If you need increased security for your Coder deployments, you can set up an air-gapped deployment.
To do so, you must:
Coder licenses issued as part of the trial program do not support air-gapped deployments.
Before proceeding, please ensure that you've installed the following software dependencies:
Next, configure the following items in the same network as the Kubernetes cluster that will run Coder (we've provided links to a suggested option for each item type, but you're welcome to use the alternatives of your choice):
Coder requires several preliminary steps to be performed on your network before you can deploy Coder. If you don't already have the following on your network, please see our infrastructure setup guide:
Throughout this article, we will suggest changes to the Helm chart that you'll
obtain from the
.tgz that's returned when you run
helm pull. We recommend
version controlling your files.
Coder is deployed through helm, and the platform images are hosted in Coder's Docker Hub repo.
Pull down the Coder helm charts by running the following in a non-air-gapped workspace:
helm repo add coder https://helm.coder.com helm pull coder/coder
These commands will add Coder's helm charts and pull the latest stable
release into a tarball file whose name uses the following format:
coder-X.Y.Z.tgz (X.Y.Z is the Coder release number).
Pull the images for the Coder platform from the following Docker Hub locations:
Timescale is an internal database meant for evaluation deployments. It is not It is not recommended to run this service in production. Connect to an external Postgres database for production deployments.
timescale (Note: We recommend you only use timescale for evaluation purposes if you don't have an external PostgreSQL database available. For production workspaces, we strong recommend that you use an external PostgreSQL database; the installation section will cover more on updating your Helm chart with your database information.)
You can pull each of these images from their
registry location using the image's name and Coder version:
docker pull coderenvs/coder-service:<version>
To access Coder, you'll need an ingress controller; you can use nginx-ingress-controller, or you can use your own.
The following images are optional, though you're welcome to take advantage of Coder's versions instead of building your own:
When building images for your workspaces that rely on a custom certificate authority, be sure to follow the docs for adding certificates to images.
Tag and push all of the images that you've downloaded in the previous step to
your internal registry; this registry must be accessible from your air-gapped
workspace. For example, to push
docker tag coderenvs/coder-service:<version> my-registry.com/coderenvs/coder-service:<version> docker push my-registry.com/coderenvs/coder-service:<version>
Modify the image used for the ingress controller. In
you obtained by running
helm pull, find the
You'll see that this file has only one instance of
image:. Replace this
with the image for your local ingress controller image:
Once all of the resources are in your air-gapped network, run the following to deploy Coder to your Kubernetes cluster:
kubectl create namespace coder helm --namespace coder install coder /path/to/coder-X.Y.Z.tgz \ --set cemanager.image=my-registry.com/coderenvs/coder-service:<version> \ --set envproxy.image=my-registry.com/coderenvs/coder-service:<version> \ --set envbuilder.image=my-registry.com/coderenvs/envbuilder:<version> \ --set timescale.image=my-registry.com/coderenvs/timescale:<version> \ --set dashboard.image=my-registry.com/coderenvs/dashboard:<version> \ --set envbox.image=my-registry.com/coderenvs/envbox:<version>
If you'd like to run this command after navigating into the
directory, you can replace the
coder.tgz path with a period:
helm install --wait --atomic --debug --namespace coder coder . \ --set cemanager.image=$REGISTRY_DOMAIN_NAME/coderenvs/coder-service:<version> \ --set envproxy.image=$REGISTRY_DOMAIN_NAME/coderenvs/coder-service:<version> \ --set envbox.image=$REGISTRY_DOMAIN_NAME/coderenvs/envbox:<version> \ --set envbuilder.image=$REGISTRY_DOMAIN_NAME/coderenvs/envbuilder:<version> \ --set timescale.image=$REGISTRY_DOMAIN_NAME/coderenvs/timescale:<version> \ --set dashboard.image=$REGISTRY_DOMAIN_NAME/coderenvs/dashboard:<version> \ -f registry-cert-values.yml
Next, follow the Installation guide beginning with step 6 to get the access URL and the temporary admin password, which allows you to proceed with setting up and configuring Coder.
Coder users in an air-gapped workspace cannot access the public VS Code marketplace. However, you can point Coder to an air-gapped instance of OpenVSX to serve assets to users. For instructions on implementing this, see Extensions.
You can also review the OpenVSX deployment wiki for more information.