
helm: add certs secret mount #4641





Merged
merged 15 commits into from
Dec 7, 2022
8 changes: 3 additions & 5 deletions helm/templates/NOTES.txt
@@ -1,8 +1,6 @@
{{- if .Values.coder.tls.secretName }}

WARN: coder.tls.secretName is deprecated and will be removed in a future
release. Please use coder.tls.secretNames instead.
{{- end }}
{{/*
Deprecation notices:
*/}}

Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run
into any problems! :)
70 changes: 42 additions & 28 deletions helm/templates/_helpers.tpl
Expand Up @@ -46,7 +46,7 @@ Coder Docker image URI
Coder listen port (must be > 1024)
*/}}
{{- define "coder.port" }}
{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName -}}
{{- if .Values.coder.tls.secretNames -}}
8443
{{- else -}}
8080
Expand All @@ -57,7 +57,7 @@ Coder listen port (must be > 1024)
Coder service port
*/}}
{{- define "coder.servicePort" }}
{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName -}}
{{- if .Values.coder.tls.secretNames -}}
443
{{- else -}}
80
Expand All @@ -68,7 +68,7 @@ Coder service port
Port name
*/}}
{{- define "coder.portName" }}
{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName -}}
{{- if .Values.coder.tls.secretNames -}}
https
{{- else -}}
http
Expand All @@ -85,56 +85,71 @@ Scheme
{{/*
Coder volume definitions.
*/}}
{{- define "coder.volumes" }}
{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName }}
volumes:
{{- define "coder.volumeList" }}
{{ range $secretName := .Values.coder.tls.secretNames -}}
- name: "tls-{{ $secretName }}"
secret:
secretName: {{ $secretName | quote }}
{{ end -}}
{{- if .Values.coder.tls.secretName -}}
- name: "tls-{{ .Values.coder.tls.secretName }}"
{{ range $secret := .Values.coder.certs.secrets -}}
- name: "ca-cert-{{ $secret.name }}"
secret:
secretName: {{ .Values.coder.tls.secretName | quote }}
{{- end }}
{{- else }}
volumes: {{ if and (not .Values.coder.tls.secretNames) (not .Values.coder.tls.secretName) }}[]{{ end }}
secretName: {{ $secret.name | quote }}
{{ end -}}
{{- end }}

{{/*
Coder volumes yaml.
*/}}
{{- define "coder.volumes" }}
{{- if trim (include "coder.volumeList" .) -}}
volumes:
{{- include "coder.volumeList" . -}}
{{- else -}}
volumes: []
{{- end -}}
{{- end }}

{{/*
Coder volume mounts.
*/}}
{{- define "coder.volumeMounts" }}
{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName }}
volumeMounts:
{{- define "coder.volumeMountList" }}
{{ range $secretName := .Values.coder.tls.secretNames -}}
- name: "tls-{{ $secretName }}"
mountPath: "/etc/ssl/certs/coder/{{ $secretName }}"
readOnly: true
{{ end }}
{{- if .Values.coder.tls.secretName -}}
- name: "tls-{{ .Values.coder.tls.secretName }}"
mountPath: "/etc/ssl/certs/coder/{{ .Values.coder.tls.secretName }}"
{{ end -}}
{{ range $secret := .Values.coder.certs.secrets -}}
- name: "ca-cert-{{ $secret.name }}"
mountPath: "/etc/ssl/certs/{{ $secret.name }}.crt"
subPath: {{ $secret.key | quote }}
readOnly: true
{{ end -}}
{{- end }}
{{- else }}

{{/*
Coder volume mounts yaml.
*/}}
{{- define "coder.volumeMounts" }}
{{- if trim (include "coder.volumeMountList" .) -}}
volumeMounts:
{{- include "coder.volumeMountList" . -}}
{{- else -}}
volumeMounts: []
{{- end }}
{{- end -}}
{{- end }}

{{/*
Coder TLS environment variables.
*/}}
{{- define "coder.tlsEnv" }}
{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName }}
{{- if .Values.coder.tls.secretNames }}
- name: CODER_TLS_ENABLE
value: "true"
- name: CODER_TLS_CERT_FILE
value: "{{ range $idx, $secretName := .Values.coder.tls.secretNames -}}{{ if $idx }},{{ end }}/etc/ssl/certs/coder/{{ $secretName }}/tls.crt{{- end }}{{ if .Values.coder.tls.secretName -}}/etc/ssl/certs/coder/{{ .Values.coder.tls.secretName }}/tls.crt{{- end }}"
value: "{{ range $idx, $secretName := .Values.coder.tls.secretNames -}}{{ if $idx }},{{ end }}/etc/ssl/certs/coder/{{ $secretName }}/tls.crt{{- end }}"
- name: CODER_TLS_KEY_FILE
value: "{{ range $idx, $secretName := .Values.coder.tls.secretNames -}}{{ if $idx }},{{ end }}/etc/ssl/certs/coder/{{ $secretName }}/tls.key{{- end }}{{ if .Values.coder.tls.secretName -}}/etc/ssl/certs/coder/{{ .Values.coder.tls.secretName }}/tls.key{{- end }}"
value: "{{ range $idx, $secretName := .Values.coder.tls.secretNames -}}{{ if $idx }},{{ end }}/etc/ssl/certs/coder/{{ $secretName }}/tls.key{{- end }}"
{{- end }}
{{- end }}

Expand Down Expand Up @@ -162,10 +177,9 @@ included at the top of coder.yaml.
*/}}
{{- define "coder.verifyDeprecated" }}
{{/*
Deprecated value coder.tls.secretName should not be used alongside new value
coder.tls.secretName.
Deprecated value coder.tls.secretName must not be used.
*/}}
{{- if and .Values.coder.tls.secretName .Values.coder.tls.secretNames }}
{{ fail "You must specify either coder.tls.secretName or coder.tls.secretNames, not both." }}
{{- if .Values.coder.tls.secretName }}
{{ fail "coder.tls.secretName is deprecated, use coder.tls.secretNames instead." }}
{{- end }}
{{- end }}
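Review bot: In `coder.volumeMountList` the CA entry renders `subPath: {{ $secret.key | quote }}`, and when a list item omits `key` that value comes out empty, so the whole secret is mounted as a directory at the `.crt` path rather than as a single file; `subPath: {{ required "coder.certs.secrets[].key is required" $secret.key | quote }}` would turn that into a render-time error instead. Because the file is a subPath mount, Kubernetes does not propagate later changes to the secret into a running container, so rotating a CA bundle needs a pod rollout — worth a template comment above the `range $secret := .Values.coder.certs.secrets` line, e.g. `{{/* subPath mounts are not refreshed when the secret changes; roll the pods after rotating a bundle */}}`. The volume name `ca-cert-{{ $secret.name }}` must also be a DNS label, while a secret name may contain dots or exceed 63 characters, so a valid secret name can still produce a deployment that fails validation (the pre-existing `tls-` volumes share this pattern). The same `range` appears in `coder.volumeList` and would need the same treatment.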
17 changes: 13 additions & 4 deletions helm/values.yaml
Expand Up @@ -17,7 +17,7 @@ coder:
# coder.image.pullPolicy -- The pull policy to use for the image. See:
# https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
pullPolicy: IfNotPresent
# coder.image.pullSecret -- The secret used for pulling the Coder image from
# coder.image.pullSecrets -- The secrets used for pulling the Coder image from
# a private registry.
pullSecrets: []
# - name: "pull-secret"
Expand Down Expand Up @@ -60,9 +60,6 @@ coder:
# will be automatically mounted into the pod if specified, and the correct
# "CODER_TLS_*" environment variables will be set for you.
secretNames: []
# coder.tls.secretName -- Deprecated. Use `coder.tls.secretNames` instead.
# This will be removed in a future release.
# secretName: ""

# coder.resources -- The resources to request for Coder. These are optional
# and are not set by default.
Expand All @@ -74,6 +71,18 @@ coder:
# cpu: 100m
# memory: 128Mi

# coder.certs -- CA bundles to mount inside the Coder pod.
certs:
# coder.certs.secrets -- A list of CA bundle secrets to mount into the Coder
# pod. The secrets should exist in the same namespace as the Helm
# deployment.
#
# The given key in each secret is mounted at
# `/etc/ssl/certs/{secret_name}.crt`.
secrets: []
# - name: "my-ca-bundle"
# key: "ca-bundle.crt"

# coder.affinity -- Allows specifying an affinity rule for the `coder` deployment.
# The default rule prefers to schedule coder pods on different
# nodes, which is only applicable if coder.replicaCount is greater than 1.
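Review bot: The new `coder.certs.secrets` comment (the `# coder.certs.secrets --` lines) does not say that `key` is mandatory or what its content must be, even though the template mounts exactly that one key as a file; the comment should add `# Each entry needs both name and key: key is the entry in the secret that holds the CA bundle, and it is mounted as a single file.` It would also help operators to state that, because the file is mounted via subPath, edits to the secret are not picked up by running pods and a rollout is required after rotating a bundle. Whether the bundle must be PEM is an inference from the `.crt` mount path and should be confirmed against what the server loads before being written into the comment.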