- Notifications
You must be signed in to change notification settings - Fork926
feat(provisioner): pass owner git ssh key#13366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Uh oh!
There was an error while loading.Please reload this page.
| @@ -202,6 +202,8 @@ func provisionEnv( | |||
| "CODER_WORKSPACE_OWNER_NAME="+metadata.GetWorkspaceOwnerName(), | |||
| "CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN="+metadata.GetWorkspaceOwnerOidcAccessToken(), | |||
| "CODER_WORKSPACE_OWNER_GROUPS="+string(ownerGroups), | |||
| "CODER_WORKSPACE_OWNER_SSH_PUBLIC_KEY="+metadata.GetWorkspaceOwnerSshPublicKey(), | |||
| "CODER_WORKSPACE_OWNER_SSH_PRIVATE_KEY="+metadata.GetWorkspaceOwnerSshPrivateKey(), | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Is this safe to do?
I suppose if the provisioner is compromised all bets are off, but just curious if there is anything we should be sensitive to here in relation to passing the privkey around.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The safety of these values is predicated on
a) trusting the provisioner that's executing the job,
b) trusting the communication channel between the provisioner and coder.
So if someone can either access the environment variables of theterraform-provider-coder process, or intercept the communication path between provisionerd and coderd, then all bets are off.
Apart from that, this is a sensitive variable just like the OIDC access token or Coder session token that get passed in the same way.
2254e0e to3a9a7d1CompareThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I'd like to see a bit more error handling, but other than that, LGTM!
Uh oh!
There was an error while loading.Please reload this page.
cca3cb1 intomainUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Related tocoder/terraform-provider-coder#219
Passes owner git SSH key to proto metadata that gets passed to the terraform provider.
NOTE: requires a release of coder/terraform-provider-coder before merge.