feat(helm): add pod securityContext and enhanced probe configuration #19013


Open: wants to merge 1 commit into base: main

Conversation

blink-so[bot]
Contributor

@blink-so blink-so bot commented Jul 23, 2025

Summary

This PR adds two critical security and operational enhancements to the Coder Helm chart:

1. Pod-level securityContext Support

Adds coder.podSecurityContext configuration to enable pod-level security settings, particularly fsGroup for proper file permissions when mounting TLS certificates.

Use Case: Essential for mTLS PostgreSQL deployments where the Coder container (running as user 1000) needs to read mounted TLS certificates.

Example Configuration:

coder:
  podSecurityContext:
    fsGroup: 1000  # Ensures coder user can read mounted TLS certs
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000

2. Enhanced Probe Configuration

Extends readiness and liveness probe configuration beyond just initialDelaySeconds to include all standard Kubernetes probe options:

  • periodSeconds: How often to perform the probe
  • timeoutSeconds: Probe timeout duration
  • successThreshold: Required consecutive successes
  • failureThreshold: Allowed consecutive failures

Example Configuration:

coder:
  readinessProbe:
    initialDelaySeconds: 0
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
  livenessProbe:
    initialDelaySeconds: 30
    periodSeconds: 30
    timeoutSeconds: 10
    failureThreshold: 3

Changes Made

  • helm/libcoder/templates/_coder.yaml: Added pod-level securityContext support
  • helm/coder/values.yaml: Added podSecurityContext configuration with comprehensive documentation and mTLS examples
  • helm/coder/templates/_coder.tpl: Enhanced probe configurations with all standard options
  • helm/coder/values.yaml: Added enhanced probe configuration options with detailed documentation

Backward Compatibility

Fully backward compatible - all new configurations are optional and use Helm's with conditionals.

Testing

This addresses the specific security requirements mentioned for mTLS PostgreSQL deployments where:

  1. TLS certificates are mounted with defaultMode: 0640
  2. Pod fsGroup: 1000 is required for the coder user to read the certificates
  3. Enhanced probe configuration provides better operational control

Related Issues

Fixes security requirements for mTLS PostgreSQL deployments and enhanced probe configuration requests.


Requested by: @Michael-Patterson for CoreWeave managed PostgreSQL mTLS deployment
Priority: High - blocking secure database connections
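To make the two points in the description concrete, here is an added example (not code from the Coder Helm chart or from this PR): a small Python model of what the chart's optional blocks turn into. It reproduces the effect of Helm `with` conditionals (a block is emitted only when the value is set), applies the probe constraints the Kubernetes API server enforces (periodSeconds, timeoutSeconds, successThreshold and failureThreshold must be at least 1, and a liveness probe's successThreshold must be exactly 1), and shows why `fsGroup` is what lets a non-root container read a certificate mounted with `defaultMode: 0640`: secret volume files are root-owned, and when `fsGroup` is set the kubelet gives them that group and adds it to the container's supplementary groups. The `/healthz` endpoint, the `coder` container name and the default gid of 1000 are assumptions for the example, not values taken from the chart.

```python
"""Model of the PR's optional pod securityContext and probe settings.

Added example, not the Coder chart's own templates. The values dict below is
constructed to mirror the example configuration in the PR description.
"""
import stat

# Constructed values, mirroring the PR description's examples.
VALUES = {
    "coder": {
        "podSecurityContext": {
            "fsGroup": 1000, "runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000,
        },
        "readinessProbe": {
            "initialDelaySeconds": 0, "periodSeconds": 10, "timeoutSeconds": 5, "failureThreshold": 3,
        },
        "livenessProbe": {
            "initialDelaySeconds": 30, "periodSeconds": 30, "timeoutSeconds": 10, "failureThreshold": 3,
        },
    }
}

# The standard probe timing fields the PR exposes.
PROBE_KEYS = ("initialDelaySeconds", "periodSeconds", "timeoutSeconds",
              "successThreshold", "failureThreshold")


def probe_errors(kind, cfg):
    """Return the validation errors the Kubernetes API server would raise for this probe."""
    errors = []
    for key in ("periodSeconds", "timeoutSeconds", "successThreshold", "failureThreshold"):
        if key in cfg and cfg[key] < 1:
            errors.append(f"{kind}: {key} must be >= 1")
    if kind == "livenessProbe" and cfg.get("successThreshold", 1) != 1:
        errors.append(f"{kind}: successThreshold must be 1")
    return errors


def render_probe(kind, cfg):
    """Emit the probe block as the template would: only keys that are set appear."""
    errors = probe_errors(kind, cfg)
    if errors:
        raise ValueError("; ".join(errors))
    probe = {"httpGet": {"path": "/healthz", "port": "http"}}  # assumed endpoint (hypothetical)
    for key in PROBE_KEYS:
        if key in cfg:
            probe[key] = cfg[key]
    return probe


def render_pod_spec(values):
    """Build the pod spec fragment; each optional block is omitted when unset, like Helm `with`."""
    coder = values.get("coder", {})
    container = {"name": "coder"}  # assumed container name
    spec = {"containers": [container]}
    if coder.get("podSecurityContext"):
        spec["securityContext"] = dict(coder["podSecurityContext"])
    for kind in ("readinessProbe", "livenessProbe"):
        if coder.get(kind):
            container[kind] = render_probe(kind, coder[kind])
    return spec


def can_read(mode, file_uid, file_gid, uid, gid, supplementary=()):
    """POSIX read check: owner bits if the uid matches, else group bits if any group
    matches (primary or supplementary), else the 'other' bits. uid 0 bypasses DAC."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == file_gid or file_gid in supplementary:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def cert_readable(pod_spec, default_mode=0o640, uid=1000):
    """Can the container process read a secret-volume file mounted with default_mode?

    Secret volume files are owned by root. When fsGroup is set, the kubelet applies that
    group to the volume's files and adds it to the process's supplementary groups.
    """
    sc = pod_spec.get("securityContext", {})
    fs_group = sc.get("fsGroup")
    file_gid = fs_group if fs_group is not None else 0
    supplementary = (fs_group,) if fs_group is not None else ()
    gid = sc.get("runAsGroup", 1000)  # assumed default gid of the coder user
    return can_read(default_mode, 0, file_gid, uid, gid, supplementary)


if __name__ == "__main__":
    spec = render_pod_spec(VALUES)
    print("with fsGroup, cert readable:", cert_readable(spec))
    print("without podSecurityContext, cert readable:", cert_readable(render_pod_spec({"coder": {}})))
    print("liveness successThreshold=3 errors:", probe_errors("livenessProbe", {"successThreshold": 3}))
```

Running it prints that the certificate is readable only in the `fsGroup: 1000` case; with no pod securityContext the file is `root:root` mode 0640 and user 1000 falls through to the empty "other" bits. The probe validator is the check worth keeping in CI when exposing these fields through values, since a liveness probe with `successThreshold: 3` is rejected by the API server at apply time, not by `helm template`.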

This commit adds two important security and operational enhancements to the Coder Helm chart:

1. **Pod-level securityContext support**: Adds  configuration
   to allow setting pod-level security settings like . This is essential for
   proper file permissions when mounting TLS certificates for mTLS PostgreSQL connections.

   Example usage for mTLS PostgreSQL:

2. **Enhanced probe configuration**: Extends readiness and liveness probe configuration
   beyond just  to include:
   - : How often to perform the probe
   - : Probe timeout duration
   - : Required consecutive successes
   - : Allowed consecutive failures

   This provides fine-grained control over probe behavior for production deployments.

These changes maintain backward compatibility while enabling secure mTLS database
connections and better operational control over health checking.

Fixes: Security requirements for mTLS PostgreSQL deployments
Closes: Enhanced probe configuration request

Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


Blink AI seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@michaelvp411
Contributor

michaelvp411 commented Jul 23, 2025

Didn't need a PR, just looking at blink's output. Will raise an issue for this.
