Sounds like we have to better define what the API for this is going to look like, wildcard (domain, routing, etc), and some general discussion to be had before we can get started on this.
@spikecurtis @f0ssel @bpmct can we get a discussion or RFC going on this?

@spikecurtis brought up some notes from #2610

• Cluster operator might not have a wildcard certificate / DNS entry as these are expensive

  This is sady a (time or $) cost the cluster operator has to pay if they want this feature. It's free with LetsEncrypt/ZeroSSL but costly in some enterprise/government scenarios.

  We have a (now closed proposal) RFC: Zero-config DevURLs #2986 which we could revive if we get a lot of feedback that people want a quick "tunnel" solution.

• Certain apps seem to require this as indicated in the title

  We haven't come across an IDE where a path "required" yet, but requires a lot of tinkering and header manipulation to get things right. In v1, some didn't due to opinionated headers we set. Any app we have in our documentation should run on a path unless we explicitly say otherwise and link to an open issue.

• Some apps can support both, but need to be correctly configured, e.g. RStudio according to @Emyrk

  👍🏼

• Backend can probably accept either, simultaneously, but we still need to determine what URL to use on the front end

  Having it configurable by each coder_app in the template makes the most sense to me (down the road, a deployment-wide default could be added.

What do others think?

@bpmct

We have a (now closed proposal) #2986

The same people that have their networks chained by bureaucracy are unlikely to be able to use the solution proposed in that feature since it requires using our DNS and opens up their deployment to MITM attacks.

Backend can probably accept either

I think we need to support both automatically for each app to avoid breaking workflows. I also don't see a reason to disable one for the other.

The same people that have their networks chained by bureaucracy are unlikely to be able to use the solution proposed in that feature since it requires using our DNS and opens up their deployment to MITM attacks.

Yeah for sure it would only help for small/trial deployments who really like web browsers and dislike setting up reverse proxies and certificates. There are other solutions though, such as Caddy's on-demand TLS + builtin via compose or something which are suitable for small deployments

I think we need to support both automatically for each app to avoid breaking workflows. I also don't see a reason to disable one for the other.

Yeah, it just comes down to where the link goes when the user clicks it from the dashboard (path or wildcard). I am suggesting we configure that via coder_app in the Template, but open to other ideas 🤷🏼

Yeah, it just comes down to where the link goes when the user clicks it from the dashboard (path or wildcard). I am suggesting we configure that via coder_app in the Template, but open to other ideas 🤷🏼

I suppose each app has to declare how it expects requests. I suppose if unspecified, it would prefer the wildcard?

Sure, as long as a wildcard is hooked up. 🤷🏼

Ugh. Well, the URL has to be stable. I wish there were a way to avoid extra configuration in the template.

Done in #3753