Allow passing Git SSH key as an environment variable #333

Open
phorcys420 opened this issue Sep 1, 2024 · 4 comments
@phorcys420
Member

phorcys420 commented Sep 1, 2024

Following up on a Discord conversation where a user tries to clone a Git repository via SSH and is met with the following error:

```
envbuilder v1.0.0-rc.6+23d086e - Build development environments from repositories in a container
coder/coder#1: 🔑 Using SSH authentication!
coder/coder#1: 🔑 No SSH key found, falling back to agent!
coder/coder#1: ❌ Failed to connect to SSH agent: error creating SSH agent: "SSH agent requested but SSH_AUTH_SOCK not-specified"
coder/coder#1: 📦 Cloning git@github.com:XXX.git to /workspaces/XXX...
Failed to clone repository: clone "git@XXX.git": error creating SSH agent: "SSH agent requested but SSH_AUTH_SOCK not-specified"

Falling back to the default image...
```

This makes sense because the Coder user's SSH key was never added to the workspace.

While there is a workaround, it's really not great. How can we make this better?
With k8s the issue is not that bad since you can just define a secret from the key and pass that secret as a file to the container, but what about Docker and VMs?

Workaround

Downloading the key to some temporary path (via an entrypoint script, since envbox runs before the agent)
(or via the TF provider's coder_workspace_owner.ssh_* instead of using a script)
Then passing the key's path to ENVBUILDER_GIT_SSH_PRIVATE_KEY_PATH.

@phorcys420 phorcys420 changed the title from "Ability to use the Coder SSH key to clone devcontainer repositories." to "Ability to use the Coder SSH key to clone devcontainer repositories" Sep 1, 2024
@johnstcn
Member

johnstcn commented Sep 2, 2024

Linking a relevant PR here: #174

For now, in the case of both Docker, the best approach is probably to write the key to a path on-disk and bind-mount it into the container. For VMs, it would be a similar process except the SSH key would have to be embedded in the VM's startup metadata. These are both probably involved enough to need their own example templates.

@johnstcn
Member

johnstcn commented Sep 2, 2024

@phorcys420 How about adding ENVBUILDER_GIT_SSH_PRIVATE_KEY_BASE64 for the use-case where writing the key to a file isn't an easy option? I'd like to keep the file option around because some security-conscious orgs don't like having secrets stored in environment variables.

@phorcys420
Member Author

> For now, in the case of both Docker, the best approach is probably to write the key to a path on-disk and bind-mount it into the container.

I think this isn't great because it requires an additional step in the Terraform template. In this case they use the user's SSH key, which means storing each user's key then mounting it.

@phorcys420
Member Author

> @phorcys420 How about adding ENVBUILDER_GIT_SSH_PRIVATE_KEY_BASE64 for the use-case where writing the key to a file isn't an easy option? I'd like to keep the file option around because some security-conscious orgs don't like having secrets stored in environment variables.

I think this is a fine workaround given that even if we don't like storing secrets in environment variables, the Coder agent token is stored in the env and allows getting the private key, so no downgrade in terms of security.

I agree, the file option should stay too.
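
The file-based workaround and the base64 idea discussed above can be combined in a Docker entrypoint wrapper. This is an added example, not part of the thread or of envbuilder: `GIT_SSH_KEY_B64` is a hypothetical variable name, the target directory is the caller's choice, and `base64 -d` assumes GNU coreutils or BusyBox.

```sh
#!/bin/sh
# Added example, not envbuilder code. GIT_SSH_KEY_B64 is a hypothetical variable
# set by the template; ENVBUILDER_GIT_SSH_PRIVATE_KEY_PATH is the option from the thread.

# materialize_git_ssh_key DIR
# Decodes GIT_SSH_KEY_B64 into DIR/git_ssh_key, readable by the owner only.
# Prints the key path on stdout; returns non-zero and leaves no file on failure.
materialize_git_ssh_key() {
    dir=$1
    if [ -z "${GIT_SSH_KEY_B64:-}" ]; then
        echo "GIT_SSH_KEY_B64 is not set" >&2
        return 1
    fi
    (   # subshell: the umask change does not leak into the caller
        umask 077
        mkdir -p "$dir" || exit 1
        key="$dir/git_ssh_key"
        rm -f "$key"   # a stale file would keep its old permissions
        # printf is a builtin in common shells, so the key never appears in a process argv
        if ! printf '%s' "$GIT_SSH_KEY_B64" | base64 -d > "$key" 2>/dev/null; then
            rm -f "$key"
            echo "GIT_SSH_KEY_B64 is not valid base64" >&2
            exit 1
        fi
        # reject anything that does not start with a PEM private-key header
        if ! head -n 1 "$key" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            rm -f "$key"
            echo "decoded value is not a PEM private key" >&2
            exit 1
        fi
        printf '%s\n' "$key"
    )
}

# run_with_git_ssh_key DIR COMMAND [ARGS...]
# Writes the key, points envbuilder at it, removes the base64 copy from the
# environment, then replaces this shell with COMMAND (e.g. the envbuilder binary).
run_with_git_ssh_key() {
    dir=$1
    shift
    ENVBUILDER_GIT_SSH_PRIVATE_KEY_PATH=$(materialize_git_ssh_key "$dir") || return 1
    export ENVBUILDER_GIT_SSH_PRIVATE_KEY_PATH
    unset GIT_SSH_KEY_B64
    exec "$@"
}
```

Unsetting the variable only keeps the key out of the environment of the process that is exec'd; the value is still visible in the container's configuration (for example via `docker inspect`), which is the concern raised in the thread about secrets in environment variables.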

@johnstcn johnstcn self-assigned this Sep 2, 2024
@johnstcn johnstcn transferred this issue from coder/coder Sep 2, 2024
@coder-labeler coder-labeler bot added the enhancement New feature or request label Sep 2, 2024
@johnstcn johnstcn changed the title from "Ability to use the Coder SSH key to clone devcontainer repositories" to "Allow passing Git SSH key as an environment variable" Sep 2, 2024
@johnstcn johnstcn removed their assignment Sep 19, 2024