aks questions - enterprise version

Has anyone used azure blob storage with code-server workspaces, three use cases 1. as an alternative to the default which is disk 2. as a shared read only for large files like the trivy dB in an air gapped environment 3. As shared read/write storage for large data manipulation tasks. Coder is deployed in aks. I also have question about using deployment versus pods as I have seen templates for both. Does one have benefits over the other? Also, are there any tricks to get envbox working in AKS? If I use azure app registration as the oidc login or the external auth can I use that somehow to authenticate for the blob storage? I do have workload identity enabled on the cluster but I am currently only using it for SOPS kubernetes secrets decryption. I also plan to setup coder external provisioned. How can auto start and stop those so that I can scale the node pool to zero at night etc. ? Can I create a node pool with azure user assigned managed identity or do I have to use a service principal for the external provisioners? Also if the external provisioners are in different clusters in different vnets in different subscriptions divided by different business units, do I have to use a multi cluster mesh with istio or is vnet peering sufficient.
3 Replies
Codercord
Codercord5mo ago
<#1268997704714031156>
Category
Help needed
Product
Coder OSS (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
Phorcys
Phorcys4mo ago
some people use artifactory which i believe is similar. For your first question, I would advise to use Deployment over Pods, deployments manage a set of pods and will try to self-heal if a pod is killed.
If I use azure app registration as the oidc login or the external auth can I use that somehow to authenticate for the blob storage?
You can use Azure as an external auth provider and run coder external-auth access-token <provider name> within the workspace to get that token, you can also require the user to be connected to the external auth to be able to use the template. If the token allows you to do what you want then it should be okay, maybe you will need to grant specific permissions to the app you'll create on the tenant
I also plan to setup coder external provisioned. How can auto start and stop those so that I can scale the node pool to zero at night etc. ?
For scaling, I would recommend that you look into scaling with Kubernetes' Deployments, but AFAIK you cannot scale to zero without an API call
Can I create a node pool with azure user assigned managed identity or do I have to use a service principal for the external provisioners?
I am not sure what you mean by this, could you please elaborate?
Also if the external provisioners are in different clusters in different vnets in different subscriptions divided by different business units, do I have to use a multi cluster mesh with istio or is vnet peering sufficient.
I'm not familiar with multi cluster meshing but so long as the Coder deployment can reach the provisioners (and vice-versa) then you should be good, the provisioners also need to be able to access the target environments where the worskpaces are being deployed (e.g Azure, Docker, etc) @Spiked_Grape closing this one, feel free to reopen if needed.
Codercord
Codercord4mo ago
@Phorcys closed the thread.

Did you find this page helpful?