
Comments (12)

chewbh commented on August 11, 2024 1

Is there a plan to look at implementing this? Support for cloning over SSH in envbuilder will be very useful.

Some developers have a preference for using SSH over HTTP/S for interacting with git. To them, it is not expected that a devcontainer workspace fails to build due to this, given that they have already configured an SSH key within Coder and that they are forced to fall back to using HTTP/S for cloning.

In addition, to support cloning private repos, we specifically need to add additional terraform logic or use coder_external_auth to configure GIT environment variables in the workspace template.

from envbuilder.

kylecarbs commented on August 11, 2024

We don't support cloning over SSH in envbuilder currently, but it's not something I'm opposed to adding.

Does cloning over HTTP(s) not work for your scenario?


janLo commented on August 11, 2024

Would it be sufficient to drop a coder agent binary into the envbuilder image and set GIT_SSH_COMMAND=/.envbuilder/coder gitssh -- ?


kylecarbs commented on August 11, 2024

I think that might work, but it'd need the agent env vars as well.


chrisspalm commented on August 11, 2024

This would be useful!


geiseri commented on August 11, 2024

Those are in the user profile, right?


nwrkbiz commented on August 11, 2024

Adding support for this would also provide a simple and secure workaround for #60


thattolleyguy commented on August 11, 2024

+1 for adding support for this. This is the top reason our company isn't using coder yet


johnstcn commented on August 11, 2024

There are two main cases to consider here:

  1. Local container runtime (for example, local Docker daemon): we can simply use SSH_AUTH_SOCK to get the required credentials, or pass a local SSH key in.
  2. Remote container runtime (Kubernetes etc.): we will need some external method of getting git credentials. We can't necessarily expect folks to go storing SSH keys or other credentials in secrets, and I don't see an easy way of magically passing an SSH auth socket to a container running in a Kubernetes cluster. Integrating with Coder using the coder gitssh workflow would seem to be the way to go here.

In the second case, there is a circular dependency where we need the agent to get the git credentials to clone the repo and build the container, but we need to build the container to start the agent. To work around this, we can possibly have envbuilder perform the step of getting the git SSH key from Coder using the agent token directly.


johnstcn commented on August 11, 2024

Plan:

  • Add support for reading an SSH private key from a file (SSH_PRIVATE_KEY_PATH) #170
  • Add support for passing in a known_hosts file (SSH_KNOWN_HOSTS_BASE64) (Edit: users can simply mount in a known_hosts file and set SSH_KNOWN_HOSTS if required) #170
  • Add support for performing an SSH keyscan and generating a known_hosts file if no known_hosts file provided (Edit: we can simply use a custom HostKeysCallback that logs and accepts all host keys) #170
  • Add support for SSH key authentication using SSH_PRIVATE_KEY_PATH #170
  • Add support for fetching an SSH key from Coder if CODER_AGENT_URL and CODER_AGENT_TOKEN are provided using coder/agentsdk and no SSH_PRIVATE_KEY_PATH is provided. #174
  • Add support for injecting Coder-generated SSH keys to the Coder terraform provider coder/terraform-provider-coder#219

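A model of the host-key behaviour in the plan above, added here as an example and not taken from the thread or from envbuilder's code: a strict check when a known_hosts file is supplied, log-and-accept when none is. The helper names `checkHostKey` and `acceptConnection`, the host names and the key blobs are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample data: placeholder bytes stand in for real host key blobs.
var pinnedKey = base64.StdEncoding.EncodeToString([]byte("constructed-host-key-A"))
var otherKey = base64.StdEncoding.EncodeToString([]byte("constructed-host-key-B"))
var sampleKnownHosts = "# constructed\ngit.example.com,10.0.0.5 ssh-ed25519 " + pinnedKey + "\n"

// fingerprint formats a key blob like OpenSSH's SHA256 fingerprints.
func fingerprint(keyB64 string) string {
	raw, _ := base64.StdEncoding.DecodeString(keyB64)
	sum := sha256.Sum256(raw)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// checkHostKey (hypothetical) returns "match", "mismatch" or "unknown".
func checkHostKey(knownHosts, host, keyType, keyB64 string) string {
	result := "unknown"
	for _, line := range strings.Split(knownHosts, "\n") {
		f := strings.Fields(line)
		// Plain entries only: comments, hashed hosts, wildcards and @markers never match.
		if len(f) < 3 || f[1] != keyType || !strings.Contains(","+f[0]+",", ","+host+",") {
			continue
		}
		if f[2] == keyB64 {
			return "match"
		}
		result = "mismatch" // host is pinned to a different key
	}
	return result
}

// acceptConnection (hypothetical): strict with known_hosts, log-and-accept without.
func acceptConnection(knownHosts, host, keyType, keyB64 string) (bool, string) {
	if knownHosts == "" {
		return true, "UNVERIFIED " + host + " " + fingerprint(keyB64)
	}
	status := checkHostKey(knownHosts, host, keyType, keyB64)
	return status == "match", status + " " + host + " " + fingerprint(keyB64)
}

func main() {
	fmt.Println(acceptConnection("", "git.example.com", "ssh-ed25519", otherKey))
}
```

With the same unexpected key, the strict path refuses the connection while the fallback path accepts it and only records the fingerprint, so the logged fingerprint is the one artifact left to compare against the server's published key.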

mtojek commented on August 11, 2024

Agreed with @johnstcn to resolve it.


johnstcn commented on August 11, 2024

Closing this issue out. A follow-up issue will provide the capability for the Coder terraform provider to inject the user's SSH private key into workspace resources. However, there should be no further changes required in envbuilder to support this.
