- Group/version: coder.com/v1alpha1
- Kind: CoderControlPlane
- Resource: codercontrolplanes
- Scope: namespaced

| Field | Type | Description |
| --- | --- | --- |
| image | string | Image is the container image used for the Coder control plane pod. |
| replicas | integer | Replicas is the desired number of control plane pods. |
| service | ServiceSpec | Service controls the service created in front of the control plane. |
| extraArgs | string array | ExtraArgs are appended to the default Coder server arguments. |
| extraEnv | EnvVar array | ExtraEnv are injected into the Coder control plane container. |
| imagePullSecrets | LocalObjectReference array | ImagePullSecrets are used by the pod to pull private images. |
| operatorAccess | OperatorAccessSpec | OperatorAccess configures bootstrap API access to the coderd instance. |
| licenseSecretRef | SecretKeySelector | LicenseSecretRef references a Secret key containing a Coder Enterprise license JWT. When set, the controller uploads the license after the control plane is ready and re-uploads when the Secret value changes. |
| serviceAccount | ServiceAccountSpec | ServiceAccount configures the ServiceAccount for the control plane pod. |
| rbac | RBACSpec | RBAC configures namespace-scoped RBAC for workspace provisioning. |
| resources | ResourceRequirements | Resources sets resource requests/limits for the control plane container. |
| securityContext | SecurityContext | SecurityContext sets the container security context. |
| podSecurityContext | PodSecurityContext | PodSecurityContext sets the pod-level security context. |
| tls | TLSSpec | TLS configures Coder built-in TLS. |
| readinessProbe | ProbeSpec | ReadinessProbe configures the readiness probe for the control plane container. |
| livenessProbe | ProbeSpec | LivenessProbe configures the liveness probe for the control plane container. |
| envUseClusterAccessURL | boolean | EnvUseClusterAccessURL injects a default CODER_ACCESS_URL when not explicitly set. |
| expose | ExposeSpec | Expose configures external exposure via Ingress or Gateway API. |
| envFrom | EnvFromSource array | EnvFrom injects environment variables from ConfigMaps/Secrets. |
| volumes | Volume array | Volumes are additional volumes to add to the pod. |
| volumeMounts | VolumeMount array | VolumeMounts are additional volume mounts for the control plane container. |
| certs | CertsSpec | Certs configures additional CA certificate mounts. |
| nodeSelector | object (keys:string, values:string) | NodeSelector constrains pod scheduling to nodes matching labels. |
| tolerations | Toleration array | Tolerations are applied to the control plane pod. |
| affinity | Affinity | Affinity configures pod affinity/anti-affinity rules. |
| topologySpreadConstraints | TopologySpreadConstraint array | TopologySpreadConstraints control pod topology spread. |

| Field | Type | Description |
| --- | --- | --- |
| observedGeneration | integer | ObservedGeneration tracks the spec generation this status reflects. |
| readyReplicas | integer | ReadyReplicas is the number of ready pods observed in the deployment. |
| url | string | URL is the in-cluster URL for the control plane service. |
| operatorTokenSecretRef | SecretKeySelector | OperatorTokenSecretRef points to the Secret key containing the coder-k8s-operator API token. |
| operatorAccessReady | boolean | OperatorAccessReady reports whether operator API access bootstrap succeeded. |
| licenseLastApplied | Time | LicenseLastApplied is the timestamp of the most recent successful operator-managed license upload. |
| licenseLastAppliedHash | string | LicenseLastAppliedHash is the SHA-256 hex hash of the trimmed license JWT that LicenseLastApplied refers to. |
| licenseTier | string | LicenseTier is a best-effort classification of the currently applied license. Values: none, trial, enterprise, premium, unknown. |
| entitlementsLastChecked | Time | EntitlementsLastChecked is when the operator last queried coderd entitlements. |
| externalProvisionerDaemonsEntitlement | string | ExternalProvisionerDaemonsEntitlement is the entitlement value for feature "external_provisioner_daemons". Values: entitled, grace_period, not_entitled, unknown. |
| phase | string | Phase is a high-level readiness indicator. |
| conditions | Condition array | Conditions are Kubernetes-standard conditions for this resource. |

CertSecretSelector identifies a key within a Secret for CA cert mounting.

| Field | Type | Description |
| --- | --- | --- |
| name | string | Name is the Secret name. |
| key | string | Key is the key within the Secret data map. |

CertsSpec configures additional CA certificate mounts.

| Field | Type | Description |
| --- | --- | --- |
| secrets | CertSecretSelector array | Secrets lists Secret key selectors for CA certificates. Each is mounted at `/etc/ssl/certs/{name}.crt`. |

ExposeSpec configures external exposure for the control plane.
At most one of Ingress or Gateway may be set.

`+kubebuilder:validation:XValidation:rule="!(has(self.ingress) && has(self.gateway))",message="only one of ingress or gateway may be set"`

| Field | Type | Description |
| --- | --- | --- |
| ingress | IngressExposeSpec | Ingress configures a networking.k8s.io/v1 Ingress. |
| gateway | GatewayExposeSpec | Gateway configures a gateway.networking.k8s.io/v1 HTTPRoute. |

GatewayExposeSpec defines Gateway API (HTTPRoute) exposure configuration.

| Field | Type | Description |
| --- | --- | --- |
| host | string | Host is the primary hostname for the HTTPRoute. |
| wildcardHost | string | WildcardHost is an optional wildcard hostname. |
| parentRefs | GatewayParentRef array | ParentRefs are Gateways that the HTTPRoute attaches to. At least one parentRef is required when gateway exposure is configured. |

GatewayParentRef identifies a Gateway for HTTPRoute attachment.

| Field | Type | Description |
| --- | --- | --- |
| name | string | Name is the Gateway name. |
| namespace | string | Namespace is the Gateway namespace. |
| sectionName | string | SectionName is the listener name within the Gateway. |

IngressExposeSpec defines Ingress exposure configuration.

| Field | Type | Description |
| --- | --- | --- |
| className | string | ClassName is the Ingress class name. |
| host | string | Host is the primary hostname for the Ingress rule. |
| wildcardHost | string | WildcardHost is an optional wildcard hostname (e.g., for workspace apps). |
| annotations | object (keys:string, values:string) | Annotations are applied to the managed Ingress. |
| tls | IngressTLSExposeSpec | TLS configures TLS termination at the Ingress. |

IngressTLSExposeSpec defines TLS configuration for the Ingress.

| Field | Type | Description |
| --- | --- | --- |
| secretName | string | SecretName is the TLS Secret for the primary host. |
| wildcardSecretName | string | WildcardSecretName is the TLS Secret for the wildcard host. |

OperatorAccessSpec configures the controller-managed coderd operator user.

| Field | Type | Description |
| --- | --- | --- |
| disabled | boolean | Disabled turns off creation and management of the coder-k8s-operator user and API token. |
| generatedTokenSecretName | string | GeneratedTokenSecretName stores the generated operator API token. |

ProbeSpec configures a Kubernetes probe with an enable toggle.

| Field | Type | Description |
| --- | --- | --- |
| enabled | boolean | Enabled toggles the probe on or off. When omitted, readiness defaults to enabled while liveness defaults to disabled. |
| initialDelaySeconds | integer | InitialDelaySeconds is the delay before the probe starts. |
| periodSeconds | integer | PeriodSeconds controls how often the probe is performed. |
| timeoutSeconds | integer | TimeoutSeconds is the probe timeout. |
| successThreshold | integer | SuccessThreshold is the minimum consecutive successes for the probe to be considered successful. |
| failureThreshold | integer | FailureThreshold is the minimum consecutive failures for the probe to be considered failed. |

RBACSpec configures namespace-scoped RBAC for workspace provisioning.

| Field | Type | Description |
| --- | --- | --- |
| workspacePerms | boolean | WorkspacePerms enables Role/RoleBinding creation for workspace resources. When omitted, the default is true. |
| enableDeployments | boolean | EnableDeployments grants apps/deployments permissions (only when WorkspacePerms is true). When omitted, the default is true. |
| extraRules | PolicyRule array | ExtraRules are appended to the managed Role rules. |
| workspaceNamespaces | string array | WorkspaceNamespaces lists additional namespaces for Role/RoleBinding creation. |
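
The ExposeSpec and GatewayExposeSpec constraints and the RBACSpec defaults documented above can be checked before a manifest is applied. The following Go code is an added example, not the operator's own code. Assumptions: the types are hypothetical, simplified mirrors of the documented fields, a nil pointer stands for an omitted field, and the wildcard check on extraRules is an added least-privilege review step rather than documented operator behavior.

```go
package main

import "fmt"
// Hypothetical mirrors of the documented fields, not the operator's Go types.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
type RBACSpec struct {
	WorkspacePerms, EnableDeployments *bool // nil = omitted; documented default is true
	ExtraRules                        []PolicyRule
}
type IngressExposeSpec struct{ Host string }
type GatewayExposeSpec struct{ ParentRefs []string } // Gateway names only (simplified)
type ExposeSpec struct {
	Ingress *IngressExposeSpec // nil = absent, the case CEL has() tests for
	Gateway *GatewayExposeSpec
}

func on(b *bool) bool { return b == nil || *b } // omitted counts as true
func wildcard(lists ...[]string) bool {
	for _, l := range lists {
		for _, v := range l {
			if v == "*" {
				return true
			}
		}
	}
	return false
}

// Lint reports violated ExposeSpec constraints and broad RBAC grants.
func Lint(e *ExposeSpec, r RBACSpec) []string {
	var out []string
	if e != nil && e.Ingress != nil && e.Gateway != nil {
		out = append(out, "expose: only one of ingress or gateway may be set")
	}
	if e != nil && e.Gateway != nil && len(e.Gateway.ParentRefs) == 0 {
		out = append(out, "expose.gateway: at least one parentRef is required")
	}
	if on(r.WorkspacePerms) && on(r.EnableDeployments) {
		out = append(out, "rbac: apps/deployments permissions are granted")
	}
	for i, rule := range r.ExtraRules {
		if wildcard(rule.APIGroups, rule.Resources, rule.Verbs) {
			out = append(out, fmt.Sprintf("rbac.extraRules[%d]: wildcard in appended rule", i))
		}
	}
	return out
}

func main() { fmt.Println(Lint(&ExposeSpec{Gateway: &GatewayExposeSpec{}}, RBACSpec{})) }
```

An empty RBACSpec still yields the apps/deployments finding, because both toggles default to true when omitted.
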

SecretKeySelector identifies a key in a Secret.

| Field | Type | Description |
| --- | --- | --- |
| name | string | Name is the Kubernetes Secret name. |
| key | string | Key is the key inside the Secret data map. |

ServiceAccountSpec configures the ServiceAccount used by the Coder pod.

| Field | Type | Description |
| --- | --- | --- |
| disableCreate | boolean | DisableCreate skips ServiceAccount creation (use an existing SA). |
| name | string | Name overrides the ServiceAccount name. Defaults to the CoderControlPlane name. |
| annotations | object (keys:string, values:string) | Annotations are applied to the managed ServiceAccount. |
| labels | object (keys:string, values:string) | Labels are applied to the managed ServiceAccount. |

ServiceSpec defines the Service configuration reconciled by the operator.

| Field | Type | Description |
| --- | --- | --- |
| type | ServiceType | Type controls the Kubernetes service type. |
| port | integer | Port controls the exposed service port. |
| annotations | object (keys:string, values:string) | Annotations are applied to the reconciled service object. |

TLSSpec configures Coder built-in TLS.

| Field | Type | Description |
| --- | --- | --- |
| secretNames | string array | SecretNames lists TLS secrets to mount for built-in TLS. When non-empty, TLS is enabled on the Coder control plane. |

- Go type: api/v1alpha1/codercontrolplane_types.go
- Generated CRD: config/crd/bases/coder.com_codercontrolplanes.yaml