},

{

"title": "Generate a Support Bundle",

"description": "Generate and upload a Support Bundle to Coder Support",

"path": "./tutorials/support-bundle.md"

},

{

"title": "Configuring Okta",

"description": "Custom claims/scopes with Okta for group/role sync",

"path": "./tutorials/configuring-okta.md"

},

{

"title": "Google to AWS Federation",

"description": "Federating a Google Cloud service account to AWS",

"path": "./tutorials/gcp-to-aws.md"

},

{

"title": "JFrog Artifactory Integration",

"description": "Integrate Coder with JFrog Artifactory",

"path": "./tutorials/artifactory-integration.md"

},

{

"title": "Island Secure Browser Integration",

"description": "Integrate Coder with Island's Secure Browser",

"path": "./tutorials/island-integration.md"

},

{

"title": "Template ImagePullSecrets",

"description": "Creating ImagePullSecrets for private registries",

"path": "./tutorials/image-pull-secret.md"

},

{

"title": "Postgres SSL",

"description": "Configure Coder to connect to Postgres over SSL",

"path": "./tutorials/postgres-ssl.md"

},

{

"title": "Azure Federation",

"description": "Federating Coder to Azure",

"path": "./tutorials/azure-federation.md"

},

{

"title": "Scanning Coder Workspaces with JFrog Xray",

"description": "Integrate Coder with JFrog Xray",

"path": "./tutorials/xray-integration.md"

Here you can find a list of employee-written tutorials on Coder for OSS and

Enterprise. These are hosted on our

[Github](https://github.com/coder/coder/) where you can leave feedback or

request new topics to be covered.

<children>

This page is rendered on https://coder.com/docs/v2/latest/guides. Refer to the other documents in the `guides/` directory for specific employee-written guides.

</children>

<div>

<a href="https://github.com/matifali" style="text-decoration: none; color: inherit;">

<span style="vertical-align:middle;">M Atif Ali</span>

<img src="https://github.com/matifali.png" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/>

</a>

</div>

January 24, 2024

Use Coder and JFrog Artifactory together to secure your development environments

without disturbing your developers' existing workflows.

This guide will demonstrate how to use JFrog Artifactory as a package registry

within a workspace.

- A JFrog Artifactory instance

- 1:1 mapping of users in Coder to users in Artifactory by email address or

username

- Repositories configured in Artifactory for each package manager you want to

use

The most straight-forward way to authenticate your template with Artifactory is

by using our official Coder [modules](https://registry.coder.com). We publish

two type of modules that automate the JFrog Artifactory and Coder integration.

1. [JFrog-OAuth](https://registry.coder.com/modules/jfrog-oauth)

2. [JFrog-Token](https://registry.coder.com/modules/jfrog-token)

This module is usable by JFrog self-hosted (on-premises) Artifactory as it

requires configuring a custom integration. This integration benefits from

Coder's [external-auth](https://coder.com/docs/v2/latest/admin/external-auth)

feature and allows each user to authenticate with Artifactory using an OAuth

flow and issues user-scoped tokens to each user.

To set this up, follow these steps:

1. Modify your Helm chart `values.yaml` for JFrog Artifactory to add,

artifactory:

enabled: true

frontend:

extraEnvironmentVariables:

- name: JF_FRONTEND_FEATURETOGGLER_ACCESSINTEGRATION

value: "true"

access:

accessConfig:

integrations-enabled: true

integration-templates:

- id: "1"

name: "CODER"

redirect-uri: "https://CODER_URL/external-auth/jfrog/callback"

scope: "applied-permissions/user"

<https://JFROG_URL/ui/admin/configuration/integrations/new> and select the

Application Type as the integration you created in step 1.

[external authentication](https://coder.com/docs/v2/latest/admin/external-auth)

to Coder by setting these env variables,

[JFrog-OAuth](https://registry.coder.com/modules/jfrog-oauth) module to

configure the integration.

To set this up, follow these steps:

[admin token](https://registry.terraform.io/providers/jfrog/artifactory/latest/docs#access-token)

with scope `applied-permissions/admin`.

[JFrog-Token](https://registry.coder.com/modules/jfrog-token) module to

configure the integration and pass the admin token. It is recommended to

store the token in a sensitive terraform variable to prevent it from being

displayed in plain text in the terraform state.

- See the full example template

[here](https://github.com/coder/coder/tree/main/examples/jfrog/docker).

- To serve extensions from your own VS Code Marketplace, check out

[code-marketplace](https://github.com/coder/code-marketplace#artifactory-storage).

- To store templates in Artifactory, check out our

[Artifactory modules](../templates/modules.md#artifactory) docs.

<div>

<a href="https://github.com/ericpaulsen" style="text-decoration: none; color: inherit;">

<span style="vertical-align:middle;">Eric Paulsen</span>

<img src="https://github.com/ericpaulsen.png" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/>

</a>

</div>

January 26, 2024

This guide will walkthrough how to authenticate a Coder Provisioner to Microsoft

Azure, using a Service Principal with a client certificate. You can use this

guide for authenticating Coder to Azure, regardless of where Coder is run,

either on-premise or in a non-Azure cloud. This method is one of several

[recommended by Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure).

We'll need to create the certificate Coder will use for authentication. Run the

below command to generate a private key and self-signed certificate:

Next, generate a `.pfx` file to be used by Coder's Provisioner to authenticate

the AzureRM provider:

Navigate to the Azure portal, and into the Microsoft Entra ID section. Select

the App Registration blade, and register a new application. Fill in the

following fields:

- **Name**: this is a friendly identifier and can be anything (e.g. "Coder")

- **Supported Account Types**: - set to "Accounts in this organizational

directory only (single-tenant)"

The **Redirect URI** field does not need to be set in this case. Take note of

the `Application (client) ID` and `Directory (tenant) ID` values, which will be

used by Coder.

To upload the certificate we created in Step 1, select **Certificates &

secrets** on the left-hand side, and select **Upload Certificate**. Upload the

public key file, which is `service-principal.crt` from the example above.

Now that the Application is created in Microsoft Entra ID, we need to assign

permissions to the Service Principal so it can provision Azure resources for

Coder users. Navigate to the Subscriptions blade in the Azure Portal, select the

**Subscription > Access Control (IAM) > Add > Add role assignment**.

Set the **Role** that grants the appropriate permissions to create the Azure

resources you need for your Coder workspaces. `Contributor` will provide

Read/Write on all Subscription resources. For more information on the available

roles, see the

[Microsoft documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).

Now that the client certificate is uploaded to Azure, we need to mount the

certificate files into the Coder deployment. If running Coder on Kubernetes, you

will need to create the `.pfx` file as a Kubernetes secret, and mount it into

the Helm chart.

Run the below command to create the secret:

In addition, create secrets for each of the following values from your Azure

Application:

- Client ID

- Tenant ID

- Subscription ID

- Certificate password

Next, set the following values in Coder's Helm chart:

coder:

env:

- name: ARM_CLIENT_ID

valueFrom:

secretKeyRef:

key: id

name: arm-client-id

- name: ARM_CLIENT_CERTIFICATE_PATH

value: /home/coder/az/

- name: ARM_CLIENT_CERTIFICATE_PASSWORD

valueFrom:

secretKeyRef:

key: password

name: arm-client-cert-password

- name: ARM_TENANT_ID

valueFrom:

secretKeyRef:

key: id

name: arm-tenant-id

- name: ARM_SUBSCRIPTION_ID

valueFrom:

secretKeyRef:

key: id

name: arm-subscription-id

volumes:

- name: "azure-client-cert"

secret:

secretName: "azure-client-cert-secret"

volumeMounts:

- name: "azure-client-cert"

mountPath: "/home/coder/az/"

readOnly: true