progress

deansheather · deansheather · commit fba27bc4569d · 2022-07-22T15:24:34.000Z
diff --git a/Dockerfile b/Dockerfile
@@ -14,4 +14,9 @@ LABEL \
 # The coder binary is injected by scripts/build_docker.sh.
 ADD coder /opt/coder
 
+# Create coder group and user.
+RUN addgroup -g 1000 coder &&
+	adduser -D -g "" -h /home/coder -G coder -u 1000 coder
+USER coder:coder
+
 ENTRYPOINT [ "/opt/coder", "server" ]
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -3,7 +3,8 @@ name: coder
 description: Remote development environments on your infrastructure.
 home: https://github.com/coder/coder
 
-# version and appVersion are injected at release.
+# version and appVersion are injected at release and will always be shown as
+# 0.1.0 in the repository.
 type: application
 version: "0.1.0"
 appVersion: "0.1.0"
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
@@ -12,6 +12,14 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Selector labels
+*/}}
+{{- define "coder.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "coder.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
 {{/*
 Common labels
 */}}
@@ -23,11 +31,3 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "coder.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "coder.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
@@ -5,7 +5,10 @@ metadata:
   labels:
     {{- include "coder.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.coder.replicaCount }}
+  # NOTE: this is currently not used as coder v2 does not support high
+  #       availability yet.
+  # replicas: {{ .Values.coder.replicaCount }}
+  replicas: 1
   selector:
     matchLabels:
       {{- include "coder.selectorLabels" . | nindent 6 }}
@@ -15,36 +18,45 @@ spec:
         {{- include "coder.selectorLabels" . | nindent 8 }}
     spec:
       restartPolicy: Always
-      terminationGracePeriodSeconds: 300
+      terminationGracePeriodSeconds: 60
       containers:
         - name: coder
-          image: "{{ .Values.coder.image.repo }}:{{ .Values.coder.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.coder.image.repo }}:{{ .Values.coder.image.tag | default (printf "v%v" .Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.coder.image.pullPolicy }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           env:
-            - name: CODER_ADDRESS
-              value: "0.0.0.0:80"
             {{- if .Values.coder.tls.secretName }}
+            - name: CODER_ADDRESS
+              value: "0.0.0.0:443"
             - name: CODER_TLS_ENABLE
               value: "true"
             - name: CODER_TLS_CERT_FILE
               value: /etc/ssl/certs/coder/tls.crt
             - name: CODER_TLS_KEY_FILE
               value: /etc/ssl/certs/coder/tls.key
+            {{- else }}
+            - name: CODER_ADDRESS
+              value: "0.0.0.0:80"
             {{- end }}
             {{- with .Values.coder.env -}}
             {{ toYaml . | nindent 12 }}
             {{- end }}
           ports:
+            {{- if .Values.coder.tls.secretName }}
+            - name: https
+              containerPort: 443
+              protocol: TCP
+            {{- else }}
             - name: http
               containerPort: 80
               protocol: TCP
+            {{- end }}
           readinessProbe:
             httpGet:
-              path: /
+              path: /api/v2/buildinfo
               port: http
           livenessProbe:
             httpGet:
-              path: /
+              path: /api/v2/buildinfo
               port: http
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
@@ -1,3 +1,5 @@
+{{- if .Values.coder.service.enable }}
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -7,13 +9,17 @@ metadata:
 spec:
   type: {{ .Values.coder.service.type }}
   ports:
-    - name: http
-      port: 80
-      targetPort: http
-      protocol: TCP
+    {{- if .Values.coder.tls.secretName }}
     - name: https
       port: 443
       targetPort: https
       protocol: TCP
+    {{- else }}
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+    {{- end }}
   selector:
     {{- include "coder.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -1,28 +1,68 @@
 # coder -- Primary configuration for `coder server`.
 coder:
-  # coder.replicaCount -- The number of Kubernetes deployment replicas.
-  replicaCount: 1
+  # NOTE: this is currently not used as coder v2 does not support high
+  #       availability yet.
+  # # coder.replicaCount -- The number of Kubernetes deployment replicas.
+  # replicaCount: 1
 
   # coder.image -- The image to use for Coder.
   image:
     # coder.image.repo -- The repository of the image.
     repo: "ghcr.io/coder/coder"
-    # coder.image.tag -- The tag of the image, defaults to the same version as
-    # the chart.
-    tag: "{{.Release.Version}}"
+    # coder.image.tag -- The tag of the image, defaults to {{.Chart.AppVersion}}
+    # if not set.
+    tag: ""
     # coder.image.pullPolicy -- The pull policy to use for the image. See:
     # https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
     pullPolicy: IfNotPresent
 
+  # coder.env -- The environment variables to set for Coder. These can be used
+  # to configure all aspects of `coder server`. Please see `coder server --help`
+  # for information about what environment variables can be set.
+  #
+  # Note: The following environment variables are set by default and cannot be
+  # overridden:
+  # - CODER_ADDRESS: set to 0.0.0.0:80 and cannot be changed.
+  # - CODER_TLS_ENABLE: set if tls.secretName is not empty.
+  # - CODER_TLS_CERT_FILE: set if tls.secretName is not empty.
+  # - CODER_TLS_KEY_FILE: set if tls.secretName is not empty.
+  env:
+    - name: CODER_ACCESS_URL
+      value: "https://coder.example.com"
+    #- name: CODER_PG_CONNECTION_URL
+    #  value: "postgres://coder:password@postgres:5432/coder?sslmode=disable"
+
+  # coder.tls -- The TLS configuration for Coder.
+  tls:
+    # coder.tls.secretName -- The name of the secret containing the TLS
+    # certificate. The secret should exist in the same namespace as the Helm
+    # deployment and should be of type "kubernetes.io/tls". The secret will be
+    # automatically mounted into the pod if specified, and the correct
+    # "CODER_TLS_*" environment variables will be set for you.
+    secretName: ""
+
+  # coder.resources -- The resources to request for Coder. These are optional
+  # and are not set by default.
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
   # coder.service -- The Service object to expose for Coder.
   service:
+    # coder.service.enable -- Whether to create the Service object.
+    enable: true
     # coder.service.type -- The type of service to expose. See:
     # https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
     type: LoadBalancer
     # coder.service.externalTrafficPolicy -- The external traffic policy to use.
-    # On AWS EKS you may need to change this to "Cluster". See:
+    # You may need to change this to "Local" to preserve the source IP address
+    # in some situations.
     # https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-    externalTrafficPolicy: Local
+    externalTrafficPolicy: Cluster
     # coder.service.loadBalancerIP -- The IP address of the LoadBalancer. If not
     # specified, a new IP will be generated each time the load balancer is
     # recreated. It is recommended to manually create a static IP address in
@@ -32,7 +72,7 @@ coder:
 
   # coder.ingress -- The Ingress object to expose for Coder.
   ingress:
-    # coder.ingress.enable -- Whether to enable the Ingress.
+    # coder.ingress.enable -- Whether to create the Ingress object.
     enable: false
     # coder.ingress.className -- The name of the Ingress class to use.
     className: ""
@@ -44,38 +84,3 @@ coder:
       enable: false
       # coder.ingress.tls.secretName -- The name of the TLS secret to use.
       secretName: ""
-
-  # coder.tls -- The TLS configuration for Coder.
-  tls:
-    # coder.tls.secretName -- The name of the secret containing the TLS
-    # certificate. The secret should exist in the same namespace as the Helm
-    # deployment and should be of type "kubernetes.io/tls". The secret will be
-    # automatically mounted into the pod if specified, and the correct
-    # "CODER_TLS_*" environment variables will be set for you.
-    secretName: ""
-
-  # coder.resources -- The resources to request for Coder. These are optional
-  # and are not set by default.
-  resources: {}
-    # limits:
-    #   cpu: 100m
-    #   memory: 128Mi
-    # requests:
-    #   cpu: 100m
-    #   memory: 128Mi
-
-  # coder.env -- The environment variables to set for Coder. These can be used
-  # to configure all aspects of `coder server`. Please see `coder server --help`
-  # for information about what environment variables can be set.
-  #
-  # Note: The following environment variables are set by default and cannot be
-  # overridden:
-  # - CODER_ADDRESS: set to 0.0.0.0:80 and cannot be changed.
-  # - CODER_TLS_ENABLE: set if tls.secretName is not empty.
-  # - CODER_TLS_CERT_FILE: set if tls.secretName is not empty.
-  # - CODER_TLS_KEY_FILE: set if tls.secretName is not empty.
-  env:
-    - name: CODER_ACCESS_URL
-      value: "https://coder.example.com"
-    - name: CODER_PG_CONNECTION_URL
-      value: "postgres://coder:password@postgres:5432/coder?sslmode=disable"
