feat: Add tunnel by default (#4399)

* feat: Add tunnel by default If an access URL is not specified, we will always tunnel. This is from community-member feedback who exclaimed that it's confusing having the default for `coder server` display a warning message, and I agree. There is very little (maybe none) in running `coder server` without tunnel and without an access URL, so this seems like overall a much better UX. * Update install.sh Co-authored-by: Ben Potter <ben@coder.com> * Update docs/install/packages.md Co-authored-by: Ben Potter <ben@coder.com> * Fix reset pass test * Fix e2e test Co-authored-by: Ben Potter <ben@coder.com>
coder · sreya · Oct 10, 2022 · Oct 4, 2022 · Oct 4, 2022 · Oct 4, 2022
commit 3cc77d96eb35512ec70f6e89b2d2d73cc0f680ea
diff --git a/README.md b/README.md
@@ -58,7 +58,7 @@ Once installed, you can start a production deployment<sup>1</sup> with a single
 
 ```sh
 # Automatically sets up an external access URL on *.try.coder.app
-coder server --tunnel
+coder server
 
 # Requires a PostgreSQL instance and external access URL
 coder server --postgres-url <url> --access-url <url>

diff --git a/cli/resetpassword_test.go b/cli/resetpassword_test.go
@@ -41,6 +41,7 @@ func TestResetPassword(t *testing.T) {
 	serverCmd, cfg := clitest.New(t,
 		"server",
 		"--address", ":0",
+		"--access-url", "example.com",
 		"--postgres-url", connectionURL,
 		"--cache-dir", t.TempDir(),
 	)

diff --git a/cli/server.go b/cli/server.go
@@ -111,7 +111,6 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 		tlsEnable                        bool
 		tlsKeyFiles                      []string
 		tlsMinVersion                    string
-		tunnel                           bool
 		traceEnable                      bool
 		secureAuthCookie                 bool
 		sshKeygenAlgorithmRaw            string
@@ -243,26 +242,23 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 			if tlsEnable {
 				localURL.Scheme = "https"
 			}
-			if accessURL == "" {
-				accessURL = localURL.String()
-			}
 
 			var (
 				ctxTunnel, closeTunnel = context.WithCancel(ctx)
-				devTunnel              *devtunnel.Tunnel
-				devTunnelErr           <-chan error
+				tunnel                 *devtunnel.Tunnel
+				tunnelErr              <-chan error
 			)
 			defer closeTunnel()
 
-			// If we're attempting to tunnel in dev-mode, the access URL
-			// needs to be changed to use the tunnel.
-			if tunnel {
-				cmd.Printf("Opening tunnel so workspaces can connect to your deployment\n")
-				devTunnel, devTunnelErr, err = devtunnel.New(ctxTunnel, logger.Named("devtunnel"))
+			// If the access URL is empty, we attempt to run a reverse-proxy tunnel
+			// to make the initial setup really simple.
+			if accessURL == "" {
+				cmd.Printf("Opening tunnel so workspaces can connect to your deployment. For production scenarios, specify an external access URL\n")
+				tunnel, tunnelErr, err = devtunnel.New(ctxTunnel, logger.Named("devtunnel"))
 				if err != nil {
 					return xerrors.Errorf("create tunnel: %w", err)
 				}
-				accessURL = devTunnel.URL
+				accessURL = tunnel.URL
 			}
 
 			accessURLParsed, err := parseURL(ctx, accessURL)
@@ -288,11 +284,11 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 				if isLocal {
 					reason = "isn't externally reachable"
 				}
-				cmd.Printf("%s The access URL %s %s, this may cause unexpected problems when creating workspaces. Generate a unique *.try.coder.app URL with:\n", cliui.Styles.Warn.Render("Warning:"), cliui.Styles.Field.Render(accessURLParsed.String()), reason)
-				cmd.Println(cliui.Styles.Code.Render(strings.Join(os.Args, " ") + " --tunnel"))
+				cmd.Printf("%s The access URL %s %s, this may cause unexpected problems when creating workspaces. Generate a unique *.try.coder.app URL by not specifying an access URL.\n", cliui.Styles.Warn.Render("Warning:"), cliui.Styles.Field.Render(accessURLParsed.String()), reason)
 			}
 
-			cmd.Printf("View the Web UI: %s\n", accessURLParsed.String())
+			// A newline is added before for visibility in terminal output.
+			cmd.Printf("\nView the Web UI: %s\n", accessURLParsed.String())
 
 			// Used for zero-trust instance identity with Google Cloud.
 			googleTokenValidator, err := idtoken.NewValidator(ctx, option.WithoutAuthentication())
@@ -472,7 +468,7 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 					OIDCIssuerURL:   oidcIssuerURL,
 					Prometheus:      promEnabled,
 					STUN:            len(derpServerSTUNAddrs) != 0,
-					Tunnel:          tunnel,
+					Tunnel:          tunnel != nil,
 				})
 				if err != nil {
 					return xerrors.Errorf("create telemetry reporter: %w", err)
@@ -569,17 +565,17 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 			eg.Go(func() error {
 				// Make sure to close the tunnel listener if we exit so the
 				// errgroup doesn't wait forever!
-				if tunnel {
-					defer devTunnel.Listener.Close()
+				if tunnel != nil {
+					defer tunnel.Listener.Close()
 				}
 
 				return server.Serve(listener)
 			})
-			if tunnel {
+			if tunnel != nil {
 				eg.Go(func() error {
 					defer listener.Close()
 
-					return server.Serve(devTunnel.Listener)
+					return server.Serve(tunnel.Listener)
 				})
 			}
 			go func() {
@@ -624,7 +620,7 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 				_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Bold.Render(
 					"Interrupt caught, gracefully exiting. Use ctrl+\\ to force quit",
 				))
-			case exitErr = <-devTunnelErr:
+			case exitErr = <-tunnelErr:
 				if exitErr == nil {
 					exitErr = xerrors.New("dev tunnel closed unexpectedly")
 				}
@@ -650,9 +646,9 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 			// in-flight requests, give in-flight requests 5 seconds to
 			// complete.
 			cmd.Println("Shutting down API server...")
-			err = shutdownWithTimeout(server.Shutdown, 5*time.Second)
+			err = shutdownWithTimeout(server.Shutdown, 3*time.Second)
 			if err != nil {
-				cmd.Printf("API server shutdown took longer than 5s: %s", err)
+				cmd.Printf("API server shutdown took longer than 3s: %s\n", err)
 			} else {
 				cmd.Printf("Gracefully shut down API server\n")
 			}
@@ -694,10 +690,10 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 			cmd.Println("Done waiting for WebSocket connections")
 
 			// Close tunnel after we no longer have in-flight connections.
-			if tunnel {
+			if tunnel != nil {
 				cmd.Println("Waiting for tunnel to close...")
 				closeTunnel()
-				<-devTunnelErr
+				<-tunnelErr
 				cmd.Println("Done waiting for tunnel")
 			}
 
@@ -855,8 +851,6 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 		"Paths to the private keys for each of the certificates. It requires a PEM-encoded file")
 	cliflag.StringVarP(root.Flags(), &tlsMinVersion, "tls-min-version", "", "CODER_TLS_MIN_VERSION", "tls12",
 		`Minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13"`)
-	cliflag.BoolVarP(root.Flags(), &tunnel, "tunnel", "", "CODER_TUNNEL", false,
-		"Workspaces must be able to reach the `access-url`. This overrides your access URL with a public access URL that tunnels your Coder deployment.")
 	cliflag.BoolVarP(root.Flags(), &traceEnable, "trace", "", "CODER_TRACE", false,
 		"Whether application tracing data is collected.")
 	cliflag.BoolVarP(root.Flags(), &secureAuthCookie, "secure-auth-cookie", "", "CODER_SECURE_AUTH_COOKIE", false,

diff --git a/cli/server_test.go b/cli/server_test.go
@@ -56,6 +56,7 @@ func TestServer(t *testing.T) {
 		root, cfg := clitest.New(t,
 			"server",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--postgres-url", connectionURL,
 			"--cache-dir", t.TempDir(),
 		)
@@ -87,6 +88,7 @@ func TestServer(t *testing.T) {
 		root, cfg := clitest.New(t,
 			"server",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--cache-dir", t.TempDir(),
 		)
 		pty := ptytest.New(t)
@@ -159,6 +161,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--access-url", "foobarbaz.mydomain",
 			"--cache-dir", t.TempDir(),
 		)
@@ -189,6 +192,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--access-url", "https://google.com",
 			"--cache-dir", t.TempDir(),
 		)
@@ -218,6 +222,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--tls-enable",
 			"--tls-min-version", "tls9",
 			"--cache-dir", t.TempDir(),
@@ -234,6 +239,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--tls-enable",
 			"--tls-client-auth", "something",
 			"--cache-dir", t.TempDir(),
@@ -290,6 +296,7 @@ func TestServer(t *testing.T) {
 					"server",
 					"--in-memory",
 					"--address", ":0",
+					"--access-url", "example.com",
 					"--cache-dir", t.TempDir(),
 				}
 				args = append(args, c.args...)
@@ -310,6 +317,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--tls-enable",
 			"--tls-cert-file", certPath,
 			"--tls-key-file", keyPath,
@@ -349,6 +357,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--tls-enable",
 			"--tls-cert-file", cert1Path,
 			"--tls-key-file", key1Path,
@@ -432,6 +441,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--provisioner-daemons", "1",
 			"--cache-dir", t.TempDir(),
 		)
@@ -458,6 +468,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--trace=true",
 			"--cache-dir", t.TempDir(),
 		)
@@ -495,6 +506,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--telemetry",
 			"--telemetry-url", server.URL,
 			"--cache-dir", t.TempDir(),
@@ -525,6 +537,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--provisioner-daemons", "1",
 			"--prometheus-enable",
 			"--prometheus-address", ":"+strconv.Itoa(randomPort),
@@ -577,6 +590,7 @@ func TestServer(t *testing.T) {
 			"server",
 			"--in-memory",
 			"--address", ":0",
+			"--access-url", "example.com",
 			"--oauth2-github-client-id", "fake",
 			"--oauth2-github-client-secret", "fake",
 			"--oauth2-github-enterprise-base-url", fakeRedirect,

diff --git a/coder.env b/coder.env
@@ -1,11 +1,4 @@
-# Coder must be reachable from an external URL
-# for users and workspaces to connect.
-
-# Option 1) Enable CODER_TUNNEL to generate a
-# unique *. try.coder.com access URL
-CODER_TUNNEL=false
-
-# Option 2) Set an access URL
+# Coder must be reachable from an external URL for users and workspaces to connect.
 # e.g. https://coder.example.com
 CODER_ACCESS_URL=
 

diff --git a/coderd/authorize.go b/coderd/authorize.go
@@ -119,7 +119,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	api.Logger.Warn(ctx, "check-auth",
+	api.Logger.Debug(ctx, "check-auth",
 		slog.F("my_id", httpmw.APIKey(r).UserID),
 		slog.F("got_id", auth.ID),
 		slog.F("name", auth.Username),

diff --git a/coderd/csp.go b/coderd/csp.go
@@ -34,7 +34,7 @@ func (api *API) logReportCSPViolations(rw http.ResponseWriter, r *http.Request)
 	for k, v := range v.Report {
 		fields = append(fields, slog.F(k, v))
 	}
-	api.Logger.Warn(ctx, "csp violation", fields...)
+	api.Logger.Debug(ctx, "csp violation", fields...)
 
 	httpapi.Write(ctx, rw, http.StatusOK, "ok")
 }
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -311,7 +311,7 @@ func (api *API) dialWorkspaceAgentTailnet(r *http.Request, agentID uuid.UUID) (*
 	conn, err := tailnet.NewConn(&tailnet.Options{
 		Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 		DERPMap:   derpMap,
-		Logger:    api.Logger.Named("tailnet").Leveled(slog.LevelDebug),
+		Logger:    api.Logger.Named("tailnet"),
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet conn: %w", err)
@@ -453,7 +453,7 @@ func (api *API) workspaceAgentCoordinate(rw http.ResponseWriter, r *http.Request
 	// Ignore all trace spans after this.
 	ctx = trace.ContextWithSpan(ctx, tracing.NoopSpan)
 
-	api.Logger.Info(ctx, "accepting agent", slog.F("resource", resource), slog.F("agent", workspaceAgent))
+	api.Logger.Info(ctx, "accepting agent", slog.F("agent", workspaceAgent))
 
 	defer conn.Close(websocket.StatusNormalClosure, "")
 

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -13,9 +13,6 @@ services:
       # that workspaces can reach. This cannot be localhost
       # or 127.0.0.1 for non-Docker templates!
       CODER_ACCESS_URL: "${CODER_ACCESS_URL}"
-      # Alternatively, you can enable CODER_TUNNEL for
-      # proof-of-concept deployments.
-      CODER_TUNNEL: "${CODER_TUNNEL:-false}"
     # If the coder user does not have write permissions on
     # the docker socket, you can uncomment the following
     # lines and set the group ID to one that has write

diff --git a/docs/admin/configure.md b/docs/admin/configure.md
@@ -1,11 +1,6 @@
 Coder server's primary configuration is done via environment variables. For a full list
 of the options, run `coder server --help` on the host.
 
-## Tunnel
-
-For proof-of-concept deployments, you can set `CODER_TUNNEL=true` to run Coder on a unique `*.try.coder.app` URL.
-This is a quick way to allow users and workspaces outside your LAN to connect to Coder.
-
 ## Access URL
 
 `CODER_ACCESS_URL` is required if you are not using the tunnel. Set this to the external URL
@@ -14,6 +9,11 @@ should not be localhost.
 
 > Access URL should be a external IP address or domain with DNS records pointing to Coder.
 
+### Tunnel
+
+If an access URL is not specified, Coder will create
+a publicly accessible URL to reverse proxy your deployment for simple setup.
+
 ## Wildcard access URL
 
 `CODER_WILDCARD_ACCESS_URL` is necessary for [port forwarding](../networking/port-forwarding.md#dashboard)

diff --git a/docs/images/quickstart/aws/aws7.png b/docs/images/quickstart/aws/aws7.png
diff --git a/docs/images/quickstart/azure/azure7.png b/docs/images/quickstart/azure/azure7.png
diff --git a/docs/install/binary.md b/docs/install/binary.md
@@ -15,7 +15,7 @@ Coder publishes self-contained .zip and .tar.gz archives in [GitHub releases](ht
 
    ```sh
    # Automatically sets up an external access URL on *.try.coder.app
-   coder server --tunnel
+   coder server
 
    # Requires a PostgreSQL instance and external access URL
    coder server --postgres-url <url> --access-url <url>

diff --git a/docs/install/docker.md b/docs/install/docker.md
@@ -4,7 +4,7 @@ You can install and run Coder using the official Docker images published on [Git
 
 Docker is required. See the [official installation documentation](https://docs.docker.com/install/).
 
-## Run Coder with built-in database and tunnel (quick)
+## Run Coder with the built-in database (quick)
 
 For proof-of-concept deployments, you can run a complete Coder instance with
 the following command:
@@ -14,7 +14,6 @@ export CODER_DATA=$HOME/.config/coderv2-docker
 export DOCKER_GROUP=$(getent group docker | cut -d: -f3)
 mkdir -p $CODER_DATA
 docker run --rm -it \
-  -e CODER_TUNNEL=true \
   -v $CODER_DATA:/home/coder/.config \
   -v /var/run/docker.sock:/var/run/docker.sock \
   --group-add $DOCKER_GROUP \
@@ -68,7 +67,7 @@ an PostgreSQL container and volume.
    ```sh
    cd coder
 
-   CODER_TUNNEL=true docker-compose up
+   docker-compose up
    ```
 
    For production deployments, we recommend setting an [access URL](../admin/configure.md#access-url):
@@ -79,8 +78,6 @@ an PostgreSQL container and volume.
    CODER_ACCESS_URL=https://coder.example.com docker-compose up
    ```
 
-   > Without `CODER_ACCESS_URL` or `CODER_TUNNEL` set, Coder will bind to `localhost:7080`. This will only work for Docker-based templates.
-
 4. Visit the web ui via the configured url. You can add `/login` to the base url to create the first user via the ui.
 
 5. Follow the on-screen instructions log in and create your first template and workspace

diff --git a/docs/install/packages.md b/docs/install/packages.md
@@ -7,7 +7,7 @@
 1. Run Coder as a system service.
 
    ```sh
-   # Set up an access URL or enable CODER_TUNNEL
+   # Optional) Set up an access URL
    sudo vim /etc/coder.d/coder.env
 
    # To systemd to start Coder now and on reboot