Close all the remainings tasks

Author: paolomainardi

deployment/chart/README.md

@@ -49,29 +49,36 @@ The following table lists the configurable parameters of the code-server chart a
 | Parameter                         | Description                                | Default                                                   |
 | --------------------------------- | ------------------------------------------ | --------------------------------------------------------- |
 | `image.registry`                  | Code-server image registry                 | `docker.io`                                               |
-| `image.repository`                | Code-server Image name                     | `codercom/code-server`                                          |
+| `image.repository`                | Code-server Image name                     | `codercom/code-server`                                    |
 | `image.tag`                       | Code-server Image tag                      | `{TAG_NAME}`                                              |
 | `image.pullPolicy`                | Code-server image pull policy              | `IfNotPresent`                                            |
 | `nameOverride`                    | String to partially override code-server.fullname template with a string (will prepend the release name) | `nil` |
-| `fullnameOverride`                | String to fully override code-server.fullname template with a string   |
-| `hostnameOverride`                | String to fully override code-server container hostname  |
-| `service.type`                    | Kubernetes Service type                    | `NodePort`                                            |
-| `service.port`                    | Service HTTP port                          | `8443`                                                      |
+| `fullnameOverride`                | String to fully override code-server.fullname template with a string                                   |
+| `hostnameOverride`                | String to fully override code-server container hostname                                                |
+| `service.type`                    | Kubernetes Service type                    | `NodePort`                                                |
+| `service.port`                    | Service HTTP port                          | `8443`                                                    |
 | `ingress.enabled`                 | Enable ingress controller resource         | `false`                                                   |
-| `ingress.hosts[0].name`           | Hostname to your code-server installation       | `code-server.local`                                            |
+| `ingress.hosts[0].name`           | Hostname to your code-server installation  | `code-server.local`                                       |
 | `ingress.hosts[0].path`           | Path within the url structure              | `/`                                                       |
 | `ingress.hosts[0].tls`            | Utilize TLS backend in ingress             | `false`                                                   |
 | `ingress.hosts[0].certManager`    | Add annotations for cert-manager           | `false`                                                   |
-| `ingress.hosts[0].tlsSecret`      | TLS Secret (certificates)                  | `code-server.local-tls-secret`                                 |
+| `ingress.hosts[0].tlsSecret`      | TLS Secret (certificates)                  | `code-server.local-tls-secret`                            |
 | `ingress.hosts[0].annotations`    | Annotations for this host's ingress record | `[]`                                                      |
 | `ingress.secrets[0].name`         | TLS Secret Name                            | `nil`                                                     |
 | `ingress.secrets[0].certificate`  | TLS Secret Certificate                     | `nil`                                                     |
-| `ingress.secrets[0].key`          | TLS Secret Key                             | `nil`   |
-| `resources`                       | CPU/Memory resource requests/limits        | Memory: `512Mi`, CPU: `300m`               |
+| `ingress.secrets[0].key`          | TLS Secret Key                             | `nil`                                                     |
+| `extraArgs`                       | Additional code-server container arguments | `{}`                                                      |
+| `extraVars`                       | Optional environment variables for code-server | `{}`                                                  |
+| `volumePermissions.enabled`       | Enable volume permissions init container       | `true`                                                |
+| `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0`                                                       |
+| `securityContext.enabled`         | Enable security context     | `true`                                                                   |
+| `securityContext.fsGroup`         | Group ID for the container  | `1000`                                                                   |
+| `securityContext.runAsUser`       | User ID for the container	  | `1000`                                                                   |
+| `resources`                       | CPU/Memory resource requests/limits        | `{}`                                                      |
 | `persistence.enabled`             | Enable persistence using PVC               | `true`                                                    |
-| `persistence.storageClass`        | PVC Storage Class for code-server volume        | `nil` (uses alpha storage class annotation)               |
-| `persistence.accessMode`          | PVC Access Mode for code-server volume          | `ReadWriteOnce`                                           |
-| `persistence.size`         | PVC Storage Request for code-server volume      | `8Gi`
+| `persistence.storageClass`        | PVC Storage Class for code-server volume        | `nil`                                                |
+| `persistence.accessMode`          | PVC Access Mode for code-server volume          | `ReadWriteOnce`                                      |
+| `persistence.size`                | PVC Storage Request for code-server volume      | `8Gi`                                                |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
@@ -91,6 +98,4 @@ $ helm install --name my-release -f values.yaml deployment/chart
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
 
-## Image
 
-The `image` parameter allows specifying which image will be pulled for the chart.

deployment/chart/templates/NOTES.txt

@@ -19,3 +19,7 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl port-forward $POD_NAME 8080:80
 {{- end }}
+
+Administrator credentials:
+
+  Password : $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "code-server.fullname" . }} -o jsonpath="{.data.password}" | base64 --decode)

deployment/chart/templates/deployment.yaml

@@ -24,24 +24,51 @@ spec:
       {{- if .Values.hostnameOverride }}
       hostname: {{ .Values.hostnameOverride }}
       {{- end }}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
+      {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
       initContainers:
-        - name: permissions
-          image: busybox:latest
-          imagePullPolicy: IfNotPresent
-          command: ["/bin/sh"]
-          args: ["-c", "chown -R 1000:1000 /home/coder"]
-          volumeMounts:
-          - name: data
-            mountPath: /home/coder
+      - name: init-chmod-data
+        image: busybox:latest
+        imagePullPolicy: IfNotPresent
+        command:
+          - sh
+          - -c
+          - |
+            chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /home/coder
+        securityContext:
+          runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
+        volumeMounts:
+        - name: data
+          mountPath: /home/coder
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          args: ["--allow-http", "--no-auth"]
+          {{- if .Values.securityContext.enabled }}
           securityContext:
-            runAsUser: 1000
-            runAsGroup: 1000
-            fsGroup: 1000
+            runAsUser: {{ .Values.securityContext.runAsUser }}
+          {{- end }}
+          env:
+          - name: PASSWORD
+            valueFrom:
+              secretKeyRef:
+              {{- if .Values.existingSecret }}
+                name: {{ .Values.existingSecret }}
+              {{- else }}
+                name: {{ template "code-server.fullname" . }}
+              {{- end }}
+                key: password
+        {{- if .Values.extraVars }}
+{{ toYaml .Values.extraVars | indent 12 }}
+        {{- end }}
+        {{- if .Values.extraArgs }}
+          args:
+{{ toYaml .Values.extraArgs | indent 12 }}
+        {{- end }}
           volumeMounts:
           - name: data
             mountPath: /home/coder/project

deployment/chart/templates/secrets.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "code-server.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "code-server.name" . }}
+    helm.sh/chart: {{ include "code-server.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  {{ if .Values.password }}
+  password: "{{ .Values.password | b64enc }}"
+  {{ else }}
+  password: "{{ randAlphaNum 24 | b64enc }}"
+  {{ end }}

deployment/chart/values.yaml

@@ -30,7 +30,35 @@ ingress:
   #    hosts:
   #      - code-server.example.loc
 
-resources:
+# Optional additional arguments
+extraArgs: []
+#  - --allow-http
+#  - --no-auth
+
+# Optional additional environment variables
+extraVars: []
+#  - name: DISABLE_TELEMETRY
+#    value: true
+
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+  enabled: true
+  ## Init container Security Context
+  securityContext:
+    runAsUser: 0
+
+## Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+securityContext:
+  enabled: true
+  fsGroup: 1000
+  runAsUser: 1000
+
+resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following