict "Values" .Values "Key" "services.type") | quote}} - selector: - coder.deployment: {{ include "coder.serviceName" . }} - ports: - - name: tcp-{{ include "coder.serviceName" . }} - port: 8080 - protocol: TCP - - name: tcp-{{ include "coder.serviceName" . }}-https - port: 8443 - protocol: TCP -{{- end }} + {{- end }} diff --git a/templates/dashboard.yaml b/templates/dashboard.yaml deleted file mode 100644 index 88471ac6..00000000 --- a/templates/dashboard.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.dashboard }} -{{/* - The dashboard service only exists for compatibility with custom ingresses. - Dashboard is no longer needed, so we point it's traffic directly at the coderd - pods now. -*/}} ---- -apiVersion: v1 -kind: Service -metadata: - name: dashboard - namespace: {{ .Release.Namespace | quote }} -spec: - type: {{ .Values.serviceType | quote }} - selector: - coder.deployment: {{ include "coder.serviceName" . }} - ports: - - name: tcp-dashboard - port: 3000 - targetPort: 8080 - protocol: TCP -{{- end }} diff --git a/templates/ingress.yaml b/templates/ingress.yaml index f16874a9..ae6d48d6 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml 
@@ -1,415 +1,5 @@ -{{- if and (eq (include "coder.hasNginxIngress" .) "true") (eq (merge .Values dict | dig "coderd" "serviceNext" false) false) (merge .Values dict | dig "ingress" "enable" true) (merge .Values dict | dig "ingress" "useDefault" true) }} +{{- if .Values.ingress.enable }} --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: custom-headers - namespace: {{ .Release.Namespace | quote }} -data: - # The default timeout to receive a response from the backend is - # 15 seconds. This is a little low for applications like webpack - # which may need extra time to compile resources upon receiving - # a request. - # See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-upstream-rq-timeout-ms - X-Envoy-Upstream-Rq-Timeout-Ms: "60000" ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: nginx-configuration - namespace: {{ .Release.Namespace | quote }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -data: - proxy-set-headers: "{{ .Release.Namespace }}/custom-headers" - enable-underscores-in-headers: "true" ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: tcp-services - namespace: {{ .Release.Namespace | quote }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: udp-services - namespace: {{ .Release.Namespace | quote }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-ingress-serviceaccount - namespace: {{ .Release.Namespace | quote }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: nginx-ingress-clusterrole-{{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx 
-rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - "extensions" - - "storage.k8s.io" - resources: - - storageclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: nginx-ingress-role - namespace: {{ .Release.Namespace | quote }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -rules: - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - namespaces - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - # Defaults to "-" - # Here: "-" - # This has to be adapted if you change either parameter - # when launching the nginx-ingress-controller. 
- - ingress-controller-leader-{{ .Release.Namespace }} - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: nginx-ingress-role-nisa-binding - namespace: {{ .Release.Namespace | quote }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: nginx-ingress-role -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: {{ .Release.Namespace | quote }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - # The cluster role binding needs to be namespaced to avoid - # reassigning the subject each time someone makes a push. - name: nginx-ingress-clusterrole-nisa-binding-{{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-ingress-clusterrole-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: {{ .Release.Namespace | quote }} ---- -apiVersion: apps/v1 -kind: {{ merge .Values dict | dig "ingress" "deployment" "kind" "Deployment" | quote }} -metadata: - name: nginx-ingress-controller - namespace: {{ .Release.Namespace | quote }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - annotations: - {{- range $key, $value := fromYaml (include "movedValue" (dict "Values" .Values "Key" "services.annotations")) }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: -{{- if eq (merge .Values dict | dig "ingress" "deployment" "kind" "Deployment") "Deployment" }} - replicas: 1 -{{- end }} - selector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - 
app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - annotations: - prometheus.io/port: "10254" - prometheus.io/scrape: "true" - {{- range $key, $value := fromYaml (include "movedValue" (dict "Values" .Values "Key" "services.annotations")) }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - # wait up to five minutes for the drain of connections - terminationGracePeriodSeconds: 300 - serviceAccountName: nginx-ingress-serviceaccount -{{- include "coder.services.nodeSelector" . | indent 6 }} -{{- include "coder.serviceTolerations" . | indent 6 }} - containers: - - name: nginx-ingress-controller - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.33.0 - args: - - /nginx-ingress-controller - # The ingress-class points the nginx controller to our - # "web-ingress" ingress resource. - - --ingress-class={{ .Release.Namespace }} - - --configmap=$(POD_NAMESPACE)/nginx-configuration - - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - - --publish-service=$(POD_NAMESPACE)/ingress-nginx - - --annotations-prefix=nginx.ingress.kubernetes.io - securityContext: - allowPrivilegeEscalation: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - # www-data -> 101 - runAsUser: 101 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - livenessProbe: - failureThreshold: 3 - exec: - command: - - curl - - s - - http://localhost:10254/healthz - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - readinessProbe: - failureThreshold: 3 - exec: - command: - - curl - - s - - http://localhost:10254/healthz - periodSeconds: 10 - successThreshold: 1 - 
timeoutSeconds: 10 - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - ---- -kind: Service -apiVersion: v1 -metadata: - name: ingress-nginx - namespace: {{ .Release.Namespace | quote }} - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - annotations: - {{- range $key, $value := fromYaml (merge .Values dict | dig "ingress" "service" "annotations" "Default" "{}") }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - externalTrafficPolicy: {{ include "movedValue" (dict "Values" .Values "Key" "coderd.serviceSpec.externalTrafficPolicy") | quote }} - type: {{ merge .Values dict | dig "coderd" "serviceSpec" "type" "LoadBalancer" }} - loadBalancerIP: {{ include "movedValue" (dict "Values" .Values "Key" "coderd.serviceSpec.loadBalancerIP") | quote }} - loadBalancerSourceRanges: -{{ include "movedValue" (dict "Values" .Values "Key" "coderd.serviceSpec.loadBalancerSourceRanges") | indent 4 }} - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ports: - - name: http - port: 80 - targetPort: http - - name: https - port: 443 - targetPort: https -{{- if (merge .Values dict | dig "ssh" "enable" true) }} - - name: ssh - port: 22 - targetPort: 22 - protocol: TCP -{{- end }} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: web-ingress - namespace: {{ .Release.Namespace | quote }} - annotations: - {{- if ne (merge .Values dict | dig "ingress" "useDefault" true) false }} - # This class definition connects the nginx ingress controller - # to the web-ingress. - kubernetes.io/ingress.class: {{ .Release.Namespace | quote }} - # A body size of 0 prevents 413 status codes when trying to - # push an image. - nginx.ingress.kubernetes.io/proxy-body-size: "0" - {{- end }} - {{- range $key, $value := merge .Values dict | dig "ingress" "annotations" dict }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: -{{- include "coder.ingress.tls" . 
}} - defaultBackend: - service: - name: {{ include "coder.serviceName" . }} - port: - number: 8080 - {{- if .Values.coderd.satellite.enable }} - {{- if (merge .Values dict | dig "ingress" "useDefault" true) }} - rules: - - host: {{ merge .Values dict | dig "ingress" "host" "" | quote }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ include "coder.serviceName" . }} - port: - number: 8080 - {{- end }} - {{- else }} - rules: - - host: {{ merge .Values dict | dig "ingress" "host" "" | quote }} - http: - paths: - {{- if (merge .Values dict | dig "ingress" "useDefault" true) }} - - path: /api - pathType: Prefix - backend: - service: - name: {{ include "coder.serviceName" . }} - port: - number: 8080 - - path: /auth - pathType: Prefix - backend: - service: - name: {{ include "coder.serviceName" . }} - port: - number: 8080 - - path: / - pathType: Prefix - backend: - {{- if .Values.dashboard }} - service: - name: dashboard - port: - number: 3000 - {{- else }} - service: - name: {{ include "coder.serviceName" . }} - port: - number: 8080 - {{- end }} - {{- end }} - {{- end }} -{{- end }} ---- -{{- if and (merge .Values dict | dig "coderd" "serviceNext" true) (merge .Values dict | dig "ingress" "enable" true) }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: diff --git a/templates/rbac.yaml b/templates/rbac.yaml index bb3220ee..505be664 100644 --- a/templates/rbac.yaml +++ b/templates/rbac.yaml 
@@ -14,14 +14,8 @@ kind: ServiceAccount
 metadata:
 name: coder
 namespace: {{ .Release.Namespace | quote }}
- annotations:
- {{- range $key, $value := fromYaml (include "movedValue" (dict "Values" .Values "Key" "coderd.builtinProviderServiceAccount.annotations")) }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- labels:
- {{- range $key, $value := fromYaml (include "movedValue" (dict "Values" .Values "Key" "coderd.builtinProviderServiceAccount.labels")) }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ annotations: {{ toYaml .Values.coderd.builtinProviderServiceAccount.annotations | nindent 4 }}
+ labels: {{ toYaml .Values.coderd.builtinProviderServiceAccount.labels | nindent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/templates/timescale.yaml b/templates/timescale.yaml
index 91353d32..376e739a 100644
--- a/templates/timescale.yaml
+++ b/templates/timescale.yaml
@@ -1,4 +1,4 @@
-{{- if eq (include "movedValue" (dict "Values" .Values "Key" "postgres.default.enable" "Default" "false")) "true"}}
+{{- if .Values.postgres.default.enable }}
 {{- if not .Values.coderd.satellite.enable }}
 ---
 apiVersion: v1
@@ -23,10 +23,7 @@ kind: StatefulSet
 metadata:
 name: timescale
 namespace: {{ .Release.Namespace }}
- annotations:
- {{- range $key, $value := fromYaml (include "movedValue" (dict "Values" .Values "Key" "services.annotations")) }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ annotations: {{ toYaml .Values.services.annotations | nindent 4 }}
 spec:
 serviceName: timescale
 replicas: 1
@@ -40,10 +37,7 @@ spec:
 app.kubernetes.io/part-of: coder
 app: timescale
 coder.deployment: timescale
- annotations:
- {{- range $key, $value := fromYaml (include "movedValue" (dict "Values" .Values "Key" "services.annotations")) }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ annotations: {{ toYaml .Values.services.annotations | nindent 8 }}
 spec:
 serviceAccountName: timescale
 securityContext:
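Review bot: `annotations: {{ toYaml .Values.coderd.builtinProviderServiceAccount.annotations | nindent 4 }}` and the `labels:` line under it leave a trailing space after the colon in the rendered manifest, because the space before `{{` is emitted and `nindent` begins with a newline; `annotations: {{- toYaml .Values.coderd.builtinProviderServiceAccount.annotations | nindent 4 }}` trims it and renders the same mapping. The timescale.yaml hunks `@@ -23,10 +23,7 @@` and `@@ -40,10 +37,7 @@` on this line, the coderd.yaml hunks of PATCH 2 (`@@ -9,7 +9,7 @@`, `@@ -26,9 +26,9 @@`, `@@ -67,19 +67,14 @@`, which actually move from `{{-` to `{{ `) and the ingress.yaml hunk `@@ -5,15 +5,11 @@` use the same form. The output is valid YAML either way; this is a lint and readability point, so whichever form is chosen should be applied uniformly across the chart.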
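Review bot: `{{- if .Values.postgres.default.enable }}` in the `@@ -1,4 +1,4 @@` timescale.yaml hunk is a truthiness test, whereas the removed condition compared the rendered value with the string `"true"`; a value supplied as the string `"false"` (for example via `--set-string` or a quoted YAML scalar) is non-empty and would now deploy the bundled TimescaleDB. If only booleans are meant to be accepted, saying so in the values.yaml comment (not visible here) is enough; otherwise `{{- if eq (toString .Values.postgres.default.enable) "true" }}` keeps the previous semantics.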
@@ -56,7 +50,7 @@ spec:
 {{- include "coder.serviceTolerations" . | indent 6 }}
 containers:
 - name: timescale
- image: {{ include "movedValue" (dict "Values" .Values "Key" "postgres.default.image") }}
+ image: {{ .Values.postgres.default.image | quote }}
 imagePullPolicy: Always
 readinessProbe:
 exec:
@@ -95,7 +89,7 @@ spec:
 - name: run
 mountPath: /var/run/postgresql
 readOnly: false
-{{- include "coder.resources" (fromYaml (include "movedValue" (dict "Values" .Values "Key" "postgres.default.resources"))) | indent 10 }}
+{{- include "coder.resources" .Values.postgres.default.resources | indent 10 }}
 lifecycle:
 preStop:
 exec:
@@ -117,7 +111,7 @@ spec:
 accessModes: ["ReadWriteOnce"]
 resources:
 requests:
- storage: {{ include "movedValue" (dict "Values" .Values "Key" "postgres.default.resources.requests.storage") | quote }}
+ storage: {{ .Values.postgres.default.resources.requests.storage | quote }}
 ---
 apiVersion: v1
 kind: ServiceAccount
From 755849671603443ad33ea405ccb523886cb663c2 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Fri, 10 Dec 2021 14:07:37 +0000
Subject: [PATCH 2/5] move default ingress annotations to values
---
 README.md | 4 ++--
 templates/coderd.yaml | 33 ++++++++++++++------------------
 templates/ingress.yaml | 34 +++++++++++++++------------------
 values.yaml | 4 +++-
 4 files changed, 34 insertions(+), 41 deletions(-)
diff --git a/README.md b/README.md
index 1c06e497..afe4acaf 100644
--- a/README.md
+++ b/README.md
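Review bot: `image: {{ .Values.postgres.default.image | quote }}` renders `image: ""` when the value is unset or empty, which only surfaces as a pull failure after the StatefulSet is created rather than at render time; `image: {{ required "postgres.default.image must be set" .Values.postgres.default.image | quote }}` reports it from `helm template`/`helm install`. The same applies to `storage:` in the `@@ -117,7 +111,7 @@` hunk, where an empty value is not a valid resource quantity. The chart defaults for these values are not visible here, so this may be moot if they are always injected at release time, as the README says for envbox.image.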
@@ -63,8 +63,8 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa
 | coderd.trustProxyIP | bool | Whether Coder should trust X-Real-IP and/or X-Forwarded-For headers from your reverse proxy. This should only be turned on if you're using a reverse proxy that sets both of these headers. This is always enabled if the Nginx ingress is deployed. | `false` |
 | envbox | object | Required for running Docker inside containers. See requirements: https://coder.com/docs/coder/v1.19/admin/workspace-management/cvms | `{"image":""}` |
 | envbox.image | string | Injected by Coder during release. | `""` |
-| ingress | object | Configure an Ingress to route traffic to Coder services. | `{"annotations":{},"enable":false,"host":"","tls":{"enable":false}}` |
-| ingress.annotations | object | Additional annotations to add to the Ingress object. The behavior is typically dependent on the Ingress Controller implementation, and useful for managing features like TLS termination. | `{}` |
+| ingress | object | Configure an Ingress to route traffic to Coder services. | `{"annotations":{"nginx.ingress.kubernetes.io/proxy-body-size":"0"},"enable":false,"host":"","tls":{"enable":false}}` |
+| ingress.annotations | object | Additional annotations to add to the Ingress object. The behavior is typically dependent on the Ingress Controller implementation, and useful for managing features like TLS termination. | `{"nginx.ingress.kubernetes.io/proxy-body-size":"0"}` |
 | ingress.enable | bool | A boolean controlling whether to create an Ingress. | `false` |
 | ingress.host | string | The hostname to proxy to the Coder installation. The cluster Ingress Controller typically uses server name indication or the HTTP Host header to route traffic. | `""` |
 | ingress.tls | object | Configures TLS settings for the Ingress. | `{"enable":false}` |
diff --git a/templates/coderd.yaml b/templates/coderd.yaml
index d8f3649e..122b73f2 100644
--- a/templates/coderd.yaml
+++ b/templates/coderd.yaml
@@ -9,7 +9,7 @@ metadata:
 coder.deployment: {{ include "coder.serviceName" . }}
 name: {{ include "coder.serviceName" . }}
 namespace: {{ .Release.Namespace | quote }}
- annotations: {{- toYaml .Values.services.annotations | nindent 4 }}
+ annotations: {{ toYaml .Values.services.annotations | nindent 4 }}
 spec:
 replicas: {{ default 1 .Values.coderd.replicas }}
 strategy:
@@ -26,9 +26,9 @@ spec:
 app.kubernetes.io/part-of: coder
 app: {{ include "coder.serviceName" . }}
 coder.deployment: {{ include "coder.serviceName" . }}
- annotations: {{- toYaml .Values.services.annotations | nindent 8 }}
+ annotations: {{ toYaml .Values.services.annotations | nindent 8 }}
 spec:
- securityContext: {{- toYaml .Values.coderd.podSecurityContext | nindent 8 }}
+ securityContext: {{ toYaml .Values.coderd.podSecurityContext | nindent 8 }}
 restartPolicy: Always
 # terminationGracePeriodSeconds should be set to the upper bound for container rebuilds and creates.
 # 5 minutes
@@ -39,8 +39,8 @@ spec:
 {{- if .Values.coderd.affinity }}
 affinity: {{- include "coder.template.render" (dict "value" .Values.coderd.affinity "context" $) | nindent 8 }}
 {{- end }}
-{{- include "coder.services.nodeSelector" . | indent 6 }}
-{{- include "coder.serviceTolerations" . | indent 6 }}
+ {{- include "coder.services.nodeSelector" . | indent 6 }}
+ {{- include "coder.serviceTolerations" . | indent 6 }}
 {{- if not .Values.coderd.satellite.enable }}
 initContainers:
 - name: migrations
@@ -67,19 +67,14 @@ spec:
 value: {{ .Values.coderd.devurlsHost | quote }}
 - name: VERBOSE
 value: "true"
-{{- include "coder.postgres.env" . | indent 12 }}
-{{- include "coder.workspaces.configMapEnv" . | indent 12 }}
+ {{- include "coder.postgres.env" . | indent 12 }}
+ {{- include "coder.workspaces.configMapEnv" . | indent 12 }}
 command:
 - coderd
 - migrate
 - up
- securityContext:
- {{- if hasKey .Values "cemanager" }}
- {{- toYaml .Values.cemanager.securityContext | nindent 12 }}
- {{- else }}
- {{- toYaml .Values.coderd.securityContext | nindent 12 }}
- {{- end }}
-{{- include "coder.volumeMounts" . | indent 10 }}
+ securityContext: {{ toYaml .Values.coderd.securityContext | nindent 12 }}
+ {{- include "coder.volumeMounts" . | indent 10 }}
 {{- end }}
 containers:
 - name: {{ include "coder.serviceName" . }}
@@ -171,8 +166,8 @@ spec:
 name: {{ .Values.coderd.superAdmin.passwordSecret.name | quote }}
 key: {{ .Values.coderd.superAdmin.passwordSecret.key | quote }}
 {{- end }}
-{{- include "coder.workspaces.configMapEnv" . | indent 12 }}
-{{- include "coder.postgres.env" . | indent 12 }}
+ {{- include "coder.workspaces.configMapEnv" . | indent 12 }}
+ {{- include "coder.postgres.env" . | indent 12 }}
 command:
 - coderd
 {{- if not .Values.coderd.satellite.enable }}
@@ -194,9 +189,9 @@ spec:
 initialDelaySeconds: 10
 failureThreshold: 7
 periodSeconds: 10
-{{- include "coder.resources" .Values.coderd.resources | indent 10 }}
-{{- include "coder.volumeMounts" . | indent 10 }}
-{{- include "coder.volumes" . | indent 6 }}
+ {{- include "coder.resources" .Values.coderd.resources | indent 10 }}
+ {{- include "coder.volumeMounts" . | indent 10 }}
+ {{- include "coder.volumes" . | indent 6 }}
 {{- if .Values.coderd.satellite.enable }}
 ---
 apiVersion: v1
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
index ae6d48d6..1bc3c8a0 100644
--- a/templates/ingress.yaml
+++ b/templates/ingress.yaml
@@ -5,15 +5,11 @@ kind: Ingress
 metadata:
 name: coderd-ingress
 namespace: {{ .Release.Namespace | quote }}
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: "0"
- {{- range $key, $value := merge .Values dict | dig "ingress" "annotations" dict }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ annotations: {{ toYaml .Values.ingress.annotations | nindent 4 }}
 spec:
 {{- include "coder.ingress.tls" . }}
 rules:
- - host: {{ merge .Values dict | dig "ingress" "host" "" | quote }}
+ - host: {{ .Values.ingress.host | quote }}
 http:
 paths:
 - path: /
@@ -23,19 +19,19 @@ spec:
 name: {{ include "coder.serviceName" . }}
 port:
 name: tcp-{{ include "coder.serviceName" . }}
- {{- /* Regex docs on '*-suffix.example.com'. This is required as the original
- * input including the suffix is not a legal ingress host. We need to
- * remove the suffix, and keep the wildcard '*'.
- *
- * - '\\*' Starts with '*'
- * - '[^.]*' Suffix is 0 or more characters, '-suffix'
- * - '(' Start domain capture group
- * - '\\.' The domain should be separated with a '.' from the subdomain
- * - '.*' Rest of the domain.
- * - ')' $1 is the ''.example.com'
- */ -}}
- {{- $devURLHost := merge .Values dict | dig "coderd" "devurlsHost" "" }}
- - host: {{ regexReplaceAll "\\*[^.]*(\\..*)" $devURLHost "*${1}" | quote }}
+
+ {{/* Regex docs on '*-suffix.example.com'. This is required as the original
+ * input including the suffix is not a legal ingress host. We need to
+ * remove the suffix, and keep the wildcard '*'.
+ *
+ * - '\\*' Starts with '*'
+ * - '[^.]*' Suffix is 0 or more characters, '-suffix'
+ * - '(' Start domain capture group
+ * - '\\.' The domain should be separated with a '.' from the subdomain
+ * - '.*' Rest of the domain.
+ * - ')' $1 is the ''.example.com'
+ */}}
+ - host: {{ regexReplaceAll "\\*[^.]*(\\..*)" .Values.coderd.devurlsHost "*${1}" | quote }}
 http:
 paths:
 - path: /
diff --git a/values.yaml b/values.yaml
index 2cb3d560..bc57cfa2 100644
--- a/values.yaml
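Review bot: In the `@@ -23,19 +19,19 @@` hunk, `- host: {{ regexReplaceAll "\\*[^.]*(\\..*)" .Values.coderd.devurlsHost "*${1}" | quote }}` renders `host: ""` when `coderd.devurlsHost` is left empty, and an Ingress rule with an empty host matches every hostname, so any request reaching the controller would be routed to coderd regardless of its Host header; unless an `{{- if }}` outside the hunk already guards this rule, wrapping it in `{{- if .Values.coderd.devurlsHost }}` … `{{- end }}` avoids the catch-all. The rule and its empty default predate this change; only the value source moved. As a smaller point, the untrimmed `{{/* ... */}}` together with the added blank line leaves whitespace-only lines in the rendered manifest; `{{- /* ... */}}` trims the leading whitespace while keeping the newline before `- host:`, which is why the old `-}}` cannot simply be restored now that the `$devURLHost` line is gone. The `rules:` list this belongs to starts outside the hunk.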
+++ b/values.yaml
@@ -183,7 +183,9 @@ ingress:
 # ingress.annotations -- Additional annotations to add to the Ingress
 # object. The behavior is typically dependent on the Ingress Controller
 # implementation, and useful for managing features like TLS termination.
- annotations: {}
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+
 # ingress.tls -- Configures TLS settings for the Ingress.
 tls:
 # ingress.tls.enable -- Determines whether the Ingress handles TLS.
From 91bffde4f0464b7645cd7ccc0be41ba7a5556250 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Fri, 10 Dec 2021 14:13:03 +0000
Subject: [PATCH 3/5] fix
---
 templates/timescale.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/timescale.yaml b/templates/timescale.yaml
index 376e739a..77ceb82a 100644
--- a/templates/timescale.yaml
+++ b/templates/timescale.yaml
@@ -47,7 +47,7 @@ spec:
 runAsGroup: 70
 fsGroup: 70
 terminationGracePeriodSeconds: 60
-{{- include "coder.serviceTolerations" . | indent 6 }}
+ {{- include "coder.serviceTolerations" . | indent 6 }}
 containers:
 - name: timescale
 image: {{ .Values.postgres.default.image | quote }}
@@ -89,7 +89,7 @@ spec:
 - name: run
 mountPath: /var/run/postgresql
 readOnly: false
-{{- include "coder.resources" .Values.postgres.default.resources | indent 10 }}
+ {{- include "coder.resources" .Values.postgres.default.resources | indent 10 }}
 lifecycle:
 preStop:
 exec:
From 2bbbfd2bb3387e2333b8a7148de9511db93af119 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Fri, 10 Dec 2021 14:15:17 +0000
Subject: [PATCH 4/5] always configure trustProxyIP manually
---
 templates/coderd.yaml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/templates/coderd.yaml b/templates/coderd.yaml
index 122b73f2..c7ddc097 100644
--- a/templates/coderd.yaml
+++ b/templates/coderd.yaml
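Review bot: The new default `nginx.ingress.kubernetes.io/proxy-body-size: "0"` under `ingress.annotations` turns off nginx's request-body size limit for the whole Ingress, but the comment above it still describes the key only as "Additional annotations"; the reason given by the template comment that PATCH 1 removed ("A body size of 0 prevents 413 status codes when trying to push an image") should move here, e.g. `# "0" lifts nginx's request body limit so image pushes do not fail with 413; set a bounded size if uploads should be capped.` Because Helm merges map values, a user who wants the limit back has to set this key to null rather than override `annotations: {}`, which is worth a sentence in the same comment. On controllers other than ingress-nginx the annotation is presumably ignored, so the default is harmless there but still surprising without the explanation.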
@@ -117,13 +117,8 @@ spec:
 fieldPath: status.podIP
 - name: VERBOSE
 value: "true"
- {{- if .Values.ingress.enable }}
- - name: TRUST_PROXY_IP
- value: "true"
- {{- else }}
 - name: TRUST_PROXY_IP
 value: {{ .Values.coderd.trustProxyIP | quote }}
- {{- end }}
 {{- if .Values.coderd.satellite.enable }}
 - name: CODER_SATELLITE_PRIVATE_KEY
 valueFrom:
From e9a8fb9ad9c96547331a5303b05637e9d99a5def Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Fri, 10 Dec 2021 14:17:14 +0000
Subject: [PATCH 5/5] update link to refer to latest
---
 README.md | 2 +-
 values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index afe4acaf..8477e7f0 100644
--- a/README.md
+++ b/README.md
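Review bot: TRUST_PROXY_IP is now always `value: {{ .Values.coderd.trustProxyIP | quote }}`, so deployments that relied on `ingress.enable: true` implicitly forcing it to `"true"` stop trusting X-Forwarded-For / X-Real-IP after upgrading until they set `coderd.trustProxyIP: true` themselves, and the README row visible as context in the PATCH 2 and PATCH 5 hunks still reads "This is always enabled if the Nginx ingress is deployed." Requiring the explicit opt-in is the safer default, because honouring those headers from anything other than a verified proxy lets a client supply its own apparent source address, but the upgrade impact belongs in the README/values description and the commit message, e.g. `Not enabled automatically when ingress.enable is true; set it explicitly when Coder runs behind a proxy that sets these headers.` The env list this entry belongs to starts and ends outside the hunk.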
@@ -61,7 +61,7 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa
 | coderd.tls.devurlsHostSecretName | string | The secret to use for DevURL TLS. | `""` |
 | coderd.tls.hostSecretName | string | The secret to use for TLS. | `""` |
 | coderd.trustProxyIP | bool | Whether Coder should trust X-Real-IP and/or X-Forwarded-For headers from your reverse proxy. This should only be turned on if you're using a reverse proxy that sets both of these headers. This is always enabled if the Nginx ingress is deployed. | `false` |
-| envbox | object | Required for running Docker inside containers. See requirements: https://coder.com/docs/coder/v1.19/admin/workspace-management/cvms | `{"image":""}` |
+| envbox | object | Required for running Docker inside containers. See requirements: https://coder.com/docs/coder/latest/admin/workspace-management/cvms | `{"image":""}` |
 | envbox.image | string | Injected by Coder during release. | `""` |
 | ingress | object | Configure an Ingress to route traffic to Coder services. | `{"annotations":{"nginx.ingress.kubernetes.io/proxy-body-size":"0"},"enable":false,"host":"","tls":{"enable":false}}` |
 | ingress.annotations | object | Additional annotations to add to the Ingress object. The behavior is typically dependent on the Ingress Controller implementation, and useful for managing features like TLS termination. | `{"nginx.ingress.kubernetes.io/proxy-body-size":"0"}` |
diff --git a/values.yaml b/values.yaml
index bc57cfa2..2c280a35 100644
--- a/values.yaml
+++ b/values.yaml
@@ -192,7 +192,7 @@ ingress:
 enable: false
 
 # envbox -- Required for running Docker inside containers. See requirements:
-# https://coder.com/docs/coder/v1.19/admin/workspace-management/cvms
+# https://coder.com/docs/coder/latest/admin/workspace-management/cvms
 envbox:
 # envbox.image -- Injected by Coder during release.
 image: ""