"| Provisioner Tags | Job Tags | Same Org | Can Run Job? |",

"|------------------|----------|----------|--------------|",

sameOrg := "✅"

if tt.unmatchedOrg {

sameOrg = "❌"

}

s := fmt.Sprintf("| %s | %s | %s | %s |", kvs(tt.acquireJobTags), kvs(tt.provisionerJobTags), sameOrg, acquire)

The external provisioner in the above example can run build jobs in the same

organization with tags:

from templates with the tag `scope=user` set, or build jobs from templates in

different organizations.

| Provisioner Tags | Job Tags | Same Org | Can Run Job? |

| ----------------------------------------------------------------- | ---------------------------------------------------------------- | -------- | ------------ |

| scope=organization owner= | scope=organization owner= | ✅ | ✅ |

| scope=organization owner= environment=on-prem | scope=organization owner= environment=on-prem | ✅ | ✅ |

| scope=organization owner= environment=on-prem datacenter=chicago | scope=organization owner= environment=on-prem | ✅ | ✅ |

| scope=organization owner= environment=on-prem datacenter=chicago | scope=organization owner= environment=on-prem datacenter=chicago | ✅ | ✅ |

| scope=user owner=aaa | scope=user owner=aaa | ✅ | ✅ |

| scope=user owner=aaa environment=on-prem | scope=user owner=aaa | ✅ | ✅ |

| scope=user owner=aaa environment=on-prem | scope=user owner=aaa environment=on-prem | ✅ | ✅ |

| scope=user owner=aaa environment=on-prem datacenter=chicago | scope=user owner=aaa environment=on-prem | ✅ | ✅ |

| scope=user owner=aaa environment=on-prem datacenter=chicago | scope=user owner=aaa environment=on-prem datacenter=chicago | ✅ | ✅ |

| scope=organization owner= | scope=organization owner= environment=on-prem | ✅ | ❌ |

| scope=organization owner= environment=on-prem | scope=organization owner= | ✅ | ❌ |

| scope=organization owner= environment=on-prem | scope=organization owner= environment=on-prem datacenter=chicago | ✅ | ❌ |

| scope=organization owner= environment=on-prem datacenter=new_york | scope=organization owner= environment=on-prem datacenter=chicago | ✅ | ❌ |

| scope=user owner=aaa | scope=organization owner= | ✅ | ❌ |

| scope=user owner=aaa | scope=user owner=bbb | ✅ | ❌ |

| scope=organization owner= | scope=user owner=aaa | ✅ | ❌ |

| scope=organization owner= | scope=user owner=aaa environment=on-prem | ✅ | ❌ |

| scope=user owner=aaa | scope=user owner=aaa environment=on-prem | ✅ | ❌ |

| scope=user owner=aaa environment=on-prem | scope=user owner=aaa environment=on-prem datacenter=chicago | ✅ | ❌ |

| scope=user owner=aaa environment=on-prem datacenter=chicago | scope=user owner=aaa environment=on-prem datacenter=new_york | ✅ | ❌ |

| scope=organization owner= environment=on-prem | scope=organization owner= environment=on-prem | ❌ | ❌ |

kubectl create secret generic coder-provisioner-psk --from-literal=my-cool-key=`<key omitted>`

concurrent builds) authenticating using the above key. The daemons will

authenticate using the provisioner key created in the previous step and

acquire jobs matching the tags specified when the provisioner key was

created. The set of tags is inferred automatically from the provisioner key.

{{- else if and .Values.provisionerDaemon.keySecretName .Values.provisionerDaemon.keySecretKey }}

{{- if and (not (empty .Values.provisionerDaemon.pskSecretName)) (ne .Values.provisionerDaemon.pskSecretName "coder-provisioner-psk") }}

{{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified, but not both." }}

{{- else if .Values.provisionerDaemon.tags }}

{{ fail "provisionerDaemon.tags may not be specified with provisionerDaemon.keySecretName." }}

{{- end }}

{{- else }}

- name: CODER_PROVISIONER_DAEMON_PSK

valueFrom:

secretKeyRef:

name: {{ .Values.provisionerDaemon.pskSecretName | quote }}

key: psk

// Test explicitly for the workaround where setting provisionerDaemon.pskSecretName=""

// was required to use provisioner keys.

{

name: "provisionerd_key_psk_empty_workaround",

expectedError: "",

},

{

name: "provisionerd_key_tags",

expectedError: `provisionerDaemon.tags may not be specified with provisionerDaemon.keySecretName.`,

},

---

# Source: coder-provisioner/templates/coder.yaml

apiVersion: v1

kind: ServiceAccount

metadata:

annotations: {}

labels:

app.kubernetes.io/instance: release-name

app.kubernetes.io/managed-by: Helm

app.kubernetes.io/name: coder-provisioner

app.kubernetes.io/part-of: coder-provisioner

app.kubernetes.io/version: 0.1.0

helm.sh/chart: coder-provisioner-0.1.0

name: coder-provisioner

---

# Source: coder-provisioner/templates/rbac.yaml

apiVersion: rbac.authorization.k8s.io/v1

kind: Role

metadata:

name: coder-provisioner-workspace-perms

rules:

- apiGroups: [""]

resources: ["pods"]

verbs:

- create

- delete

- deletecollection

- get

- list

- patch

- update

- watch

- apiGroups: [""]

resources: ["persistentvolumeclaims"]

verbs:

- create

- delete

- deletecollection

- get

- list

- patch

- update

- watch

- apiGroups:

- apps

resources:

- deployments

verbs:

- create

- delete

- deletecollection

- get

- list

- patch

- update

- watch

---

# Source: coder-provisioner/templates/rbac.yaml

apiVersion: rbac.authorization.k8s.io/v1

kind: RoleBinding

metadata:

name: "coder-provisioner"

subjects:

- kind: ServiceAccount

name: "coder-provisioner"

roleRef:

apiGroup: rbac.authorization.k8s.io

kind: Role

name: coder-provisioner-workspace-perms

---

# Source: coder-provisioner/templates/coder.yaml

apiVersion: apps/v1

kind: Deployment

metadata:

annotations: {}

labels:

app.kubernetes.io/instance: release-name

app.kubernetes.io/managed-by: Helm

app.kubernetes.io/name: coder-provisioner

app.kubernetes.io/part-of: coder-provisioner

app.kubernetes.io/version: 0.1.0

helm.sh/chart: coder-provisioner-0.1.0

name: coder-provisioner

spec:

replicas: 1

selector:

matchLabels:

app.kubernetes.io/instance: release-name

app.kubernetes.io/name: coder-provisioner

template:

metadata:

annotations: {}

labels:

app.kubernetes.io/instance: release-name

app.kubernetes.io/managed-by: Helm

app.kubernetes.io/name: coder-provisioner

app.kubernetes.io/part-of: coder-provisioner

app.kubernetes.io/version: 0.1.0

helm.sh/chart: coder-provisioner-0.1.0

spec:

containers:

- args:

- provisionerd

- start

command:

- /opt/coder

env:

- name: CODER_PROMETHEUS_ADDRESS

value: 0.0.0.0:2112

- name: CODER_PROVISIONER_DAEMON_KEY

valueFrom:

secretKeyRef:

key: provisionerd-key

name: coder-provisionerd-key

- name: CODER_URL

value: http://coder.default.svc.cluster.local

image: ghcr.io/coder/coder:latest

imagePullPolicy: IfNotPresent

lifecycle: {}

name: coder

ports: null

resources: {}

securityContext:

allowPrivilegeEscalation: false

readOnlyRootFilesystem: null

runAsGroup: 1000

runAsNonRoot: true

runAsUser: 1000

seccompProfile:

type: RuntimeDefault

volumeMounts: []

restartPolicy: Always

serviceAccountName: coder-provisioner

terminationGracePeriodSeconds: 600

volumes: []

coder:

image:

tag: latest

provisionerDaemon:

pskSecretName: ""

keySecretName: "coder-provisionerd-key"

keySecretKey: "provisionerd-key"

coder:

image:

tag: latest

provisionerDaemon:

keySecretName: "coder-provisionerd-key"

keySecretKey: "provisionerd-key"

tags:

location: auh

clusterType: k8s