This repository contains the configuration files needed to deploy Coder on Amazon EKS with Application Load Balancer (ALB), ForgeRock SSO integration, GitHub external authentication, and TLS termination.
`values.yaml`: the main Helm values file, which configures Coder with:
- ALB Integration: Uses ClusterIP service with Ingress for ALB
- ForgeRock OIDC SSO: Complete OIDC configuration for enterprise authentication
- GitHub External Auth: Enables GitHub integration for workspace templates
- Local User Creation: Allows password-based authentication alongside SSO
- Resource Limits: 2 CPU cores and 8GB RAM per Coder instance
- Provisioner Configuration: 8 threads for concurrent workspace builds
- High Availability: 2 replicas with multi-AZ pod anti-affinity
- TLS: Handled by ALB with ACM certificates
`required-secrets.yaml`: defines the required Kubernetes secrets for:
- Database Connection: PostgreSQL connection URL
- ForgeRock OIDC: Client ID and secret for SSO
- GitHub OAuth: Client credentials for external authentication
`deployment-commands.sh`: automated deployment script that:
- Creates the namespace
- Applies secrets
- Adds Helm repository
- Performs dry-run validation with interactive review
- Deploys Coder
- Validates deployment status
- Provides troubleshooting helpers
Terraform template for creating workspaces with:
- VS Code Server: Web-based IDE on port 13337
- JupyterLab: Data science environment on port 8888
- GitHub Integration: Automatic Git configuration with tokens
- Configurable Resources: CPU, memory, and storage parameters
- Development Tools: Docker, Git, and common utilities
Before deploying, ensure you have:
- EKS cluster running
- AWS Load Balancer Controller installed
- ACM certificate created and validated for your domain
- Proper IAM permissions for ALB controller
- PostgreSQL database (RDS recommended)
- ForgeRock OIDC application configured
- GitHub OAuth application created
- DNS records pointing to your domain
- `kubectl` configured for your EKS cluster
- `helm` v3.x installed
- Access to create secrets in the target namespace
- Update `required-secrets.yaml` with your actual values. Secret data is base64-encoded, which is an encoding and not encryption, so keep the populated file out of version control:

```bash
# Database connection (base64 encoded)
echo -n 'postgres://username:password@host:5432/coder?sslmode=require' | base64
# ForgeRock credentials (base64 encoded)
echo -n 'your-forgerock-client-id' | base64
echo -n 'your-forgerock-client-secret' | base64
# GitHub credentials (base64 encoded)
echo -n 'your-github-client-id' | base64
echo -n 'your-github-client-secret' | base64
```

- Replace the placeholders in `required-secrets.yaml` with the base64 values above. The `-n` matters: a trailing newline in the encoded value is a common cause of failed database and OIDC connections.
- Update `values.yaml` with your specific values:

```yaml
# Update these values:
CODER_ACCESS_URL: "https://your-domain.com"
CODER_WILDCARD_ACCESS_URL: "*.your-domain.com"
CODER_OIDC_ISSUER_URL: "https://your-forgerock.com/oauth2"
CODER_OIDC_EMAIL_DOMAIN: "your-company.com"
# Update ALB certificate ARN:
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:region:account:certificate/your-cert-id"
# Update ingress hosts:
host: "your-domain.com"
wildcardHost: "*.your-domain.com"
```

- Make the script executable:

```bash
chmod +x deployment-commands.sh
```

- Run the deployment:

```bash
./deployment-commands.sh
```

- Review the dry-run output carefully before proceeding
- Press Enter to continue with deployment or Ctrl+C to abort
```bash
# Check pods
kubectl get pods -n coder
# Check ingress
kubectl get ingress -n coder
# Check logs
kubectl logs -n coder -l app.kubernetes.io/name=coder -f
```

- Check AWS Console: Go to EC2 → Load Balancers
- Verify Target Groups: Ensure targets are healthy
- Test DNS: `nslookup your-domain.com`
- Test Connectivity: `curl -I https://your-domain.com/healthz`
Pods not starting:
- Check resource limits vs node capacity
- Verify secrets are created correctly
- Check image pull permissions
ALB not routing traffic:
- Verify certificate ARN is correct
- Check security groups allow traffic
- Ensure DNS points to ALB hostname
Authentication issues:
- Verify ForgeRock/GitHub redirect URIs
- Check client credentials in secrets
- Review OIDC issuer URL format
- Log in to Coder as an admin
- Clone the Coder Registry repo: `git clone https://github.com/coder/registry.git`
- Switch to the template directory: `cd registry/registry/coder/templates/kubernetes`
- Push the contents of the template to your deployment: `coder template push kubernetes -d .`
Coder includes Prometheus metrics on port 2112:

```bash
# Port-forward to access metrics
kubectl port-forward -n coder svc/coder 2112:2112
# View metrics
curl http://localhost:2112/metrics
```

- Secrets Management: Consider using AWS Secrets Manager or External Secrets Operator
- Network Policies: Implement Kubernetes network policies
- RBAC: Review and restrict ServiceAccount permissions
- Image Security: Scan container images for vulnerabilities
- WAF: Consider enabling AWS WAF on the ALB
```bash
# Update Helm repository
helm repo update
# Check available versions
helm search repo coder-v2/coder
# Upgrade with dry-run first
helm upgrade coder coder-v2/coder \
  --namespace coder \
  --values values.yaml \
  --dry-run --debug
# Apply upgrade
helm upgrade coder coder-v2/coder \
  --namespace coder \
  --values values.yaml
```

- Coder Documentation
- Kubernetes Templates Guide
- AWS Load Balancer Controller
- ForgeRock OIDC Configuration
For issues:
- Check the troubleshooting section above
- Review Coder logs: `kubectl logs -n coder -l app.kubernetes.io/name=coder`
- Check AWS ALB target group health
- Verify DNS and certificate configuration
- Contact your platform team or Coder support
Note: This configuration is production-ready but should be customized for your specific security and compliance requirements.