From 32d4bd78f8e67f8ba8f48c12da64c46223d1556b Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Thu, 17 Oct 2024 12:12:40 +0100 Subject: [PATCH 1/4] feat(helm/provisioner): add support for provisioner keys, add note re psk --- helm/provisioner/templates/NOTES.txt | 12 ++ helm/provisioner/templates/_coder.tpl | 9 ++ helm/provisioner/tests/chart_test.go | 8 + .../tests/testdata/provisionerd_key.golden | 137 +++++++++++++++++ .../tests/testdata/provisionerd_key.yaml | 10 ++ .../testdata/provisionerd_psk_and_key.golden | 142 ++++++++++++++++++ .../testdata/provisionerd_psk_and_key.yaml | 10 ++ helm/provisioner/values.yaml | 20 ++- 8 files changed, 345 insertions(+), 3 deletions(-) create mode 100644 helm/provisioner/templates/NOTES.txt create mode 100644 helm/provisioner/tests/testdata/provisionerd_key.golden create mode 100644 helm/provisioner/tests/testdata/provisionerd_key.yaml create mode 100644 helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden create mode 100644 helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml diff --git a/helm/provisioner/templates/NOTES.txt b/helm/provisioner/templates/NOTES.txt new file mode 100644 index 0000000000000..8af04c505bf38 --- /dev/null +++ b/helm/provisioner/templates/NOTES.txt @@ -0,0 +1,12 @@ +{{/* +Deprecation notices: +*/}} + +{{- if .Values.provisionerDaemon.pskSecretName }} +Note: Provisioner Daemon PSKs are no longer recommended for use with external +provisioners. Consider migrating to scoped provisioner keys instead. For more +information, see: https://coder.com/docs/admin/provisioners#authentication +{{- end }} + +Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run +into any problems! :) diff --git a/helm/provisioner/templates/_coder.tpl b/helm/provisioner/templates/_coder.tpl index b84b7d8c4e48c..101c855c46f74 100644 --- a/helm/provisioner/templates/_coder.tpl +++ b/helm/provisioner/templates/_coder.tpl 
@@ -32,11 +32,20 @@ args:
 env:
 - name: CODER_PROMETHEUS_ADDRESS
 value: "0.0.0.0:2112"
+{{- if .Values.provisionerDaemon.pskSecretName }}
 - name: CODER_PROVISIONER_DAEMON_PSK
 valueFrom:
 secretKeyRef:
 name: {{ .Values.provisionerDaemon.pskSecretName | quote }}
 key: psk
+{{- end }}
+{{- if and .Values.provisionerDaemon.keySecretName .Values.provisionerDaemon.keySecretKey }}
+- name: CODER_PROVISIONER_DAEMON_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.provisionerDaemon.keySecretName | quote }}
+ key: {{ .Values.provisionerDaemon.keySecretKey | quote }}
+{{- end }}
 {{- if include "provisioner.tags" . }}
 - name: CODER_PROVISIONERD_TAGS
 value: {{ include "provisioner.tags" . }}
diff --git a/helm/provisioner/tests/chart_test.go b/helm/provisioner/tests/chart_test.go
index 78567b5b481d3..f6ca9321d2855 100644
--- a/helm/provisioner/tests/chart_test.go
+++ b/helm/provisioner/tests/chart_test.go
@@ -52,6 +52,14 @@ var testCases = []testCase{
 name: "provisionerd_psk",
 expectedError: "",
 },
+ {
+ name: "provisionerd_key",
+ expectedError: "",
+ },
+ {
+ name: "provisionerd_psk_and_key",
+ expectedError: "",
+ },
 {
 name: "extra_templates",
 expectedError: "",
diff --git a/helm/provisioner/tests/testdata/provisionerd_key.golden b/helm/provisioner/tests/testdata/provisionerd_key.golden
new file mode 100644
index 0000000000000..c4f33f766df43
--- /dev/null
+++ b/helm/provisioner/tests/testdata/provisionerd_key.golden
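Review bot: The `and .Values.provisionerDaemon.keySecretName .Values.provisionerDaemon.keySecretKey` guard on the new CODER_PROVISIONER_DAEMON_KEY block silently omits the env var when `keySecretName` is set but `keySecretKey` has been blanked, so a misconfigured release renders cleanly and only fails once the daemon tries to authenticate. An operator who sets `keySecretName` clearly intends key auth, so prefer a render-time error: `{{- if and .Values.provisionerDaemon.keySecretName (empty .Values.provisionerDaemon.keySecretKey) }}{{ fail "provisionerDaemon.keySecretKey must be set when provisionerDaemon.keySecretName is set." }}{{- end }}`. Note also that CODER_PROVISIONERD_TAGS is still emitted alongside the key (the provisionerd_key golden shows both); if provisioner keys carry their own tags, as the linked docs suggest, the chart should either document that the daemon accepts both or reject the combination. The enclosing template continues outside the hunk.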
@@ -0,0 +1,137 @@ +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: coder-provisioner-workspace-perms +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "coder-provisioner" +subjects: + - kind: ServiceAccount + name: "coder-provisioner" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: coder-provisioner-workspace-perms +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/name: coder-provisioner + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/instance: 
release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + spec: + containers: + - args: + - provisionerd + - start + command: + - /opt/coder + env: + - name: CODER_PROMETHEUS_ADDRESS + value: 0.0.0.0:2112 + - name: CODER_PROVISIONER_DAEMON_KEY + valueFrom: + secretKeyRef: + key: provisionerd-key + name: coder-provisionerd-key + - name: CODER_PROVISIONERD_TAGS + value: clusterType=k8s,location=auh + - name: CODER_URL + value: http://coder.default.svc.cluster.local + image: ghcr.io/coder/coder:latest + imagePullPolicy: IfNotPresent + lifecycle: {} + name: coder + ports: null + resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: null + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: [] + restartPolicy: Always + serviceAccountName: coder-provisioner + terminationGracePeriodSeconds: 600 + volumes: [] diff --git a/helm/provisioner/tests/testdata/provisionerd_key.yaml b/helm/provisioner/tests/testdata/provisionerd_key.yaml new file mode 100644 index 0000000000000..c5ab331a45078 --- /dev/null +++ b/helm/provisioner/tests/testdata/provisionerd_key.yaml @@ -0,0 +1,10 @@ +coder: + image: + tag: latest +provisionerDaemon: + pskSecretName: "" + keySecretName: "coder-provisionerd-key" + keySecretKey: "provisionerd-key" + tags: + location: auh + clusterType: k8s diff --git a/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden new file mode 100644 index 0000000000000..6ddaf8f292211 --- /dev/null +++ b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden 
@@ -0,0 +1,142 @@ +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: coder-provisioner-workspace-perms +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "coder-provisioner" +subjects: + - kind: ServiceAccount + name: "coder-provisioner" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: coder-provisioner-workspace-perms +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/name: coder-provisioner + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/instance: 
release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + spec: + containers: + - args: + - provisionerd + - start + command: + - /opt/coder + env: + - name: CODER_PROMETHEUS_ADDRESS + value: 0.0.0.0:2112 + - name: CODER_PROVISIONER_DAEMON_PSK + valueFrom: + secretKeyRef: + key: psk + name: coder-provisionerd-psk + - name: CODER_PROVISIONER_DAEMON_KEY + valueFrom: + secretKeyRef: + key: provisionerd-key + name: coder-provisionerd-key + - name: CODER_PROVISIONERD_TAGS + value: clusterType=k8s,location=auh + - name: CODER_URL + value: http://coder.default.svc.cluster.local + image: ghcr.io/coder/coder:latest + imagePullPolicy: IfNotPresent + lifecycle: {} + name: coder + ports: null + resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: null + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: [] + restartPolicy: Always + serviceAccountName: coder-provisioner + terminationGracePeriodSeconds: 600 + volumes: [] diff --git a/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml new file mode 100644 index 0000000000000..530f48807edff --- /dev/null +++ b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml @@ -0,0 +1,10 @@ +coder: + image: + tag: latest +provisionerDaemon: + pskSecretName: "coder-provisionerd-psk" + keySecretName: "coder-provisionerd-key" + keySecretKey: "provisionerd-key" + tags: + location: auh + clusterType: k8s diff --git a/helm/provisioner/values.yaml b/helm/provisioner/values.yaml index 273a74bd759b1..d12003f76fb50 100644 --- a/helm/provisioner/values.yaml +++ b/helm/provisioner/values.yaml 
@@ -192,12 +192,26 @@ coder: # provisionerDaemon -- Provisioner Daemon configuration options provisionerDaemon: - # provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the + # provisionerDaemon.pskSecretName -- (deprecated) The name of the Kubernetes secret that contains the # Pre-Shared Key (PSK) to use to authenticate with Coder. The secret must be in the same namespace - # as the Helm deployment, and contain an item called "psk" which contains the pre-shared key. + # as the Helm deployment, and contain an item called "psk" which contains the + # pre-shared key. + # WARNING: this field is deprecated and will be removed in a future release. + # Please use provisionerDaemon.keySecretName instead and generate a + # provisioner key instead of a PSK. pskSecretName: "coder-provisioner-psk" - # provisionerDaemon.tags -- Tags to filter provisioner jobs by + # provisionerDaemon.keySecretName -- The name of the Kubernetes + # secret that contains a provisioner key to use to authenticate with Coder. + # See: https://coder.com/docs/admin/provisioners#authentication + keySecretName: "" + # provisionerDaemon.keySecretKey -- The key of the Kubernetes + # secret specified in provisionerDaemon.keySecretName that contains + # the provisioner key. Defaults to "key". + keySecretKey: "key" + + # provisionerDaemon.tags -- Tags to filter provisioner jobs by. + # See: https://coder.com/docs/admin/provisioners#provisioner-tags tags: {} # location: usa From c47c8400e4aa051582109a7b1322f8673d518f8e Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Thu, 17 Oct 2024 12:16:07 +0100 Subject: [PATCH 2/4] adjust notes formatting --- helm/provisioner/templates/NOTES.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/helm/provisioner/templates/NOTES.txt b/helm/provisioner/templates/NOTES.txt index 8af04c505bf38..4d1f285d847ef 100644 --- a/helm/provisioner/templates/NOTES.txt +++ b/helm/provisioner/templates/NOTES.txt 
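Review bot: The new `keySecretName` documentation does not warn that `pskSecretName` keeps its non-empty default `"coder-provisioner-psk"`, so an operator who only sets `keySecretName` still gets CODER_PROVISIONER_DAEMON_PSK rendered next to the key unless they also blank the PSK value — the provisionerd_key test fixture has to set `pskSecretName: ""` explicitly for exactly this reason. Since the stated goal is moving off the shared PSK, the comment should say so, e.g. `# When using a provisioner key, also set provisionerDaemon.pskSecretName to "" so the PSK is not mounted alongside it.` It would also help security-conscious readers to state in one sentence why keys are preferred, grounded in what this series already claims (the NOTES template calls them "scoped", patch 4 says they are easier to rotate) rather than leaving readers to follow the link. Patch 4 rewrites these comment lines, so the wording should land there.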
@@ -3,9 +3,9 @@ Deprecation notices:
 */}}
 
 {{- if .Values.provisionerDaemon.pskSecretName }}
-Note: Provisioner Daemon PSKs are no longer recommended for use with external
-provisioners. Consider migrating to scoped provisioner keys instead. For more
-information, see: https://coder.com/docs/admin/provisioners#authentication
+* Provisioner Daemon PSKs are no longer recommended for use with external
+ provisioners. Consider migrating to scoped provisioner keys instead. For more
+ information, see: https://coder.com/docs/admin/provisioners#authentication
 {{- end }}
 
 Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run
From c9936e0a306713f708bcea3cb7fd1af133cae689 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Thu, 17 Oct 2024 12:22:53 +0100
Subject: [PATCH 3/4] require either provisioner key or psk to be set

---
 helm/provisioner/templates/_coder.tpl | 3 +++
 helm/provisioner/tests/chart_test.go | 4 ++++
 .../tests/testdata/provisionerd_no_psk_or_key.yaml | 9 +++++++++
 3 files changed, 16 insertions(+)
 create mode 100644 helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml

diff --git a/helm/provisioner/templates/_coder.tpl b/helm/provisioner/templates/_coder.tpl
index 101c855c46f74..108edc5795aab 100644
--- a/helm/provisioner/templates/_coder.tpl
+++ b/helm/provisioner/templates/_coder.tpl
@@ -32,6 +32,9 @@ args:
 env:
 - name: CODER_PROMETHEUS_ADDRESS
 value: "0.0.0.0:2112"
+{{- if and (empty .Values.provisionerDaemon.pskSecretName) (empty .Values.provisionerDaemon.keySecretName) }}
+{{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified." }}
+{{- end }}
 {{- if .Values.provisionerDaemon.pskSecretName }}
 - name: CODER_PROVISIONER_DAEMON_PSK
 valueFrom:
diff --git a/helm/provisioner/tests/chart_test.go b/helm/provisioner/tests/chart_test.go
index f6ca9321d2855..7eb69fe36f822 100644
--- a/helm/provisioner/tests/chart_test.go
+++ b/helm/provisioner/tests/chart_test.go
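Review bot: The added `fail` only rejects the case where neither secret is configured; with both `pskSecretName` and `keySecretName` set the template still renders CODER_PROVISIONER_DAEMON_PSK and CODER_PROVISIONER_DAEMON_KEY side by side, and the provisionerd_psk_and_key test case pins that as valid (`expectedError: ""`). Mounting the shared PSK into a pod that already holds a scoped key undercuts the migration the NOTES promote, and if provisionerd treats the two credentials as mutually exclusive (not verifiable from this hunk) the pod will crash-loop after a clean install. Consider a second branch, `{{- else if and .Values.provisionerDaemon.pskSecretName .Values.provisionerDaemon.keySecretName }}{{ fail "Set only one of provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName." }}`, and change that test's expectedError to match. The enclosing env list continues outside the hunk.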
@@ -60,6 +60,10 @@ var testCases = []testCase{
 name: "provisionerd_psk_and_key",
 expectedError: "",
 },
+ {
+ name: "provisionerd_no_psk_or_key",
+ expectedError: `Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified.`,
+ },
 {
 name: "extra_templates",
 expectedError: "",
diff --git a/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml b/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml
new file mode 100644
index 0000000000000..dbb0eca812de9
--- /dev/null
+++ b/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml
@@ -0,0 +1,9 @@
+coder:
+ image:
+ tag: latest
+provisionerDaemon:
+ pskSecretName: ""
+ keySecretName: ""
+ tags:
+ location: auh
+ clusterType: k8s
From 7c993639d8f7c9732913958c88f17bc1052496b1 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Thu, 17 Oct 2024 14:37:32 +0100
Subject: [PATCH 4/4] soften deprecation to recommendation

---
 helm/provisioner/values.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/helm/provisioner/values.yaml b/helm/provisioner/values.yaml
index d12003f76fb50..446a4605db677 100644
--- a/helm/provisioner/values.yaml
+++ b/helm/provisioner/values.yaml
@@ -192,13 +192,13 @@ coder: # provisionerDaemon -- Provisioner Daemon configuration options provisionerDaemon: - # provisionerDaemon.pskSecretName -- (deprecated) The name of the Kubernetes secret that contains the - # Pre-Shared Key (PSK) to use to authenticate with Coder. The secret must be in the same namespace - # as the Helm deployment, and contain an item called "psk" which contains the - # pre-shared key. - # WARNING: this field is deprecated and will be removed in a future release. - # Please use provisionerDaemon.keySecretName instead and generate a - # provisioner key instead of a PSK. + # provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the + # Pre-Shared Key (PSK) to use to authenticate with Coder. The secret must be + # in the same namespace as the Helm deployment, and contain an item called + # "psk" which contains the pre-shared key. + # NOTE: We no longer recommend using PSKs. Please consider using provisioner + # keys instead. They have a number of benefits, including the ability to + # rotate them easily. pskSecretName: "coder-provisioner-psk" # provisionerDaemon.keySecretName -- The name of the Kubernetes pFad - Phonifier reborn
