feat(helm): add pod securityContext and enhanced probe configuration

Blink AI · kylecarbs · Blink AI · commit 23f61287ab78 · 2025-07-23T16:03:35.000Z
This commit adds two important security and operational enhancements to the Coder Helm chart:

1. **Pod-level securityContext support**: Adds  configuration
   to allow setting pod-level security settings like . This is essential for
   proper file permissions when mounting TLS certificates for mTLS PostgreSQL connections.

   Example usage for mTLS PostgreSQL:

2. **Enhanced probe configuration**: Extends readiness and liveness probe configuration
   beyond just  to include:
   - : How often to perform the probe
   - : Probe timeout duration
   - : Required consecutive successes
   - : Allowed consecutive failures

   This provides fine-grained control over probe behavior for production deployments.

These changes maintain backward compatibility while enabling secure mTLS database
connections and better operational control over health checking.

Fixes: Security requirements for mTLS PostgreSQL deployments
Closes: Enhanced probe configuration request

Co-authored-by: kylecarbs &lt;7122116+kylecarbs@users.noreply.github.com&gt;
diff --git a/helm/coder/templates/_coder.tpl b/helm/coder/templates/_coder.tpl
@@ -101,10 +101,34 @@ readinessProbe:
     port: "http"
     scheme: "HTTP"
   initialDelaySeconds: {{ .Values.coder.readinessProbe.initialDelaySeconds }}
+  {{- with .Values.coder.readinessProbe.periodSeconds }}
+  periodSeconds: {{ . }}
+  {{- end }}
+  {{- with .Values.coder.readinessProbe.timeoutSeconds }}
+  timeoutSeconds: {{ . }}
+  {{- end }}
+  {{- with .Values.coder.readinessProbe.successThreshold }}
+  successThreshold: {{ . }}
+  {{- end }}
+  {{- with .Values.coder.readinessProbe.failureThreshold }}
+  failureThreshold: {{ . }}
+  {{- end }}
 livenessProbe:
   httpGet:
     path: /healthz
     port: "http"
     scheme: "HTTP"
   initialDelaySeconds: {{ .Values.coder.livenessProbe.initialDelaySeconds }}
+  {{- with .Values.coder.livenessProbe.periodSeconds }}
+  periodSeconds: {{ . }}
+  {{- end }}
+  {{- with .Values.coder.livenessProbe.timeoutSeconds }}
+  timeoutSeconds: {{ . }}
+  {{- end }}
+  {{- with .Values.coder.livenessProbe.successThreshold }}
+  successThreshold: {{ . }}
+  {{- end }}
+  {{- with .Values.coder.livenessProbe.failureThreshold }}
+  failureThreshold: {{ . }}
+  {{- end }}
 {{- end }}
diff --git a/helm/coder/values.yaml b/helm/coder/values.yaml
@@ -116,6 +116,33 @@ coder:
     # coder.serviceAccount.disableCreate -- Whether to create the service account or use existing service account.
     disableCreate: false
 
+  # coder.podSecurityContext -- Fields related to the pod's security context.
+  # This is useful for setting fsGroup to ensure proper file permissions for
+  # mounted volumes (e.g., for mTLS certificates). See:
+  # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#podsecuritycontext-v1-core
+  #
+  # Example for mTLS PostgreSQL with mounted certificates:
+  # podSecurityContext:
+  #   fsGroup: 1000  # Ensures coder user (1000) can read mounted TLS certs
+  #   runAsNonRoot: true
+  #   runAsUser: 1000
+  #   runAsGroup: 1000
+  #
+  # When mounting TLS certificates for PostgreSQL mTLS, you should also set
+  # the volume defaultMode to 0640:
+  # volumes:
+  # - name: postgres-certs
+  #   secret:
+  #     secretName: postgres-tls-certs
+  #     defaultMode: 0640
+  podSecurityContext: {}
+    # fsGroup: 1000
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # seccompProfile:
+    #   type: RuntimeDefault
+
   # coder.securityContext -- Fields related to the container's security
   # context (as opposed to the pod). Some fields are also present in the pod
   # security context, in which case these values will take precedence.
@@ -211,12 +238,36 @@ coder:
     # coder.readinessProbe.initialDelaySeconds -- Number of seconds after the container
     # has started before readiness probes are initiated.
     initialDelaySeconds: 0
+    # coder.readinessProbe.periodSeconds -- How often (in seconds) to perform the probe.
+    # Default to 10 seconds. Minimum value is 1.
+    # periodSeconds: 10
+    # coder.readinessProbe.timeoutSeconds -- Number of seconds after which the probe times out.
+    # Defaults to 1 second. Minimum value is 1.
+    # timeoutSeconds: 1
+    # coder.readinessProbe.successThreshold -- Minimum consecutive successes for the probe
+    # to be considered successful after having failed. Defaults to 1.
+    # successThreshold: 1
+    # coder.readinessProbe.failureThreshold -- When a probe fails, Kubernetes will
+    # try failureThreshold times before giving up. Defaults to 3.
+    # failureThreshold: 3
 
   # coder.livenessProbe -- Liveness probe configuration for the Coder container.
   livenessProbe:
     # coder.livenessProbe.initialDelaySeconds -- Number of seconds after the container
     # has started before liveness probes are initiated.
     initialDelaySeconds: 0
+    # coder.livenessProbe.periodSeconds -- How often (in seconds) to perform the probe.
+    # Default to 10 seconds. Minimum value is 1.
+    # periodSeconds: 10
+    # coder.livenessProbe.timeoutSeconds -- Number of seconds after which the probe times out.
+    # Defaults to 1 second. Minimum value is 1.
+    # timeoutSeconds: 1
+    # coder.livenessProbe.successThreshold -- Minimum consecutive successes for the probe
+    # to be considered successful after having failed. Defaults to 1. Must be 1 for liveness.
+    # successThreshold: 1
+    # coder.livenessProbe.failureThreshold -- When a probe fails, Kubernetes will
+    # try failureThreshold times before giving up. Defaults to 3.
+    # failureThreshold: 3
 
   # coder.certs -- CA bundles to mount inside the Coder pod.
   certs:
diff --git a/helm/libcoder/templates/_coder.yaml b/helm/libcoder/templates/_coder.yaml
@@ -48,6 +48,10 @@ spec:
       topologySpreadConstraints:
       {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.coder.podSecurityContext }}
+      securityContext:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.coder.initContainers }}
       initContainers:
       {{ toYaml . | nindent 8 }}
