feat(coder/modules/boundary): add boundary module#840
Pull request overview
Adds a new coder/boundary registry module intended to set up Boundary-related tooling for Coder workspaces.
Changes:
- Introduces a Boundary install/setup shell script that can compile from source, install from release, or rely on `coder boundary`.
- Adds a Terraform module (`main.tf`) that deploys and runs the install script on an agent.
- Adds module README and Terraform native tests (`.tftest.hcl`).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| registry/coder/modules/boundary/scripts/install.sh | Installs Boundary (or validates coder boundary) and generates a wrapper script. |
| registry/coder/modules/boundary/main.tf | Defines module variables and a coder_script to deliver/execute install.sh. |
| registry/coder/modules/boundary/README.md | Documents module usage and examples. |
| registry/coder/modules/boundary/boundary.tftest.hcl | Adds Terraform plan-time assertions for basic module wiring. |
…lation and execution
| source = "git::https://github.com/coder/registry.git//registry/coder/modules/coder-utils?ref=feat/coder-utils-optional-install-start" | ||
| # version = "1.0.1" |
This module depends on coder-utils via a Git source pinned to a feature branch (ref=feat/coder-utils-optional-install-start). For a published registry module, this is brittle (branch rename/deletion breaks installs) and makes upgrades non-reproducible. Prefer depending on a tagged release/commit SHA (or a registry-published module version) and remove the commented-out version line once a stable version is available.
| source = "git::https://github.com/coder/registry.git//registry/coder/modules/coder-utils?ref=feat/coder-utils-optional-install-start" | |
| # version = "1.0.1" | |
| source = "coder/coder-utils/coder" | |
| version = "1.0.1" |
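Review bot: The suggested `source = "coder/coder-utils/coder"` at `version = "1.0.1"` drops the `feat/coder-utils-optional-install-start` ref entirely; before accepting it, confirm that the published 1.0.1 actually ships the optional install/start behaviour that branch name refers to, otherwise switching to the registry version silently changes what this module installs and starts.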
will be resolved later
| cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF' | ||
| #!/usr/bin/env bash | ||
| set -euo pipefail | ||
| exec boundary -- "$@" | ||
| WRAPPER_EOF | ||
| else | ||
| # Use coder boundary subcommand (default) | ||
| # Copy coder binary to strip CAP_NET_ADMIN capabilities. | ||
| # This is necessary because boundary doesn't work with privileged binaries | ||
| # (you can't launch privileged binaries inside network namespaces unless | ||
| # you have sys_admin). | ||
| CODER_NO_CAPS="${module_path}/coder-no-caps" | ||
| if ! cp "$(command -v coder)" "${CODER_NO_CAPS}"; then | ||
| echo "Error: Failed to copy coder binary to ${CODER_NO_CAPS}. boundary cannot be enabled." >&2 | ||
| exit 1 | ||
| fi | ||
| cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF' | ||
| #!/usr/bin/env bash | ||
| set -euo pipefail | ||
| SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" | ||
| exec "${SCRIPT_DIR}/coder-no-caps" boundary -- "$@" | ||
| WRAPPER_EOF |
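Review bot: The `cp "$(command -v coder)" "${CODER_NO_CAPS}"` copy is made once at install time, so if the agent's `coder` binary is later upgraded the wrapper keeps exec'ing a stale `coder-no-caps`; consider re-copying whenever `cmp -s "$(command -v coder)" "${CODER_NO_CAPS}"` reports a difference. The comment says the copy strips CAP_NET_ADMIN, but that only holds because `cp` does not preserve the `security.capability` xattr by default; a `getcap "${CODER_NO_CAPS}"` check right after the copy would make that intent explicit and fail early if the capability survived.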
The generated wrapper scripts always inject a -- separator (exec boundary -- "$@" / exec ... boundary -- "$@"). This prevents passing boundary flags through the wrapper (e.g. --help, -h, or any future boundary options) and will also cause the wrapper to try to execute --help as a command when invoked as boundary-wrapper.sh --help. Consider handling --help/flag-only invocations separately (invoke boundary --help / coder boundary --help without the --), and only insert -- when the first arg is the command to run in the namespace.
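A wrapper generator that implements the flag handling the comment above asks for, added here as an illustration (not code from the PR or from coder/registry): it inserts `--` only when the first argument is the command to isolate, forwards flag-only invocations such as `--help` untouched, and checks itself against a constructed stub binary. The function names `write_boundary_wrapper` and `wrapper_argv` are assumptions.

```shell
#!/bin/sh
set -eu

# Write a wrapper at $1 that execs binary $2 (e.g. "boundary", or the
# "coder-no-caps" copy) with optional fixed subcommand $3 (e.g. "boundary").
# "--" is inserted only when the wrapper's first argument is the command to
# isolate; flag-only calls (--help, -h, future options) and calls that already
# carry "--" are forwarded untouched. Assumes $2 and $3 contain no single
# quote, since they are embedded in the wrapper inside single quotes.
write_boundary_wrapper() {
  path="$1"; bin="$2"; sub="${3:-}"
  {
    printf '#!/bin/sh\nset -eu\n'
    printf "BIN='%s'\nSUB='%s'\n" "$bin" "$sub"
    cat << 'WRAPPER_EOF'
if [ "$#" -gt 0 ]; then
  case "$1" in
    --|-*) ;;                # flags or explicit separator: pass through as-is
    *)     set -- -- "$@" ;; # command first: keep it behind the separator
  esac
fi
exec "$BIN" ${SUB:+"$SUB"} "$@"
WRAPPER_EOF
  } > "$path"
  chmod 0755 "$path"
}

# Offline self-check: a constructed stub that echoes its argv stands in for the
# real binary. Prints the argv the stub received, space-separated, e.g.
# `wrapper_argv curl https://example.com` -> "boundary -- curl https://example.com".
wrapper_argv() {
  dir="$(mktemp -d)"
  printf '#!/bin/sh\nprintf "%%s\\n" "$@"\n' > "$dir/stub"
  chmod 0755 "$dir/stub"
  write_boundary_wrapper "$dir/boundary-wrapper.sh" "$dir/stub" boundary
  "$dir/boundary-wrapper.sh" "$@" | paste -s -d ' ' -
  rm -rf "$dir"
}

wrapper_argv --help   # flags reach boundary itself: "boundary --help"
```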
…missing mock support

Three root causes:
1. boundary_script_destination used 'install.sh' - same filename that coder-utils writes to. This caused the running script to overwrite itself, corrupting bash's incremental read and producing empty install.log / no wrapper. Fix: rename to 'boundary-install.sh'.
2. coder-mock.sh didn't handle 'coder exp sync' commands used by coder-utils for script ordering. With set -o errexit, scripts failed immediately. Fix: add exp sync as no-op (exit 0).
3. Test setup used setupUtil which only extracts ONE coder_script, but coder-utils creates multiple (pre_install, install, post_install). Fix: extract all coder_scripts from terraform state and run them sequentially in lifecycle order.
4. wrapper-script-execution test called 'wrapper.sh --help' which the mock couldn't handle after the '--' separator (tried to exec '--help'). Fix: test with 'echo boundary-test' instead.
Description
Type of Change
Module Information
Path: registry/coder/modules/boundary
New version: v1.0.0
Breaking change: [ ] Yes [x] No
Testing & Validation
(bun test)
(bun fmt)
Related Issues