Feature Request: Improve Workspace Recovery if backup/restore only a limited subset #17260

bjornrobertsson · 2025-04-04T12:19:33Z

bjornrobertsson
Apr 4, 2025
Collaborator

Understanding the Coder Agent Authentication Issue with Velero Backup/Restore

When a Workspace and it's resources are restored, i.e. with Velero Backup, the Workspace is running but is not associate correctly and has lost the connection to coderd.

Velero backup supports different methods of backup, i.e. Full:

velero backup create coder-full-backup --include-namespaces coder
velero restore create --from-backup coder-full-backup

Based on the guidance, Coder only suggests backup of the PostgreSQL database: https://coder.com/docs/admin/infrastructure/validated-architectures#disaster-recovery

But for instance related recovery, a smaller subset would include only Workspaces, so you want to restore only ONE Workspace since (reasons vary but a partial backup is logical when addressing a limited problem):

velero backup create $BACKUP_NAME --selector com.coder.workspace.name="$WORKSPACE_NAME" --wait
velero restore create --from-backup $BACKUP_NAME --wait

Status seen in Workspace pod

connecting to coderd  
run exited with error ...  
error= GET https://example.com/api/v2/workspaceagents/me/rpc?version=2.4: unexpected status code 401: Workspace agent not authorized.: Try logging in using 'coder login'.  
Error: The agent cannot authenticate until the workspace provision job has been completed. If the job is no longer running, this agent is invalid.  
connecting to coderd

The issue occurs when restoring a Coder workspace with Velero but is likely to happen with any partial restore.

The expectation to restart the Workspace is valid, and in the restored state, the 'Retry' button is not enabled.

Root Cause Analysis (of the error and Coder GitHub code)

Workspace agents authenticate using a unique token/secret
The token is created and validated during the workspace provisioning job
When restoring from backup, the agent has its old credentials, but the Coder control plane doesn't recognize them since the provision job is no longer active

The key files involved in agent authentication:

coderd/workspaceagents.go - Handles agent authentication and RPC
agent/agent.go - The agent connection logic
provisionersdk/proto/provisioner.go - Defines the provisioning job states

Claude's Suggestions:

I recommend modifying the coderd/workspaceagents.go file to enable a "recovery mode" for agents that have been restored from backup:

// Add to coderd/workspaceagents.go

// authenticateAgent handles workspace agent authentication, with support for restored agents
func (api *API) authenticateAgent(r *http.Request) (*database.WorkspaceAgent, error) {
    token := r.Header.Get(AgentAuthTokenHeader)
    if token == "" {
        return nil, xerrors.New("no agent auth token provided")
    }

    agent, err := api.Database.GetWorkspaceAgentByAuthToken(r.Context(), token)
    if err != nil {
        if !xerrors.Is(err, sql.ErrNoRows) {
            return nil, xerrors.Errorf("get agent by auth token: %w", err)
        }
        
        // Check if this is a restored agent trying to reconnect
        restoredAgent, restoredErr := api.tryAuthenticateRestoredAgent(r.Context(), token)
        if restoredErr == nil && restoredAgent != nil {
            // Found a restored agent, regenerate auth token and return
            return restoredAgent, nil
        }
        
        return nil, xerrors.Errorf("agent auth token invalid: %w", err)
    }

    return agent, nil
}

// tryAuthenticateRestoredAgent attempts to authenticate an agent that may have been restored from backup
func (api *API) tryAuthenticateRestoredAgent(ctx context.Context, token string) (*database.WorkspaceAgent, error) {
    // Try to find an agent that matches the first part of the token (pre-secret portion)
    // This is a heuristic approach - in a real implementation you'd need a more secure method
    tokenParts := strings.Split(token, ".")
    if len(tokenParts) < 2 {
        return nil, xerrors.New("invalid token format")
    }
    
    agentID := tokenParts[0]
    
    agents, err := api.Database.GetWorkspaceAgentsCreatedAfter(ctx, time.Now().Add(-7*24*time.Hour))
    if err != nil {
        return nil, err
    }
    
    // Find a potential restored agent
    for _, agent := range agents {
        if strings.HasPrefix(agent.ID.String(), agentID) {
            // Found a potential match, regenerate auth for this agent
            newToken := uuid.New().String()
            err = api.Database.UpdateWorkspaceAgentAuthToken(ctx, database.UpdateWorkspaceAgentAuthTokenParams{
                ID: agent.ID,
                AuthToken: newToken,
            })
            if err != nil {
                return nil, err
            }
            
            // Log the recovery for audit purposes
            api.Logger.Info(ctx, "restored workspace agent authentication",
                slog.F("agent_id", agent.ID),
                slog.F("workspace_id", agent.WorkspaceID),
            )
            
            return agent, nil
        }
    }
    
    return nil, xerrors.New("no matching restored agent found")
}

// Also add needed database methods to coderd/database/database.go:

// GetWorkspaceAgentsCreatedAfter gets all workspace agents created after the given time
func (q *Q) GetWorkspaceAgentsCreatedAfter(ctx context.Context, after time.Time) ([]database.WorkspaceAgent, error) {
    // Implementation details will depend on your database schema
    // ...
}

// UpdateWorkspaceAgentAuthToken updates the auth token for a workspace agent
func (q *Q) UpdateWorkspaceAgentAuthToken(ctx context.Context, params database.UpdateWorkspaceAgentAuthTokenParams) error {
    // Implementation details will depend on your database schema
    // ...
}

Alternative Approach

Another potentially more secure approach would be to add a recovery endpoint specifically for restored agents:

// In coderd/workspaceagents.go

func (api *API) registerAgentRecoveryHandlers(r *chi.Mux) {
    r.Post("/api/v2/workspaceagents/recovery", api.handleAgentRecovery)
}

func (api *API) handleAgentRecovery(rw http.ResponseWriter, r *http.Request) {
    // Extract agent identity information from request
    var req struct {
        AgentID       string `json:"agent_id"`
        WorkspaceID   string `json:"workspace_id"`
        RecoveryToken string `json:"recovery_token"`  // A token derived from agent's instance data
    }
    
    if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
        httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
            Message: "Invalid request",
            Detail:  err.Error(),
        })
        return
    }
    
    // Validate this is a legitimate agent through instance verification 
    // ...
    
    // Regenerate token and update database
    // ...
    
    // Return new auth token to the agent
}

Implementation Notes

The restoration approach requires careful security consideration to prevent unauthorized access
You should add validation to ensure only legitimate restored agents can recover their authentication
Consider adding a configuration option to disable this feature if not needed
Add logging for audit purposes when agents are restored

This solution allows legitimate restored agents to reconnect while maintaining security. The agent would need to attempt the normal authentication flow first, and if that fails, try the recovery mechanism.

matifali · 2025-04-04T12:28:31Z

matifali
Apr 4, 2025
Maintainer

I don't think there is value in restoring running workspaces (agents). But yes backing up the persistent storage of all workspaces and the Coder DB itself with Valero looks promising.

So I am interested in a use case where we don't have to make any changes in Coder and Valero can work independently.

We can probably do an integration guide on how to configure Valero to perform backups of Coder DB and Coder workspaces.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feature Request: Improve Workspace Recovery if backup/restore only a limited subset #17260

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Feature Request: Improve Workspace Recovery if backup/restore only a limited subset #17260

bjornrobertsson Apr 4, 2025 Collaborator

Understanding the Coder Agent Authentication Issue with Velero Backup/Restore

Velero backup supports different methods of backup, i.e. Full:

Status seen in Workspace pod

Root Cause Analysis (of the error and Coder GitHub code)

Claude's Suggestions:

Alternative Approach

Implementation Notes

Replies: 1 comment

matifali Apr 4, 2025 Maintainer

bjornrobertsson
Apr 4, 2025
Collaborator

matifali
Apr 4, 2025
Maintainer