### Start Local Docker Registry Source: https://github.com/coder/envbuilder/blob/main/docs/build-secrets.md Starts a local Docker registry to push and inspect the built image. This is a prerequisite for the build process. ```bash docker run --rm -d -p 5000:5000 --name envbuilder-registry registry:2 ``` -------------------------------- ### Terraform for Coder Agent Startup Script Source: https://github.com/coder/envbuilder/blob/main/docs/docker.md Example of how to integrate Docker daemon startup into an agent's startup script when using Coder. ```terraform resource "coder_agent" "dev" { ... startup_script = <<-EOT set -eux -o pipefail nohup dockerd > /var/log/docker.log 2>&1 & EOT } ``` -------------------------------- ### Example Docker Configuration JSON Source: https://github.com/coder/envbuilder/blob/main/docs/container-registry-auth.md This is an example of the JSON structure for Docker authentication. The 'auth' field should contain a base64 encoded string of your username and password. ```json { "auths": { "https://index.docker.io/v1/": { "auth": "base64-encoded-username-and-password" } } } ``` -------------------------------- ### Configure Envbuilder Init Process Source: https://github.com/coder/envbuilder/blob/main/README.md This script dynamically configures the user and init command for the container. It checks for systemd and sets ENVBUILDER_INIT_COMMAND accordingly, then demonstrates how to run envbuilder with this setup script. ```bash # init.sh - Change the init if systemd exists if command -v systemd >/dev/null; then echo "Hey 👋 $TARGET_USER" echo ENVBUILDER_INIT_COMMAND=systemd >> $ENVBUILDER_ENV else echo ENVBUILDER_INIT_COMMAND=bash >> $ENVBUILDER_ENV fi # Run envbuilder with the setup script docker run -it --rm \ -v ./:/some-dir \ -e ENVBUILDER_SETUP_SCRIPT=/some-dir/init.sh \ ... ``` -------------------------------- ### Start mitmproxy for HTTPS Interception Source: https://github.com/coder/envbuilder/blob/main/docs/proxy.md Starts mitmproxy in a Docker container to act as a transparent HTTPS proxy. It disables HTTP2 to avoid negotiation issues with Envbuilder and mounts a volume for certificates. ```bash docker run --rm -d --user $(id -u):$(id -g) --name mitmproxy -v ./certs:/home/mitmproxy/.mitmproxy -p 8080:8080 -p 127.0.0.1:8081:8081 mitmproxy/mitmproxy mitmweb --web-host 0.0.0.0 --set http2=false ``` -------------------------------- ### Run Envbuilder with DinD via Devcontainer Feature Source: https://github.com/coder/envbuilder/blob/main/docs/docker.md Utilizes the `docker-in-docker` Devcontainer feature within Envbuilder. Requires `onCreateCommand` to start Docker and manual symlinking for `/run`. ```bash docker run -it --rm \ --privileged \ -v /tmp/envbuilder:/workspaces \ -e ENVBUILDER_GIT_URL=https://github.com/coder/envbuilder \ -e ENVBUILDER_DEVCONTAINER_DIR=/workspaces/envbuilder/examples/docker/03_dind_feature \ -e ENVBUILDER_INIT_SCRIPT=bash \ ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Run Envbuilder with Docker-in-Docker (DinD) Source: https://github.com/coder/envbuilder/blob/main/docs/docker.md Starts Envbuilder in privileged mode to run a Docker daemon inside the container. Requires a custom script or hook to start the Docker daemon. ```bash docker run -it --rm \ --privileged \ -v /tmp/envbuilder:/workspaces \ -e ENVBUILDER_GIT_URL=https://github.com/coder/envbuilder \ -e ENVBUILDER_DEVCONTAINER_DIR=/workspaces/envbuilder/examples/docker/02_dind \ -e ENVBUILDER_INIT_SCRIPT=bash \ ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Add htop to Dockerfile Source: https://github.com/coder/envbuilder/blob/main/README.md This snippet shows how to modify a Dockerfile to include the 'htop' package. After this change, re-running the envbuilder command will result in a container with htop installed. ```diff - RUN apt-get install vim sudo -y + RUN apt-get install vim sudo htop -y ``` -------------------------------- ### Create Kubernetes Docker Registry Secret Source: https://github.com/coder/envbuilder/blob/main/docs/container-registry-auth.md Use this command to create a Kubernetes secret for Docker registry authentication. This example is for Artifactory, but works for any registry. ```shell # Artifactory example kubectl create secret docker-registry regcred \ --docker-server=my-artifactory.jfrog.io \ --docker-username=read-only \ --docker-password=secret-pass \ --docker-email=me@example.com \ -n coder ``` -------------------------------- ### Run Envbuilder with Specific Devcontainer Directory Source: https://github.com/coder/envbuilder/blob/main/docs/using-local-files.md Control the directory Envbuilder searches for `devcontainer.json` or `Dockerfile` using `ENVBUILDER_DEVCONTAINER_DIR`. This example mounts the current directory to `/src` and specifies `build` as the devcontainer directory. ```shell ls build/ Dockerfile devcontainer.json docker run -it --rm -e ENVBUILDER_INIT_SCRIPT='bash' -e ENVBUILDER_DEVCONTAINER_DIR=build -v $PWD:/src ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Get mitmproxy Container IP Address Source: https://github.com/coder/envbuilder/blob/main/docs/proxy.md Retrieves the IP address of the running mitmproxy container using Docker inspect and jq. This IP is needed to configure the HTTPS proxy environment variable. ```bash docker inspect mitmproxy | jq -r '.[].NetworkSettings.IPAddress' ``` -------------------------------- ### Prepare Build Files and Dockerfile Source: https://github.com/coder/envbuilder/blob/main/docs/build-secrets.md Sets up the build directory, creates a Dockerfile that utilizes build secrets, and defines a devcontainer.json. The Dockerfile uses secrets for hashing, demonstrating their use without exposing them. ```bash mkdir test-build-secrets cd test-build-secrets cat << EOF > Dockerfile FROM alpine:latest RUN --mount=type=secret,id=TEST_BUILD_SECRET_A,env=TEST_BUILD_SECRET_A echo -n \$TEST_BUILD_SECRET_A | sha256sum > /foo_secret_hash.txt RUN --mount=type=secret,id=TEST_BUILD_SECRET_B,dst=/tmp/bar.secret cat /tmp/bar.secret | sha256sum > /bar_secret_hash.txt EOF cat << EOF > devcontainer.json { "build": { "dockerfile": "Dockerfile" } } EOF echo 'runtime-secret-a' > runtime-secret.txt ``` -------------------------------- ### Run Envbuilder with Local Image Cache Source: https://github.com/coder/envbuilder/blob/main/docs/caching.md Mount the pre-pulled base image cache as a read-only volume into the Envbuilder container. Specify the mount path using the environment variable. ```bash # Run envbuilder with the local image cache. docker run -it --rm \ -v /tmp/kaniko-cache:/image-cache:ro \ -e ENVBUILDER_BASE_IMAGE_CACHE_DIR=/image-cache ``` -------------------------------- ### Experiment with Layer Cache Directory Source: https://github.com/coder/envbuilder/blob/main/docs/caching.md Use a local directory for layer caching to experiment without a container registry. Mount a volume to persist the cache between runs. ```bash docker run -it --rm \ -v /tmp/envbuilder-cache:/cache \ -e ENVBUILDER_LAYER_CACHE_DIR=/cache ... ``` -------------------------------- ### Push Built Image to Cache Repo Source: https://github.com/coder/envbuilder/blob/main/docs/caching.md Enable pushing the entire built image to the cache repository alongside individual layers. Ensure ENVBUILDER_CACHE_REPO is set. ```bash ENVBUILDER_PUSH_IMAGE=1 ``` -------------------------------- ### Run Envbuilder with Current Directory Mounted Source: https://github.com/coder/envbuilder/blob/main/docs/using-local-files.md Mount the current directory to `/workspaces/empty` to use local files. This is useful for quick iteration without a remote Git repo. The `ENVBUILDER_INIT_SCRIPT` is set to `bash`. ```shell # Create a sample Devcontainer and Dockerfile in the current directory printf '{"build": { "dockerfile": "Dockerfile"}}' > devcontainer.json printf 'FROM debian:bookworm\nRUN apt-get update && apt-get install -y cowsay' > Dockerfile # Run envbuilder with the current directory mounted into `/workspaces/empty`. # The instructions to add /usr/games to $PATH have been omitted for brevity. docker run -it --rm -e ENVBUILDER_INIT_SCRIPT='bash' -v $PWD:/workspaces/empty ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Pre-pull Base Image for Caching Source: https://github.com/coder/envbuilder/blob/main/docs/caching.md Use the kaniko warmer image to pull your base image from the registry into a local directory. This directory will serve as a read-only cache for Envbuilder. ```bash # Pull your base image from the registry to a local directory. docker run --rm \ -v /tmp/kaniko-cache:/cache \ gcr.io/kaniko-project/warmer:latest \ --cache-dir=/cache \ --image= ``` -------------------------------- ### Run Envbuilder with Custom CA Certificate Source: https://github.com/coder/envbuilder/blob/main/docs/proxy.md Use this command to run Envbuilder with a custom CA certificate mounted as a volume and specified via the SSL_CERT_FILE environment variable. This allows Envbuilder to trust the server certificate served by mitmproxy. ```bash docker run -it --rm \ -v $PWD/certs:/certs \ -e SSL_CERT_FILE=/certs/mitmproxy-ca-cert.pem \ -e https_proxy=https://172.17.0.2:8080 \ -e ENVBUILDER_INIT_SCRIPT='/bin/sh' \ -e ENVBUILDER_GIT_URL='https://github.com/coder/envbuilder.git' \ ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Run Envbuilder with Custom Workspace Folder Source: https://github.com/coder/envbuilder/blob/main/docs/using-local-files.md Specify a custom workspace folder using `ENVBUILDER_WORKSPACE_FOLDER` and mount your local project to it. This allows Envbuilder to find your project files in a location other than the default. ```shell docker run -it --rm -e ENVBUILDER_INIT_SCRIPT='bash ' -e ENVBUILDER_WORKSPACE_FOLDER=/src -v $PWD:/src ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Run Envbuilder Docker Container Source: https://github.com/coder/envbuilder/blob/main/README.md This command runs the envbuilder Docker container, cloning a specified repository, building an image from a Dockerfile or devcontainer.json, and executing an initialization script. ```bash docker run -it --rm \ -v /tmp/envbuilder:/workspaces \ -e ENVBUILDER_GIT_URL=https://github.com/coder/envbuilder-starter-devcontainer \ -e ENVBUILDER_INIT_SCRIPT=bash \ ghcr.io/coder/envbuilder ``` -------------------------------- ### Probe Layer Cache for Existing Images Source: https://github.com/coder/envbuilder/blob/main/docs/caching.md Activate a dry-run build to check for the presence of pre-built images in the cache repository without actually building. Envbuilder exits with an error if a layer is not found. ```bash ENVBUILDER_GET_CACHED_IMAGE=1 ``` -------------------------------- ### Run Envbuilder with Docker-in-Docker Source: https://github.com/coder/envbuilder/blob/main/docs/docker.md Execute the Envbuilder image using Sysbox to enable Docker-in-Docker. This command mounts local workspace directories and sets environment variables to configure the build process. ```bash docker run -it --rm \ -v /tmp/envbuilder:/workspaces \ -e ENVBUILDER_GIT_URL=https://github.com/coder/envbuilder \ -e ENVBUILDER_DEVCONTAINER_DIR=/workspaces/envbuilder/examples/docker/02_dind \ -e ENVBUILDER_INIT_SCRIPT=/entrypoint.sh \ --runtime sysbox-runc \ ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Execute Envbuilder Build with Secrets Source: https://github.com/coder/envbuilder/blob/main/docs/build-secrets.md Runs the Envbuilder container, passing build secrets via environment variables. It also configures the cache repository, enables image pushing, and mounts local files. ```bash docker run -it --rm \ -e ENVBUILDER_BUILD_SECRETS='TEST_BUILD_SECRET_A=secret-foo,TEST_BUILD_SECRET_B=secret-bar' \ -e ENVBUILDER_INIT_SCRIPT='/bin/sh' \ -e ENVBUILDER_CACHE_REPO=$(docker inspect envbuilder-registry | jq -r '.[].NetworkSettings.IPAddress'):5000/test-container \ -e ENVBUILDER_PUSH_IMAGE=1 \ -v $PWD:/workspaces/empty \ -v $PWD/runtime-secret.txt:/runtime-secret.txt \ ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Run Envbuilder with HTTPS Proxy Source: https://github.com/coder/envbuilder/blob/main/docs/proxy.md This command runs Envbuilder with the `https_proxy` environment variable set to the mitmproxy instance. It demonstrates the certificate verification failure when the proxy's certificate is not trusted. ```bash docker run -it --rm \ -e https_proxy=https://172.17.0.2:8080 \ -e ENVBUILDER_INIT_SCRIPT='/bin/sh' \ -e ENVBUILDER_GIT_URL='https://github.com/coder/envbuilder.git' \ ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Cleanup Build Artifacts and Containers Source: https://github.com/coder/envbuilder/blob/main/docs/build-secrets.md After verifying that no secrets are included in the image, use these commands to clean up saved artifacts and stop running containers. ```bash cd ../ rm -r test-build-secrets docker stop envbuilder-registry ``` -------------------------------- ### Verify Image Layers for Secrets Source: https://github.com/coder/envbuilder/blob/main/docs/build-secrets.md Pulls the built container image, saves it to a tar archive, extracts the layers, and scans for the presence of build secrets or runtime secrets. ```bash docker pull localhost:5000/test-container:latest docker save -o test-container.tar localhost:5000/test-container mkdir -p test-container tar -xf test-container.tar -C test-container/ cd test-container/ # Scan image layers for secrets: find . -type f | xargs tar -xOf 2>/dev/null | strings | grep -rn "secret-foo" find . -type f | xargs tar -xOf 2>/dev/null | strings | grep -rn "secret-bar" find . -type f | xargs tar -xOf 2>/dev/null | strings | grep -rn "runtime-secret" ``` -------------------------------- ### Scan Image Manifests for Secrets Source: https://github.com/coder/envbuilder/blob/main/docs/build-secrets.md Use these commands to scan image manifests for specific secret strings. Ensure the output is empty to confirm secrets are not present. Rerun with a non-secret string to verify scanning functionality. ```bash find . -type f | xargs -n1 grep -rnI 'secret-foo' ``` ```bash find . -type f | xargs -n1 grep -rnI 'secret-bar' ``` ```bash find . -type f | xargs -n1 grep -rnI 'runtime-secret' ``` -------------------------------- ### Run Envbuilder with Rootless DinD Source: https://github.com/coder/envbuilder/blob/main/docs/docker.md Executes Envbuilder in a privileged container, running Docker in rootless mode using `rootlesskit`. This enhances security by isolating the Docker daemon. ```bash docker run -it --rm \ --privileged \ -v /tmp/envbuilder:/workspaces \ -e ENVBUILDER_GIT_URL=https://github.com/coder/envbuilder \ -e ENVBUILDER_DEVCONTAINER_DIR=/workspaces/envbuilder/examples/docker/04_dind_rootless \ -e ENVBUILDER_INIT_SCRIPT=/entrypoint.sh \ ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Inspect Proxy Certificate with OpenSSL Source: https://github.com/coder/envbuilder/blob/main/docs/proxy.md Uses openssl s_client to connect to a server through the mitmproxy on localhost:8080 and inspect the certificate chain. This helps in understanding why certificate verification might fail. ```bash openssl s_client -proxy localhost:8080 -servername github.com -connect github.com:443 | head -n 10 ``` -------------------------------- ### Run Envbuilder with Docker Outside of Docker (DooD) Source: https://github.com/coder/envbuilder/blob/main/docs/docker.md Launches Envbuilder by mounting the host's Docker socket, allowing direct access to the host's Docker daemon. Use with caution due to security implications. ```bash docker run -it --rm \ -v /tmp/envbuilder:/workspaces \ -e ENVBUILDER_GIT_URL=https://github.com/coder/envbuilder \ -e ENVBUILDER_DEVCONTAINER_DIR=/workspaces/envbuilder/examples/docker/01_dood \ -e ENVBUILDER_INIT_SCRIPT=bash \ -v /var/run/docker.sock:/var/run/docker.sock \ ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Set Cache Repository Source: https://github.com/coder/envbuilder/blob/main/docs/caching.md Configure the container registry repository for caching layers. This requires prior authentication with your registry. ```bash ENVBUILDER_CACHE_REPO=ghcr.io/coder/repo-cache ``` -------------------------------- ### SSH Authentication with Private Key Path Source: https://github.com/coder/envbuilder/blob/main/docs/git-auth.md Authenticate to a private Git repository using SSH by specifying the path to your private key file within the container. ```bash docker run -it --rm \ -v /tmp/envbuilder:/workspaces \ -e ENVBUILDER_GIT_URL=git@example.com:path/to/private/repo.git \ -e ENVBUILDER_INIT_SCRIPT=bash \ -e ENVBUILDER_GIT_SSH_PRIVATE_KEY_PATH=/.ssh/id_rsa \ -v /home/user/id_rsa:/.ssh/id_rsa \ ghcr.io/coder/envbuilder ``` -------------------------------- ### Set Docker Config Base64 Environment Variable Source: https://github.com/coder/envbuilder/blob/main/docs/container-registry-auth.md Provide the base64 encoded Docker configuration to envbuilder using the ENVBUILDER_DOCKER_CONFIG_BASE64 environment variable. ```env ENVBUILDER_DOCKER_CONFIG_BASE64=ewoJImF1dGhzIjogewoJCSJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOiB7CgkJCSJhdXRoIjogImJhc2U2NCBlbmNvZGVkIHRva2VuIgoJCX0KCX0KfQo= ``` -------------------------------- ### Run Envbuilder Without Proxy Source: https://github.com/coder/envbuilder/blob/main/docs/proxy.md This command runs Envbuilder to clone a repository and obtain a shell within the built environment. It's used to verify normal operation before introducing a proxy. ```bash docker run -it --rm \ -e ENVBUILDER_INIT_SCRIPT='/bin/sh' \ -e ENVBUILDER_GIT_URL='https://github.com/coder/envbuilder.git' \ ghcr.io/coder/envbuilder:latest ``` -------------------------------- ### Specify Forked Kaniko Dependency Source: https://github.com/coder/envbuilder/blob/main/docs/development.md Use this replace directive in go.mod to point to the project's fork of Kaniko for container image building. ```go replace github.com/GoogleContainerTools/kaniko => github.com/coder/kaniko ``` -------------------------------- ### Stop mitmproxy Container and Remove Certificates Source: https://github.com/coder/envbuilder/blob/main/docs/proxy.md Use these commands to stop the running mitmproxy Docker container and remove the generated SSL certificates after the demonstration. ```bash docker stop mitmproxy rm -r certs/ ``` -------------------------------- ### Pin Moby Go Archive Version Source: https://github.com/coder/envbuilder/blob/main/docs/development.md If encountering 'undefined: archive.Uncompressed' or 'archive.Compression' errors, pin moby/go-archive to v0.1.0 in go.mod to resolve symbol location changes. ```bash go mod edit -require 'github.com/moby/go-archive@v0.1.0' go mod tidy ``` -------------------------------- ### Verify Secrets Not Available in Running Container Source: https://github.com/coder/envbuilder/blob/main/docs/build-secrets.md Checks the process environment and filesystem within the running container to confirm that build secrets are not exposed after the build process. ```bash cat /proc/self/environ | tr '\0' '\n' printenv ``` -------------------------------- ### Verify Build Secrets Had Side Effects Source: https://github.com/coder/envbuilder/blob/main/docs/build-secrets.md Compares checksums of secrets used during the build with checksums stored in the container to confirm that secrets were utilized for side effects. ```bash echo -n "secret-foo" | sha256sum cat /foo_secret_hash.txt echo -n "secret-bar" | sha256sum cat /bar_secret_hash.txt ``` -------------------------------- ### Find Tailscale Version in Coder Module Source: https://github.com/coder/envbuilder/blob/main/docs/development.md Use this command to locate the required Tailscale version in the coder/coder/v2 module's go.mod file, necessary for aligning replace directives. ```bash grep 'replace tailscale.com' /path/to/coder/coder/go.mod ``` -------------------------------- ### SSH Authentication with Base64 Encoded Key Source: https://github.com/coder/envbuilder/blob/main/docs/git-auth.md Authenticate to a private Git repository using SSH by providing the base64-encoded content of your private key. ```bash docker run -it --rm \ -v /tmp/envbuilder:/workspaces \ -e ENVBUILDER_GIT_URL=git@example.com:path/to/private/repo.git \ -e ENVBUILDER_INIT_SCRIPT=bash \ -e ENVBUILDER_GIT_SSH_PRIVATE_KEY_BASE64=$(base64 < ~/.ssh/id_ed25519) \ ghcr.io/coder/envbuilder ``` -------------------------------- ### Exclude Incompatible Netlink Versions Source: https://github.com/coder/envbuilder/blob/main/docs/development.md Add these exclude directives to go.mod to force Go to select compatible versions of vishvananda/netlink, preventing build errors caused by API changes in v1.3.0+. ```go exclude ( github.com/vishvananda/netlink v1.3.0 github.com/vishvananda/netlink v1.3.1-0.20250303224720-0e7078ed04c8 ) ``` -------------------------------- ### Base64 Encode Docker Config for Docker Hub Source: https://github.com/coder/envbuilder/blob/main/docs/container-registry-auth.md Encode your ~/.docker/config.json file using the base64 command. The -w0 flag ensures no line wrapping. ```bash $ base64 -w0 ~/.docker/config.json ewoJImF1dGhzIjogewoJCSJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOiB7CgkJCSJhdXRoIjogImJhc2U2NCBlbmNvZGVkIHRva2VuIgoJCX0KCX0KfQo= ``` -------------------------------- ### SSH Agent-Based Authentication Source: https://github.com/coder/envbuilder/blob/main/docs/git-auth.md Authenticate to a private Git repository using SSH agent forwarding by mounting your agent socket. ```bash docker run -it --rm \ -v /tmp/envbuilder:/workspaces \ -e ENVBUILDER_GIT_URL=git@example.com:path/to/private/repo.git \ -e ENVBUILDER_INIT_SCRIPT=bash \ -e SSH_AUTH_SOCK=/tmp/ssh-auth-sock \ -v $SSH_AUTH_SOCK:/tmp/ssh-auth-sock \ ghcr.io/coder/envbuilder ``` -------------------------------- ### Specify Git Branch with Envbuilder Source: https://github.com/coder/envbuilder/blob/main/docs/usage-with-coder.md Use ENVBUILDER_GIT_URL with a "refs/heads" reference to select a specific Git branch for your Devcontainer. ```shell ENVBUILDER_GIT_URL=https://github.com/coder/envbuilder-starter-devcontainer/#refs/heads/my-feature-branch ``` -------------------------------- ### Configure External Auth for GitHub Source: https://github.com/coder/envbuilder/blob/main/docs/git-auth.md Use the coder_external_auth Terraform resource to automatically provide GitHub access tokens for envbuilder when creating a workspace. ```hcl data "coder_external_auth" "github" { id = "github" } resource "docker_container" "dev" { env = [ ENVBUILDER_GIT_USERNAME = data.coder_external_auth.github.access_token, ] } ``` -------------------------------- ### Specify Forked Tailscale Dependency Source: https://github.com/coder/envbuilder/blob/main/docs/development.md Use this replace directive in go.mod to point to the project's fork of Tailscale. Essential when upgrading coder/coder/v2. ```go replace tailscale.com => github.com/coder/tailscale ``` -------------------------------- ### Exit Envbuilder Container Source: https://github.com/coder/envbuilder/blob/main/docs/proxy.md Command to exit the Envbuilder container after successful build and shell access. ```bash exit ``` -------------------------------- ### Kubernetes Deployment Volume Mount for Docker Config Source: https://github.com/coder/envbuilder/blob/main/docs/container-registry-auth.md This Terraform configuration demonstrates how to mount a Kubernetes secret as a volume in a deployment. This allows the container to access the Docker configuration file. ```hcl resource "kubernetes_deployment" "example" { metadata { namespace = coder } spec { spec { container { # Define the volumeMount with the pull credentials volume_mount { name = "docker-config-volume" mount_path = "/.envbuilder/config.json" sub_path = ".dockerconfigjson" } } # Define the volume which maps to the pull credentials volume { name = "docker-config-volume" secret { secret_name = "regcred" } } } } } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.