CoderControlPlane

API identity

  • Group/version: coder.com/v1alpha1
  • Kind: CoderControlPlane
  • Resource: codercontrolplanes
  • Scope: namespaced

Spec

| Field | Type | Description |
|---|---|---|
| image | string | Image is the container image used for the Coder control plane pod. |
| replicas | integer | Replicas is the desired number of control plane pods. |
| service | ServiceSpec | Service controls the service created in front of the control plane. |
| extraArgs | string array | ExtraArgs are appended to the default Coder server arguments. |
| extraEnv | EnvVar array | ExtraEnv are injected into the Coder control plane container. |
| imagePullSecrets | LocalObjectReference array | ImagePullSecrets are used by the pod to pull private images. |
| operatorAccess | OperatorAccessSpec | OperatorAccess configures bootstrap API access to the coderd instance. |
| licenseSecretRef | SecretKeySelector | LicenseSecretRef references a Secret key containing a Coder Enterprise license JWT. When set, the controller uploads the license after the control plane is ready and re-uploads when the Secret value changes. |
| serviceAccount | ServiceAccountSpec | ServiceAccount configures the ServiceAccount for the control plane pod. |
| rbac | RBACSpec | RBAC configures namespace-scoped RBAC for workspace provisioning. |
| resources | ResourceRequirements | Resources sets resource requests/limits for the control plane container. |
| securityContext | SecurityContext | SecurityContext sets the container security context. |
| podSecurityContext | PodSecurityContext | PodSecurityContext sets the pod-level security context. |
| tls | TLSSpec | TLS configures Coder built-in TLS. |
| readinessProbe | ProbeSpec | ReadinessProbe configures the readiness probe for the control plane container. |
| livenessProbe | ProbeSpec | LivenessProbe configures the liveness probe for the control plane container. |
| envUseClusterAccessURL | boolean | EnvUseClusterAccessURL injects a default CODER_ACCESS_URL when not explicitly set. |
| expose | ExposeSpec | Expose configures external exposure via Ingress or Gateway API. |
| envFrom | EnvFromSource array | EnvFrom injects environment variables from ConfigMaps/Secrets. |
| volumes | Volume array | Volumes are additional volumes to add to the pod. |
| volumeMounts | VolumeMount array | VolumeMounts are additional volume mounts for the control plane container. |
| certs | CertsSpec | Certs configures additional CA certificate mounts. |
| nodeSelector | object (keys:string, values:string) | NodeSelector constrains pod scheduling to nodes matching labels. |
| tolerations | Toleration array | Tolerations are applied to the control plane pod. |
| affinity | Affinity | Affinity configures pod affinity/anti-affinity rules. |
| topologySpreadConstraints | TopologySpreadConstraint array | TopologySpreadConstraints control pod topology spread. |

Status

| Field | Type | Description |
|---|---|---|
| observedGeneration | integer | ObservedGeneration tracks the spec generation this status reflects. |
| readyReplicas | integer | ReadyReplicas is the number of ready pods observed in the deployment. |
| url | string | URL is the in-cluster URL for the control plane service. |
| operatorTokenSecretRef | SecretKeySelector | OperatorTokenSecretRef points to the Secret key containing the coder-k8s-operator API token. |
| operatorAccessReady | boolean | OperatorAccessReady reports whether operator API access bootstrap succeeded. |
| licenseLastApplied | Time | LicenseLastApplied is the timestamp of the most recent successful operator-managed license upload. |
| licenseLastAppliedHash | string | LicenseLastAppliedHash is the SHA-256 hex hash of the trimmed license JWT that LicenseLastApplied refers to. |
| licenseTier | string | LicenseTier is a best-effort classification of the currently applied license. Values: none, trial, enterprise, premium, unknown. |
| entitlementsLastChecked | Time | EntitlementsLastChecked is when the operator last queried coderd entitlements. |
| externalProvisionerDaemonsEntitlement | string | ExternalProvisionerDaemonsEntitlement is the entitlement value for feature "external_provisioner_daemons". Values: entitled, grace_period, not_entitled, unknown. |
| phase | string | Phase is a high-level readiness indicator. |
| conditions | Condition array | Conditions are Kubernetes-standard conditions for this resource. |

Referenced types

CertSecretSelector

CertSecretSelector identifies a key within a Secret for CA cert mounting.

| Field | Type | Description |
|---|---|---|
| name | string | Name is the Secret name. |
| key | string | Key is the key within the Secret data map. |

CertsSpec

CertsSpec configures additional CA certificate mounts.

| Field | Type | Description |
|---|---|---|
| secrets | CertSecretSelector array | Secrets lists Secret key selectors for CA certificates. Each is mounted at /etc/ssl/certs/{name}.crt. |

ExposeSpec

ExposeSpec configures external exposure for the control plane. At most one of Ingress or Gateway may be set. This is enforced by the CRD validation rule !(has(self.ingress) && has(self.gateway)), which fails with the message "only one of ingress or gateway may be set".

| Field | Type | Description |
|---|---|---|
| ingress | IngressExposeSpec | Ingress configures a networking.k8s.io/v1 Ingress. |
| gateway | GatewayExposeSpec | Gateway configures a gateway.networking.k8s.io/v1 HTTPRoute. |

GatewayExposeSpec

GatewayExposeSpec defines Gateway API (HTTPRoute) exposure configuration.

| Field | Type | Description |
|---|---|---|
| host | string | Host is the primary hostname for the HTTPRoute. |
| wildcardHost | string | WildcardHost is an optional wildcard hostname. |
| parentRefs | GatewayParentRef array | ParentRefs are Gateways that the HTTPRoute attaches to. At least one parentRef is required when gateway exposure is configured. |

GatewayParentRef

GatewayParentRef identifies a Gateway for HTTPRoute attachment.

| Field | Type | Description |
|---|---|---|
| name | string | Name is the Gateway name. |
| namespace | string | Namespace is the Gateway namespace. |
| sectionName | string | SectionName is the listener name within the Gateway. |

IngressExposeSpec

IngressExposeSpec defines Ingress exposure configuration.

| Field | Type | Description |
|---|---|---|
| className | string | ClassName is the Ingress class name. |
| host | string | Host is the primary hostname for the Ingress rule. |
| wildcardHost | string | WildcardHost is an optional wildcard hostname (e.g., for workspace apps). |
| annotations | object (keys:string, values:string) | Annotations are applied to the managed Ingress. |
| tls | IngressTLSExposeSpec | TLS configures TLS termination at the Ingress. |

IngressTLSExposeSpec

IngressTLSExposeSpec defines TLS configuration for the Ingress.

| Field | Type | Description |
|---|---|---|
| secretName | string | SecretName is the TLS Secret for the primary host. |
| wildcardSecretName | string | WildcardSecretName is the TLS Secret for the wildcard host. |

OperatorAccessSpec

OperatorAccessSpec configures the controller-managed coderd operator user.

| Field | Type | Description |
|---|---|---|
| disabled | boolean | Disabled turns off creation and management of the coder-k8s-operator user and API token. |
| generatedTokenSecretName | string | GeneratedTokenSecretName stores the generated operator API token. |

ProbeSpec

ProbeSpec configures a Kubernetes probe with an enable toggle.

| Field | Type | Description |
|---|---|---|
| enabled | boolean | Enabled toggles the probe on or off. When omitted, readiness defaults to enabled while liveness defaults to disabled. |
| initialDelaySeconds | integer | InitialDelaySeconds is the delay before the probe starts. |
| periodSeconds | integer | PeriodSeconds controls how often the probe is performed. |
| timeoutSeconds | integer | TimeoutSeconds is the probe timeout. |
| successThreshold | integer | SuccessThreshold is the minimum consecutive successes for the probe to be considered successful. |
| failureThreshold | integer | FailureThreshold is the minimum consecutive failures for the probe to be considered failed. |

RBACSpec

RBACSpec configures namespace-scoped RBAC for workspace provisioning.

| Field | Type | Description |
|---|---|---|
| workspacePerms | boolean | WorkspacePerms enables Role/RoleBinding creation for workspace resources. When omitted, the default is true. |
| enableDeployments | boolean | EnableDeployments grants apps/deployments permissions (only when WorkspacePerms is true). When omitted, the default is true. |
| extraRules | PolicyRule array | ExtraRules are appended to the managed Role rules. |
| workspaceNamespaces | string array | WorkspaceNamespaces lists additional namespaces for Role/RoleBinding creation. |

SecretKeySelector

SecretKeySelector identifies a key in a Secret.

| Field | Type | Description |
|---|---|---|
| name | string | Name is the Kubernetes Secret name. |
| key | string | Key is the key inside the Secret data map. |

ServiceAccountSpec

ServiceAccountSpec configures the ServiceAccount used by the Coder pod.

| Field | Type | Description |
|---|---|---|
| disableCreate | boolean | DisableCreate skips ServiceAccount creation (use an existing SA). |
| name | string | Name overrides the ServiceAccount name. Defaults to the CoderControlPlane name. |
| annotations | object (keys:string, values:string) | Annotations are applied to the managed ServiceAccount. |
| labels | object (keys:string, values:string) | Labels are applied to the managed ServiceAccount. |

ServiceSpec

ServiceSpec defines the Service configuration reconciled by the operator.

| Field | Type | Description |
|---|---|---|
| type | ServiceType | Type controls the Kubernetes service type. |
| port | integer | Port controls the exposed service port. |
| annotations | object (keys:string, values:string) | Annotations are applied to the reconciled service object. |

TLSSpec

TLSSpec configures Coder built-in TLS.

| Field | Type | Description |
|---|---|---|
| secretNames | string array | SecretNames lists TLS secrets to mount for built-in TLS. When non-empty, TLS is enabled on the Coder control plane. |
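
An illustrative manifest that combines the security-relevant fields documented above (an added example, not taken from the project's repository). It assumes securityContext and podSecurityContext accept the standard Kubernetes core/v1 fields; every name, namespace, hostname, port and the image reference is a constructed placeholder.

```yaml
# Added example, not the project's own manifest. All names, namespaces,
# hostnames, the port and the image reference are constructed placeholders.
apiVersion: coder.com/v1alpha1
kind: CoderControlPlane
metadata:
  name: coder
  namespace: coder-system
spec:
  image: registry.example.com/coder/coder:PINNED_TAG  # placeholder; pin a tag or digest
  replicas: 2
  service:
    type: ClusterIP            # Service stays in-cluster; external access goes through expose
    port: 80
  expose:
    # Set only one of ingress or gateway; the CRD validation rule rejects both together.
    gateway:
      host: coder.example.com
      wildcardHost: "*.coder.example.com"
      parentRefs:              # at least one parentRef is required for gateway exposure
        - name: public-gateway
          namespace: gateway-system
          sectionName: https
  licenseSecretRef:            # the license JWT is read from a Secret, not inlined here
    name: coder-license
    key: license
  operatorAccess:
    # Secret that receives the generated coder-k8s-operator API token;
    # limit who can read Secrets in this namespace accordingly.
    generatedTokenSecretName: coder-operator-token
  rbac:
    workspacePerms: true       # same as the default when omitted
    enableDeployments: false   # default is true; turn off if templates create no Deployments
    workspaceNamespaces:
      - coder-workspaces       # extra namespace that gets a Role/RoleBinding
  podSecurityContext:          # assumed to be core/v1 PodSecurityContext
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  securityContext:             # assumed to be core/v1 SecurityContext
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
  livenessProbe:
    enabled: true              # liveness defaults to disabled when omitted
```

After the resource reconciles, status.operatorAccessReady and status.licenseLastAppliedHash indicate whether the operator token bootstrap and the license upload took effect.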

Source

  • Go type: api/v1alpha1/codercontrolplane_types.go
  • Generated CRD: config/crd/bases/coder.com_codercontrolplanes.yaml