SSH repositories fail to configure with coder

[geiseri]

If I try to use a private git repository over SSH I see the following error:

envbuilder - Build development environments from repositories in a container
#1: 📦 Cloning ssh://[email protected]/hive-io/hive-rest.git to /workspaces/hive-rest.git...
Failed to clone repository: clone "ssh://[email protected]/hive-io/hive-rest.git": error creating SSH agent: "SSH agent requested but SSH_AUTH_SOCK not-specified"
Falling back to the default image...
#2: 🏗️ Building image...
#2: Retrieving image manifest codercom/enterprise-base:ubuntu
#2: Retrieving image codercom/enterprise-base:ubuntu from registry index.docker.io
#2: Built cross stage deps: map[]

I didn't see a way to configure that to use the built in SSH key provided by coder. Is there a missing setting?

[kylecarbs]

We don't support cloning over SSH in envbuilder currently, but it's not something I'm opposed to adding.

Does cloning over HTTP(s) not work for your scenario?

[janLo]

Would it be sufficient to drop an coder agent binary into the envbuilder image and set GIT_SSH_COMMAND=/.envbuilder/coder gitssh -- ?

[kylecarbs]

I think that might work, but it'd need the agent env vars as well.

[chrisspalm]

This would be useful!

[geiseri]

Those are in the user profile right?

[chewbh]

Is there plan to look at implementing this? Support for cloning over SSH in envbuilder will be very useful.

Some developers has preference using SSH over HTTP/S for interacting with git. To them, it is not expected that a devcontainer workspace fail to build due to this, given that they have already configure a SSH key within Coder and that they are force to fallback to use HTTP/S for cloning.

In addition, to support cloning private repos, we specifically need to add additional terraform logic or uses coder_external_auth to configure GIT environment variables in the workspace template.

[nwrkbiz]

Adding support for this, would also provide a simple and secure workaround for #60

[thattolleyguy]

+1 for adding support for this. This is the top reason our company isn't using coder yet

[johnstcn]

There are two main cases to consider here:

1. Local container runtime (for example, local Docker daemon): we can simply use SSH_AUTH_SOCK to get the required credentials, or pass a local SSH key in.
2. Remote container runtime (Kubernetes etc.): we will need some external method of getting git credentials. We can't necessarily expect folks to go storing SSH keys or other credentials in secrets, and I don't see an easy way of magically passing an SSH auth socket to a container running in a Kubernetes cluster. Integrating with Coder using the coder gitssh workflow would seem to be the way to go here.

In the second case, there is a circular dependency where we need the agent to get the git credentials to clone the repo and build the container, but we need to build the container to start the agent. To work around this, we can possibly have envbuilder perform step of getting the git SSH key from Coder using the agent token directly.

[johnstcn]

Plan:

• Add support for reading a SSH private key from a file (SSH_PRIVATE_KEY_PATH) feat: support cloning over SSH via private key auth #170
• Add support for passing in a known_hosts file (SSH_KNOWN_HOSTS_BASE64) (Edit: users can simply mount in a known_hosts file and set SSH_KNOWN_HOSTS if required) feat: support cloning over SSH via private key auth #170
• Add support for performing a SSH keyscan and generating a known_hosts file if no known_hosts file provided (Edit: we can simply use a custom HostKeysCallback that logs and accepts all host keys) feat: support cloning over SSH via private key auth #170
• Add support for SSH key authentication using SSH_PRIVATE_KEY_PATH feat: support cloning over SSH via private key auth #170
• Add support for fetching an SSH key from Coder if CODER_AGENT_URL and CODER_AGENT_TOKEN are provided using coder/agentsdk and no SSH_PRIVATE_KEY_PATH is provided. feat: fetch SSH key from Coder if required #174
• Add support for injecting Coder-generated SSH keys to the Coder terraform provider Add coder_workspace_owner data source terraform-provider-coder#219

[mtojek]

Agreed with @johnstcn to resolve it.

[johnstcn]

Closing this issue out. A follow-up issue will provide the capability for the Coder terraform provider to inject the user's SSH private key into workspace resources. However, there should be no further changes required in envbuilder to support this.