Download coder-agent from a host with untrusted CA certificate
Hello!
I'm using the example k8s template for running inside a k8s pod.
When the pod spins up it tries to download using curl the coder-agent itself (directly from the running server). The server is host with a selfsigned ssl certificate, thus, curl command fails.
Where is this installation script? I could not find it in terraform files nor in
https://code-server.dev/install.sh
How is this being pulled and how can I modify it so I could append my own trusted CA cert?
Thanks.28 Replies
hello, can you send me your terraform template ?
you should be able to add your own certificate to the workspace image
Where is this installation script?I think it is in the coder terraform provider but I am totally unsure.
@Phorcys this is the default kubernetes template. for that matter.
yeah so
you should change the pod's
spec.container.image from codercom/enterprise-base:ubuntu to your own image which has the certs in it's trust store, I think this is the only was as of now.I see.. I'll give it a go. I'll take this one as a base and modify it per my needs.
soo
How do I download the original script then? I'll look for it in github.
you don't have to
you can just modify the pod's
spec.container.command
from ["sh", "-c", coder_agent.main.init_script]
to ["my_script_or_whatever", "&&", "sh", "-c", coder_agent.main.init_script]
kinda dirty but it will work
you could put the script in a volume so you don't have to feed it 900 argumentsI like the idea of building my own image here based on the
codercom/enterprise-base:ubuntu image.
Follow up question - I use ECR (AWS image registry). Can I reference private registries that needs authentication?yes
let me find it
Where are you looking for it? In official docs?
I was about to tell you, you can look in the provider's documentation
Will do.
so, in that case it's
hashicorp/kubernetes
-> https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs
same goes for the coder provider coder/coder if you're looking for coder-related stuff.
-> https://registry.terraform.io/providers/coder/coder/latest/docs
I know you can do it with the docker provider, you should be able to do it with this one too but I haven't seen it beforeI think its less related to the coder provider and more to the
kubernetes_pod resourceit is, I was just giving that link for reference incase you're looking for docs for
coder_app/any coder resources.
I think I found it
yuphttps://kubernetes.io/docs/concepts/containers/images/#image-names
here it says you can use
fictional.registry.example/imagename, I don't know about authentication though
I'll look for it. Sounds like a solved issue 🙂
👍
I'll update my findings here later on before I resolve this thread.
sounds good
Baking this into a custom docker image worked.
As for EKS, once the EKS node has permissions to ECR in its IAM role there's no need to login.
The Dockerfile looks like this.
The user
root is important here as this is the only user that can update the trusted store globally.does it make your user
root when you open up a shell from coder ?Unfortunately, it is.
Automatically authenticate user with Coder in a workspace - Coder/C...
Automatically authenticate user with Coder in a workspace
yeah, so you can just add
USER coder at the end of that dockerfileSorry for abusing this thread (I can open another one if needed)
coder agent fails to start within the workspace pod with 401.
This is injected from
coder_agent.main.token - Should I feed it with a custom token? How does this work?
I'll be happy to read the docs - but I can't seem to find anything related..you should make another one yeah
also i have no clue on this one
i don't really understand how it works yet
Marked the thread as resolved.