From 9dfcbe1edd478a57625f66e58d0c50c2e33cb149 Mon Sep 17 00:00:00 2001
From: Kyle Carberry <kyle@coder.com>
Date: Tue, 19 Apr 2022 20:07:46 +0000
Subject: [PATCH 1/3] example: Add Kubernetes multi-service

---
 examples/kubernetes-multi-service/README.md |  5 ++
 examples/kubernetes-multi-service/main.tf   | 78 +++++++++++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 examples/kubernetes-multi-service/README.md
 create mode 100644 examples/kubernetes-multi-service/main.tf

diff --git a/examples/kubernetes-multi-service/README.md b/examples/kubernetes-multi-service/README.md
new file mode 100644
index 0000000000000..9144f96e4ca23
--- /dev/null
+++ b/examples/kubernetes-multi-service/README.md
@@ -0,0 +1,5 @@
+---
+name: Develop multiple services in Kubernetes
+description: Get started with Kubernetes development.
+tags: [cloud, kubernetes]
+---
diff --git a/examples/kubernetes-multi-service/main.tf b/examples/kubernetes-multi-service/main.tf
new file mode 100644
index 0000000000000..fa54fa403b76b
--- /dev/null
+++ b/examples/kubernetes-multi-service/main.tf
@@ -0,0 +1,78 @@
+terraform {
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = "~> 0.3.1"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.10"
+    }
+  }
+}
+
+provider "kubernetes" {
+  config_path = "~/.kube/config"
+}
+
+data "coder_workspace" "me" {}
+
+resource "coder_agent" "go" {
+  os   = "linux"
+  arch = "amd64"
+}
+
+resource "coder_agent" "java" {
+  os   = "linux"
+  arch = "amd64"
+}
+
+resource "coder_agent" "ubuntu" {
+  os   = "linux"
+  arch = "amd64"
+}
+
+resource "kubernetes_pod" "main" {
+  count = data.coder_workspace.me.start_count
+  metadata {
+    name = "coder-${data.coder_workspace.me.owner}-${data.coder_workspace.me.name}"
+  }
+  spec {
+    container {
+      name    = "go"
+      image   = "mcr.microsoft.com/vscode/devcontainers/go:1"
+      command = ["sh", "-c", coder_agent.go.init_script]
+      security_context {
+        run_as_user = "1000"
+      }
+      env {
+        name  = "CODER_TOKEN"
+        value = coder_agent.go.token
+      }
+    }
+    container {
+      name    = "java"
+      image   = "mcr.microsoft.com/vscode/devcontainers/java"
+      command = ["sh", "-c", coder_agent.java.init_script]
+      security_context {
+        run_as_user = "1000"
+      }
+      env {
+        name  = "CODER_TOKEN"
+        value = coder_agent.java.token
+      }
+    }
+    container {
+      name    = "ubuntu"
+      image   = "mcr.microsoft.com/vscode/devcontainers/base:ubuntu"
+      command = ["sh", "-c", coder_agent.ubuntu.init_script]
+      security_context {
+        run_as_user = "1000"
+      }
+      env {
+        name  = "CODER_TOKEN"
+        value = coder_agent.ubuntu.token
+      }
+    }
+  }
+}

From 7d6bb577ae774ae8c4ea24324ccd158501ff280d Mon Sep 17 00:00:00 2001
From: Ben <ben@coder.com>
Date: Wed, 4 May 2022 23:01:18 +0000
Subject: [PATCH 2/3] fix: change to CODER_AGENT_TOKEN

---
 examples/kubernetes-multi-service/main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/examples/kubernetes-multi-service/main.tf b/examples/kubernetes-multi-service/main.tf
index fa54fa403b76b..f893ec969a34a 100644
--- a/examples/kubernetes-multi-service/main.tf
+++ b/examples/kubernetes-multi-service/main.tf
@@ -46,7 +46,7 @@ resource "kubernetes_pod" "main" {
         run_as_user = "1000"
       }
       env {
-        name  = "CODER_TOKEN"
+        name  = "CODER_AGENT_TOKEN"
         value = coder_agent.go.token
       }
     }
@@ -58,7 +58,7 @@ resource "kubernetes_pod" "main" {
         run_as_user = "1000"
       }
       env {
-        name  = "CODER_TOKEN"
+        name  = "CODER_AGENT_TOKEN"
         value = coder_agent.java.token
       }
     }
@@ -70,7 +70,7 @@ resource "kubernetes_pod" "main" {
         run_as_user = "1000"
       }
       env {
-        name  = "CODER_TOKEN"
+        name  = "CODER_AGENT_TOKEN"
         value = coder_agent.ubuntu.token
       }
     }

From 371dde84234240594a459f4a461a238b67e314b3 Mon Sep 17 00:00:00 2001
From: Ben Potter <ben@coder.com>
Date: Wed, 11 May 2022 13:19:07 -0500
Subject: [PATCH 3/3] example: use ServiceAccount for cluster authentication
 (#1096)

---
 examples/kubernetes-multi-service/README.md | 72 +++++++++++++++++++++
 examples/kubernetes-multi-service/main.tf   | 56 +++++++++++++++-
 2 files changed, 127 insertions(+), 1 deletion(-)

diff --git a/examples/kubernetes-multi-service/README.md b/examples/kubernetes-multi-service/README.md
index 9144f96e4ca23..dd9944f4b227e 100644
--- a/examples/kubernetes-multi-service/README.md
+++ b/examples/kubernetes-multi-service/README.md
@@ -3,3 +3,75 @@ name: Develop multiple services in Kubernetes
 description: Get started with Kubernetes development.
 tags: [cloud, kubernetes]
 ---
+
+# Authentication
+
+This template has several ways to authenticate to a Kubernetes cluster.
+
+## kubeconfig (Coder host)
+
+If the Coder host has a local `~/.kube/config`, this can be used to authenticate with Coder. Make sure this is on the same user running the `coder` service.
+
+## ServiceAccount
+
+Create a ServiceAccount and role on your cluster to authenticate your template with Coder.
+
+1. Run the following command on a device with Kubernetes context:
+
+    ```sh
+    CODER_NAMESPACE=default
+    kubectl apply -n $CODER_NAMESPACE -f - <<EOF
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+    name: coder
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+    name: coder
+    rules:
+    - apiGroups: ["", "apps", "networking.k8s.io"] # "" indicates the core API group
+        resources: ["persistentvolumeclaims", "pods", "deployments", "services", "secrets", "pods/exec","pods/log", "events", "networkpolicies", "serviceaccounts"]
+        verbs: ["create", "get", "list", "watch", "update", "patch", "delete", "deletecollection"]
+    - apiGroups: ["metrics.k8s.io", "storage.k8s.io"]
+        resources: ["pods", "storageclasses"]
+        verbs: ["get", "list", "watch"]
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+    name: coder
+    subjects:
+    - kind: ServiceAccount
+        name: coder
+    roleRef:
+    kind: Role
+    name: coder
+    apiGroup: rbac.authorization.k8s.io
+    EOF
+    ```
+
+   1. Use the following commands to fetch the values:
+
+        **Cluster IP:**
+
+        ```sh
+        kubectl cluster-info | grep "control plane"
+        ```
+
+        **CA certificate**
+
+        ```sh
+        kubectl get secrets -n $CODER_NAMESPACE -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='coder')].data['ca\.crt']}{'\n'}"
+        ```
+
+        **Token**
+
+        ```sh
+        kubectl get secrets -n $CODER_NAMESPACE -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='coder')].data['token']}{'\n'}"
+        ```
+
+        **Namespace**
+
+        This should be the same as `$CODER_NAMESPACE`, set in step 1.
diff --git a/examples/kubernetes-multi-service/main.tf b/examples/kubernetes-multi-service/main.tf
index f893ec969a34a..2ac3685170ac1 100644
--- a/examples/kubernetes-multi-service/main.tf
+++ b/examples/kubernetes-multi-service/main.tf
@@ -11,8 +11,62 @@ terraform {
   }
 }
 
+variable "step1_use_kubeconfig" {
+  type        = bool
+  sensitive   = true
+  description = "Use local ~/.kube/config? (true/false)"
+}
+
+variable "step2_cluster_host" {
+  type        = string
+  sensitive   = true
+  description = <<-EOF
+  Hint: You can use:
+  $ kubectl cluster-info | grep "control plane"
+
+
+  Leave blank if using ~/.kube/config (from step 1)
+  EOF
+}
+
+variable "step3_certificate" {
+  type        = string
+  sensitive   = true
+  description = <<-EOF
+  Use docs at https://github.com/coder/coder/tree/main/examples/kubernetes-multi-service#serviceaccount to create a ServiceAccount for Coder and grab values.
+
+  Enter CA certificate
+
+  Leave blank if using ~/.kube/config (from step 1)
+  EOF
+}
+
+variable "step4_token" {
+  type        = string
+  sensitive   = true
+  description = <<-EOF
+  Enter token (refer to docs at https://github.com/coder/coder/tree/main/examples/kubernetes-multi-service#serviceaccount)
+
+  Leave blank if using ~/.kube/config (from step 1)
+  EOF
+}
+
+variable "step5_coder_namespace" {
+  type        = string
+  sensitive   = true
+  description = <<-EOF
+  Enter namespace (refer to docs at https://github.com/coder/coder/tree/main/examples/kubernetes-multi-service#serviceaccount)
+
+  Leave blank if using ~/.kube/config (from step 1)
+  EOF
+}
+
 provider "kubernetes" {
-  config_path = "~/.kube/config"
+  # Authenticate via ~/.kube/config or a Coder-specific ServiceAccount, depending on admin preferences
+  config_path            = var.step1_use_kubeconfig == true ? "~/.kube/config" : null
+  host                   = var.step1_use_kubeconfig == false ? var.step2_cluster_host : null
+  cluster_ca_certificate = var.step1_use_kubeconfig == false ? base64decode(var.step3_certificate) : null
+  token                  = var.step1_use_kubeconfig == false ? base64decode(var.step4_token) : null
 }
 
 data "coder_workspace" "me" {}