feat: gcp SA mounts & gke-pod template

Author: ericpaulsen

.github/workflows/gcp-linux.yml .github/workflows/gke-code-server-pod.yml

@@ -1,12 +1,12 @@
-name: Update gcp-linux template
+name: Update gke-code-server-pod template
 
 on:
   push:
     branches:
       - main
     paths:
-        - "templates/gcp-linux/main.tf"
-        - ".github/workflows/gcp-linux.yml"
+        - "templates/gke-code-server-pod/main.tf"
+        - ".github/workflows/gke-code-server-pod.yml"
   workflow_dispatch:
 
 jobs:
@@ -25,8 +25,8 @@ jobs:
         - name: Update Coder Template
           uses: matifali/update-coder-template@v3
           with:
-            id: gcp-linux
-            dir: templates/gcp-linux
+            id: gke-code-server-pod
+            dir: templates/gke-code-server-pod
             url: https://eric-aks.demo.coder.com
             name: ${{ steps.latest_commit.outputs.hash }}
             message: ${{ steps.commit_title.outputs.title }}

helm/values.yaml

@@ -3,13 +3,15 @@ coder:
   - /bin/sh
   commandArgs:
   - -c
-  # az CLI auth'd via system-assigned identity prior to instantiating Coder server
-  - az login --identity && /opt/coder server
+  # az & gcloud CLIs auth'd prior to instantiating Coder server
+  - az login --identity && gcloud auth activate-service-account --key-file=/var/secrets/gcp/gcp-service-account-key && /opt/coder server
+
   image:
     # custom image with az CLI installed
     repo: "docker.io/ericpaulsen/coder-2.7.0"
-    tag: "az"
+    tag: "multi-cloud"
     pullPolicy: Always
+
   # user-assigned managed identity used for authenticating Terraform to Azure
   podLabels:
     aadpodidbinding: eric-cluster-pod-identity
@@ -22,14 +24,21 @@ coder:
   replicaCount: 1
   serviceAccount:
     workspacePerms: true
+    
   # GCP credentials for Terraform
   volumes:
-  - name: gcp-credential
+  - name: gke-kubeconfig
+    secret:
+      secretName: gke-kubeconfig
+  - name: gcp-service-account-key
     secret:
-      secretName: gcp-credential
+      secretName: gcp-service-account-key
   volumeMounts:
-  - name: gcp-credential
-    mountPath: /var/secrets/google
+  - name: gke-kubeconfig
+    mountPath: /var/secrets/gke
+    readOnly: false
+  - name: gcp-service-account-key
+    mountPath: /var/secrets/gcp
     readOnly: true
 
 # Coder configuration
@@ -39,13 +48,15 @@ coder:
     value: https://eric-aks.demo.coder.com
   - name: CODER_WILDCARD_ACCESS_URL
     value: '*.eric-aks.demo.coder.com'
+
   # database configuration
   - name: CODER_PG_CONNECTION_URL
     valueFrom:
       secretKeyRef:
         key: url
         # connection URL for Azure Single Server PostgreSQL
         name: azure-db-url
+
   # OIDC/SSO configuration
   - name: CODER_OIDC_ISSUER_URL
     value: https://login.microsoftonline.com/110f0c0f-cd76-4717-a6f8-4eea3d0f8109/v2.0
@@ -69,6 +80,7 @@ coder:
     value: /icon/azure.png
   - name: CODER_DISABLE_PASSWORD_AUTH
     value: "false"
+
   # self-hosted GitLab integration
   - name: CODER_EXTERNAL_AUTH_0_TYPE
     value: gitlab
@@ -92,6 +104,7 @@ coder:
     value: https://owo.codes/oauth/token
   - name: CODER_EXTERNAL_AUTH_0_REGEX
     value: owo\.codes
+
   # GitHub SaaS integration
   - name: CODER_EXTERNAL_AUTH_1_TYPE
     value: github
@@ -107,6 +120,7 @@ coder:
       secretKeyRef:
         key: client-secret
         name: github-secret
+
   # jFrog Artifactory integration
   - name: CODER_EXTERNAL_AUTH_2_TYPE
     value: jfrog
@@ -130,6 +144,7 @@ coder:
     value: /icon/jfrog.svg
   - name: CODER_EXTERNAL_AUTH_2_SCOPES
     value: applied-permissions/user
+
   - name: CODER_SWAGGER_ENABLE
     value: "true" # boolean to enable Swaggger API endpoint, /swagger
   - name: CODER_MAX_TOKEN_LIFETIME
@@ -138,6 +153,7 @@ coder:
     value: "false" # enables browser-only mode, to block SSH connections
   - name: CODER_EXPERIMENTS
     value: workspace_actions,template_update_policies,template_autostop_requirement,deployment_health_page
+
   # networking configuration
   - name: CODER_DERP_CONFIG_URL
     value: https://controlplane.tailscale.com/derpmap/default
@@ -151,6 +167,7 @@ coder:
     value: includeSubDomains,preload # two optional fields can be set in the Strict-Transport-Security header
   - name: CODER_REDIRECT_TO_ACCESS_URL
     value: "false" # specifies whether to redirect requests that do not match the access URL host.
+
   # logging/metrics configuration
   - name: CODER_VERBOSE
     value: "true"

templates/gcp-linux/main.tf

@@ -13,7 +13,7 @@ provider "coder" {
 }
 
 provider "google" {
-  credentials = "/var/secrets/google/gcp-credential"
+  credentials = "/Users/ericpaulsen/code/cdr/k8s/aks/gcp-credential.json"
   zone        = data.coder_parameter.zone.value
   project     = "coder-demo-1"
 }

templates/gke-code-server-pod/README.md

@@ -0,0 +1,73 @@
+---
+name: Develop in a container in a Kubernetes pod
+description: The goal is to enable code-server (VS Code in a browser) 
+tags: [cloud, kubernetes]
+---
+
+# code-server (VS Code) template for a workspace in a GKE pod
+
+### Apps included
+
+1. A web-based terminal
+1. VS Code IDE in a browwser (Coder's `code-server` project)
+
+### Additional input variables and bash scripting
+
+1. Prompt user and clone/install a dotfiles repository (for personalization settings)
+1. Prompt user for compute options (CPU core, memory, and disk)
+1. Prompt user for container image to use
+1. Prompt user for repo to clone
+1. Clone source code repo
+1. Download, install and start latest code-server (VS Code-in-a-browser)
+1. Download, install and start file-browser to show the contents of the `/home/coder` as a `coder_app` and web icon
+1. Add the Access URL and user's Coder session token in the workspace to use the Coder CLI
+
+### Images/languages to choose from
+
+1. NodeJS
+1. Golang
+1. Java
+1. Base (for Rust and Python)
+
+> Note that Rust is installed during the startup script for `~/` configuration
+
+### IDE use
+
+1. While the purpose of this template is to show `code-server` and VS Code in a browser, you can also use the `VS Code Desktop` to download Coder's VS Code extension and the Coder CLI to remotely connect to your Coder workspace from your local installation of VS Code.
+
+### Parameters
+
+Parameters allow users who create workspaces to additional information required in the workspace build. This template will prompt the user for:
+
+1. A Dotfiles repository for workspace personalization `data "coder_parameter" "dotfiles_url"`
+2. The size of the persistent volume claim or `/home/coder` directory `data "coder_parameter" "pvc"`
+
+### Coder session token and Access URL injection
+
+Within the agent resource's `startup_script`:
+
+```hcl
+coder login ${data.coder_workspace.me.access_url} --token ${data.coder_workspace.me.owner_session_token}
+```
+
+### Authentication
+
+This template authenticates to GKE via a mounted `gke-kubeconfig.yaml` on the Coder server.
+
+### Resources
+
+[Coder's Terraform Provider - parameters](https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/parameter)
+
+[NodeJS coder-react repo](https://github.com/mark-theshark/coder-react)
+
+[Coder's GoLang v2 repo](https://github.com/coder/coder)
+
+[Coder's code-server TypeScript repo](https://github.com/coder/code-server)
+
+[Golang command line repo](https://github.com/sharkymark/commissions)
+
+[Java Hello World repo](https://github.com/sharkymark/java_helloworld)
+
+[Rust repo](https://github.com/sharkymark/rust-hw)
+
+[Python repo](https://github.com/sharkymark/python_commissions)