From 9c49dc970f06cbfb463dad5d3bd8489202d1b927 Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Thu, 27 Jan 2022 18:46:00 -0600 Subject: [PATCH 01/14] feat: test coverage for services.annotations --- tests/annotations_test.go | 45 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 tests/annotations_test.go diff --git a/tests/annotations_test.go b/tests/annotations_test.go new file mode 100644 index 00000000..1521b94a --- /dev/null +++ b/tests/annotations_test.go @@ -0,0 +1,45 @@ +package tests + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +// ensures services.annotations values are applied to both coderd deployment & +// service +func TestAnnotations(t *testing.T) { + t.Parallel() + + chart := LoadChart(t) + + expected := map[string]string{ + "key": "value", + "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http", + } + + objs := chart.MustRender(t, func(cv *CoderValues) { + cv.Services.Annotations = expected + }) + + depl := MustFindDeployment(t, objs, "coderd") + assert.Equal(t, expected, depl.Annotations) + + svc := MustFindService(t, objs, "coderd") + assert.Equal(t, expected, svc.Annotations) +} + +// check if values are empty +func TestAnnotationsEmpty(t *testing.T) { + t.Parallel() + + chart := LoadChart(t) + + objs := chart.MustRender(t, nil) + + depl := MustFindDeployment(t, objs, "coderd") + assert.Empty(t, depl.Annotations) + + svc := MustFindService(t, objs, "coderd") + assert.Empty(t, svc.Annotations) +} From e6c64e3080e3553adde9fbfe04d575a38c88d947 Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Fri, 4 Feb 2022 15:14:32 -0600 Subject: [PATCH 02/14] feat: split out annotations --- templates/coderd.yaml | 6 +++--- templates/timescale.yaml | 4 ++-- tests/annotations_test.go | 9 ++++----- tests/values.go | 4 +++- values.yaml | 13 +++++++++---- 5 files changed, 21 insertions(+), 15 deletions(-) 
diff --git a/templates/coderd.yaml b/templates/coderd.yaml index ff7da7aa..97886237 100644 --- a/templates/coderd.yaml +++ b/templates/coderd.yaml @@ -13,7 +13,7 @@ metadata: app.kubernetes.io/component: {{ include "coder.serviceName" . }} app: {{ include "coder.serviceName" . }} coder.deployment: {{ include "coder.serviceName" . }} - annotations: {{ toYaml .Values.services.annotations | nindent 4 }} + annotations: {{ toYaml .Values.coderd.annotations | nindent 4 }} spec: replicas: {{ default 1 .Values.coderd.replicas }} strategy: @@ -36,7 +36,7 @@ spec: {{- with .Values.coderd.extraLabels -}} {{ toYaml . | nindent 8 }} {{- end }} - annotations: {{ toYaml .Values.services.annotations | nindent 8 }} + annotations: {{ toYaml .Values.coderd.serviceSpec.annotations | nindent 8 }} spec: securityContext: {{ toYaml .Values.coderd.podSecurityContext | nindent 8 }} restartPolicy: Always @@ -253,7 +253,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ include "coder.serviceName" . }} - annotations: {{ toYaml .Values.services.annotations | nindent 4 }} + annotations: {{ toYaml .Values.coderd.serviceSpec.annotations | nindent 4 }} spec: {{- if .Values.coderd.serviceSpec }} {{- toYaml .Values.coderd.serviceSpec | nindent 2 }} diff --git a/templates/timescale.yaml b/templates/timescale.yaml index 7c1ce77b..10085d4f 100644 --- a/templates/timescale.yaml +++ b/templates/timescale.yaml @@ -33,7 +33,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ include "timescale.serviceName" . }} - annotations: {{ toYaml .Values.services.annotations | nindent 4 }} + annotations: {{ toYaml .Values.postgres.default.annotations | nindent 4 }} spec: serviceName: {{ include "timescale.serviceName" . }} replicas: 1 
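Review bot: In the `@@ -253,7 +253,7` hunk the Service reads its annotations from `.Values.coderd.serviceSpec.annotations`, but the context lines just below still render the whole of `.Values.coderd.serviceSpec` under `spec:`, so the new `annotations` key is also emitted as `spec.annotations`, which is not a Service spec field. Render the spec without that key, e.g. `{{- toYaml (omit .Values.coderd.serviceSpec "annotations") | nindent 2 }}`, or keep the annotations outside `serviceSpec`. The same context guards `serviceSpec` with `if`, so it may be unset, in which case the unguarded `.Values.coderd.serviceSpec.annotations` lookup would likely fail the render. The `@@ -36,7 +36,7` hunk also gives the pod template the Service's annotations rather than `coderd.annotations`, which looks unintended. The same `spec:` rendering is still present in the `@@ -253,7 +253,7` hunk of PATCH 03.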
@@ -55,7 +55,7 @@ spec: app.kubernetes.io/component: {{ include "timescale.serviceName" . }} app: timescale coder.deployment: timescale - annotations: {{ toYaml .Values.services.annotations | nindent 8 }} + annotations: {{ toYaml .Values.postgres.default.annotations | nindent 8 }} spec: serviceAccountName: timescale securityContext: diff --git a/tests/annotations_test.go b/tests/annotations_test.go index 1521b94a..258baf00 100644 --- a/tests/annotations_test.go +++ b/tests/annotations_test.go @@ -13,13 +13,12 @@ func TestAnnotations(t *testing.T) { chart := LoadChart(t) - expected := map[string]string{ - "key": "value", - "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http", - } + expected := map[string]string{} objs := chart.MustRender(t, func(cv *CoderValues) { - cv.Services.Annotations = expected + cv.Coderd.Annotations = expected + cv.Coderd.ServiceSpec.Annotations = expected + cv.Postgres.Default.Annotations = expected }) depl := MustFindDeployment(t, objs, "coderd") diff --git a/tests/values.go b/tests/values.go index d1b72026..eb304c8f 100644 --- a/tests/values.go +++ b/tests/values.go @@ -94,6 +94,7 @@ type CoderdValues struct { Proxy *CoderdProxyValues `json:"proxy" yaml:"proxy"` ReverseProxy *CoderdReverseProxyValues `json:"reverseProxy" yaml:"reverseProxy"` NetworkPolicy *CoderdNetworkPolicyValues `json:"networkPolicy" yaml:"networkPolicy"` + Annotations map[string]string `json:"annotations" yaml:"annotations"` } // CoderdServiceNodePortsValues reflect values from @@ -168,6 +169,7 @@ type CoderdServiceSpecValues struct { ExternalTrafficPolicy *corev1.ServiceExternalTrafficPolicyType `json:"externalTrafficPolicy" yaml:"externalTrafficPolicy"` LoadBalancerIP *string `json:"loadBalancerIP" yaml:"loadBalancerIP"` LoadBalancerSourceRanges *[]string `json:"loadBalancerSourceRanges" yaml:"loadBalancerSourceRanges"` + Annotations map[string]string `json:"annotations" yaml:"annotations"` } // EnvboxValues reflect values from envbox. 
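Review bot: With `expected := map[string]string{}` in the `tests/annotations_test.go` hunk, `TestAnnotations` only ever sets empty maps, so it can no longer tell which values key reaches which object. Use a distinct non-empty map per key, e.g. `cv.Coderd.Annotations = map[string]string{"depl": "1"}` and `cv.Coderd.ServiceSpec.Annotations = map[string]string{"svc": "1"}`, and assert each against its own object. `cv.Postgres.Default.Annotations` is set, but nothing rendered from `templates/timescale.yaml` is asserted in the visible lines. The function body starts and continues outside the hunk.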
@@ -246,6 +248,7 @@ type PostgresDefaultValues struct { StorageClassName *string `json:"storageClassName" yaml:"storageClassName"` Resources *corev1.ResourceRequirements `json:"resources" yaml:"resources"` NetworkPolicy *PostgresDefaultNetworkPolicyValues `json:"networkPolicy" yaml:"networkPolicy"` + Annotations map[string]string `json:"annotations" yaml:"annotations"` } // PostgresDefaultNetworkPolicyValues reflect values from @@ -256,7 +259,6 @@ type PostgresDefaultNetworkPolicyValues struct { // ServicesValues reflect the values from services. type ServicesValues struct { - Annotations map[string]string `json:"annotations" yaml:"annotations"` ClusterDomainSuffix *string `json:"clusterDomainSuffix" yaml:"clusterDomainSuffix"` Tolerations *[]corev1.Toleration `json:"tolerations" yaml:"tolerations"` NodeSelector map[string]string `json:"nodeSelector" yaml:"nodeSelector"` diff --git a/values.yaml b/values.yaml index f76e963c..22124ab7 100644 --- a/values.yaml +++ b/values.yaml @@ -4,7 +4,9 @@ coderd: image: "" # coderd.replicas -- The number of Kubernetes Pod replicas. replicas: 1 - + # coderd.annotations -- Apply annotations to the coderd deployment. + # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} # coderd.serviceSpec -- Specification to inject for the coderd service. See: # https://kubernetes.io/docs/concepts/services-networking/service/ serviceSpec: @@ -21,6 +23,9 @@ coderd: # will be restricted to the specified client IPs. This field will be ignored if # the cloud provider does not support this feature. loadBalancerSourceRanges: [] + # coderd.serviceSpec.annotations -- Apply annotations to the coderd service. + # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} # coderd.serviceNodePorts -- Allows manually setting static node ports for the coderd service. # This is only helpful if static ports are required, and usually should be left alone. 
@@ -351,12 +356,12 @@ postgres: # PostgreSQL using Helm. If false, no policies will be created for the # built-in database. enable: true + # postgres.default.annotations -- Apply annotations to the default postgres service. + # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} # services -- Kubernetes Service configuration that applies to Coder services. services: - # services.annotations -- A KV mapping of annotations. See: - # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - annotations: {} # services.clusterDomainSuffix -- Custom domain suffix for DNS resolution in your cluster. See: # https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ clusterDomainSuffix: ".svc.cluster.local" From c02588e597d8b39d66687bd661f5bc280213a3b2 Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Fri, 4 Feb 2022 19:03:49 -0600 Subject: [PATCH 03/14] feat: unit testing per annotation & backwards compatibility --- templates/coderd.yaml | 6 ++-- templates/timescale.yaml | 2 +- tests/annotations_test.go | 66 +++++++++++++++++++++++++++++++-------- tests/values.go | 1 + values.yaml | 3 ++ 5 files changed, 61 insertions(+), 17 deletions(-) diff --git a/templates/coderd.yaml b/templates/coderd.yaml index 97886237..b4d3c0cc 100644 --- a/templates/coderd.yaml +++ b/templates/coderd.yaml @@ -13,7 +13,7 @@ metadata: app.kubernetes.io/component: {{ include "coder.serviceName" . }} app: {{ include "coder.serviceName" . }} coder.deployment: {{ include "coder.serviceName" . }} - annotations: {{ toYaml .Values.coderd.annotations | nindent 4 }} + annotations: {{ toYaml (merge .Values.coderd.annotations .Values.services.annotations) | nindent 4 }} spec: replicas: {{ default 1 .Values.coderd.replicas }} strategy: 
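Review bot: `merge .Values.coderd.annotations .Values.services.annotations` in the `@@ -13,7 +13,7` hunk modifies its first argument in place (Sprig's `merge` does not copy), so `.Values.coderd.annotations` itself is changed for every later use in the chart; the same form is used in the `@@ -36,7`, `@@ -253,7` and `templates/timescale.yaml` hunks. In the Service case this writes the global annotations into `.Values.coderd.serviceSpec.annotations` before `serviceSpec` is dumped under `spec:`. Merge into a fresh dict instead, `{{ toYaml (merge (dict) .Values.coderd.annotations .Values.services.annotations) | nindent 4 }}`, which keeps the same precedence (earlier arguments win). A values file that sets either key to null would presumably fail the merge, so a `default (dict)` on each argument is worth considering.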
@@ -36,7 +36,7 @@ spec: {{- with .Values.coderd.extraLabels -}} {{ toYaml . | nindent 8 }} {{- end }} - annotations: {{ toYaml .Values.coderd.serviceSpec.annotations | nindent 8 }} + annotations: {{ toYaml (merge .Values.coderd.annotations .Values.services.annotations) | nindent 8 }} spec: securityContext: {{ toYaml .Values.coderd.podSecurityContext | nindent 8 }} restartPolicy: Always @@ -253,7 +253,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ include "coder.serviceName" . }} - annotations: {{ toYaml .Values.coderd.serviceSpec.annotations | nindent 4 }} + annotations: {{ toYaml (merge .Values.coderd.serviceSpec.annotations .Values.services.annotations) | nindent 4 }} spec: {{- if .Values.coderd.serviceSpec }} {{- toYaml .Values.coderd.serviceSpec | nindent 2 }} diff --git a/templates/timescale.yaml b/templates/timescale.yaml index 10085d4f..b1d97991 100644 --- a/templates/timescale.yaml +++ b/templates/timescale.yaml @@ -33,7 +33,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ include "timescale.serviceName" . }} - annotations: {{ toYaml .Values.postgres.default.annotations | nindent 4 }} + annotations: {{ toYaml (merge .Values.postgres.default.annotations .Values.services.annotations) | nindent 4 }} spec: serviceName: {{ include "timescale.serviceName" . }} replicas: 1 diff --git a/tests/annotations_test.go b/tests/annotations_test.go index 258baf00..02496b85 100644 --- a/tests/annotations_test.go +++ b/tests/annotations_test.go 
@@ -6,39 +6,79 @@ import ( "github.com/stretchr/testify/assert" ) -// ensures services.annotations values are applied to both coderd deployment & -// service +// Ensures services.annotations values and the individual annotations per object +// are applied correctly. func TestAnnotations(t *testing.T) { t.Parallel() - chart := LoadChart(t) + var ( + chart = LoadChart(t) - expected := map[string]string{} + expectedGlobal = map[string]string{ + "global-key": "global-value", + // Should be overwritten by some children. + "key": "global-value", + } + expectedCoderd = map[string]string{ + "key": "value", + "key2": "value2", + } + expectedCoderdService = map[string]string{ + "key": "value", + "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http", + } + expectedTimescale = map[string]string{ + "key2": "value", + } + ) objs := chart.MustRender(t, func(cv *CoderValues) { - cv.Coderd.Annotations = expected - cv.Coderd.ServiceSpec.Annotations = expected - cv.Postgres.Default.Annotations = expected + // Ensure backwards compatibility and merging order. 
+ cv.Services.Annotations = expectedGlobal + + cv.Coderd.Annotations = expectedCoderd + cv.Coderd.ServiceSpec.Annotations = expectedCoderdService + cv.Postgres.Default.Annotations = expectedTimescale }) depl := MustFindDeployment(t, objs, "coderd") - assert.Equal(t, expected, depl.Annotations) + assert.Equal(t, mergeAnnotations(expectedGlobal, expectedCoderd), depl.Annotations) svc := MustFindService(t, objs, "coderd") - assert.Equal(t, expected, svc.Annotations) + assert.Equal(t, mergeAnnotations(expectedGlobal, expectedCoderdService), svc.Annotations) + + db := MustFindStatefulSet(t, objs, "timescale") + assert.Equal(t, mergeAnnotations(expectedGlobal, expectedTimescale), db.Annotations) } -// check if values are empty func TestAnnotationsEmpty(t *testing.T) { t.Parallel() - chart := LoadChart(t) - - objs := chart.MustRender(t, nil) + var ( + chart = LoadChart(t) + objs = chart.MustRender(t, nil) + ) depl := MustFindDeployment(t, objs, "coderd") assert.Empty(t, depl.Annotations) svc := MustFindService(t, objs, "coderd") assert.Empty(t, svc.Annotations) + + db := MustFindStatefulSet(t, objs, "timescale") + assert.Empty(t, db.Annotations) +} + +// mergeAnnotations copies `a` into a new map, then it copies all key/value +// pairs from `b` on top of that copy. +func mergeAnnotations(a, b map[string]string) map[string]string { + out := map[string]string{} + for k, v := range a { + out[k] = v + } + for k, v := range b { + out[k] = v + } + + return out } diff --git a/tests/values.go b/tests/values.go index eb304c8f..6104a71b 100644 --- a/tests/values.go +++ b/tests/values.go @@ -263,6 +263,7 @@ type ServicesValues struct { Tolerations *[]corev1.Toleration `json:"tolerations" yaml:"tolerations"` NodeSelector map[string]string `json:"nodeSelector" yaml:"nodeSelector"` Type *corev1.ServiceType `json:"type" yaml:"type"` + Annotations map[string]string `json:"annotations" yaml:"annotations"` } // String returns the string representation of the values. 
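Review bot: `TestAnnotations` in the `@@ -6,39 +6,79 @@` hunk asserts only the top-level `Annotations` of each object, so the pod-template annotations the chart also renders are never checked. Assuming `depl` is a Kubernetes Deployment, add `assert.Equal(t, mergeAnnotations(expectedGlobal, expectedCoderd), depl.Spec.Template.Annotations)` and an equivalent check on `db`. That check would also surface that this commit changes only the StatefulSet metadata line in `templates/timescale.yaml`, leaving the timescale pod template on `.Values.postgres.default.annotations` alone, without `services.annotations`. `TestAnnotationsEmpty` lost its comment here; `// TestAnnotationsEmpty checks that default values render no annotations.` would restore it.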
diff --git a/values.yaml b/values.yaml index 22124ab7..4ed73be1 100644 --- a/values.yaml +++ b/values.yaml @@ -362,6 +362,9 @@ postgres: # services -- Kubernetes Service configuration that applies to Coder services. services: + # services.annotations -- A KV mapping of annotations. See: + # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} # services.clusterDomainSuffix -- Custom domain suffix for DNS resolution in your cluster. See: # https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ clusterDomainSuffix: ".svc.cluster.local" From 11072ba6d8d4eacdf069ee07eeaf7d4901f37318 Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Mon, 7 Feb 2022 10:20:00 -0600 Subject: [PATCH 04/14] chore: make README --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3f53588c..dc2123d8 100644 --- a/README.md +++ b/README.md 
@@ -25,8 +25,9 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | certs | object | Certificate that will be mounted inside Coder services. | `{"secret":{"key":"","name":""}}` | | certs.secret.key | string | Key pointing to a certificate in the secret. | `""` | | certs.secret.name | string | Name of the secret. | `""` | -| coderd | object | Primary service responsible for all things Coder! | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | +| coderd | object | Primary service responsible for all things Coder! 
| `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"annotations":{},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | | coderd.affinity | object | Allows specifying an affinity rule for the `coderd` deployment. The default rule prefers to schedule coderd pods on different nodes, which is only applicable if coderd.replicas is greater than 1. | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}}` | +| coderd.annotations | object | Apply annotations to the coderd deployment. 
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | coderd.builtinProviderServiceAccount | object | Customize the built-in Kubernetes provider service account. | `{"annotations":{},"labels":{}}` | | coderd.builtinProviderServiceAccount.annotations | object | A KV mapping of annotations. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | coderd.builtinProviderServiceAccount.labels | object | Add labels to the service account used for the built-in provider. | `{}` | 
@@ -65,7 +66,8 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | coderd.serviceNodePorts | object | Allows manually setting static node ports for the coderd service. This is only helpful if static ports are required, and usually should be left alone. By default these are dynamically chosen. | `{"http":null,"https":null}` | | coderd.serviceNodePorts.http | string | Sets a static 'coderd' service non-TLS nodePort. This should usually be omitted. | `nil` | | coderd.serviceNodePorts.https | string | Sets a static 'coderd' service TLS nodePort This should usually be omitted. | `nil` | -| coderd.serviceSpec | object | Specification to inject for the coderd service. See: https://kubernetes.io/docs/concepts/services-networking/service/ | `{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"}` | +| coderd.serviceSpec | object | Specification to inject for the coderd service. See: https://kubernetes.io/docs/concepts/services-networking/service/ | `{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"}` | +| coderd.serviceSpec.annotations | object | Apply annotations to the coderd service. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | coderd.serviceSpec.externalTrafficPolicy | string | Set the traffic policy for the service. See: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | `"Local"` | | coderd.serviceSpec.loadBalancerIP | string | Set the external IP address of the Ingress service. | `""` | | coderd.serviceSpec.loadBalancerSourceRanges | list | Traffic through the LoadBalancer will be restricted to the specified client IPs. This field will be ignored if the cloud provider does not support this feature. | `[]` | 
@@ -95,7 +97,8 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | metrics.amplitudeKey | string | Enables telemetry pushing to Amplitude. Amplitude records how users interact with Coder, which is used to improve the product. No events store any personal information. Amplitude can be found here: https://amplitude.com/ Keep empty to disable. | `""` | | postgres.connector | string | Option for configuring database connector type. valid values are: - "postgres" -- default connector - "awsiamrds" -- uses AWS IAM account in environment to authenticate using IAM to connect to an RDS instance. | `"postgres"` | | postgres.database | string | Name of the database that Coder will use. You must create this database first. | `""` | -| postgres.default | object | Configure a built-in PostgreSQL deployment. | `{"enable":true,"image":"","networkPolicy":{"enable":true},"resources":{"limits":{"cpu":"250m","memory":"1Gi"},"requests":{"cpu":"250m","memory":"1Gi","storage":"10Gi"}},"storageClassName":""}` | +| postgres.default | object | Configure a built-in PostgreSQL deployment. | `{"annotations":{},"enable":true,"image":"","networkPolicy":{"enable":true},"resources":{"limits":{"cpu":"250m","memory":"1Gi"},"requests":{"cpu":"250m","memory":"1Gi","storage":"10Gi"}},"storageClassName":""}` | +| postgres.default.annotations | object | Apply annotations to the default postgres service. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | postgres.default.enable | bool | Deploys a PostgreSQL instance. We recommend using an external PostgreSQL instance in production. If true, all other values are ignored. | `true` | | postgres.default.image | string | Injected by Coder during release. | `""` | | postgres.default.networkPolicy | object | Configure the network policy to apply to the built-in PostgreSQL deployment. | `{"enable":true}` | From 3412f8f4004cad7847b3d73341795f8963962d6d Mon Sep 17 00:00:00 2001 
From: Eric Paulsen Date: Wed, 9 Feb 2022 10:22:31 -0600 Subject: [PATCH 05/14] fix: conflicts v2 --- README.md | 9 +++++++-- templates/coderd.yaml | 2 ++ tests/values.go | 5 +++-- values.yaml | 13 +++++++++++-- 4 files changed, 23 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index dc2123d8..2954a251 100644 --- a/README.md +++ b/README.md 
@@ -25,7 +25,11 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | certs | object | Certificate that will be mounted inside Coder services. | `{"secret":{"key":"","name":""}}` | | certs.secret.key | string | Key pointing to a certificate in the secret. | `""` | | certs.secret.name | string | Name of the secret. | `""` | +<<<<<<< HEAD | coderd | object | Primary service responsible for all things Coder! | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"annotations":{},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | +======= +| coderd | object | Primary service responsible for all things Coder! 
| `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedHostnames":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | +>>>>>>> 71994c1 (feat: support multiple access URLs for geo DNS (#219)) | coderd.affinity | object | Allows specifying an affinity rule for the `coderd` deployment. The default rule prefers to schedule coderd pods on different nodes, which is only applicable if coderd.replicas is greater than 1. 
| `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}}` | | coderd.annotations | object | Apply annotations to the coderd deployment. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | coderd.builtinProviderServiceAccount | object | Customize the built-in Kubernetes provider service account. | `{"annotations":{},"labels":{}}` | 
@@ -49,12 +53,13 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | coderd.proxy.https | string | Proxy to use for HTTPS connections. If this is not set, coderd will use the HTTP proxy (if set), otherwise it will initiate HTTPS connections directly. This corresponds to the https_proxy environment variable. | `""` | | coderd.replicas | int | The number of Kubernetes Pod replicas. | `1` | | coderd.resources | object | Kubernetes resource specification for coderd pods. To unset a value, set it to "". To unset all values, set resources to nil. | `{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}}` | -| coderd.reverseProxy | object | Whether Coder should trust proxy headers for inbound connections, important for ensuring correct IP addresses when an Ingress Controller, service mesh, or other Layer 7 reverse proxy are deployed in front of Coder. | `{"headers":[],"trustedOrigins":[]}` | +| coderd.reverseProxy | object | Whether Coder should trust proxy headers for inbound connections, important for ensuring correct IP addresses when an Ingress Controller, service mesh, or other Layer 7 reverse proxy are deployed in front of Coder. | `{"headers":[],"trustedHostnames":[],"trustedOrigins":[]}` | | coderd.reverseProxy.headers | list | A list of trusted headers. | `[]` | +| coderd.reverseProxy.trustedHostnames | list | A list of hostnames that coderd (including satellites) will allow for OIDC. If this list is not set, all OIDC traffic will go to the configured access URL in the admin settings on the dashboard (or the satellite's primary URL as configured by Helm). | `[]` | | coderd.reverseProxy.trustedOrigins | list | A list of IPv4 or IPv6 subnets to consider trusted, specified in CIDR format. If hosts are part of a matching network, the configured headers will be trusted; otherwise, coderd will rely on the connecting client IP address. 
| `[]` | | coderd.satellite | object | Deploy a satellite to geodistribute access to workspaces for lower latency. | `{"accessURL":"","enable":false,"primaryURL":""}` | | coderd.satellite.accessURL | string | URL of the satellite that clients will connect to. e.g. https://sydney.coder.myorg.com | `""` | -| coderd.satellite.enable | bool | Run coderd as a satellite pointing to a primary deployment. Satellite enable low-latency access to workspaces all over the world. Read more: TODO: Link to docs. | `false` | +| coderd.satellite.enable | bool | Run coderd as a satellite pointing to a primary deployment. Satellite enable low-latency access to workspaces all over the world. Read more: https://coder.com/docs/coder/latest/admin/satellites | `false` | | coderd.satellite.primaryURL | string | URL of the primary Coder deployment. Must be accessible from the satellite and clients. eg. https://coder.myorg.com | `""` | | coderd.securityContext | object | Fields related to the container's security context (as opposed to the pod). Some fields are also present in the pod security context, in which case these values will take precedence. | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` | | coderd.securityContext.allowPrivilegeEscalation | bool | Controls whether the container can gain additional privileges, such as escalating to root. It is recommended to leave this setting disabled in production. | `false` | diff --git a/templates/coderd.yaml b/templates/coderd.yaml index d994f6d8..91fad396 100644 --- a/templates/coderd.yaml +++ b/templates/coderd.yaml 
@@ -193,6 +193,8 @@ spec: - name: SSL_CLIENT_KEY_FILE value: "/etc/ssl/certs/client/tls.key" {{- end }} + - name: CODER_TRUSTED_HOSTNAMES + value: {{ join "," .Values.coderd.reverseProxy.trustedHostnames | quote }} {{- include "coder.workspaces.configMapEnv" . | indent 12 }} {{- include "coder.postgres.env" . | indent 12 }} command: diff --git a/tests/values.go b/tests/values.go index 3773e2ef..ac4a8b36 100644 --- a/tests/values.go +++ b/tests/values.go @@ -137,8 +137,9 @@ type CoderdProxyValues struct { // CoderdReverseProxyValues reflect values from coderd.reverseProxy type CoderdReverseProxyValues struct { - TrustedOrigins []string `json:"trustedOrigins" yaml:"trustedOrigins"` - Headers []string `json:"headers" yaml:"headers"` + TrustedOrigins []string `json:"trustedOrigins" yaml:"trustedOrigins"` + Headers []string `json:"headers" yaml:"headers"` + TrustedHostnames []string `json:"trustedHostnames" yaml:"trustedHostnames"` } // CoderdBuiltinProviderServiceAccountValues reflect values from diff --git a/values.yaml b/values.yaml index 88adbe32..8836895e 100644 --- a/values.yaml +++ b/values.yaml 
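Review bot: `CODER_TRUSTED_HOSTNAMES` in the `@@ -193,6 +193,8` hunk is emitted unconditionally and dereferences `.Values.coderd.reverseProxy.trustedHostnames` without a guard, unlike the `{{- end }}`-guarded TLS variables just above it. Per the values.yaml comment this list decides which hostnames coderd will allow for OIDC, so it deserves a render test and a guard such as `{{- with .Values.coderd.reverseProxy.trustedHostnames }}` around the two added lines (inside it the value becomes `{{ join "," . | quote }}`). As written, a values file that nulls `coderd.reverseProxy` would likely fail the render, and an empty list yields `value: ""`, whose meaning to coderd is not visible here. The values.yaml comment added in this commit still ends in `TODO: link to docs:`; it should also say that only hostnames the operator controls belong in the list. The container spec continues outside the hunk.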
@@ -114,13 +114,22 @@ coderd: # - X-Forwarded-For headers: [] + # coderd.reverseProxy.trustedHostnames -- A list of hostnames that coderd + # (including satellites) will allow for OIDC. If this list is not set, all + # OIDC traffic will go to the configured access URL in the admin settings on + # the dashboard (or the satellite's primary URL as configured by Helm). + # + # This is used for geo DNS support with satellites. Read more: + # TODO: link to docs: + trustedHostnames: [] + # coderd.satellite -- Deploy a satellite to geodistribute access to # workspaces for lower latency. satellite: # coderd.satellite.enable -- Run coderd as a satellite pointing to a primary # deployment. Satellite enable low-latency access to workspaces all over the # world. Read more: - # TODO: Link to docs. + # https://coder.com/docs/coder/latest/admin/satellites enable: false # coderd.satellite.accessURL -- URL of the satellite that clients will # connect to. @@ -326,7 +335,7 @@ postgres: # - "awsiamrds" -- uses AWS IAM account in environment to authenticate using # IAM to connect to an RDS instance. connector: "postgres" - + # postgres.default -- Configure a built-in PostgreSQL deployment. default: # postgres.default.enable -- Deploys a PostgreSQL instance. We recommend From f58564b5067ac791cff8d4181977bacc54d4d7c1 Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Thu, 10 Feb 2022 16:07:33 -0600 Subject: [PATCH 06/14] chore: make README v2 --- README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index 2954a251..dfced39a 100644 --- a/README.md +++ b/README.md 
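Review bot: The comment for `coderd.reverseProxy.trustedHostnames` ships with `TODO: link to docs:` still in place and never says that the list acts as an allowlist or what form an entry takes. Every entry is a hostname coderd will accept for OIDC, so the comment should say so, for example `# Each entry is a hostname that coderd will accept for OIDC; list only hostnames you control.` Whether the server accepts wildcards, ports or schemes in an entry is not visible in this patch, so the accepted format should be confirmed and documented here before the TODO is dropped.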
@@ -25,11 +25,7 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | certs | object | Certificate that will be mounted inside Coder services. | `{"secret":{"key":"","name":""}}` | | certs.secret.key | string | Key pointing to a certificate in the secret. | `""` | | certs.secret.name | string | Name of the secret. | `""` | -<<<<<<< HEAD -| coderd | object | Primary service responsible for all things Coder! | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"annotations":{},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | -======= -| coderd | object | Primary service responsible for all things Coder! 
| `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedHostnames":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | ->>>>>>> 71994c1 (feat: support multiple access URLs for geo DNS (#219)) +| coderd | object | Primary service responsible for all things Coder! 
| `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"annotations":{},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedHostnames":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | | coderd.affinity | object | Allows specifying an affinity rule for the `coderd` deployment. The default rule prefers to schedule coderd pods on different nodes, which is only applicable if coderd.replicas is greater than 1. | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}}` | | coderd.annotations | object | Apply annotations to the coderd deployment. 
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | coderd.builtinProviderServiceAccount | object | Customize the built-in Kubernetes provider service account. | `{"annotations":{},"labels":{}}` | From c1390b61213333b14f34e60f2d401390784ea13e Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Thu, 10 Feb 2022 17:25:43 -0600 Subject: [PATCH 07/14] fix: annotations merge & add deprecation notice --- README.md | 2 +- templates/timescale.yaml | 2 +- values.yaml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index dfced39a..8ae7ee53 100644 --- a/README.md +++ b/README.md 
@@ -122,7 +122,7 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | postgres.sslMode | string | Provides variable levels of protection for the PostgreSQL connection. For acceptable values, see: https://www.postgresql.org/docs/11/libpq-ssl.html | `"require"` | | postgres.user | string | User of the external PostgreSQL instance. | `""` | | services | object | Kubernetes Service configuration that applies to Coder services. | `{"annotations":{},"clusterDomainSuffix":".svc.cluster.local","nodeSelector":{"kubernetes.io/arch":"amd64","kubernetes.io/os":"linux"},"tolerations":[],"type":"ClusterIP"}` | -| services.annotations | object | A KV mapping of annotations. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | +| services.annotations | object | A KV mapping of annotations. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ DEPRECATED -- Please use the annotations value for each object. | `{}` | | services.clusterDomainSuffix | string | Custom domain suffix for DNS resolution in your cluster. See: https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ | `".svc.cluster.local"` | | services.nodeSelector | object | See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | `{"kubernetes.io/arch":"amd64","kubernetes.io/os":"linux"}` | | services.tolerations | list | Each element is a toleration object. See: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | `[]` | diff --git a/templates/timescale.yaml b/templates/timescale.yaml index b1d97991..80587fcf 100644 --- a/templates/timescale.yaml +++ b/templates/timescale.yaml 
@@ -55,7 +55,7 @@ spec: app.kubernetes.io/component: {{ include "timescale.serviceName" . }} app: timescale coder.deployment: timescale - annotations: {{ toYaml .Values.postgres.default.annotations | nindent 8 }} + annotations: {{ toYaml (merge .Values.postgres.default.annotations .Values.services.annotations) | nindent 8 }} spec: serviceAccountName: timescale securityContext: diff --git a/values.yaml b/values.yaml index 8836895e..b03bebde 100644 --- a/values.yaml +++ b/values.yaml @@ -378,6 +378,7 @@ postgres: services: # services.annotations -- A KV mapping of annotations. See: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + # DEPRECATED -- Please use the annotations value for each object. annotations: {} # services.clusterDomainSuffix -- Custom domain suffix for DNS resolution in your cluster. See: # https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ From a848980b8c05c3d179f56cc416ecede40c8053ec Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Fri, 11 Feb 2022 10:39:08 -0600 Subject: [PATCH 08/14] fix: merge testing --- templates/coderd.yaml | 6 +++--- templates/timescale.yaml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/coderd.yaml b/templates/coderd.yaml index 91fad396..497768cd 100644 --- a/templates/coderd.yaml +++ b/templates/coderd.yaml @@ -13,7 +13,7 @@ metadata: app.kubernetes.io/component: {{ include "coder.serviceName" . }} app: {{ include "coder.serviceName" . }} coder.deployment: {{ include "coder.serviceName" . }} - annotations: {{ toYaml (merge .Values.coderd.annotations .Values.services.annotations) | nindent 4 }} + annotations: {{ toYaml (merge (.Values.coderd.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} spec: replicas: {{ default 1 .Values.coderd.replicas }} strategy: 
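Review bot: `merge` writes into its first argument, so the new line in the `@@ -55,7 +55,7 @@` hunk of `templates/timescale.yaml` changes `.Values.postgres.default.annotations` in place during rendering, and any template evaluated afterwards sees the deprecated `services.annotations` already folded into it. Passing a fresh destination leaves the values untouched and keeps the per-object map's precedence: `annotations: {{ toYaml (merge (dict) .Values.postgres.default.annotations .Values.services.annotations) | nindent 8 }}`. The same call shape appears in the later `templates/coderd.yaml` and `templates/timescale.yaml` hunks of patches 08 to 10 and 13, where the point applies equally. No template that relies on the unmerged map is visible in this patch, so today the cost is mainly surprise for whoever reads these values next.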
@@ -36,7 +36,7 @@ spec: {{- with .Values.coderd.extraLabels -}} {{ toYaml . | nindent 8 }} {{- end }} - annotations: {{ toYaml (merge .Values.coderd.annotations .Values.services.annotations) | nindent 8 }} + annotations: {{ toYaml (merge (.Values.coderd.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} spec: securityContext: {{ toYaml .Values.coderd.podSecurityContext | nindent 8 }} restartPolicy: Always @@ -261,7 +261,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ include "coder.serviceName" . }} - annotations: {{ toYaml (merge .Values.coderd.serviceSpec.annotations .Values.services.annotations) | nindent 4 }} + annotations: {{ toYaml (merge (.Values.coderd.serviceSpec.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} spec: {{- if .Values.coderd.serviceSpec }} {{- toYaml .Values.coderd.serviceSpec | nindent 2 }} diff --git a/templates/timescale.yaml b/templates/timescale.yaml index 80587fcf..4b373f7f 100644 --- a/templates/timescale.yaml +++ b/templates/timescale.yaml @@ -33,7 +33,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ include "timescale.serviceName" . }} - annotations: {{ toYaml (merge .Values.postgres.default.annotations .Values.services.annotations) | nindent 4 }} + annotations: {{ toYaml (merge (.Values.postgres.default.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} spec: serviceName: {{ include "timescale.serviceName" . }} replicas: 1 
@@ -55,7 +55,7 @@ spec: app.kubernetes.io/component: {{ include "timescale.serviceName" . }} app: timescale coder.deployment: timescale - annotations: {{ toYaml (merge .Values.postgres.default.annotations .Values.services.annotations) | nindent 8 }} + annotations: {{ toYaml (merge (.Values.postgres.default.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} spec: serviceAccountName: timescale securityContext: From d46f35fcdba1927df12ad162ee928ad32a0e3292 Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Fri, 11 Feb 2022 15:41:19 -0600 Subject: [PATCH 09/14] fix: nindent --- templates/coderd.yaml | 6 +++--- templates/timescale.yaml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/coderd.yaml b/templates/coderd.yaml index 497768cd..65cdaafa 100644 --- a/templates/coderd.yaml +++ b/templates/coderd.yaml @@ -13,7 +13,7 @@ metadata: app.kubernetes.io/component: {{ include "coder.serviceName" . }} app: {{ include "coder.serviceName" . }} coder.deployment: {{ include "coder.serviceName" . }} - annotations: {{ toYaml (merge (.Values.coderd.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} + annotations: {{ toYaml (merge (.Values.coderd.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 4 }} spec: replicas: {{ default 1 .Values.coderd.replicas }} strategy: @@ -36,7 +36,7 @@ spec: {{- with .Values.coderd.extraLabels -}} {{ toYaml . | nindent 8 }} {{- end }} - annotations: {{ toYaml (merge (.Values.coderd.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} + annotations: {{ toYaml (merge (.Values.coderd.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 4 }} spec: securityContext: {{ toYaml .Values.coderd.podSecurityContext | nindent 8 }} restartPolicy: Always 
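Review bot: In the `@@ -36,7 +36,7 @@` hunk of `templates/coderd.yaml` (patch 09) the pod-template annotations move to `nindent 4`, but the neighbouring `extraLabels` and `podSecurityContext` lines in the same block use `nindent 8`, so the rendered annotation keys would sit shallower than the `annotations:` key they belong to. This line should stay `… | nindent 8 }}`; only the object-level metadata of the Deployment, Service and StatefulSet belongs at `nindent 4`. The `@@ -55,7 +55,7 @@` hunk of `templates/timescale.yaml` in the same patch makes the same change to the StatefulSet's pod template. Original indentation is not preserved in this view, so the depth is inferred from the surrounding `nindent` values. A render test that sets non-empty annotations and reads them back from the pod template would catch this.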
@@ -261,7 +261,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ include "coder.serviceName" . }} - annotations: {{ toYaml (merge (.Values.coderd.serviceSpec.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} + annotations: {{ toYaml (merge (.Values.coderd.serviceSpec.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 4 }} spec: {{- if .Values.coderd.serviceSpec }} {{- toYaml .Values.coderd.serviceSpec | nindent 2 }} diff --git a/templates/timescale.yaml b/templates/timescale.yaml index 4b373f7f..55612d4d 100644 --- a/templates/timescale.yaml +++ b/templates/timescale.yaml @@ -33,7 +33,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ include "timescale.serviceName" . }} - annotations: {{ toYaml (merge (.Values.postgres.default.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} + annotations: {{ toYaml (merge (.Values.postgres.default.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 4 }} spec: serviceName: {{ include "timescale.serviceName" . }} replicas: 1 @@ -55,7 +55,7 @@ spec: app.kubernetes.io/component: {{ include "timescale.serviceName" . }} app: timescale coder.deployment: timescale - annotations: {{ toYaml (merge (.Values.postgres.default.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} + annotations: {{ toYaml (merge (.Values.postgres.default.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 4 }} spec: serviceAccountName: timescale securityContext: From e73a1ac1c6aa3fe0cdc89d6cfac435eb0a1e7f18 Mon Sep 17 00:00:00 2001 
From: Eric Paulsen Date: Tue, 15 Feb 2022 17:25:52 -0600 Subject: [PATCH 10/14] fix: nindent --- templates/coderd.yaml | 2 +- templates/timescale.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/coderd.yaml b/templates/coderd.yaml index 65cdaafa..8fda5ebb 100644 --- a/templates/coderd.yaml +++ b/templates/coderd.yaml @@ -36,7 +36,7 @@ spec: {{- with .Values.coderd.extraLabels -}} {{ toYaml . | nindent 8 }} {{- end }} - annotations: {{ toYaml (merge (.Values.coderd.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 4 }} + annotations: {{ toYaml (merge (.Values.coderd.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} spec: securityContext: {{ toYaml .Values.coderd.podSecurityContext | nindent 8 }} restartPolicy: Always diff --git a/templates/timescale.yaml b/templates/timescale.yaml index 55612d4d..720b9b45 100644 --- a/templates/timescale.yaml +++ b/templates/timescale.yaml @@ -55,7 +55,7 @@ spec: app.kubernetes.io/component: {{ include "timescale.serviceName" . }} app: timescale coder.deployment: timescale - annotations: {{ toYaml (merge (.Values.postgres.default.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 4 }} + annotations: {{ toYaml (merge (.Values.postgres.default.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 8 }} spec: serviceAccountName: timescale securityContext: From 972673573499520470384a259495916f5a3faf9a Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Tue, 15 Feb 2022 17:33:08 -0600 Subject: [PATCH 11/14] feat: unit test for null annotations --- tests/annotations_test.go | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/annotations_test.go b/tests/annotations_test.go index 02496b85..0ae47192 100644 --- a/tests/annotations_test.go +++ b/tests/annotations_test.go 
@@ -69,6 +69,29 @@ func TestAnnotationsEmpty(t *testing.T) { assert.Empty(t, db.Annotations) } +func TestAnnotationsNull(t *testing.T) { + t.Parallel() + + var ( + chart = LoadChart(t) + objs = chart.MustRender(t, func(cv *CoderValues) { + cv.Coderd.Annotations = nil + cv.Coderd.ServiceSpec.Annotations = nil + cv.Postgres.Default.Annotations = nil + cv.Services.Annotations = nil + }) + ) + + depl := MustFindDeployment(t, objs, "coderd") + assert.Empty(t, depl.Annotations) + + svc := MustFindService(t, objs, "coderd") + assert.Empty(t, svc.Annotations) + + db := MustFindStatefulSet(t, objs, "timescale") + assert.Empty(t, db.Annotations) +} + // mergeAnnotations copies `a` into a new map, then it copies all key/value // pairs from `b` on top of that copy. func mergeAnnotations(a, b map[string]string) map[string]string { From 0bc08f0e848e1a25d70613c3e1d067c7b06d842f Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Tue, 15 Feb 2022 17:34:54 -0600 Subject: [PATCH 12/14] chore: merge README --- README.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 23294b71..61e2a4f1 100644 --- a/README.md +++ b/README.md 
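Review bot: `TestAnnotationsNull` inspects only the object-level metadata (`depl.Annotations`, `svc.Annotations`, `db.Annotations`), although the templates also render the merged annotations into the pod templates of the Deployment and StatefulSet. Those pod-template lines are the ones whose `nindent` flipped in patches 08 to 10, so they deserve assertions as well, e.g. `assert.Empty(t, depl.Spec.Template.Annotations)` and `assert.Empty(t, db.Spec.Template.Annotations)`, assuming the `MustFind…` helpers return the typed apps/v1 objects. The new test also lacks the one-line comment its neighbours carry; `// nil annotation values must render without error and yield no annotations` would match.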
@@ -25,9 +25,10 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | certs | object | Certificate that will be mounted inside Coder services. | `{"secret":{"key":"","name":""}}` | | certs.secret.key | string | Key pointing to a certificate in the secret. | `""` | | certs.secret.name | string | Name of the secret. | `""` | -| coderd | object | Primary service responsible for all things Coder! | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"alternateHostnames":[],"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | +| coderd | object | Primary service responsible for all things Coder! 
| `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"alternateHostnames":[],"annotations":{},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | | coderd.affinity | object | Allows specifying an affinity rule for the `coderd` deployment. The default rule prefers to schedule coderd pods on different nodes, which is only applicable if coderd.replicas is greater than 1. 
| `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}}` | | coderd.alternateHostnames | list | A list of hostnames that coderd (including satellites) will allow for OIDC. If this list is not set, all OIDC traffic will go to the configured access URL in the admin settings on the dashboard (or the satellite's primary URL as configured by Helm). | `[]` | +| coderd.annotations | object | Apply annotations to the coderd deployment. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | coderd.builtinProviderServiceAccount | object | Customize the built-in Kubernetes provider service account. | `{"annotations":{},"labels":{}}` | | coderd.builtinProviderServiceAccount.annotations | object | A KV mapping of annotations. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | coderd.builtinProviderServiceAccount.labels | object | Add labels to the service account used for the built-in provider. | `{}` | 
@@ -66,7 +67,8 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | coderd.serviceNodePorts | object | Allows manually setting static node ports for the coderd service. This is only helpful if static ports are required, and usually should be left alone. By default these are dynamically chosen. | `{"http":null,"https":null}` | | coderd.serviceNodePorts.http | string | Sets a static 'coderd' service non-TLS nodePort. This should usually be omitted. | `nil` | | coderd.serviceNodePorts.https | string | Sets a static 'coderd' service TLS nodePort This should usually be omitted. | `nil` | -| coderd.serviceSpec | object | Specification to inject for the coderd service. See: https://kubernetes.io/docs/concepts/services-networking/service/ | `{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"}` | +| coderd.serviceSpec | object | Specification to inject for the coderd service. See: https://kubernetes.io/docs/concepts/services-networking/service/ | `{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"}` | +| coderd.serviceSpec.annotations | object | Apply annotations to the coderd service. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | coderd.serviceSpec.externalTrafficPolicy | string | Set the traffic policy for the service. See: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | `"Local"` | | coderd.serviceSpec.loadBalancerIP | string | Set the external IP address of the Ingress service. | `""` | | coderd.serviceSpec.loadBalancerSourceRanges | list | Traffic through the LoadBalancer will be restricted to the specified client IPs. This field will be ignored if the cloud provider does not support this feature. | `[]` | 
@@ -96,7 +98,8 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | metrics.amplitudeKey | string | Enables telemetry pushing to Amplitude. Amplitude records how users interact with Coder, which is used to improve the product. No events store any personal information. Amplitude can be found here: https://amplitude.com/ Keep empty to disable. | `""` | | postgres.connector | string | Option for configuring database connector type. valid values are: - "postgres" -- default connector - "awsiamrds" -- uses AWS IAM account in environment to authenticate using IAM to connect to an RDS instance. | `"postgres"` | | postgres.database | string | Name of the database that Coder will use. You must create this database first. | `""` | -| postgres.default | object | Configure a built-in PostgreSQL deployment. | `{"enable":true,"image":"","networkPolicy":{"enable":true},"resources":{"limits":{"cpu":"250m","memory":"1Gi"},"requests":{"cpu":"250m","memory":"1Gi","storage":"10Gi"}},"storageClassName":""}` | +| postgres.default | object | Configure a built-in PostgreSQL deployment. | `{"annotations":{},"enable":true,"image":"","networkPolicy":{"enable":true},"resources":{"limits":{"cpu":"250m","memory":"1Gi"},"requests":{"cpu":"250m","memory":"1Gi","storage":"10Gi"}},"storageClassName":""}` | +| postgres.default.annotations | object | Apply annotations to the default postgres service. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | postgres.default.enable | bool | Deploys a PostgreSQL instance. We recommend using an external PostgreSQL instance in production. If true, all other values are ignored. | `true` | | postgres.default.image | string | Injected by Coder during release. | `""` | | postgres.default.networkPolicy | object | Configure the network policy to apply to the built-in PostgreSQL deployment. | `{"enable":true}` | 
@@ -119,7 +122,7 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | postgres.sslMode | string | Provides variable levels of protection for the PostgreSQL connection. For acceptable values, see: https://www.postgresql.org/docs/11/libpq-ssl.html | `"require"` | | postgres.user | string | User of the external PostgreSQL instance. | `""` | | services | object | Kubernetes Service configuration that applies to Coder services. | `{"annotations":{},"clusterDomainSuffix":".svc.cluster.local","nodeSelector":{"kubernetes.io/arch":"amd64","kubernetes.io/os":"linux"},"tolerations":[],"type":"ClusterIP"}` | -| services.annotations | object | A KV mapping of annotations. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | +| services.annotations | object | A KV mapping of annotations. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ DEPRECATED -- Please use the annotations value for each object. | `{}` | | services.clusterDomainSuffix | string | Custom domain suffix for DNS resolution in your cluster. See: https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ | `".svc.cluster.local"` | | services.nodeSelector | object | See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | `{"kubernetes.io/arch":"amd64","kubernetes.io/os":"linux"}` | | services.tolerations | list | Each element is a toleration object. See: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | `[]` | From 598355e44742fb2faf7225516d8575209ebe2e5b Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Tue, 15 Feb 2022 17:50:44 -0600 Subject: [PATCH 13/14] chore: refactor coderd service annotations --- templates/coderd.yaml | 2 +- tests/annotations_test.go | 4 ++-- tests/values.go | 2 +- values.yaml | 6 +++--- 4 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/templates/coderd.yaml b/templates/coderd.yaml index a3c30076..374b3970 100644 --- a/templates/coderd.yaml +++ b/templates/coderd.yaml @@ -261,7 +261,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ include "coder.serviceName" . }} - annotations: {{ toYaml (merge (.Values.coderd.serviceSpec.annotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 4 }} + annotations: {{ toYaml (merge (.Values.coderd.serviceAnnotations | default (dict)) (.Values.services.annotations | default (dict))) | nindent 4 }} spec: {{- if .Values.coderd.serviceSpec }} {{- toYaml .Values.coderd.serviceSpec | nindent 2 }} diff --git a/tests/annotations_test.go b/tests/annotations_test.go index 0ae47192..1cfdfa56 100644 --- a/tests/annotations_test.go +++ b/tests/annotations_test.go @@ -37,7 +37,7 @@ func TestAnnotations(t *testing.T) { cv.Services.Annotations = expectedGlobal cv.Coderd.Annotations = expectedCoderd - cv.Coderd.ServiceSpec.Annotations = expectedCoderdService + cv.Coderd.ServiceAnnotations = expectedCoderdService cv.Postgres.Default.Annotations = expectedTimescale }) @@ -76,7 +76,7 @@ func TestAnnotationsNull(t *testing.T) { chart = LoadChart(t) objs = chart.MustRender(t, func(cv *CoderValues) { cv.Coderd.Annotations = nil - cv.Coderd.ServiceSpec.Annotations = nil + cv.Coderd.ServiceAnnotations = nil cv.Postgres.Default.Annotations = nil cv.Services.Annotations = nil }) diff --git a/tests/values.go b/tests/values.go index 23cb365d..8169e538 100644 --- a/tests/values.go +++ b/tests/values.go 
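Review bot: After this rename the Service metadata reads only `.Values.coderd.serviceAnnotations`, so a values file that still sets `coderd.serviceSpec.annotations` (the key introduced earlier in this series) silently loses its Service annotations, and the stale key is written into `spec:` by the `toYaml .Values.coderd.serviceSpec` line below. Annotations on a LoadBalancer Service often control how it is exposed, so a silent drop is worth failing on: `{{- if hasKey (.Values.coderd.serviceSpec | default dict) "annotations" }}{{ fail "coderd.serviceSpec.annotations was renamed to coderd.serviceAnnotations" }}{{- end }}`. If the old key never reached a release, a changelog entry is enough. The README table from patch 12 still lists `coderd.serviceSpec.annotations` at this point in the series.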
@@ -98,6 +98,7 @@ type CoderdValues struct {
 Annotations map[string]string `json:"annotations" yaml:"annotations"`
 ClientTLS *CoderdClientTLSValues `json:"clientTLS" yaml:"clientTLS"`
 AlternateHostnames []string `json:"alternateHostnames" yaml:"alternateHostnames"`
+ ServiceAnnotations map[string]string `json:"serviceAnnotations" yaml:"serviceAnnotations"`
 }
 type CoderdClientTLSValues struct {
@@ -176,7 +177,6 @@ type CoderdServiceSpecValues struct {
 ExternalTrafficPolicy *corev1.ServiceExternalTrafficPolicyType `json:"externalTrafficPolicy" yaml:"externalTrafficPolicy"`
 LoadBalancerIP *string `json:"loadBalancerIP" yaml:"loadBalancerIP"`
 LoadBalancerSourceRanges *[]string `json:"loadBalancerSourceRanges" yaml:"loadBalancerSourceRanges"`
- Annotations map[string]string `json:"annotations" yaml:"annotations"`
 }
 // EnvboxValues reflect values from envbox.
diff --git a/values.yaml b/values.yaml
index cbdc1700..33417756 100644
--- a/values.yaml
+++ b/values.yaml
@@ -7,6 +7,9 @@ coderd:
 # coderd.annotations -- Apply annotations to the coderd deployment.
 # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
 annotations: {}
+ # coderd.serviceAnnotations -- Apply annotations to the coderd service.
+ # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ serviceAnnotations: {}
 # coderd.serviceSpec -- Specification to inject for the coderd service. See:
 # https://kubernetes.io/docs/concepts/services-networking/service/
 serviceSpec:
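Review bot: The comment added for `coderd.serviceAnnotations` in values.yaml does not say that the key replaces `coderd.serviceSpec.annotations`, nor how it combines with the deprecated `services.annotations`. The template in this commit passes it as the first argument to `merge`, which gives that argument precedence, so on a shared key the per-service value should win; operators who depend on an annotation to restrict or configure the load balancer need that stated. I would add a comment line such as `# Replaces coderd.serviceSpec.annotations; merged over the deprecated services.annotations, and this value wins on conflicting keys.` to the block. The `coderd:` mapping continues past the end of the hunk.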
@@ -23,9 +26,6 @@ coderd:
 # will be restricted to the specified client IPs. This field will be ignored if
 # the cloud provider does not support this feature.
 loadBalancerSourceRanges: []
- # coderd.serviceSpec.annotations -- Apply annotations to the coderd service.
- # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- annotations: {}
 # coderd.serviceNodePorts -- Allows manually setting static node ports for the coderd service.
 # This is only helpful if static ports are required, and usually should be left alone.
From 8b02281f6c0d8652a72ba099a16d4998ef032943 Mon Sep 17 00:00:00 2001
From: Eric Paulsen
Date: Tue, 15 Feb 2022 19:15:35 -0600
Subject: [PATCH 14/14] chore: make README v3
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 61e2a4f1..1fbb8796 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | certs | object | Certificate that will be mounted inside Coder services. | `{"secret":{"key":"","name":""}}` | | certs.secret.key | string | Key pointing to a certificate in the secret. | `""` | | certs.secret.name | string | Name of the secret. | `""` | -| coderd | object | Primary service responsible for all things Coder! | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"alternateHostnames":[],"annotations":{},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | +| coderd | object | Primary service responsible for all things Coder! 
| `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"alternateHostnames":[],"annotations":{},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceAnnotations":{},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` | | coderd.affinity | object | Allows specifying an affinity rule for the `coderd` deployment. The default rule prefers to schedule coderd pods on different nodes, which is only applicable if coderd.replicas is greater than 1. 
| `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}}` | | coderd.alternateHostnames | list | A list of hostnames that coderd (including satellites) will allow for OIDC. If this list is not set, all OIDC traffic will go to the configured access URL in the admin settings on the dashboard (or the satellite's primary URL as configured by Helm). | `[]` | | coderd.annotations | object | Apply annotations to the coderd deployment. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | 
@@ -64,11 +64,11 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa | coderd.securityContext.runAsNonRoot | bool | Requires that the coderd and migrations containers run as an unprivileged user. If setting runAsUser to 0 (root), this will need to be set to false. | `true` | | coderd.securityContext.runAsUser | int | Sets the user id of the pod. For security reasons, we recommend using a non-root user. | `1000` | | coderd.securityContext.seccompProfile | object | Sets the seccomp profile for the migration and runtime containers. | `{"type":"RuntimeDefault"}` | +| coderd.serviceAnnotations | object | Apply annotations to the coderd service. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | | coderd.serviceNodePorts | object | Allows manually setting static node ports for the coderd service. This is only helpful if static ports are required, and usually should be left alone. By default these are dynamically chosen. | `{"http":null,"https":null}` | | coderd.serviceNodePorts.http | string | Sets a static 'coderd' service non-TLS nodePort. This should usually be omitted. | `nil` | | coderd.serviceNodePorts.https | string | Sets a static 'coderd' service TLS nodePort This should usually be omitted. | `nil` | -| coderd.serviceSpec | object | Specification to inject for the coderd service. See: https://kubernetes.io/docs/concepts/services-networking/service/ | `{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"}` | -| coderd.serviceSpec.annotations | object | Apply annotations to the coderd service. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` | +| coderd.serviceSpec | object | Specification to inject for the coderd service. 
See: https://kubernetes.io/docs/concepts/services-networking/service/ | `{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"}` | | coderd.serviceSpec.externalTrafficPolicy | string | Set the traffic policy for the service. See: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | `"Local"` | | coderd.serviceSpec.loadBalancerIP | string | Set the external IP address of the Ingress service. | `""` | | coderd.serviceSpec.loadBalancerSourceRanges | list | Traffic through the LoadBalancer will be restricted to the specified client IPs. This field will be ignored if the cloud provider does not support this feature. | `[]` |