Air-gapped deployment

Air-gapped deployment

If you need increased security for your Coder deployments, you can set up an air-gapped deployment.

To do so, you must:

  • Pull all Coder deployment resources into your air-gapped environment
  • Push the images to your Docker registry,
  • Deploy Coder from within your air-gapped environment

Coder licenses issued as part of the trial program do not support air-gapped deployments.


Before proceeding, please ensure that you've installed the following software dependencies:

Next, configure the following items in the same network as the Kubernetes cluster that will run Coder (we've provided links to a suggested option for each item type, but you're welcome to use the alternatives of your choice):

Network configuration

Coder requires several preliminary steps to be performed on your network before you can deploy Coder. If you don't already have the following on your network, please see our infrastructure setup guide:

  • A certificate authority
  • A domain name service
  • A local Docker Registry

Version controlling your changes to the Coder install files

Throughout this article, we will suggest changes to the Helm chart that you'll obtain from the .tgz that's returned when you run helm pull. We recommend version controlling your files.

Step 1: Pull all Coder resources into your air-gapped environment

Coder is deployed through helm, and the platform images are hosted in Coder's Docker Hub repo.

  1. Download the Coder Helm charts by running the following command outside of the air-gapped environment:

    helm repo add coder https://helm.coder.com
    helm pull coder/coder

    These commands will add Coder's helm charts and pull the latest stable release into a tarball file whose name uses the following format: coder-X.Y.Z.tgz (X.Y.Z is the Coder release number).

  2. Pull the images for the Coder platform from the following Docker Hub locations:



    Optional: timescale

    Timescale is an internal database meant for evaluation deployments. It is not It is not recommended to run this service in production. Connect to an external Postgres database for production deployments.

    You can pull each of these images from their coderenvs/<img-name>:<version> registry location using the image's name and Coder version:

    docker pull coderenvs/coder-service:<version>

    The following images are optional, though you're welcome to take advantage of Coder's versions instead of building your own:

    Open VSX




    When building images for your environments that rely on a custom certificate authority, be sure to follow the docs for adding certificates to images.

  3. Tag and push all of the images that you've downloaded in the previous step to your internal registry; this registry must be accessible from your air-gapped environment. For example, to push coder-service:

    docker tag coderenvs/coder-service:<version> my-registry.com/coderenvs/coder-service:<version>
    docker push my-registry.com/coderenvs/coder-service:<version>
  4. If necessary, create an offline.values.yaml file that includes the image paths for each of the Coder containers and proxy configuration similar to the following:

      image: my-registry.com/coderenvs/coder-service:<version>
      # Coder will use this proxy for all outbound HTTP/HTTPS connections
      # such as when checking for updated images in the image registry.
      # However, note that images are pulled from the Kubernetes container runtime,
      # and may require a different setting.
        http: http://proxy.internal:8888
        exempt: cluster.local
        image: my-registry.com/coderenvs/timescale:<version>
      image: my-registry.com/coderenvs/envbox:<version>

    See configuring forward and reverse proxies for additional information about Coder's support for network proxies.

  5. Once all of the resources are in your air-gapped network, run the following to deploy Coder to your Kubernetes cluster:

    helm install coder . --create-namespace --namespace coder --values=offline.values.yaml

    If you'd like to run this command after navigating into the coder.tgz directory, you can replace the coder.tgz path with a period:

    helm install --wait --atomic --debug --namespace coder coder . \
       --set postgres.default.image=$REGISTRY_DOMAIN_NAME/coderenvs/coder-service:<version> \
       --set envbox.image=$REGISTRY_DOMAIN_NAME/coderenvs/envbox:<version> \
       --set timescale.image=$REGISTRY_DOMAIN_NAME/coderenvs/timescale:<version> \
       -f registry-cert-values.yml
  6. Next, follow the Installation guide beginning with step 6 to get the access URL and the temporary admin password, which allows you to proceed with setting up and configuring Coder.

Extensions marketplace

Coder users in an air-gapped environment cannot access the public VS Code marketplace. However, you can point Coder to an air-gapped instance of Open VSX to serve assets to users. For instructions on how to do this, see Extensions.

Please review the Open VSX deployment wiki for more information on setting up your Open VSX deployment. Note that there are several components involved, including:

  • The server application, available as the openvsx-server Docker image
  • A PostgreSQL instance to hold the metadata of the published extensions
    • If you use just a database for storage, Open VSX stores everything as binary data, which can increase the storage and network throughput of the database considerable. As such, Open VSX recommends leveraging external storage (e.g., Azure Blob Storage or Google Cloud Storage)
  • Elasticsearch, which Open VSX uses as the default search engine for search queries that originate from the web UI; this is optional, since you can either turn off searches or use database queries
  • GitHub OAuth for user authentication
See an opportunity to improve our docs? Make an edit.