feat: Add workspace proxy enterprise cli commands #7123

chore: Handle custom workspace proxy options. Remove excess
Emyrk committed Apr 17, 2023
commit 0a1af727f91a93361ab0bbc4149a1fa203da311c
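--- a/cli/clibase/option.go
+++ b/cli/clibase/option.go
@@ -80,6 +80,16 @@ func (s *OptionSet) Add(opts ...Option) {
 *s = append(*s, opts...)
 }
 
+func (s OptionSet) Filter(filter func(opt Option) bool) OptionSet {
+cpy := make(OptionSet, 0)
+for _, opt := range s {
+if filter(opt) {
+cpy = append(cpy, opt)
+}
+}
+return cpy
+}
+
 // FlagSet returns a pflag.FlagSet for the OptionSet.
 func (s *OptionSet) FlagSet() *pflag.FlagSet {
 if s == nil {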
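Review bot: The new exported `Filter` method has no doc comment, and nothing tells callers that the result is a shallow copy: `cpy = append(cpy, opt)` copies each Option by value, so a pointer field such as the `Value: &c...` targets set in codersdk/deployment.go still refers to the original storage. I would add `// Filter returns a new OptionSet holding the options for which filter returns true. Options are copied by value; pointer fields still refer to the original targets.` A nil `filter` panics on the first element, which deserves a word in that comment. `make(OptionSet, 0)` could be `var cpy OptionSet` unless a caller depends on a non-nil empty result.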
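--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -333,10 +333,17 @@ type DangerousConfig struct {
 }
 
 const (
-flagEnterpriseKey = "enterprise"
-flagSecretKey = "secret"
+flagEnterpriseKey = "enterprise"
+flagSecretKey = "secret"
+flagExternalProxies = "external_workspace_proxies"
 )
 
+func IsExternalProxies(opt clibase.Option) bool {
+// If it is a bool, use the bool value.
+b, _ := strconv.ParseBool(opt.Annotations[flagExternalProxies])
+return b
+}
+
 func IsSecretDeploymentOption(opt clibase.Option) bool {
 return opt.Annotations.IsSet(flagSecretKey)
 }
@@ -470,6 +477,7 @@ when required by your organization's security policy.`,
 Value: &c.HTTPAddress,
 Group: &deploymentGroupNetworkingHTTP,
 YAML: "httpAddress",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 }
 tlsBindAddress := clibase.Option{
 Name: "TLS Address",
@@ -480,6 +488,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.Address,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "address",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 }
 redirectToAccessURL := clibase.Option{
 Name: "Redirect to Access URL",
@@ -499,6 +508,7 @@ when required by your organization's security policy.`,
 Env: "CODER_ACCESS_URL",
 Group: &deploymentGroupNetworking,
 YAML: "accessURL",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Wildcard Access URL",
@@ -508,6 +518,7 @@ when required by your organization's security policy.`,
 Value: &c.WildcardAccessURL,
 Group: &deploymentGroupNetworking,
 YAML: "wildcardAccessURL",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 redirectToAccessURL,
 {
@@ -534,7 +545,8 @@ when required by your organization's security policy.`,
 httpAddress,
 tlsBindAddress,
 },
-Group: &deploymentGroupNetworking,
+Group: &deploymentGroupNetworking,
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // TLS settings
 {
@@ -545,6 +557,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.Enable,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "enable",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Redirect HTTP to HTTPS",
@@ -557,6 +570,7 @@ when required by your organization's security policy.`,
 UseInstead: clibase.OptionSet{redirectToAccessURL},
 Group: &deploymentGroupNetworkingTLS,
 YAML: "redirectHTTP",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Certificate Files",
@@ -566,6 +580,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.CertFiles,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "certFiles",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Client CA Files",
@@ -575,6 +590,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.ClientCAFile,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "clientCAFile",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Client Auth",
@@ -585,6 +601,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.ClientAuth,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "clientAuth",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Key Files",
@@ -594,6 +611,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.KeyFiles,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "keyFiles",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Minimum Version",
@@ -604,6 +622,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.MinVersion,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "minVersion",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Client Cert File",
@@ -613,6 +632,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.ClientCertFile,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "clientCertFile",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Client Key File",
@@ -622,6 +642,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.ClientKeyFile,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "clientKeyFile",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // Derp settings
 {
@@ -712,6 +733,7 @@ when required by your organization's security policy.`,
 Value: &c.Prometheus.Enable,
 Group: &deploymentGroupIntrospectionPrometheus,
 YAML: "enable",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Prometheus Address",
@@ -722,6 +744,7 @@ when required by your organization's security policy.`,
 Value: &c.Prometheus.Address,
 Group: &deploymentGroupIntrospectionPrometheus,
 YAML: "address",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Prometheus Collect Agent Stats",
@@ -741,6 +764,7 @@ when required by your organization's security policy.`,
 Value: &c.Pprof.Enable,
 Group: &deploymentGroupIntrospectionPPROF,
 YAML: "enable",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "pprof Address",
@@ -751,6 +775,7 @@ when required by your organization's security policy.`,
 Value: &c.Pprof.Address,
 Group: &deploymentGroupIntrospectionPPROF,
 YAML: "address",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // oAuth settings
 {
@@ -1007,13 +1032,14 @@ when required by your organization's security policy.`,
 Value: &c.Trace.Enable,
 Group: &deploymentGroupIntrospectionTracing,
 YAML: "enable",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Trace Honeycomb API Key",
 Description: "Enables trace exporting to Honeycomb.io using the provided API Key.",
 Flag: "trace-honeycomb-api-key",
 Env: "CODER_TRACE_HONEYCOMB_API_KEY",
-Annotations: clibase.Annotations{}.Mark(flagSecretKey, "true"),
+Annotations: clibase.Annotations{}.Mark(flagSecretKey, "true").Mark(flagExternalProxies, "true"),
 Value: &c.Trace.HoneycombAPIKey,
 Group: &deploymentGroupIntrospectionTracing,
 },
@@ -1025,6 +1051,7 @@ when required by your organization's security policy.`,
 Value: &c.Trace.CaptureLogs,
 Group: &deploymentGroupIntrospectionTracing,
 YAML: "captureLogs",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // Provisioner settings
 {
@@ -1074,19 +1101,21 @@ when required by your organization's security policy.`,
 Flag: "dangerous-disable-rate-limits",
 Env: "CODER_DANGEROUS_DISABLE_RATE_LIMITS",
 
-Value: &c.RateLimit.DisableAll,
-Hidden: true,
+Value: &c.RateLimit.DisableAll,
+Hidden: true,
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "API Rate Limit",
 Description: "Maximum number of requests per minute allowed to the API per user, or per IP address for unauthenticated users. Negative values mean no rate limit. Some API endpoints have separate strict rate limits regardless of this value to prevent denial-of-service or brute force attacks.",
 // Change the env from the auto-generated CODER_RATE_LIMIT_API to the
 // old value to avoid breaking existing deployments.
-Env: "CODER_API_RATE_LIMIT",
-Flag: "api-rate-limit",
-Default: "512",
-Value: &c.RateLimit.API,
-Hidden: true,
+Env: "CODER_API_RATE_LIMIT",
+Flag: "api-rate-limit",
+Default: "512",
+Value: &c.RateLimit.API,
+Hidden: true,
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // Logging settings
 {
@@ -1096,9 +1125,10 @@ when required by your organization's security policy.`,
 Env: "CODER_VERBOSE",
 FlagShorthand: "v",
 
-Value: &c.Verbose,
-Group: &deploymentGroupIntrospectionLogging,
-YAML: "verbose",
+Value: &c.Verbose,
+Group: &deploymentGroupIntrospectionLogging,
+YAML: "verbose",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Human Log Location",
@@ -1109,6 +1139,7 @@ when required by your organization's security policy.`,
 Value: &c.Logging.Human,
 Group: &deploymentGroupIntrospectionLogging,
 YAML: "humanPath",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "JSON Log Location",
@@ -1119,6 +1150,7 @@ when required by your organization's security policy.`,
 Value: &c.Logging.JSON,
 Group: &deploymentGroupIntrospectionLogging,
 YAML: "jsonPath",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Stackdriver Log Location",
@@ -1129,6 +1161,7 @@ when required by your organization's security policy.`,
 Value: &c.Logging.Stackdriver,
 Group: &deploymentGroupIntrospectionLogging,
 YAML: "stackdriverPath",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // ☢️ Dangerous settings
 {
@@ -1157,6 +1190,7 @@ when required by your organization's security policy.`,
 Env: "CODER_EXPERIMENTS",
 Value: &c.Experiments,
 YAML: "experiments",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Update Check",
@@ -1199,6 +1233,7 @@ when required by your organization's security policy.`,
 Value: &c.ProxyTrustedHeaders,
 Group: &deploymentGroupNetworking,
 YAML: "proxyTrustedHeaders",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Proxy Trusted Origins",
@@ -1208,6 +1243,7 @@ when required by your organization's security policy.`,
 Value: &c.ProxyTrustedOrigins,
 Group: &deploymentGroupNetworking,
 YAML: "proxyTrustedOrigins",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Cache Directory",
@@ -1243,28 +1279,31 @@ when required by your organization's security policy.`,
 Value: &c.SecureAuthCookie,
 Group: &deploymentGroupNetworking,
 YAML: "secureAuthCookie",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Strict-Transport-Security",
 Description: "Controls if the 'Strict-Transport-Security' header is set on all static file responses. " +
 "This header should only be set if the server is accessed via HTTPS. This value is the MaxAge in seconds of " +
 "the header.",
-Default: "0",
-Flag: "strict-transport-security",
-Env: "CODER_STRICT_TRANSPORT_SECURITY",
-Value: &c.StrictTransportSecurity,
-Group: &deploymentGroupNetworkingTLS,
-YAML: "strictTransportSecurity",
+Default: "0",
+Flag: "strict-transport-security",
+Env: "CODER_STRICT_TRANSPORT_SECURITY",
+Value: &c.StrictTransportSecurity,
+Group: &deploymentGroupNetworkingTLS,
+YAML: "strictTransportSecurity",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Strict-Transport-Security Options",
 Description: "Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. " +
 "The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.",
-Flag: "strict-transport-security-options",
-Env: "CODER_STRICT_TRANSPORT_SECURITY_OPTIONS",
-Value: &c.StrictTransportSecurityOptions,
-Group: &deploymentGroupNetworkingTLS,
-YAML: "strictTransportSecurityOptions",
+Flag: "strict-transport-security-options",
+Env: "CODER_STRICT_TRANSPORT_SECURITY_OPTIONS",
+Value: &c.StrictTransportSecurityOptions,
+Group: &deploymentGroupNetworkingTLS,
+YAML: "strictTransportSecurityOptions",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "SSH Keygen Algorithm",
@@ -1308,7 +1347,7 @@ when required by your organization's security policy.`,
 Description: "Whether Coder only allows connections to workspaces via the browser.",
 Flag: "browser-only",
 Env: "CODER_BROWSER_ONLY",
-Annotations: clibase.Annotations{}.Mark(flagEnterpriseKey, "true"),
+Annotations: clibase.Annotations{}.Mark(flagEnterpriseKey, "true").Mark(flagExternalProxies, "true"),
 Value: &c.BrowserOnly,
 Group: &deploymentGroupNetworking,
 YAML: "browserOnly",
@@ -1328,17 +1367,19 @@ when required by your organization's security policy.`,
 Flag: "disable-path-apps",
 Env: "CODER_DISABLE_PATH_APPS",
 
-Value: &c.DisablePathApps,
-YAML: "disablePathApps",
+Value: &c.DisablePathApps,
+YAML: "disablePathApps",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Disable Owner Workspace Access",
 Description: "Remove the permission for the 'owner' role to have workspace execution on all workspaces. This prevents the 'owner' from ssh, apps, and terminal access based on the 'owner' role. They still have their user permissions to access their own workspaces.",
 Flag: "disable-owner-workspace-access",
 Env: "CODER_DISABLE_OWNER_WORKSPACE_ACCESS",
 
-Value: &c.DisableOwnerWorkspaceExec,
-YAML: "disableOwnerWorkspaceAccess",
+Value: &c.DisableOwnerWorkspaceExec,
+YAML: "disableOwnerWorkspaceAccess",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Session Duration",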
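Review bot: `IsExternalProxies` in the first hunk discards the `strconv.ParseBool` error, so an annotation value that is not a bool string is treated exactly like an unmarked option, and the exported function has no doc comment saying so. The result is fail-closed, which is the safer direction, but it should be stated, e.g. `// IsExternalProxies reports whether opt is marked for external workspace proxies; a missing or unparseable annotation counts as false.` The marker is also applied by hand at more than thirty option literals in the later hunks, among them `dangerous-disable-rate-limits`, the pprof options and the secret-annotated Honeycomb API key. A test that pins the names returned by filtering on this predicate would make any later change to that set visible in review. How the proxy command consumes the filtered set, and whether it still honours `flagSecretKey`, is outside these hunks.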