-
Notifications
You must be signed in to change notification settings - Fork 937
feat(helm/provisioner): add support for provisioner keys, add note re psk #15122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{{/* | ||
Deprecation notices: | ||
*/}} | ||
|
||
{{- if .Values.provisionerDaemon.pskSecretName }} | ||
* Provisioner Daemon PSKs are no longer recommended for use with external | ||
provisioners. Consider migrating to scoped provisioner keys instead. For more | ||
information, see: https://coder.com/docs/admin/provisioners#authentication | ||
{{- end }} | ||
|
||
Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run | ||
into any problems! :) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,137 @@ | ||
--- | ||
# Source: coder-provisioner/templates/coder.yaml | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
annotations: {} | ||
labels: | ||
app.kubernetes.io/instance: release-name | ||
app.kubernetes.io/managed-by: Helm | ||
app.kubernetes.io/name: coder-provisioner | ||
app.kubernetes.io/part-of: coder-provisioner | ||
app.kubernetes.io/version: 0.1.0 | ||
helm.sh/chart: coder-provisioner-0.1.0 | ||
name: coder-provisioner | ||
--- | ||
# Source: coder-provisioner/templates/rbac.yaml | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: coder-provisioner-workspace-perms | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pods"] | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: [""] | ||
resources: ["persistentvolumeclaims"] | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- apps | ||
resources: | ||
- deployments | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
--- | ||
# Source: coder-provisioner/templates/rbac.yaml | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: "coder-provisioner" | ||
subjects: | ||
- kind: ServiceAccount | ||
name: "coder-provisioner" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: coder-provisioner-workspace-perms | ||
--- | ||
# Source: coder-provisioner/templates/coder.yaml | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
annotations: {} | ||
labels: | ||
app.kubernetes.io/instance: release-name | ||
app.kubernetes.io/managed-by: Helm | ||
app.kubernetes.io/name: coder-provisioner | ||
app.kubernetes.io/part-of: coder-provisioner | ||
app.kubernetes.io/version: 0.1.0 | ||
helm.sh/chart: coder-provisioner-0.1.0 | ||
name: coder-provisioner | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/instance: release-name | ||
app.kubernetes.io/name: coder-provisioner | ||
template: | ||
metadata: | ||
annotations: {} | ||
labels: | ||
app.kubernetes.io/instance: release-name | ||
app.kubernetes.io/managed-by: Helm | ||
app.kubernetes.io/name: coder-provisioner | ||
app.kubernetes.io/part-of: coder-provisioner | ||
app.kubernetes.io/version: 0.1.0 | ||
helm.sh/chart: coder-provisioner-0.1.0 | ||
spec: | ||
containers: | ||
- args: | ||
- provisionerd | ||
- start | ||
command: | ||
- /opt/coder | ||
env: | ||
- name: CODER_PROMETHEUS_ADDRESS | ||
value: 0.0.0.0:2112 | ||
- name: CODER_PROVISIONER_DAEMON_KEY | ||
valueFrom: | ||
secretKeyRef: | ||
key: provisionerd-key | ||
name: coder-provisionerd-key | ||
- name: CODER_PROVISIONERD_TAGS | ||
value: clusterType=k8s,location=auh | ||
- name: CODER_URL | ||
value: http://coder.default.svc.cluster.local | ||
image: ghcr.io/coder/coder:latest | ||
imagePullPolicy: IfNotPresent | ||
lifecycle: {} | ||
name: coder | ||
ports: null | ||
resources: {} | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
readOnlyRootFilesystem: null | ||
runAsGroup: 1000 | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
seccompProfile: | ||
type: RuntimeDefault | ||
volumeMounts: [] | ||
restartPolicy: Always | ||
serviceAccountName: coder-provisioner | ||
terminationGracePeriodSeconds: 600 | ||
volumes: [] |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
coder: | ||
image: | ||
tag: latest | ||
provisionerDaemon: | ||
pskSecretName: "" | ||
keySecretName: "coder-provisionerd-key" | ||
keySecretKey: "provisionerd-key" | ||
tags: | ||
location: auh | ||
clusterType: k8s |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
coder: | ||
image: | ||
tag: latest | ||
provisionerDaemon: | ||
pskSecretName: "" | ||
keySecretName: "" | ||
tags: | ||
location: auh | ||
clusterType: k8s |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,142 @@ | ||
--- | ||
# Source: coder-provisioner/templates/coder.yaml | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
annotations: {} | ||
labels: | ||
app.kubernetes.io/instance: release-name | ||
app.kubernetes.io/managed-by: Helm | ||
app.kubernetes.io/name: coder-provisioner | ||
app.kubernetes.io/part-of: coder-provisioner | ||
app.kubernetes.io/version: 0.1.0 | ||
helm.sh/chart: coder-provisioner-0.1.0 | ||
name: coder-provisioner | ||
--- | ||
# Source: coder-provisioner/templates/rbac.yaml | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: coder-provisioner-workspace-perms | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pods"] | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: [""] | ||
resources: ["persistentvolumeclaims"] | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- apps | ||
resources: | ||
- deployments | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
--- | ||
# Source: coder-provisioner/templates/rbac.yaml | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: "coder-provisioner" | ||
subjects: | ||
- kind: ServiceAccount | ||
name: "coder-provisioner" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: coder-provisioner-workspace-perms | ||
--- | ||
# Source: coder-provisioner/templates/coder.yaml | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
annotations: {} | ||
labels: | ||
app.kubernetes.io/instance: release-name | ||
app.kubernetes.io/managed-by: Helm | ||
app.kubernetes.io/name: coder-provisioner | ||
app.kubernetes.io/part-of: coder-provisioner | ||
app.kubernetes.io/version: 0.1.0 | ||
helm.sh/chart: coder-provisioner-0.1.0 | ||
name: coder-provisioner | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/instance: release-name | ||
app.kubernetes.io/name: coder-provisioner | ||
template: | ||
metadata: | ||
annotations: {} | ||
labels: | ||
app.kubernetes.io/instance: release-name | ||
app.kubernetes.io/managed-by: Helm | ||
app.kubernetes.io/name: coder-provisioner | ||
app.kubernetes.io/part-of: coder-provisioner | ||
app.kubernetes.io/version: 0.1.0 | ||
helm.sh/chart: coder-provisioner-0.1.0 | ||
spec: | ||
containers: | ||
- args: | ||
- provisionerd | ||
- start | ||
command: | ||
- /opt/coder | ||
env: | ||
- name: CODER_PROMETHEUS_ADDRESS | ||
value: 0.0.0.0:2112 | ||
- name: CODER_PROVISIONER_DAEMON_PSK | ||
valueFrom: | ||
secretKeyRef: | ||
key: psk | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: any reason why this is called There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The key name is currently hard-coded in
This wasn't changed as part of this PR. I can add a separate PR to allow customizing the key name, if required. |
||
name: coder-provisionerd-psk | ||
- name: CODER_PROVISIONER_DAEMON_KEY | ||
valueFrom: | ||
secretKeyRef: | ||
key: provisionerd-key | ||
name: coder-provisionerd-key | ||
- name: CODER_PROVISIONERD_TAGS | ||
value: clusterType=k8s,location=auh | ||
- name: CODER_URL | ||
value: http://coder.default.svc.cluster.local | ||
image: ghcr.io/coder/coder:latest | ||
imagePullPolicy: IfNotPresent | ||
lifecycle: {} | ||
name: coder | ||
ports: null | ||
resources: {} | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
readOnlyRootFilesystem: null | ||
runAsGroup: 1000 | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
seccompProfile: | ||
type: RuntimeDefault | ||
volumeMounts: [] | ||
restartPolicy: Always | ||
serviceAccountName: coder-provisioner | ||
terminationGracePeriodSeconds: 600 | ||
volumes: [] |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
coder: | ||
image: | ||
tag: latest | ||
provisionerDaemon: | ||
pskSecretName: "coder-provisionerd-psk" | ||
keySecretName: "coder-provisionerd-key" | ||
keySecretKey: "provisionerd-key" | ||
tags: | ||
location: auh | ||
clusterType: k8s |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it ever sensible to accept both? I think we can only accept one or other as the authentication credential
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, you're correct:
I can remove this test and add a check in the Helm chart, but I'd worry about logic drift.