Merge branch '22-update-coder-helm-chart-to-1-36-1' into 'main'

Update Coder Helm chart to 1.36.1

Closes #22

See merge request platform-one/big-bang/apps/developer-tools/coder!39

CHANGELOG.md

 # Changelog
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.36.1] - 2022-11-18
+### Changed
+- Upgrade Coder from 1.35.1 to 1.36.1
+
 ## [1.35.1] - 2022-10-19
 ### Changed
 - Upgrade Coder from 1.34.0 to 1.35.1

README.md

 # coder
 
-![Version: 1.35.1](https://img.shields.io/badge/Version-1.35.1-informational?style=flat-square) ![AppVersion: 1.35.1](https://img.shields.io/badge/AppVersion-1.35.1-informational?style=flat-square)
+![Version: 1.36.1](https://img.shields.io/badge/Version-1.36.1-informational?style=flat-square) ![AppVersion: 1.36.1](https://img.shields.io/badge/AppVersion-1.36.1-informational?style=flat-square)
 
 Coder moves developer workspaces to your cloud and centralizes their creation and management.
 
@@ -37,9 +37,10 @@ helm install coder chart/
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| coderd | object | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"alternateHostnames":[],"annotations":{},"builtinProviderServiceAccount":{"annotations":{},"labels":{},"migrate":true},"clientTLS":{"secretName":""},"devurlsHost":"","extraEnvs":[],"extraLabels":{},"image":"registry1.dso.mil/ironbank/coder/coder-enterprise/coder-service:1.35.1","liveness":{"failureThreshold":30,"initialDelaySeconds":30,"periodSeconds":10,"timeoutSeconds":3},"networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"readiness":{"failureThreshold":15,"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":3},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"scim":{"authSecret":{"key":"secret","name":""},"enable":false},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceAnnotations":{},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"type":"ClusterIP"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false,"workspaceServiceAccount":{"annotations":{},"labels":{}}}` | Primary service responsible for all things Coder! |
-| coderd.image | string | `"registry1.dso.mil/ironbank/coder/coder-enterprise/coder-service:1.35.1"` | Injected by Coder during release. |
+| coderd | object | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"alternateHostnames":[],"annotations":{},"builtinProviderServiceAccount":{"annotations":{},"labels":{},"migrate":true},"clientTLS":{"secretName":""},"devurlsHost":"","extraEnvs":[],"extraLabels":{},"image":"registry1.dso.mil/ironbank/coder/coder-enterprise/coder-service:1.36.1","imagePullSecret":"","liveness":{"failureThreshold":30,"initialDelaySeconds":30,"periodSeconds":10,"timeoutSeconds":3},"networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"readiness":{"failureThreshold":15,"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":3},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"scim":{"authSecret":{"key":"secret","name":""},"enable":false},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceAnnotations":{},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"type":"ClusterIP"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false,"workspaceServiceAccount":{"annotations":{},"labels":{}}}` | Primary service responsible for all things Coder! |
+| coderd.image | string | `"registry1.dso.mil/ironbank/coder/coder-enterprise/coder-service:1.36.1"` | Injected by Coder during release. |
 | coderd.replicas | int | `1` | The number of Kubernetes Pod replicas. |
+| coderd.imagePullSecret | string | `""` | The secret used for pulling the coderd image from a private registry. |
 | coderd.annotations | object | `{}` | Apply annotations to the coderd deployment. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
 | coderd.serviceAnnotations | object | `{}` | Apply annotations to the coderd service. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
 | coderd.serviceSpec | object | `{"type":"ClusterIP"}` | Specification to inject for the coderd service. See: https://kubernetes.io/docs/concepts/services-networking/service/ |
@@ -105,8 +106,8 @@ helm install coder chart/
 | ingress.annotations | object | `{"nginx.ingress.kubernetes.io/proxy-body-size":"0"}` | Additional annotations to add to the Ingress object. The behavior is typically dependent on the Ingress Controller implementation, and useful for managing features like TLS termination. |
 | ingress.tls | object | `{"enable":false}` | Configures TLS settings for the Ingress. TLS certificates are specified in coderd.tls.hostSecretName and coderd.tls.devurlsHostSecretName. |
 | ingress.tls.enable | bool | `false` | Determines whether the Ingress handles TLS. |
-| envbox | object | `{"image":"docker.io/coderenvs/envbox:1.35.1"}` | Required for running Docker inside containers. See requirements: https://coder.com/docs/coder/latest/admin/workspace-management/cvms |
-| envbox.image | string | `"docker.io/coderenvs/envbox:1.35.1"` | Injected by Coder during release. |
+| envbox | object | `{"image":"docker.io/coderenvs/envbox:1.36.1"}` | Required for running Docker inside containers. See requirements: https://coder.com/docs/coder/latest/admin/workspace-management/cvms |
+| envbox.image | string | `"docker.io/coderenvs/envbox:1.36.1"` | Injected by Coder during release. |
 | postgres.host | string | `""` | Host of the external PostgreSQL instance. |
 | postgres.port | string | `""` | Port of the external PostgreSQL instance. |
 | postgres.user | string | `""` | User of the external PostgreSQL instance. |
@@ -118,11 +119,13 @@ helm install coder chart/
 | postgres.ssl.certSecret.name | string | `""` | Name of the secret. |
 | postgres.ssl.certSecret.key | string | `""` | Key pointing to a certificate in the secret. |
 | postgres.ssl.keySecret | object | `{"key":"","name":""}` | Secret containing a PEM encoded key file. |
+| postgres.ssl.keySecret.name | string | `""` | Name of the secret. |
 | postgres.ssl.keySecret.key | string | `""` | Key pointing to a certificate in the secret. |
 | postgres.ssl.rootCertSecret | object | `{"key":"","name":""}` | Secret containing a PEM encoded root cert file. |
 | postgres.ssl.rootCertSecret.name | string | `""` | Name of the secret. |
 | postgres.ssl.rootCertSecret.key | string | `""` | Key pointing to a certificate in the secret. |
 | postgres.connector | string | `"postgres"` | Option for configuring database connector type. valid values are: - "postgres" -- default connector - "awsiamrds" -- uses AWS IAM account in environment to authenticate using   IAM to connect to an RDS instance. |
+| postgres.noPasswordEnv | bool | `false` | If enabled, passwordSecret will be specified as a volumeMount and the env `DB_PASSWORD_PATH` will be set instead to point to that location. The default behaviour is to set the environment variable `DB_PASSWORD` to the value of the postgres password secret. |
 | postgres.default | object | `{"annotations":{},"enable":true,"image":"registry.dso.mil/platform-one/big-bang/apps/developer-tools/coder/timescale:1.18.1","networkPolicy":{"enable":true},"resources":{"limits":{"cpu":"250m","memory":"1Gi"},"requests":{"cpu":"250m","memory":"1Gi","storage":"10Gi"}},"storageClassName":""}` | Configure a built-in PostgreSQL deployment. |
 | postgres.default.enable | bool | `true` | Deploys a PostgreSQL instance. We recommend using an external PostgreSQL instance in production. If true, all other values are ignored. |
 | postgres.default.image | string | `"registry.dso.mil/platform-one/big-bang/apps/developer-tools/coder/timescale:1.18.1"` | Injected by Coder during release. |

chart/Chart.yaml

 apiVersion: v2
-appVersion: 1.35.1
+appVersion: 1.36.1
 description: 'Coder moves developer workspaces to your cloud and centralizes their
   creation and management. '
 home: https://coder.com
@@ -14,4 +14,4 @@ maintainers:
 name: coder
 sources:
 - https://github.com/cdr/enterprise-helm
-version: 1.35.1
+version: 1.36.1

chart/README.md

@@ -121,6 +121,7 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa
 | postgres.default.resources.requests.storage | string | Specifies the size of the volume claim for persisting the database. | `"10Gi"` |
 | postgres.default.storageClassName | string | Set the storageClass to store the database. | `""` |
 | postgres.host | string | Host of the external PostgreSQL instance. | `""` |
+| postgres.noPasswordEnv | bool | If enabled, passwordSecret will be specified as a volumeMount and the env `DB_PASSWORD_PATH` will be set instead to point to that location. The default behaviour is to set the environment variable `DB_PASSWORD` to the value of the postgres password secret. | `false` |
 | postgres.passwordSecret | string | Name of an existing secret in the current namespace with the password of the PostgreSQL instance. The password must be contained in the secret field `password`. This should be set to an empty string if the database does not require a password to connect. | `""` |
 | postgres.port | string | Port of the external PostgreSQL instance. | `""` |
 | postgres.ssl | object | Options for configuring the SSL cert, key, and root cert when connecting to Postgres. | `{"certSecret":{"key":"","name":""},"keySecret":{"key":"","name":""},"rootCertSecret":{"key":"","name":""}}` |
@@ -129,6 +130,7 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa
 | postgres.ssl.certSecret.name | string | Name of the secret. | `""` |
 | postgres.ssl.keySecret | object | Secret containing a PEM encoded key file. | `{"key":"","name":""}` |
 | postgres.ssl.keySecret.key | string | Key pointing to a certificate in the secret. | `""` |
+| postgres.ssl.keySecret.name | string | Name of the secret. | `""` |
 | postgres.ssl.rootCertSecret | object | Secret containing a PEM encoded root cert file. | `{"key":"","name":""}` |
 | postgres.ssl.rootCertSecret.key | string | Key pointing to a certificate in the secret. | `""` |
 | postgres.ssl.rootCertSecret.name | string | Name of the secret. | `""` |

chart/templates/_common.tpl

@@ -28,12 +28,17 @@ storageClassName: {{ .Values.postgres.default.storageClassName | quote }}
 - name: DB_USER
   value: {{ .Values.postgres.user | quote }}
 {{- if ne .Values.postgres.passwordSecret "" }}
+{{- if .Values.postgres.noPasswordEnv }}
+- name: DB_PASSWORD_PATH
+  value: "/run/secrets/{{ .Values.postgres.passwordSecret }}/password"
+{{- else }}
 - name: DB_PASSWORD
   valueFrom:
     secretKeyRef:
       name: {{ .Values.postgres.passwordSecret | quote }}    
       key: password
 {{- end }}
+{{- end }}
 - name: DB_CONNECTOR
   value: {{ .Values.postgres.connector | quote }}
 - name: DB_SSL_MODE
@@ -95,6 +100,11 @@ volumes:
     secret:
       secretName: {{ .Values.coderd.clientTLS.secretName | quote }}
 {{- end }}
+{{- if .Values.postgres.noPasswordEnv }}
+  - name: {{ .Values.postgres.passwordSecret | quote }}
+    secret:
+      secretName: {{ .Values.postgres.passwordSecret | quote }}
+{{- end }}
 {{- end }}
 
 # coder.volumeMounts adds a volume mounts stanza if a cert.secret is
@@ -138,6 +148,11 @@ volumeMounts:
     mountPath: /etc/ssl/certs/client
     readOnly: true
 {{- end }}
+{{- if .Values.postgres.noPasswordEnv }}
+  - name: {{ .Values.postgres.passwordSecret | quote }}
+    mountPath: "/run/secrets/{{ .Values.postgres.passwordSecret }}"
+    readOnly: true
+{{- end }}
 {{- end }}
 
 # coder.serviceTolerations adds tolerations if any are specified to

chart/values.yaml

 # coderd -- Primary service responsible for all things Coder!
 coderd:
   # coderd.image -- Injected by Coder during release.
-  image: registry1.dso.mil/ironbank/coder/coder-enterprise/coder-service:1.35.1
+  image: registry1.dso.mil/ironbank/coder/coder-enterprise/coder-service:1.36.1
   # coderd.replicas -- The number of Kubernetes Pod replicas.
   replicas: 1
+  # coderd.imagePullSecret -- The secret used for pulling the coderd image from
+  # a private registry.
+  imagePullSecret: ""
   # coderd.annotations -- Apply annotations to the coderd deployment.
   # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
   annotations: {}
@@ -320,7 +323,7 @@ ingress:
 # https://coder.com/docs/coder/latest/admin/workspace-management/cvms
 envbox:
   # envbox.image -- Injected by Coder during release.
-  image: docker.io/coderenvs/envbox:1.35.1
+  image: docker.io/coderenvs/envbox:1.36.1
 # Contains fields related to the Postgres backend. If providing your own
 # instance, a minimum version of Postgres 11 is required with the contrib
 # package installed.
@@ -355,7 +358,7 @@ postgres:
       key: ""
     # postgres.ssl.keySecret -- Secret containing a PEM encoded key file.
     keySecret:
-      # postgres.ssl.keytSecret.name -- Name of the secret.
+      # postgres.ssl.keySecret.name -- Name of the secret.
       name: ""
       # postgres.ssl.keySecret.key -- Key pointing to a certificate in the secret.
       key: ""
@@ -371,6 +374,11 @@ postgres:
   # - "awsiamrds" -- uses AWS IAM account in environment to authenticate using
   #   IAM to connect to an RDS instance.
   connector: "postgres"
+  # postgres.noPasswordEnv -- If enabled, passwordSecret will be specified as a volumeMount
+  # and the env `DB_PASSWORD_PATH` will be set instead to point to that location.
+  # The default behaviour is to set the environment variable `DB_PASSWORD` to the value
+  # of the postgres password secret.
+  noPasswordEnv: false
   # postgres.default -- Configure a built-in PostgreSQL deployment.
   default:
     # postgres.default.enable -- Deploys a PostgreSQL instance. We recommend