| 1 | +--- |
| 2 | +name: Use Code Server to Develop with Docker |
| 3 | +description: A workspace environment with Code Server and Docker. |
| 4 | +tags: [cloud, kubernetes, linuxserver, code-server, vscode, webide, docker, dind, k8s-dind, dind-rootless] |
| 5 | +--- |
| 6 | + |
| 7 | +# Getting started |
| 8 | + |
| 9 | +This template creates a pod running the [Code-Server](https://github.com/linuxserver/docker-code-server) image from LinuxServer, with Docker support, custom added packages and a [Coder](https://github.com/coder/coder) agent. Docker can safely be reconfigured (enabled/disabled, add/remove persistance) on each launch with the use of parameter files. |
| 10 | + |
| 11 | +## Docker |
| 12 | + |
| 13 | +The workspace can optionally include a sidecar running `docker:dind-rootless`, and automatically installs the selected versions of Docker CLI and Compose from https://download.docker.com/linux/ubuntu/dists/ |
| 14 | + |
| 15 | +If `enable_docker` is false, the Docker sidecar will not be installed and no Docker or package settings will be changed. It is safe to toggle this setting on existing workspaces. No data is removed when Docker is disabled. |
| 16 | + |
| 17 | +If `persist_docker` is true, Docker data will be stored in your home volume and persist across stops and starts. If it is false, the Docker sidecar will use an `emptydir` for storage instead. Emptydir storage does not count against your home volume, but it is irrevocably lost when the workspace is stopped. |
| 18 | + |
| 19 | +It is safe to toggle `persist_docker` on existing workspaces. Data that was saved while the setting is true is retained when the setting is false. It will appear again when the setting is true. |
| 20 | + |
| 21 | +To completely remove Docker data, first set `persist_docker` to false and then remove `~/workspace/.docker-data` from your workspace terminal. |
| 22 | + |
| 23 | +## RBAC |
| 24 | + |
| 25 | +The Coder provisioner requires permission to administer pods and configmaps to use this template. The template |
| 26 | +creates workspaces in a single Kubernetes namespace, using the `workspaces_namespace` parameter set while creating the template. |
| 27 | + |
| 28 | +Create a role as follows and bind it to the user or service account that runs the coder host. If you are using separate namespaces for coder and workspaces, this should be a ClusterRole. |
| 29 | + |
| 30 | +```yaml |
| 31 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 32 | +kind: Role |
| 33 | +metadata: |
| 34 | + name: coder |
| 35 | +rules: |
| 36 | + - apiGroups: [""] |
| 37 | + resources: ["pods"] |
| 38 | + verbs: ["*"] |
| 39 | + - apiGroups: [""] |
| 40 | + resources: ["configmaps"] |
| 41 | + verbs: ["*"] |
| 42 | +``` |
| 43 | +
|
| 44 | +## Authentication |
| 45 | +
|
| 46 | +This template can authenticate using in-cluster authentication, or using a kubeconfig local to the |
| 47 | +Coder host. For additional authentication options, consult the [Kubernetes provider |
| 48 | +documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs). |
| 49 | +
|
| 50 | +### kubeconfig on Coder host |
| 51 | +
|
| 52 | +If the Coder host has a local `~/.kube/config`, you can use this to authenticate |
| 53 | +with Coder. Make sure this is done with same user that's running the `coder` service. |
| 54 | + |
| 55 | +To use this authentication, set the parameter `use_kubeconfig` to true. |
| 56 | + |
| 57 | +### In-cluster authentication |
| 58 | + |
| 59 | +If the Coder host runs in a Pod on the same Kubernetes cluster as you are creating workspaces in, |
| 60 | +you can use in-cluster authentication. |
| 61 | + |
| 62 | +To use this authentication, set the parameter `use_kubeconfig` to false. |
| 63 | + |
| 64 | +The Terraform provisioner will automatically use the service account associated with the pod to |
| 65 | +authenticate to Kubernetes. Be sure to bind a [role with appropriate permission](#rbac) to the |
| 66 | +service account. For example, assuming the Coder host runs in the same namespace as you intend |
| 67 | +to create workspaces: |
| 68 | + |
| 69 | +```yaml |
| 70 | +apiVersion: v1 |
| 71 | +kind: ServiceAccount |
| 72 | +metadata: |
| 73 | + name: coder |
| 74 | +
|
| 75 | +--- |
| 76 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 77 | +kind: RoleBinding |
| 78 | +metadata: |
| 79 | + name: coder |
| 80 | +subjects: |
| 81 | + - kind: ServiceAccount |
| 82 | + name: coder |
| 83 | +roleRef: |
| 84 | + kind: Role |
| 85 | + name: coder |
| 86 | + apiGroup: rbac.authorization.k8s.io |
| 87 | +``` |
| 88 | + |
| 89 | +Then start the Coder host with `serviceAccountName: coder` in the pod spec. |
| 90 | + |
| 91 | +## Namespace |
| 92 | + |
| 93 | +The target namespace in which the pod will be deployed is defined via the `coder_workspace` |
| 94 | +variable. The namespace must exist prior to creating workspaces. |
| 95 | + |
| 96 | +## Persistence |
| 97 | + |
| 98 | +The `/config` directory in this workspace is persisted via the attached PersistentVolumeClaim. |
| 99 | +Any data saved outside of this directory will be lost when the workspace stops. This includes `/usr/local` and any extra system packages installed. |
| 100 | + |
| 101 | +### Persist Docker |
| 102 | + |
| 103 | +If `enable_docker` and `persist_docker` are both true, the `docker` sidecar will use `/config/workspace/.docker-data` to store data such as images, layers and caches. If this is false, Docker data will be lost each time the workspace stops. |
| 104 | + |
| 105 | +If `persist_docker` is `true`, Docker data should be managed only by the Docker CLI (for example, |
| 106 | +`docker system prune -a`). To remove all Docker data, set `persist_docker` to `false` when starting the workspace, then use the terminal to remove `/config/workspace/.docker-data`. |
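Review bot: the Role under "## RBAC" grants `verbs: ["*"]` on `pods` and `configmaps` but has no rule for `persistentvolumeclaims`, yet "## Persistence" states that `/config` is persisted via an attached PersistentVolumeClaim, which the Terraform provisioner has to create and delete with the workspace; add a rule like `resources: ["persistentvolumeclaims"]` with an explicit verb list (create, get, list, watch, update, patch, delete) and use the same explicit list instead of `"*"` for pods and configmaps, so the binding stays at least privilege rather than every verb the API server knows. In the same section, the sentence "If you are using separate namespaces for coder and workspaces, this should be a ClusterRole" should say how to bind it: a RoleBinding in the workspaces namespace whose ServiceAccount subject carries a `namespace:` field (the RoleBinding under "### In-cluster authentication" omits it, which only works in the same-namespace case the text assumes), not a ClusterRoleBinding, otherwise the coder service account can manage pods in every namespace of the cluster. Two naming inconsistencies also need reconciling: "## Namespace" says the target namespace comes from the `coder_workspace` variable while "## RBAC" calls it the `workspaces_namespace` parameter, and "## Docker" tells the user to remove `~/workspace/.docker-data` while "### Persist Docker" gives `/config/workspace/.docker-data` (these coincide only if the home directory is `/config`, which the page never states). Minor: `emptydir` should be `emptyDir`, and "persistance" in the intro paragraph is misspelled.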