# coder -- Primary configuration for `coder server`. coder: # coder.env -- The environment variables to set for Coder. These can be used # to configure all aspects of `coder server`. Please see `coder server --help` # for information about what environment variables can be set. # Note: The following environment variables are set by default and cannot be # overridden: # - CODER_HTTP_ADDRESS: set to 0.0.0.0:8080 and cannot be changed. # - CODER_TLS_ADDRESS: set to 0.0.0.0:8443 if tls.secretName is not empty. # - CODER_TLS_ENABLE: set if tls.secretName is not empty. # - CODER_TLS_CERT_FILE: set if tls.secretName is not empty. # - CODER_TLS_KEY_FILE: set if tls.secretName is not empty. # - KUBE_POD_IP # - CODER_DERP_SERVER_RELAY_URL # # The following environment variables have defaults but CAN be overridden: # - CODER_PROMETHEUS_ADDRESS: defaults to 0.0.0.0:2112. Override to restrict # access (e.g., 127.0.0.1:2112 for localhost only). # Prometheus must still be enabled by setting CODER_PROMETHEUS_ENABLE. # - CODER_PPROF_ADDRESS: defaults to 0.0.0.0:6060. Override to restrict access # (e.g., 127.0.0.1:6060 for localhost only). This is recommended for security # as pprof can expose sensitive runtime information. # Profiling must still be enabled by setting CODER_PPROF_ENABLE. # # We will additionally set CODER_ACCESS_URL if unset to the cluster service # URL, unless coder.envUseClusterAccessURL is set to false. env: [] # - name: "CODER_ACCESS_URL" # value: "https://coder.example.com" # coder.envFrom -- Secrets or ConfigMaps to use for Coder's environment # variables. If you want one environment variable read from a secret, then use # coder.env valueFrom. See the K8s docs for valueFrom here: # https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data # # If setting CODER_ACCESS_URL in coder.envFrom, then you must set # coder.envUseClusterAccessURL to false. envFrom: [] # - configMapRef: # name: coder-config # - secretRef: # name: coder-config # coder.envUseClusterAccessURL -- Determines whether the CODER_ACCESS_URL env # is added to coder.env if it's not already set there. Set this to false if # defining CODER_ACCESS_URL in coder.envFrom to avoid conflicts. envUseClusterAccessURL: true # coder.image -- The image to use for Coder. image: # coder.image.repo -- The repository of the image. repo: "ghcr.io/coder/coder" # coder.image.tag -- The tag of the image, defaults to {{.Chart.AppVersion}} # if not set. If you're using the chart directly from git, the default # app version will not work and you'll need to set this value. The helm # chart helpfully fails quickly in this case. tag: "" # coder.image.pullPolicy -- The pull policy to use for the image. See: # https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy pullPolicy: IfNotPresent # coder.image.pullSecrets -- The secrets used for pulling the Coder image from # a private registry. pullSecrets: [] # - name: "pull-secret" # coder.initContainers -- Init containers for the deployment. See: # https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ initContainers: [] # - name: init-container # image: busybox:1.28 # command: ['sh', '-c', "sleep 2"] # coder.annotations -- The Deployment annotations. See: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ annotations: {} # coder.labels -- The Deployment labels. See: # https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ labels: {} # coder.podAnnotations -- The Coder pod annotations. See: # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ # Note: The annotation `app.kubernetes.io/component` is automatically added to identify # the component type (coderd, wsproxy, or provisionerd). podAnnotations: {} # coder.podLabels -- The Coder pod labels. See: # https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ podLabels: {} # coder.priorityClassName -- The priority class name to assign to the Coder pod. See: # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ # The PriorityClass must exist in the cluster prior to deploying Coder with this set. priorityClassName: "" # coder.serviceAccount -- Configuration for the automatically created service # account. Creation of the service account cannot be disabled. serviceAccount: # coder.serviceAccount.workspacePerms -- Whether or not to grant the coder # service account permissions to manage workspaces. This includes # permission to manage pods and persistent volume claims in the deployment # namespace. # # It is recommended to keep this on if you are using Kubernetes templates # within Coder. workspacePerms: true # coder.serviceAccount.enableDeployments -- Provides the service account # permission to manage Kubernetes deployments. Depends on workspacePerms. enableDeployments: true # coder.serviceAccount.extraRules -- Additional permissions added to the SA # role. Depends on workspacePerms. extraRules: [] # - apiGroups: [""] # resources: ["services"] # verbs: # - create # - delete # - deletecollection # - get # - list # - patch # - update # - watch # coder.serviceAccount.workspaceNamespaces -- Grant this service account permissions # to manage Coder workspaces in specific namespaces without using ClusterRoles. # When specified, Roles and RoleBindings will be created in each listed namespace # binding to the service account in the release namespace. # Each item can optionally override the default permissions. workspaceNamespaces: [] # - name: dev-ws # workspacePerms: true # Defaults to top-level setting # enableDeployments: true # Defaults to top-level setting # extraRules: [] # Defaults to top-level setting # - name: staging-ws # coder.serviceAccount.annotations -- The Coder service account annotations. annotations: {} # coder.serviceAccount.labels -- The Coder service account labels. labels: {} # coder.serviceAccount.name -- The service account name name: coder # coder.serviceAccount.disableCreate -- Whether to create the service account or use existing service account. disableCreate: false # coder.securityContext -- Fields related to the container's security # context (as opposed to the pod). Some fields are also present in the pod # security context, in which case these values will take precedence. securityContext: # coder.securityContext.runAsNonRoot -- Requires that the coder container # runs as an unprivileged user. If setting runAsUser to 0 (root), this # will need to be set to false. runAsNonRoot: true # coder.securityContext.runAsUser -- Sets the user id of the container. # For security reasons, we recommend using a non-root user. runAsUser: 1000 # coder.securityContext.runAsGroup -- Sets the group id of the container. # For security reasons, we recommend using a non-root group. runAsGroup: 1000 # coder.securityContext.readOnlyRootFilesystem -- Mounts the container's # root filesystem as read-only. readOnlyRootFilesystem: null # coder.securityContext.seccompProfile -- Sets the seccomp profile for # the coder container. seccompProfile: type: RuntimeDefault # coder.securityContext.allowPrivilegeEscalation -- Controls whether # the container can gain additional privileges, such as escalating to # root. It is recommended to leave this setting disabled in production. allowPrivilegeEscalation: false # coder.podSecurityContext -- Pod-level security context settings that apply # to all containers in the pod. This is useful for setting volume ownership # (fsGroup) when mounting secrets like TLS certificates. These settings are # applied at the pod level, while coder.securityContext applies at the # container level. Container-level settings take precedence over pod-level # settings for overlapping fields. This is opt-in and not set by default. # Common use case: Set fsGroup to ensure mounted secret volumes have correct # group ownership for the coder user to read certificate files. podSecurityContext: {} # Example configuration for certificate mounting: # podSecurityContext: # # Sets group ownership of mounted volumes (e.g., for certificate secrets) # fsGroup: 1000 # # Additional pod-level security settings (optional) # runAsUser: 1000 # runAsGroup: 1000 # runAsNonRoot: true # supplementalGroups: [4000] # seccompProfile: # type: RuntimeDefault # # Note: Avoid conflicts with container-level securityContext settings # # Container-level settings take precedence over pod-level settings # # IMPORTANT: OpenShift Compatibility # On OpenShift, Security Context Constraints (SCCs) may restrict or override # these values. If you encounter pod creation failures: # 1. Check your namespace's assigned SCC with: oc describe scc # 2. Ensure runAsUser/fsGroup values are within allowed UID/GID ranges # 3. Consider using 'anyuid' SCC for more flexibility, or # 4. Omit runAsUser/runAsGroup and only set fsGroup for volume ownership # 5. OpenShift may automatically assign compatible values if left unset # coder.volumes -- A list of extra volumes to add to the Coder pod. volumes: [] # - name: "my-volume" # emptyDir: {} # coder.volumeMounts -- A list of extra volume mounts to add to the Coder pod. volumeMounts: [] # - name: "my-volume" # mountPath: "/mnt/my-volume" # coder.tls -- The TLS configuration for Coder. tls: # coder.tls.secretNames -- A list of TLS server certificate secrets to mount # into the Coder pod. The secrets should exist in the same namespace as the # Helm deployment and should be of type "kubernetes.io/tls". The secrets # will be automatically mounted into the pod if specified, and the correct # "CODER_TLS_*" environment variables will be set for you. # Note: If you encounter permission issues reading mounted certificates, # consider setting coder.podSecurityContext.fsGroup to match your container # user (typically 1000) to ensure proper file ownership. secretNames: [] # coder.replicaCount -- The number of Kubernetes deployment replicas. This # should only be increased if High Availability is enabled. # # This is an Enterprise feature. Contact sales@coder.com. replicaCount: 1 # coder.workspaceProxy -- Whether or not this deployment of Coder is a Coder # Workspace Proxy. Workspace Proxies reduce the latency between the user and # their workspace for web connections (workspace apps and web terminal) and # proxied connections from the CLI. Workspace Proxies are optional and only # recommended for geographically sparse teams. # # Make sure you set CODER_PRIMARY_ACCESS_URL and CODER_PROXY_SESSION_TOKEN in # the environment below. You can get a proxy token using the CLI: # coder wsproxy create \ # --name "proxy-name" \ # --display-name "Proxy Name" \ # --icon "/emojis/xyz.png" # # This is an Enterprise feature. Contact sales@coder.com # Docs: https://coder.com/docs/admin/workspace-proxies workspaceProxy: false # coder.lifecycle -- container lifecycle handlers for the Coder container, allowing # for lifecycle events such as postStart and preStop events # See: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ lifecycle: {} # postStart: # exec: # command: ["/bin/sh", "-c", "echo postStart"] # preStop: # exec: # command: ["/bin/sh","-c","echo preStart"] # coder.resources -- The resources to request for Coder. The below values are # defaults and can be overridden. resources: # limits: # cpu: 2000m # memory: 4096Mi # requests: # cpu: 2000m # memory: 4096Mi # coder.readinessProbe -- Readiness probe configuration for the Coder container. # See https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Probe # for default values. readinessProbe: # coder.readinessProbe.enabled -- Whether to enable the readiness probe. enabled: true # coder.readinessProbe.initialDelaySeconds -- Number of seconds after the container # has started before readiness probes are initiated. initialDelaySeconds: 0 # coder.readinessProbe.periodSeconds -- How often (in seconds) to perform the probe. # periodSeconds: 10 # coder.readinessProbe.timeoutSeconds -- Number of seconds after which the probe times out. # timeoutSeconds: 1 # coder.readinessProbe.successThreshold -- Minimum consecutive successes for the probe # to be considered successful after having failed. # successThreshold: 1 # coder.readinessProbe.failureThreshold -- Minimum consecutive failures for the probe # to be considered failed after having succeeded. # failureThreshold: 3 # coder.livenessProbe -- Liveness probe configuration for the Coder container. # See https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Probe # for default values. livenessProbe: # coder.livenessProbe.enabled -- Whether to enable the liveness probe. enabled: false # coder.livenessProbe.initialDelaySeconds -- Number of seconds after the container # has started before liveness probes are initiated. initialDelaySeconds: 0 # coder.livenessProbe.periodSeconds -- How often (in seconds) to perform the probe. # periodSeconds: 10 # coder.livenessProbe.timeoutSeconds -- Number of seconds after which the probe times out. # timeoutSeconds: 1 # coder.livenessProbe.successThreshold -- Minimum consecutive successes for the probe # to be considered successful after having failed. # successThreshold: 1 # coder.livenessProbe.failureThreshold -- Minimum consecutive failures for the probe # to be considered failed after having succeeded. # failureThreshold: 3 # coder.certs -- CA bundles to mount inside the Coder pod. certs: # coder.certs.secrets -- A list of CA bundle secrets to mount into the Coder # pod. The secrets should exist in the same namespace as the Helm # deployment. # # The given key in each secret is mounted at # `/etc/ssl/certs/{secret_name}.crt`. secrets: [] # - name: "my-ca-bundle" # key: "ca-bundle.crt" # coder.affinity -- Allows specifying an affinity rule for the `coder` deployment. # The default rule prefers to schedule coder pods on different # nodes, which is only applicable if coder.replicaCount is greater than 1. affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchExpressions: - key: app.kubernetes.io/instance operator: In values: - "coder" topologyKey: kubernetes.io/hostname weight: 1 topologySpreadConstraints: # - maxSkew: 1 # topologyKey: kubernetes.io/hostname # whenUnsatisfiable: DoNotSchedule # labelSelector: # matchLabels: # app.kubernetes.io/instance: coder # coder.tolerations -- Tolerations for tainted nodes. # See: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: [] # - key: "key" # operator: "Equal" # value: "value" # effect: "NoSchedule" # coder.nodeSelector -- Node labels for constraining coder pods to nodes. # See: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector nodeSelector: {} # kubernetes.io/os: linux # coder.service -- The Service object to expose for Coder. service: # coder.service.enable -- Whether to create the Service object. enable: true # coder.service.type -- The type of service to expose. See: # https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types type: LoadBalancer # coder.service.sessionAffinity -- Must be set to ClientIP or None # AWS ELB does not support session stickiness based on ClientIP, so you must set this to None. # The error message you might see: "Unsupported load balancer affinity: ClientIP" # https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity sessionAffinity: None # coder.service.externalTrafficPolicy -- The external traffic policy to use. # You may need to change this to "Local" to preserve the source IP address # in some situations. # https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip externalTrafficPolicy: Cluster # coder.service.loadBalancerIP -- The IP address of the LoadBalancer. If not # specified, a new IP will be generated each time the load balancer is # recreated. It is recommended to manually create a static IP address in # your cloud and specify it here in production to avoid accidental IP # address changes. loadBalancerIP: "" # coder.service.loadBalancerClass -- The class name of the LoadBalancer. See: # https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class loadBalancerClass: "" # coder.service.annotations -- The service annotations. See: # https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer annotations: {} # coder.service.httpNodePort -- Enabled if coder.service.type is set to # NodePort or LoadBalancer. If not set, Kubernetes will allocate a port from the default # range, 30000-32767. httpNodePort: "" # coder.service.httpsNodePort -- Enabled if coder.service.type is set to # NodePort or LoadBalancer. If not set, Kubernetes will allocate a port from the default # range, 30000-32767. httpsNodePort: "" # coder.ingress -- The Ingress object to expose for Coder. ingress: # coder.ingress.enable -- Whether to create the Ingress object. If using an # Ingress, we recommend not specifying coder.tls.secretNames as the Ingress # will handle TLS termination. enable: false # coder.ingress.className -- The name of the Ingress class to use. className: "" # coder.ingress.host -- The hostname to match on. # Be sure to also set CODER_ACCESS_URL within coder.env[] host: "" # coder.ingress.wildcardHost -- The wildcard hostname to match on. Should be # in the form "*.example.com" or "*-suffix.example.com". If you are using a # suffix after the wildcard, the suffix will be stripped from the created # ingress to ensure that it is a legal ingress host. Optional if not using # applications over subdomains. # Be sure to also set CODER_WILDCARD_ACCESS_URL within coder.env[] wildcardHost: "" # coder.ingress.annotations -- The ingress annotations. annotations: {} # coder.ingress.tls -- The TLS configuration to use for the Ingress. tls: # coder.ingress.tls.enable -- Whether to enable TLS on the Ingress. enable: false # coder.ingress.tls.secretName -- The name of the TLS secret to use. secretName: "" # coder.ingress.tls.wildcardSecretName -- The name of the TLS secret to # use for the wildcard host. wildcardSecretName: "" # coder.httproute -- The HTTPRoute object to expose for Coder. httproute: # coder.httproute.enable -- Whether to create the HTTPRoute object. If using a # Gateway, we recommend not specifying coder.tls.secretNames as the Gateway # will handle TLS termination. enable: false # coder.httproute.parentRefs -- the parentRefs to bind the route to # - name: my-gw # namespace: gateway-namespace # # sectionName is optional to fix to a specific listener # sectionName: listener-name parentRefs: [] # coder.httproute.host -- The hostname to match on. # Be sure to also set CODER_ACCESS_URL within coder.env[] host: "" # coder.httproute.wildcardHost -- The wildcard hostname to match on. Should be # in the form "*.example.com" or "*-suffix.example.com". If you are using a # suffix after the wildcard, the suffix will be stripped from the created # ingress to ensure that it is a legal ingress host. Optional if not using # applications over subdomains. # Be sure to also set CODER_WILDCARD_ACCESS_URL within coder.env[] wildcardHost: "" # coder.httproute.annotations -- The HTTPRoute annotations. annotations: {} # coder.command -- The command to use when running the Coder container. Used # for customizing the location of the `coder` binary in your image. command: - /opt/coder # coder.commandArgs -- Set arguments for the entrypoint command of the Coder pod. commandArgs: [] # provisionerDaemon -- Configuration for external provisioner daemons. # # This is an Enterprise feature. Contact sales@coder.com. provisionerDaemon: # provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the # Pre-Shared Key (PSK) to use to authenticate external provisioner daemons with Coder. The # secret must be in the same namespace as the Helm deployment, and contain an item called "psk" # which contains the pre-shared key. pskSecretName: "" # extraTemplates -- Array of extra objects to deploy with the release. Strings # are evaluated as a template and can use template expansions and functions. All # other objects are used as yaml. extraTemplates: #- | # apiVersion: v1 # kind: ConfigMap # metadata: # name: my-configmap # data: # key: {{ .Values.myCustomValue | quote }}