Multitenancy with Coder
Hi,
I hope this question isn't as silly as my last one was. 😊
I read in the docs, that to allow for the usage of secrets other Terraform providers would need to access external APIs with, I'd need to start up the Coder pod (in k8s scenario), with the secrets already loaded as environment variables. (Do correct me if I am wrong!)
So far so good. But, what about if I need Coder to be serving workspaces that need a whole slew of secrets?
Let me explain the use case.
Let's say, instead of allowing Coder to create subdomains to access the workspaces, I want to go through Cloudflare to create the subdomains to offer access. However, the developers all have different accounts to Cloudflare for their own sites. I don't believe I'd want to load all these credentials, even as env vars, into the Coder server environment.
Is there another, smarter, way to handle this kind of scenario? I was thinking something along the lines of sidecars. Jobs that could be ran via a secondary Coder servers, but then "closed" after the job is completed. The only open question in my mind would be Terraform state and keeping it available for destruction purposes. 🤔
4 Replies
<#1306199209493528646>
Category
Other
Product
Coder OSS (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
hey @Scott, why not use external auth and have them log in to their cloudflare account there?
eh, it doesn't seem that Cloudflare has OAuth capability
we are looking into implementing user-wide secrets for this scenario but it's not a thing yet
currently you would probably have them input the token via a
coder_parameter, or you could use an external secret store and have them log in to that instead
also, you don't need to use environment variables, it's just the recommended way for server-wide secrets when you don't have an external secret store like vault
for user-wide secrets you wouldn't use env variablesYeah, the idea is to store the secrets wisely and securely in a subsystem (via sealed secrets), and be able to call upon them when a workspace is fired up, not when the Coder server is fired up, to build the particular environment. We don't want the devs to have to continually log into different services to get work done. We want it to be automated to save time and effort.
In the end, we need to come up with this process for areas outside of the remote dev environments too, so we'll take the task of making secrets available to do other processes outside of Coder. I was just hoping to streamline the remote dev environments' building in Coder's ways of doing things. 🙂
you could also use a password manager cli if you have one of those
but yeah i'm not aware of anything working out of the box