Coder hardly support self-signed certificates for Agent and vscode extension.

[ArKam]

Hi team,

I'm installing a coder instance on a personal lab (for demo at work) kubernetes, however, even if I can definitely see the potential of such tool, it can't be deployed correctly because as soon as you create a workspace, coder will complain about the workspace not being able to be reached as the agent can't be installed (logs shows an issue with the endpoint URL being a self-signed certificate).

The pretty same issue arise with vscode.

Couldn't we get an option that just ignore self-signed certificate? Something like a switch that would tell the user about the potential security issue he may face and then just do not try to verify self-signed certs?

Here is the issue that I faced with Coder 2.12.6 and vscode extension:

And here are my vscode informations:

[kylecarbs]

You'll have to install the self-signed certificate on your local machine running VS Code as well as the server running Coder.

I believe we support insecure, but it's not particularly recommended.

Can you use a LetsEncrypt certificate instead?

[ArKam]

Unfortunately no, I’m deploying the instance for a demo and this sandbox environment is almost fully offline.

On a lab deployment at home I do use cert-manager and LE yes.

[kylecarbs]

@code-asher do we support insecure for all things?

[code-asher]

For the VS Code plugin, I think the coder.insecure option only works if you also disable VS Code's built-in proxy agent by changing http.proxySupport to off or fallback. Otherwise, it may not use our proxy agent which is where we set the insecure option. So setting both of those might work.

I am not 100% sure if you will also need to fix the malformed self-signed certificate to have the signing capability or if the insecure option will bypass that requirement as well.

[ArKam]

Ok, I'll test all of that that!
Where do I set the coder.insecure tho?

Thanks a lot.

[ArKam]

Ok, I've just verified and set the vscode coder extension setting and it work, the extension is now able to connect to the remote environment.

Only the agent is not able to download properly on the server side (Kubernetes).

For those having the same issue than me regarding the extension, do:

File > Preferences > Settings > Extensions (left navbar under User tab) > Coder > Insecure (true).

[code-asher]

Glad that worked! For the agent I am not actually sure what options we have there for bypassing certificate verification, but could you include your certificate in the image so the agent will accept it? Or actually, probably better to mount it in with Kubernetes.

Edit: took a brief look at the agent and I am pretty sure there are no options to skip verification.

[ArKam]

We could just add a env variable such as insecure_agent_retrieve and use that env variable to craft a curl -k (or curl --insecure) then continue with the current other part of the url.

I've managed to test it on my lab, using --insecure works.

I've also managed to get a working cert-manager provider using LE.

[code-asher]

Yeah, that would make sense.

[bpmct]

Moving to https://github.com/coder/vscode-coder

[code-asher]

I will go ahead and close this since we resolved the VS Code portion, and open another issue for doing something with the agent: coder/coder#14500