NotificationsYou must be signed in to change notification settings
Fork925
Star10.1k

Commita7a7e75

authored

K8s template uses an authenticated environment (#2104)

* feat: K8s template uses authenticated environmentSigned-off-by: Spike Curtis <spike@coder.com>* fmtSigned-off-by: Spike Curtis <spike@coder.com>

1 parenta860b86 commita7a7e75Copy full SHA for a7a7e75

File tree

2 files changed

+64

-105

lines changed

examples/templates/kubernetes-multi-service
- README.md
- main.tf

2 files changed

+64

-105

lines changed

`‎examples/templates/kubernetes-multi-service/README.md`

Lines changed: 52 additions & 56 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,75 +4,71 @@ description: Get started with Kubernetes development.`
`4`	`4`	`tags:[cloud, kubernetes]`
`5`	`5`	`---`
`6`	`6`
`7`		`-#Authentication`
	`7`	`+#Getting started`
`8`	`8`
`9`		`-This template features two ways to authenticate to a Kubernetes cluster.`
	`9`	`+##RBAC`
`10`	`10`
`11`		`-##kubeconfig (Coder host)`
	`11`	`+The Coder provisioner requires permission to administer pods to use this template. The template`
	`12`	+creates workspaces in a single Kubernetes namespace, using the`workspaces_namespace` parameter set
	`13`	`+while creating the template.`
`12`	`14`
`13`		-If the Coder host has a local`~/.kube/config`, you can use this to authenticate
`14`		-with Coder. Make sure this is done with same user that's running the`coder` service.
	`15`	`+Create a role as follows and bind it to the user or service account that runs the coder host.`
`15`	`16`
`16`		`-##ServiceAccount`
	`17`	+```yaml
	`18`	`+apiVersion:rbac.authorization.k8s.io/v1`
	`19`	`+kind:Role`
	`20`	`+metadata:`
	`21`	`+name:coder`
	`22`	`+rules:`
	`23`	`+-apiGroups:[""]`
	`24`	`+resources:["pods"]`
	`25`	`+verbs:["*"]`
	`26`	+```
`17`	`27`
`18`		`-Create a ServiceAccount and role on your cluster to authenticate your template with Coder.`
	`28`	`+## Authentication`
`19`	`29`
`20`		`-1. Run the following command on a device with Kubernetes context:`
	`30`	`+This template can authenticate using in-cluster authentication, or using a kubeconfig local to the`
	`31`	`+Coder host. For additional authentication options, consult the [Kubernetes provider`
	`32`	`+documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs).`
`21`	`33`
`22`		-```sh
`23`		`- CODER_NAMESPACE=default`
`24`		`- kubectl apply -n$CODER_NAMESPACE -f -<<EOF`
`25`		`- apiVersion: v1`
`26`		`- kind: ServiceAccount`
`27`		`- metadata:`
`28`		`- name: coder`
`29`		`- ---`
`30`		`- apiVersion: rbac.authorization.k8s.io/v1`
`31`		`- kind: Role`
`32`		`- metadata:`
`33`		`- name: coder`
`34`		`- rules:`
`35`		`- - apiGroups: ["", "apps", "networking.k8s.io"] # "" indicates the core API group`
`36`		`- resources: ["persistentvolumeclaims", "pods", "deployments", "services", "secrets", "pods/exec","pods/log", "events", "networkpolicies", "serviceaccounts"]`
`37`		`- verbs: ["create", "get", "list", "watch", "update", "patch", "delete", "deletecollection"]`
`38`		`- - apiGroups: ["metrics.k8s.io", "storage.k8s.io"]`
`39`		`- resources: ["pods", "storageclasses"]`
`40`		`- verbs: ["get", "list", "watch"]`
`41`		`- ---`
`42`		`- apiVersion: rbac.authorization.k8s.io/v1`
`43`		`- kind: RoleBinding`
`44`		`- metadata:`
`45`		`- name: coder`
`46`		`- subjects:`
`47`		`- - kind: ServiceAccount`
`48`		`- name: coder`
`49`		`- roleRef:`
`50`		`- kind: Role`
`51`		`- name: coder`
`52`		`- apiGroup: rbac.authorization.k8s.io`
`53`		`- EOF`
`54`		-```
	`34`	`+### kubeconfig on Coder host`
`55`	`35`
`56`		`-1. Use the following commands to fetch the values:`
	`36`	+If the Coder host has a local`~/.kube/config`, you can use this to authenticate
	`37`	+with Coder. Make sure this is done with same user that's running the `coder` service.
	`38`	`+`
	`39`	+To use this authentication, set the parameter `use_kubeconfig` to true.
`57`	`40`
`58`		`-Cluster IP:`
	`41`	`+### In-cluster authentication`
`59`	`42`
`60`		-```sh
`61`		`- kubectl cluster-info \| grep "control plane"`
`62`		-```
	`43`	`+If the Coder host runs in a Pod on the same Kubernetes cluster as you are creating workspaces in,`
	`44`	`+you can use in-cluster authentication.`
`63`	`45`
`64`		`-CA certificate`
	`46`	+To use this authentication, set the parameter `use_kubeconfig` to false.
`65`	`47`
`66`		-```sh
`67`		`- kubectl get secrets -n$CODER_NAMESPACE -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='coder')].data['ca\.crt']}{'\n'}"`
`68`		-```
	`48`	`+The Terraform provisioner will automatically use the service account associated with the pod to`
	`49`	`+authenticate to Kubernetes. Be sure to bind a [role with appropriate permission](#rbac) to the`
	`50`	`+service account. For example, assuming the Coder host runs in the same namespace as you intend`
	`51`	`+to create workspaces:`
`69`	`52`
`70`		`-Token`
	`53`	+```yaml
	`54`	`+apiVersion: v1`
	`55`	`+kind: ServiceAccount`
	`56`	`+metadata:`
	`57`	`+ name: coder`
`71`	`58`
`72`		-```sh
`73`		`- kubectl get secrets -n$CODER_NAMESPACE -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='coder')].data['token']}{'\n'}"`
`74`		-```
	`59`	`+---`
	`60`	`+apiVersion: rbac.authorization.k8s.io/v1`
	`61`	`+kind: RoleBinding`
	`62`	`+metadata:`
	`63`	`+ name: coder`
	`64`	`+subjects:`
	`65`	`+ - kind: ServiceAccount`
	`66`	`+ name: coder`
	`67`	`+roleRef:`
	`68`	`+ kind: Role`
	`69`	`+ name: coder`
	`70`	`+ apiGroup: rbac.authorization.k8s.io`
	`71`	+```
`75`	`72`
`76`		`-Namespace`
	`73`	+Then start the Coder host with `serviceAccountName:coder` in the pod spec.
`77`	`74`
`78`		- This should be the same as`$CODER_NAMESPACE`,setin step 1.

`‎examples/templates/kubernetes-multi-service/main.tf`

Lines changed: 12 additions & 49 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,70 +11,32 @@ terraform {`
`11`	`11`	`}`
`12`	`12`	`}`
`13`	`13`
`14`		`-variable"step1_use_kubeconfig" {`
	`14`	`+variable"use_kubeconfig" {`
`15`	`15`	`type=bool`
`16`	`16`	`sensitive=true`
`17`	`17`	`description=<<-EOF`
`18`	`18`	`Use host kubeconfig? (true/false)`
`19`	`19`
`20`		`- If true, a valid "~/.kube/config" must be present on the Coder host. This`
`21`		- is likely not your local machine unless you are using `coder server --dev.`
`22`		`-`
`23`		`- If false, proceed for instructions creating a ServiceAccount on your existing`
`24`		`- Kubernetes cluster.`
`25`		`- EOF`
`26`		`-}`
`27`		`-`
`28`		`-variable"step2_cluster_host" {`
`29`		`-type=string`
`30`		`-sensitive=true`
`31`		`-description=<<-EOF`
`32`		`- Hint: You can use:`
`33`		`- $ kubectl cluster-info \| grep "control plane"`
`34`		`-`
	`20`	`+ Set this to false if the Coder host is itself running as a Pod on the same`
	`21`	`+ Kubernetes cluster as you are deploying workspaces to.`
`35`	`22`
`36`		`- Leave blank if using ~/.kube/config (from step 1)`
`37`		`- EOF`
`38`		`-}`
`39`		`-`
`40`		`-variable"step3_certificate" {`
`41`		`-type=string`
`42`		`-sensitive=true`
`43`		`-description=<<-EOF`
`44`		`- Use docs at https://github.com/coder/coder/tree/main/examples/templates/kubernetes-multi-service#serviceaccount to create a ServiceAccount for Coder and grab values.`
`45`		`-`
`46`		`- Enter CA certificate`
`47`		`-`
`48`		`- Leave blank if using ~/.kube/config (from step 1)`
`49`		`- EOF`
`50`		`-}`
`51`		`-`
`52`		`-variable"step4_token" {`
`53`		`-type=string`
`54`		`-sensitive=true`
`55`		`-description=<<-EOF`
`56`		`- Enter token (refer to docs at https://github.com/coder/coder/tree/main/examples/templates/kubernetes-multi-service#serviceaccount)`
	`23`	`+ Set this to true if the Coder host is running outside the Kubernetes cluster`
	`24`	`+ for workspaces. A valid "~/.kube/config" must be present on the Coder host. This`
	`25`	+ is likely not your local machine unless you are using `coder server --dev.`
`57`	`26`
`58`		`- Leave blank if using ~/.kube/config (from step 1)`
`59`	`27`	`EOF`
`60`	`28`	`}`
`61`	`29`
`62`		`-variable"step5_coder_namespace" {`
	`30`	`+variable"workspaces_namespace" {`
`63`	`31`	`type=string`
`64`	`32`	`sensitive=true`
`65`		`-description=<<-EOF`
`66`		`- Enter namespace (refer to docs at https://github.com/coder/coder/tree/main/examples/templates/kubernetes-multi-service#serviceaccount)`
`67`		`-`
`68`		`- Leave blank if using ~/.kube/config (from step 1)`
`69`		`- EOF`
	`33`	`+description="The namespace to create workspaces in (must exist prior to creating workspaces)"`
	`34`	`+default="coder-workspaces"`
`70`	`35`	`}`
`71`	`36`
`72`	`37`	`provider"kubernetes" {`
`73`	`38`	`# Authenticate via ~/.kube/config or a Coder-specific ServiceAccount, depending on admin preferences`
`74`		`-config_path=var.step1_use_kubeconfig==true?"~/.kube/config":null`
`75`		`-host=var.step1_use_kubeconfig==false? var.step2_cluster_host:null`
`76`		`-cluster_ca_certificate=var.step1_use_kubeconfig==false?base64decode(var.step3_certificate):null`
`77`		`-token=var.step1_use_kubeconfig==false?base64decode(var.step4_token):null`
	`39`	`+config_path=var.use_kubeconfig==true?"~/.kube/config":null`
`78`	`40`	`}`
`79`	`41`
`80`	`42`	`data"coder_workspace""me" {}`
`@@ -97,7 +59,8 @@ resource "coder_agent" "ubuntu" {`
`97`	`59`	`resource"kubernetes_pod""main" {`
`98`	`60`	`count=data.coder_workspace.me.start_count`
`99`	`61`	`metadata {`
`100`		`-name="coder-${data.coder_workspace.me.owner}-${data.coder_workspace.me.name}"`
	`62`	`+name="coder-${data.coder_workspace.me.owner}-${data.coder_workspace.me.name}"`
	`63`	`+namespace=var.workspaces_namespace`
`101`	`64`	`}`
`102`	`65`	`spec {`
`103`	`66`	`container {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita7a7e75

File tree

2 files changed

2 files changed

`‎examples/templates/kubernetes-multi-service/README.md`

`‎examples/templates/kubernetes-multi-service/main.tf`

0 commit comments