github enterprise auto upload publish SSH key
Hey folks! I'm curious if anyone has had any luck setting up https://registry.coder.com/modules/github-upload-public-key to automate uploading SSH keys to make git clone easier? I've got things mostly plumbed together as https://coder.com/docs/admin/external-auth#github-enterprise prescribes, but I keep getting 401 errors so I'm curious what I'm missing
Category: Help needed
Product: Coder OSS (v2)
Platform: Linux
Logs
Please post any relevant logs/error messages.
During workspace startup, I see the following at the top of our startup logs
hi, could you send your main.tf over?
Could it be due to the incorrect configuration as highlighted in https://github.com/coder/coder/pull/13780
@Phorcys do you mean the main.tf from our template? I can't share that since it includes a bunch of internal setup.
Or do you mean the main.tf referenced from https://registry.coder.com/modules/github-upload-public-key ? I followed the example towards the bottom of that page and added that to our template
@Atif I think that's for using github for authenticating to coder (i.e. https://coder.com/docs/admin/auth ) vs their external auth (https://coder.com/docs/admin/external-auth ) ? I'm currently using `https://` in all the env vars that get set in our k8s argocd appset yaml file.
Yes. You are right.
Looks like I forgot to set the `github_api_url` variable when I used the module! 🤦♂️
It's still not quite working, but the error code (406) makes more sense than what I was seeing before (401) because I can manually get a 406
yes, I do mean that, but it seems you got on another track
if it is needed we might ask you to send a redacted template file, even over DMs if you're more comfortable with that
Solution
Finally got it to work! I learned a couple things:
* https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps I originally had created a github app. Looking back at this, I think I might be able to get the github app to work, but 🤷 I have an oauth app working now
* When I posted last night I was missing `github_api_url` completely. I initially tried `https://github.example.com` but this afternoon I realized I needed to use `https://github.example.com/api/v3`
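
A pre-flight check for the base-URL mistake described in the solution above, as an added example that is not part of the original thread or of the Coder module's own code. The function names, the `github.example.com` host and the `github` external auth id are assumptions; rejecting plain `http://` is a policy choice of this example.

```shell
#!/usr/bin/env bash
# Added example. Hostnames are constructed; adjust to your instance.

# Print the REST API base URL for a GitHub base URL, or fail with a reason.
# github.com uses https://api.github.com; GitHub Enterprise Server serves
# its REST API under https://HOST/api/v3.
github_api_base() {
  local url="${1%/}"                     # drop one trailing slash
  case "$url" in
    https://*) ;;
    http://*) echo "plain http: the token would travel unencrypted" >&2; return 2 ;;
    *)        echo "missing scheme: expected https://HOST" >&2; return 1 ;;
  esac
  local rest="${url#https://}"
  local host="${rest%%/*}"
  local path=""
  if [ "$rest" != "$host" ]; then path="/${rest#*/}"; fi
  if [ -z "$host" ]; then echo "empty host" >&2; return 1; fi
  case "$host" in
    github.com|api.github.com) echo "https://api.github.com"; return 0 ;;
  esac
  case "$path" in
    ""|/api/v3) echo "https://${host}/api/v3" ;;
    *) echo "unexpected path '${path}': expected none or /api/v3" >&2; return 1 ;;
  esac
}

# Print the HTTP status of GET <api-base>/user for the workspace's token.
# Run inside a workspace; "github" is an assumed external auth id.
# The header is fed on stdin so the token never appears in the process list.
probe_token() {
  local base token
  base="$(github_api_base "$1")" || return 1
  token="$(coder external-auth access-token "${2:-github}")" || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$token" |
    curl -sS -o /dev/null -w '%{http_code}\n' --config - "${base}/user"
}
```

`probe_token https://github.example.com` prints `200` when the token is accepted at the resolved API base, which separates a wrong base URL from a rejected token before the module runs.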
Hi @tpottinger glad to know that you have found the solution. Please share your feedback if you think docs can be improved around this. What did you find confusing and what's missing. Also you are welcome to contribute to docs ❤️
@Atif the docs on https://coder.com/docs/admin/external-auth#github say "it's easier to configure a GitHub OAuth app!" but the screenshots are from a "GitHub App" not a GitHub "Oauth App". I suspect both are able to work, but the instruction "Install the App for your organization" only applies for GitHub Apps, not GitHub Oauth Apps. I wasn't able to convince our GHE admins to install the GitHub App, so idk if/what that step is necessary for.
Also, the docs on https://registry.coder.com/modules/github-upload-public-key reference `CODER_EXTERNAL_AUTH_0_SCOPES` but I suspect that's only required for GitHub Oauth Apps? GitHub Apps need to configure permissions, and the docs on https://coder.com/docs/admin/external-auth#github includes a screenshot for "Permissions & events" that I think replaces the need for the _SCOPES env var. I'm not 100% sure
And finally, an easy addition would be a note on https://registry.coder.com/modules/github-upload-public-key for Github Enterprise: adding the `github_api_url` parameter in the example tf module usage is needed.
cc: @Steve @ericpaulsen
is there a module for automatically uploading coder ssh key to gitlab self hosted enterprise? I assume it would need to check that the user doesn't already have the key added.
hey! what are you trying to achieve?
git commit signing with gitlab without the users manually adding the key to gitlab themselves
if you only need to clone a repo, then you don't need to update the ssh key if you use external auth
i see
know that this is pretty risky because anyone with access to the workspace will be able to push signed commits
I thought that's what this github module already did
no, it uses OAuth to push commits using an API key
the commits are unsigned
if you do want to do this, you will still need external auth, you can use the git-commit-signing module to automatically download the SSH key to `~/.ssh` and configure git to use it.
then grab the OAuth token using `coder external-auth access-token <gitlab-external-auth-name>` and add the SSH key using the API
well there is already a coder module for using coder ssh key so even if they manually add the key themselves this would still be the case.
well, i suppose you're right yes
it does add a layer of risk though as anyone on the workspace could add SSH keys (i believe you have to enable a scope in the OAuth app for the token to be able to do so)
yeah I was looking at doing that and then would have to add some logic to make sure the key hasn't been added already. I was just wondering if there was a different way
not really no