Fix agent init: interpolate init_script at plan time via heredoc #44
Merged
Replace the CODER_AGENT_INIT_SCRIPT env var approach with direct Terraform interpolation of coder_agent.main.init_script into the container args using a heredoc. Matches the pattern used by Sentry's GCE startup-script — the script is a literal string in the pod spec, never subject to runtime shell expansion. Drop CODER_AGENT_TOKEN and CODER_AGENT_INIT_SCRIPT env vars (both are embedded in the init script by the Coder provider).
Fixes the 'provider hashes are missing for the current platform (linux_amd64)' warning that appeared on every workspace provision.
Deploying with

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs | opencode-email-worker | e24c005 | Commit Preview URL Branch Preview URL | May 06 2026, 11:06 PM |
The agent init script requires these to connect back to the Coder control plane. CODER_AGENT_URL was missing entirely, causing: error: create agent client: CODER_AGENT_URL must be set
…cript The Coder bootstrap script uses ACCESS_URL and AUTH_TYPE as shell variables to set CODER_AGENT_URL and download the agent binary. When the Coder server's access URL isn't configured, these resolve to empty strings and the agent fails with 'CODER_AGENT_URL must be set'. Set them explicitly as container env vars using data.coder_workspace.me.access_url.
The Coder provider substitutes ACCESS_URL as a literal value into the init script at plan time. When the server's access URL config is empty, the script has literal empty strings for BINARY_URL and CODER_AGENT_URL. After writing the init script to a file via heredoc, sed-patch both lines to inject the correct URL from the CODER_AGENT_URL container env var (set from data.coder_workspace.me.access_url).
data.coder_workspace.me.access_url returns empty because the Coder server doesn't have access_url configured. Hardcode the URL until the server config is fixed.
printenv dumps the raw init script to a file without any shell expansion. Then sed patches the baked-in empty CODER_AGENT_URL and BINARY_URL with the correct server URL before exec'ing.
The Coder provider bakes an empty ACCESS_URL into init_script because the server's access URL isn't configured. Every approach to patch the script fails because the substitution is literal (not a shell var reference). Since the image already has the coder binary, just exec it directly with CODER_AGENT_URL, CODER_AGENT_AUTH, and CODER_AGENT_TOKEN set as container env vars.
The Coder provider bakes empty ACCESS_URL into init_script. Use Terraform's replace() to fix BINARY_URL and CODER_AGENT_URL in the script string at plan time, before it's written to the pod spec. No shell quoting or sed needed.
The Terraform state confirms coder_agent.main.init_script already has the correct BINARY_URL and CODER_AGENT_URL baked in by the provider. The replace() calls and extra env vars were unnecessary. Drop them and use the simple heredoc pattern that matches Sentry's templates.
The heredoc approach fails on Kubernetes because args are serialized as JSON — newlines become literal \n escape sequences and the shell never sees the line breaks that heredoc syntax requires. Pass the init script as an env var instead and use printenv to write it to a file, which preserves newlines correctly. This is the Kubernetes-specific adaptation of the Sentry GCE pattern.
Wrap the gh auth setup-git and git identity configuration block with set +e / set -e so failures in that section (e.g. gh spawning git in a non-repo cwd, network errors, jq parse failures) are logged as warnings instead of aborting the script before exec "$@". The critical setup (volume ownership, mkdir, git init) still runs under set -e. Only the best-effort identity block is relaxed.
… of direct /usr/bin/coder agent Remove the command override that bypassed docker-entrypoint.sh entirely. The image ENTRYPOINT (tini -> docker-entrypoint.sh) now runs first for volume ownership, git init, and gh/git identity setup, then exec's into the Coder init script delivered via the CODER_AGENT_INIT_SCRIPT env var.
…GENT_TOKEN env var
… opencode serve The container command (sh -c init_script) bypasses docker-entrypoint.sh entirely, so OpenCode never gets the environment it needs: no git init, no .opencode session dir, no PVC chown. The coder_script now replicates the critical entrypoint setup before starting opencode serve. Also rename opentower display_name from 'Opentower Webhooks' to 'OpenTower'.
Changes
- Fix agent connectivity — Replace the `CODER_AGENT_INIT_SCRIPT` env var approach with direct Terraform interpolation of `coder_agent.main.init_script` into container `args` using a heredoc. The script is a literal string in the pod spec with no runtime shell expansion — same pattern as Sentry's GCE `startup-script`. Drop `CODER_AGENT_TOKEN` and `CODER_AGENT_INIT_SCRIPT` env vars (both embedded in the init script by the Coder provider). OpenCode is started via `coder_script` after the agent connects.
- Add linux_amd64 provider hashes — Fixes the `.terraform.lock.hcl was modified during init` warning on every workspace provision.
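
Added example, not code from this pull request or from the Coder provider: the commit messages above describe delivering the init script in the `CODER_AGENT_INIT_SCRIPT` env var and writing it out with `printenv` so that it is never subject to shell expansion. The sketch below contrasts that with the same text placed in an unquoted heredoc; the sample script, its URL and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample standing in for coder_agent.main.init_script. It spans
# several lines and contains text a shell would expand: $VAR, $(...), backticks.
SAMPLE_INIT_SCRIPT='#!/bin/sh
set -eu
BINARY_URL="https://coder.example.invalid/bin/coder-linux-amd64"
echo "home=$HOME uid=$(id -u) now=`date +%s`"
exec ./coder agent'

# Env var + printenv: printenv copies the variable's bytes to the file, so no
# shell ever parses the script body while it is being written.
write_via_printenv() {
    CODER_AGENT_INIT_SCRIPT=$SAMPLE_INIT_SCRIPT \
        printenv CODER_AGENT_INIT_SCRIPT > "$1"
}

# Contrast: the script text is pasted into the command string inside an
# unquoted heredoc, so the inner shell expands it before writing the file.
write_via_unquoted_heredoc() {
    sh -c "cat > '$1' <<EOF
$SAMPLE_INIT_SCRIPT
EOF
"
}

# Succeeds only when the file matches the sample (trailing newline ignored).
is_verbatim() {
    [ "$(cat "$1")" = "$SAMPLE_INIT_SCRIPT" ]
}

# Writes the script both ways and reports what survived.
compare_delivery() {
    dir=$(mktemp -d) || return 1
    write_via_printenv "$dir/env.sh"
    write_via_unquoted_heredoc "$dir/heredoc.sh"
    if is_verbatim "$dir/env.sh"; then a=verbatim; else a=altered; fi
    if is_verbatim "$dir/heredoc.sh"; then b=verbatim; else b=altered; fi
    rm -rf "$dir"
    echo "printenv=$a heredoc=$b"
}

compare_delivery
```

The heredoc copy differs because `$HOME`, `$(id -u)` and the backtick command are evaluated at write time rather than when the script later runs.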