Coder.com•2mo ago
nicolas

Installing coder in EKS

Hello, I'm trying to install Coder and I'm having some difficulty connecting everything.
1. I created an NLB with Ingress Nginx (basic config: ports 80 and 443). The certificate is from ACM.
2. In the Helm chart for Coder, I configured Cognito, set the URL with my NLB DNS, and enabled ClusterIP.
3. I created an Ingress (not in the Coder Helm chart) to point to port 80.
Question 1: Is this the correct way to expose Coder outside of EKS? For now, I enter the NLB DNS name, but it looks like I can't redirect to Coder.
Question 2: Has anyone successfully used Cognito to retrieve the email and create the account at login? I'm using the Authorization Code Grant, and even with the secret key, it looks like Coder can't decode the token.
Thanks
26 Replies
Codercord
Codercord•2mo ago
Category
Help needed
Product
Coder (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
Phorcys
Phorcys•2mo ago
Hello :-)
Question 1: Is this the correct way to expose Coder outside of EKS? For now, I enter the NLB DNS name, but it looks like I can't redirect to Coder.
yes, this should be one of the correct ways to expose it, I've always used the Ingress from the chart though, so I'm not sure how it'll work in your case
Question 2: Has anyone successfully used Cognito to retrieve the email and create the account at login? I'm using the Authorization Code Grant, and even with the secret key, it looks like Coder can't decode the token.
I assume you're trying to use Cognito via OAuth, are you met with any error messages?
nicolas
nicolasOP•2mo ago
Hi 🙂, for Cognito I try OIDC and I have the field email not found in the payload.
Phorcys
Phorcys•2mo ago
By default, Coder looks for the email in the email OIDC claim; it sounds like it has a different name with Cognito. You can set the CODER_OIDC_EMAIL_FIELD environment variable to whatever Cognito uses. If you can't find it, you can set CODER_VERBOSE=true to find all the claims in the debug log. See https://coder.com/docs/admin/users/oidc-auth#oidc-claims for more info.
nicolas
nicolasOP•2mo ago
Thanks 🙂, I have a really good question. I try to use the RStudio image and for now just launch VS Code. I read the doc and I don't find any explanation about why the agent wants to start. And the thing is that I need to install my agent in the Dockerfile. I saw in the logs that the download URL is my domain (AWS ALB) but it cannot be contacted. Is there a way to force the init script to use my URL? I added it in the pod env but the script doesn't use it, I think.
Phorcys
Phorcys•2mo ago
Hey, the agent install script uses CODER_ACCESS_URL, you should change that if possible. If it's not possible, then all you can do is a find-and-replace on the agent's init_script.
nicolas
nicolasOP•2mo ago
It was hard but I found in the doc that we can set up the value manually 🙂 in the Terraform template.
Phorcys
Phorcys•2mo ago
I don't remember this being possible, would you be able to show me how you've done it?
nicolas
nicolasOP•2mo ago
provider "coder" {
  url = "http://coder.default.svc.cluster.local"
}
It needs to be tested in other contexts to check if it's really working. I found something nice. You can create an ALB in the config. But by default it's HTTP. Do you know if it's possible to use the ACM certificate, so with the ARN? And does it mean I need to enable TLS in the Coder config? Because you cannot download ACM keys. My thinking is I need to set up NLB, ingress and ClusterIP.
Phorcys
Phorcys•2mo ago
Nice, I didn't know about this! Which config are you talking about? The Helm chart's config? If you enable TLS in the Coder config, Coder will serve as HTTPS, but not the ingress/load balancer in front of it, so I'd advise keeping Coder on HTTP and just setting up SSL for what's in front of it.
nicolas
nicolasOP•2mo ago
Yes, well the main goal is to redirect HTTPS to HTTP 80 to Coder, but what annotations do I need to have? And with the chart do I need to have an ingress also? The flow between NLB and Coder is still gray for me to understand. If you have any config of an NLB and Coder config that works with an ACM certificate (only set in the NLB) it would be nice 😮
@Phorcys hello, do you know if there is a way to have multiple annotations and configure HTTPS? Without the use of the TLS (certificate in ACM). Why in the doc annotation: { annotation }?
Phorcys
Phorcys•2mo ago
Sorry for not answering earlier, I only have experience with using regular K8s and don't really know the specifics about AWS EKS. Could you show me how you would do it with another app's Helm chart maybe? This way it would be easier for me to find a Coder-specific response. From my POV, you're trying to achieve this: NLB (with HTTP/S cert from ACM) <-> Coder. I think you'd want to edit coder.service to use the NLB? By default coder.service.type is set to LoadBalancer, but that is the generic K8s approach; maybe AWS needs this to be set to something different.
nicolas
nicolasOP•2mo ago
Yes, so the objective was to set the NLB with the type LoadBalancer, but after my tests what I found is the first deployment creates the ALB and the correct target group but with no SG. So when I delete the svc and redeploy, now 2 SGs are created but the target group is now set to 8080 🫠. If Coder is designed to be deployed in the cloud, AWS must have a special config. And I do exactly what the doc said. Only the lines for the NLB.
Phorcys
Phorcys•2mo ago
Since I'm not really sure, I will attempt setting up Coder in AWS via the Helm chart to see. Will you be at KubeCon EU next week? We could meet up there if you want.
nicolas
nicolasOP•2mo ago
Well, I'm in Canada, Montréal. Thanks 🙂, maybe I miss a key point.
Max
Max•2mo ago
Somewhat related but what is the recommended amount of CPU/RAM for the nodes running coder workspaces?
Atif
Atif•2mo ago
It's subjective and depends what you want to run in your workspace.
nicolas
nicolasOP•5w ago
@Phorcys did you have time to install Coder in AWS? 🙂 The challenge is to attach a security group to the NLB. Don't know why it's so hard to do.
Phorcys
Phorcys•5w ago
Hey, sorry, not yet. This is lower priority than the other issues we have since it's not a Coder-specific question but rather Coder-in-AWS. Given I don't really have the AWS knowledge needed to give you a proper answer at the moment, I need to dig deeper but it takes time :-)
nicolas
nicolasOP•5w ago
No problem 🙂, I continue to debug on my side and if I find something I will let you know.
Phorcys
Phorcys•2w ago
Hey! Were you able to figure this out?
Solution
nicolas
nicolas•2w ago
Yes 🙂, in the config I missed "internet-facing" x_x, thanks to GPT haha, but I wonder if the team who coded the template file for the load balancer parameter could check if they can add the security group option 🙂
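A Helm values fragment that ties together the two fixes from this thread: the Cognito email-claim mapping from Phorcys's CODER_OIDC_EMAIL_FIELD reply, and the internet-facing NLB terminating TLS with the ACM certificate so Coder itself stays on plain HTTP. This is an added example, not configuration from the thread or from the Coder chart; the value keys coder.env and coder.service.annotations, the AWS Load Balancer Controller annotation names, and every ARN, hostname and ID are assumptions or placeholders.

```yaml
# Added example (not from the thread or the Coder project). Assumed: the coder/coder
# chart exposes coder.env and coder.service.annotations; the cluster runs the AWS
# Load Balancer Controller, whose annotation names are used below.
coder:
  env:
    # Public URL that users, and the agent install script, reach Coder through.
    - name: CODER_ACCESS_URL
      value: "https://coder.example.com"          # placeholder hostname
    # Cognito as an OIDC provider (Authorization Code Grant).
    - name: CODER_OIDC_ISSUER_URL
      value: "https://cognito-idp.REGION.amazonaws.com/USER_POOL_ID"   # placeholder
    - name: CODER_OIDC_CLIENT_ID
      value: "PLACEHOLDER_CLIENT_ID"
    - name: CODER_OIDC_CLIENT_SECRET
      valueFrom:                                  # keep the secret out of values.yaml
        secretKeyRef:
          name: coder-oidc                        # assumed Secret name
          key: client-secret
    # Cognito may not name the claim "email"; point Coder at the claim it sends.
    # Find the real claim name with CODER_VERBOSE=true in the debug log.
    - name: CODER_OIDC_EMAIL_FIELD
      value: "email"

  service:
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      # The thread's root cause: without this the NLB is created as internal.
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
      # TLS ends at the NLB with the ACM certificate; the private key never leaves ACM.
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
      # Backend stays plain TCP/HTTP, matching Phorcys's advice to leave Coder on HTTP.
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
```

Coder's own TLS (coder.tls in the chart) stays disabled in this layout; enabling it would make Coder expect HTTPS behind a load balancer that already terminates it.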
Phorcys
Phorcys•2w ago
I will check it out, thanks for following up!
yuji.fushiguro
yuji.fushiguro•2d ago
Hello, I jumped in this chat because I have a similar setup in EKS except my cluster has cert-manager and ExternalDNS. So I'm able to get a TLS cert from Venafi and create a record in Route 53 to access the dashboard. The problem that I'm facing is that my EKS cluster is private and does not have access to the internet. So I tried 2 approaches and they yield similar results.
Problems I'm seeing with my setup:
1. When I try to use a K8s Deployment template I see an error in the logs that says, "failed to query provider from registry.coder.com".
2. When I try to use a K8s Devcontainer template I see an error in the logs that says, "failed to query provider from artifactory.my-company.com".
I don't know why 2 templates are creating 2 different errors.
Steps I took to try to solve my problem:
1. In my Helm chart, I have an initContainer that "supposedly" pulls a different Terraform binary to use, pulls the terraformrc file from the initContainer image, and also the credentials.tfrc.json file as well. Since my cluster doesn't have access to the internet but it does have access to Artifactory, I thought doing this would remedy my issue.
2. Log into the server with the Coder CLI and update the templates. This didn't work because when I try to push the template I get an error stating, "Websocket protocol violation: Connection header "close" does not contain Upgrade".
Phorcys
Phorcys•2d ago
I'll get back to you soon with a more detailed answer, but the current TL;DR is that we don't support the module registry well with air-gapped deployments and you should download the individual modules from https://github.com/coder/modules and install them from a local source (git repo) instead.