diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
index 38b987acbd45b..18fc33c10d272 100644
--- a/helm/templates/NOTES.txt
+++ b/helm/templates/NOTES.txt
@@ -1,8 +1,6 @@ -{{- if .Values.coder.tls.secretName }} - -WARN: coder.tls.secretName is deprecated and will be removed in a future - release. Please use coder.tls.secretNames instead. -{{- end }} +{{/* +Deprecation notices: +*/}} Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run into any problems! :)
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
index b0b04baacbe20..681c54dcb6f60 100644
--- a/helm/templates/_helpers.tpl
+++ b/helm/templates/_helpers.tpl
@@ -46,7 +46,7 @@ Coder Docker image URI Coder listen port (must be > 1024) */}} {{- define "coder.port" }} -{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName -}} +{{- if .Values.coder.tls.secretNames -}} 8443 {{- else -}} 8080
@@ -57,7 +57,7 @@ Coder listen port (must be > 1024) Coder service port */}} {{- define "coder.servicePort" }} -{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName -}} +{{- if .Values.coder.tls.secretNames -}} 443 {{- else -}} 80
@@ -68,7 +68,7 @@ Coder service port Port name */}} {{- define "coder.portName" }} -{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName -}} +{{- if .Values.coder.tls.secretNames -}} https {{- else -}} http
@@ -85,56 +85,71 @@ Scheme {{/* Coder volume definitions. */}} -{{- define "coder.volumes" }} -{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName }} -volumes: +{{- define "coder.volumeList" }} {{ range $secretName := .Values.coder.tls.secretNames -}} - name: "tls-{{ $secretName }}" secret: secretName: {{ $secretName | quote }} {{ end -}} -{{- if .Values.coder.tls.secretName -}} -- name: "tls-{{ .Values.coder.tls.secretName }}" +{{ range $secret := .Values.coder.certs.secrets -}} +- name: "ca-cert-{{ $secret.name }}" secret: - secretName: {{ .Values.coder.tls.secretName | quote }} -{{- end }} -{{- else }} -volumes: {{ if and (not .Values.coder.tls.secretNames) (not .Values.coder.tls.secretName) }}[]{{ end }} + secretName: {{ $secret.name | quote }} +{{ end -}} {{- end }} + +{{/* +Coder volumes yaml. +*/}} +{{- define "coder.volumes" }} +{{- if trim (include "coder.volumeList" .) -}} +volumes: +{{- include "coder.volumeList" . -}} +{{- else -}} +volumes: [] +{{- end -}} {{- end }} {{/* Coder volume mounts. */}} -{{- define "coder.volumeMounts" }} -{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName }} -volumeMounts: +{{- define "coder.volumeMountList" }} {{ range $secretName := .Values.coder.tls.secretNames -}} - name: "tls-{{ $secretName }}" mountPath: "/etc/ssl/certs/coder/{{ $secretName }}" readOnly: true -{{ end }} -{{- if .Values.coder.tls.secretName -}} -- name: "tls-{{ .Values.coder.tls.secretName }}" - mountPath: "/etc/ssl/certs/coder/{{ .Values.coder.tls.secretName }}" +{{ end -}} +{{ range $secret := .Values.coder.certs.secrets -}} +- name: "ca-cert-{{ $secret.name }}" + mountPath: "/etc/ssl/certs/{{ $secret.name }}.crt" + subPath: {{ $secret.key | quote }} readOnly: true +{{ end -}} {{- end }} -{{- else }} + +{{/* +Coder volume mounts yaml. +*/}} +{{- define "coder.volumeMounts" }} +{{- if trim (include "coder.volumeMountList" .) -}} +volumeMounts: +{{- include "coder.volumeMountList" . 
-}} +{{- else -}} volumeMounts: [] -{{- end }} +{{- end -}} {{- end }} {{/* Coder TLS environment variables. */}} {{- define "coder.tlsEnv" }} -{{- if or .Values.coder.tls.secretNames .Values.coder.tls.secretName }} +{{- if .Values.coder.tls.secretNames }} - name: CODER_TLS_ENABLE value: "true" - name: CODER_TLS_CERT_FILE - value: "{{ range $idx, $secretName := .Values.coder.tls.secretNames -}}{{ if $idx }},{{ end }}/etc/ssl/certs/coder/{{ $secretName }}/tls.crt{{- end }}{{ if .Values.coder.tls.secretName -}}/etc/ssl/certs/coder/{{ .Values.coder.tls.secretName }}/tls.crt{{- end }}" + value: "{{ range $idx, $secretName := .Values.coder.tls.secretNames -}}{{ if $idx }},{{ end }}/etc/ssl/certs/coder/{{ $secretName }}/tls.crt{{- end }}" - name: CODER_TLS_KEY_FILE - value: "{{ range $idx, $secretName := .Values.coder.tls.secretNames -}}{{ if $idx }},{{ end }}/etc/ssl/certs/coder/{{ $secretName }}/tls.key{{- end }}{{ if .Values.coder.tls.secretName -}}/etc/ssl/certs/coder/{{ .Values.coder.tls.secretName }}/tls.key{{- end }}" + value: "{{ range $idx, $secretName := .Values.coder.tls.secretNames -}}{{ if $idx }},{{ end }}/etc/ssl/certs/coder/{{ $secretName }}/tls.key{{- end }}" {{- end }} {{- end }}
@@ -162,10 +177,9 @@ included at the top of coder.yaml. */}} {{- define "coder.verifyDeprecated" }} {{/* -Deprecated value coder.tls.secretName should not be used alongside new value -coder.tls.secretName. +Deprecated value coder.tls.secretName must not be used. */}} -{{- if and .Values.coder.tls.secretName .Values.coder.tls.secretNames }} -{{ fail "You must specify either coder.tls.secretName or coder.tls.secretNames, not both." }} +{{- if .Values.coder.tls.secretName }} +{{ fail "coder.tls.secretName is deprecated, use coder.tls.secretNames instead." }} {{- end }} {{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
index abbb98875be13..48db441fe1ab5 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
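Review bot: In the new `coder.volumeMountList`, an entry of `.Values.coder.certs.secrets` that omits `key` renders an empty `subPath`, which Kubernetes treats as no subPath at all, so the whole Secret is mounted as a directory at `/etc/ssl/certs/<name>.crt` instead of a single bundle file; prefer `subPath: {{ required "coder.certs.secrets[].key is required" $secret.key | quote }}` and the same `required` guard on `$secret.name` where the volume name is built. Because these are subPath mounts, a rotated CA bundle written to the Secret is not propagated to a running pod, so a short comment on the mount, `{{/* subPath mount: Secret updates need a pod restart */}}`, would save an operator a debugging session. As a point of style, the `trim (include ...)` wrappers in `coder.volumes` and `coder.volumeMounts` render each list twice; capturing it once with `{{- $list := include "coder.volumeList" . }}` and testing `trim $list` reads more clearly and avoids re-evaluating the range.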
@@ -17,7 +17,7 @@ coder: # coder.image.pullPolicy -- The pull policy to use for the image. See: # https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy pullPolicy: IfNotPresent - # coder.image.pullSecret -- The secret used for pulling the Coder image from + # coder.image.pullSecrets -- The secrets used for pulling the Coder image from # a private registry. pullSecrets: [] # - name: "pull-secret"
@@ -60,9 +60,6 @@ coder: # will be automatically mounted into the pod if specified, and the correct # "CODER_TLS_*" environment variables will be set for you. secretNames: [] - # coder.tls.secretName -- Deprecated. Use `coder.tls.secretNames` instead. - # This will be removed in a future release. - # secretName: "" # coder.resources -- The resources to request for Coder. These are optional # and are not set by default.
@@ -74,6 +71,18 @@ coder: # cpu: 100m # memory: 128Mi + # coder.certs -- CA bundles to mount inside the Coder pod. + certs: + # coder.certs.secrets -- A list of CA bundle secrets to mount into the Coder + # pod. The secrets should exist in the same namespace as the Helm + # deployment. + # + # The given key in each secret is mounted at + # `/etc/ssl/certs/{secret_name}.crt`. + secrets: [] + # - name: "my-ca-bundle" + # key: "ca-bundle.crt" + # coder.affinity -- Allows specifying an affinity rule for the `coder` deployment. # The default rule prefers to schedule coder pods on different # nodes, which is only applicable if coder.replicaCount is greater than 1.
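Review bot: The new `coder.certs.secrets` comment in the `@@ -74` hunk does not say that both `name` and `key` are required, nor that the key is mounted via subPath, which matters because an omitted `key` yields a directory rather than a file at the `.crt` path and a subPath mount does not pick up later changes to the Secret. Suggest extending the comment after the mount-path sentence with `# Both "name" and "key" are required. The key is mounted via subPath, so` / `# updates to the Secret are not propagated to running pods; roll the` / `# deployment after rotating a CA bundle.` Since the file lands in `/etc/ssl/certs`, the container's system trust directory, it is also worth one sentence noting that whoever can write these Secrets effectively controls what the Coder pod trusts, so their RBAC deserves the same care as the TLS secrets.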