coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/security.yaml
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/security.yaml
Lines changed: 5 additions & 5 deletions
diff --git a/‎coderd/tailnet.go
Lines changed: 22 additions & 9 deletions b/‎coderd/tailnet.go
Lines changed: 22 additions & 9 deletions
diff --git a/‎docs/README.md
Lines changed: 1 addition & 0 deletions b/‎docs/README.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/admin/networking/workspace-proxies.md
Lines changed: 5 additions & 6 deletions b/‎docs/admin/networking/workspace-proxies.md
Lines changed: 5 additions & 6 deletions
diff --git a/‎docs/admin/provisioners.md
Lines changed: 54 additions & 34 deletions b/‎docs/admin/provisioners.md
Lines changed: 54 additions & 34 deletions
diff --git a/‎docs/admin/templates/managing-templates/index.md
Lines changed: 3 additions & 3 deletions b/‎docs/admin/templates/managing-templates/index.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/images/admin/networking/workspace-proxies/proxydiagram.png
-159 KB b/‎docs/images/admin/networking/workspace-proxies/proxydiagram.png
-159 KB
diff --git a/‎docs/images/screenshots/create-template.png
80.1 KB b/‎docs/images/screenshots/create-template.png
80.1 KB
diff --git a/‎docs/images/screenshots/welcome-create-admin-user.png
46.7 KB b/‎docs/images/screenshots/welcome-create-admin-user.png
46.7 KB
diff --git a/‎docs/images/screenshots/workspace-running-with-topbar.png
57.6 KB b/‎docs/images/screenshots/workspace-running-with-topbar.png
57.6 KB
diff --git a/‎docs/install/index.md
Lines changed: 1 addition & 1 deletion b/‎docs/install/index.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/manifest.json
Lines changed: 8 additions & 3 deletions b/‎docs/manifest.json
Lines changed: 8 additions & 3 deletions
@@ -90,6 +90,7 @@ jobs:
               - "coderd/**"
               - "enterprise/**"
               - "examples/*"
+              - "helm/**"
               - "provisioner/**"
               - "provisionerd/**"
               - "provisionersdk/**"
@@ -970,7 +971,7 @@ jobs:
         uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
 
       - name: Set up Flux CLI
-        uses: fluxcd/flux2/action@9b3958825a314eb79495c6993ef397ddbf87f32f # v2.2.1
+        uses: fluxcd/flux2/action@5350425cdcd5fa015337e09fa502153c0275bd4b # v2.4.0
         with:
           # Keep this and the github action up to date with the version of flux installed in dogfood cluster
           version: "2.2.1"
 
@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
         with:
           sarif_file: results.sarif
@@ -37,7 +37,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
         with:
           languages: go, javascript
 
@@ -47,7 +47,7 @@ jobs:
           rm Makefile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
 
       - name: Send Slack notification on failure
         if: ${{ failure() }}
@@ -124,15 +124,15 @@ jobs:
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
         with:
           image-ref: ${{ steps.build.outputs.image }}
           format: sarif
           output: trivy-results.sarif
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
         with:
           sarif_file: trivy-results.sarif
           category: "Trivy"
@@ -147,7 +147,7 @@ jobs:
       # Prisma cloud scan runs last because it fails the entire job if it
       # detects vulnerabilities. :|
       - name: Run Prisma Cloud image scan
-        uses: PaloAltoNetworks/prisma-cloud-scan@1f38c94d789ff9b01a4e80070b442294ebd3e362 # v1.4.0
+        uses: PaloAltoNetworks/prisma-cloud-scan@124b48d8325c23f58a35da0f1b4d9a6b54301d05 # v1.6.7
         with:
           pcc_console_url: ${{ secrets.PRISMA_CLOUD_URL }}
           pcc_user: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
 
@@ -91,13 +91,15 @@ func NewServerTailnet(
 		})
 	}
 
-	derpMapUpdaterClosed := make(chan struct{})
+	bgRoutines := &sync.WaitGroup{}
 	originalDerpMap := derpMapFn()
 	// it's important to set the DERPRegionDialer above _before_ we set the DERP map so that if
 	// there is an embedded relay, we use the local in-memory dialer.
 	conn.SetDERPMap(originalDerpMap)
+	bgRoutines.Add(1)
 	go func() {
-		defer close(derpMapUpdaterClosed)
+		defer bgRoutines.Done()
+		defer logger.Debug(ctx, "polling DERPMap exited")
 
 		ticker := time.NewTicker(5 * time.Second)
 		defer ticker.Stop()
@@ -120,7 +122,7 @@ func NewServerTailnet(
 	tn := &ServerTailnet{
 		ctx:                  serverCtx,
 		cancel:               cancel,
-		derpMapUpdaterClosed: derpMapUpdaterClosed,
+		bgRoutines:           bgRoutines,
 		logger:               logger,
 		tracer:               traceProvider.Tracer(tracing.TracerName),
 		conn:                 conn,
@@ -170,8 +172,15 @@ func NewServerTailnet(
 	// registering the callback also triggers send of the initial node
 	tn.coordinatee.SetNodeCallback(tn.nodeCallback)
 
-	go tn.watchAgentUpdates()
-	go tn.expireOldAgents()
+	tn.bgRoutines.Add(2)
+	go func() {
+		defer tn.bgRoutines.Done()
+		tn.watchAgentUpdates()
+	}()
+	go func() {
+		defer tn.bgRoutines.Done()
+		tn.expireOldAgents()
+	}()
 	return tn, nil
 }
 
@@ -204,6 +213,7 @@ func (s *ServerTailnet) Collect(metrics chan<- prometheus.Metric) {
 }
 
 func (s *ServerTailnet) expireOldAgents() {
+	defer s.logger.Debug(s.ctx, "stopped expiring old agents")
 	const (
 		tick   = 5 * time.Minute
 		cutoff = 30 * time.Minute
@@ -255,6 +265,7 @@ func (s *ServerTailnet) doExpireOldAgents(cutoff time.Duration) {
 }
 
 func (s *ServerTailnet) watchAgentUpdates() {
+	defer s.logger.Debug(s.ctx, "stopped watching agent updates")
 	for {
 		conn := s.getAgentConn()
 		resp, ok := conn.NextUpdate(s.ctx)
@@ -317,9 +328,9 @@ func (s *ServerTailnet) reinitCoordinator() {
 }
 
 type ServerTailnet struct {
-	ctx                  context.Context
-	cancel               func()
-	derpMapUpdaterClosed chan struct{}
+	ctx        context.Context
+	cancel     func()
+	bgRoutines *sync.WaitGroup
 
 	logger slog.Logger
 	tracer trace.Tracer
@@ -532,10 +543,12 @@ func (c *netConnCloser) Close() error {
 }
 
 func (s *ServerTailnet) Close() error {
+	s.logger.Info(s.ctx, "closing server tailnet")
+	defer s.logger.Debug(s.ctx, "server tailnet close complete")
 	s.cancel()
 	_ = s.conn.Close()
 	s.transport.CloseIdleConnections()
-	<-s.derpMapUpdaterClosed
+	s.bgRoutines.Wait()
 	return nil
 }
 
 
@@ -143,3 +143,4 @@ or [the v2 migration guide and FAQ](https://coder.com/docs/v1/guides/v2-faq).
 
 - Learn about [Templates](./admin/templates/index.md)
 - [Install Coder](./install/index.md)
+- Follow the [Quickstart guide](./tutorials/quickstart.md) to try Coder out for yourself.
@@ -13,8 +13,6 @@ connecting with their workspace over SSH, a workspace app, port forwarding, etc.
 Dashboard connections and API calls (e.g. the workspaces list) are not served
 over workspace proxies.
 
-![ProxyDiagram](../../images/admin/networking/workspace-proxies/proxydiagram.png)
-
 # Deploy a workspace proxy
 
 Each workspace proxy should be a unique instance. At no point should 2 workspace
@@ -56,12 +54,13 @@ Deploying the workspace proxy will also register the proxy with coderd and make
 the workspace proxy usable. If the proxy deployment is successful,
 `coder wsproxy ls` will show an `ok` status code:
 
-```
+```shell
 $ coder wsproxy ls
 NAME              URL                         STATUS STATUS
-brazil-saopaulo   https://brazil.example.com  ok
-europe-frankfurt  https://europe.example.com  ok
-sydney            https://sydney.example.com  ok
+primary           https://dev.coder.com        ok
+brazil-saopaulo   https://brazil.example.com   ok
+europe-frankfurt  https://europe.example.com   ok
+sydney            https://sydney.example.com   ok
 ```
 
 Other Status codes:
 
@@ -41,36 +41,40 @@ The provisioner daemon must authenticate with your Coder deployment.
 ## Scoped Key (Recommended)
 
 We recommend creating finely-scoped keys for provisioners. Keys are scoped to an
-organization.
+organization, and optionally to a specific set of tags.
 
-```sh
-coder provisioner keys create my-key \
-  --org default
+1. Use `coder provisioner` to create the key:
 
-Successfully created provisioner key my-key! Save this authentication token, it will not be shown again.
+   - To create a key for an organization that will match untagged jobs:
 
-<key omitted>
-```
+     ```sh
+     coder provisioner keys create my-key \
+       --org default
 
-Or, restrict the provisioner to jobs with specific tags
+     Successfully created provisioner key   my-key! Save this authentication token, it   will not be shown    again.
 
-```sh
-coder provisioner keys create kubernetes-key \
-  --org default \
-  --tag environment=kubernetes
+     <key omitted>
+     ```
 
-Successfully created provisioner key kubernetes-key! Save this authentication token, it will not be shown again.
+   - To restrict the provisioner to jobs with specific tags:
 
-<key omitted>
-```
+     ```sh
+     coder provisioner keys create kubernetes-key \
+       --org default \
+       --tag environment=kubernetes
 
-To start the provisioner:
+     Successfully created provisioner key kubernetes-key! Save this    authentication token, it will not be    shown again.
 
-```sh
-export CODER_URL=https://<your-coder-url>
-export CODER_PROVISIONER_DAEMON_KEY=<key>
-coder provisioner start
-```
+     <key omitted>
+     ```
+
+1. Start the provisioner with the specified key:
+
+   ```sh
+   export CODER_URL=https://<your-coder-url>
+   export CODER_PROVISIONER_DAEMON_KEY=<key>
+   coder provisioner start
+   ```
 
 Keep reading to see instructions for running provisioners on
 Kubernetes/Docker/etc.
@@ -98,11 +102,15 @@ Note: Any user can start [user-scoped provisioners](#user-scoped-provisioners),
 but this will also require a template on your deployment with the corresponding
 tags.
 
-## Global PSK
+## Global PSK (Not Recommended)
+
+> Global pre-shared keys (PSK) make it difficult to rotate keys or isolate
+> provisioners.
+>
+> We do not recommend using global PSK.
 
-A deployment-wide PSK can be used to authenticate any provisioner. We do not
-recommend this approach anymore, as it makes key rotation or isolating
-provisioners far more difficult. To use a global PSK, set a
+A deployment-wide PSK can be used to authenticate any provisioner. To use a
+global PSK, set a
 [provisioner daemon pre-shared key (PSK)](../reference/cli/server.md#--provisioner-daemon-psk)
 on the Coder server.
 
@@ -275,18 +283,32 @@ coder templates push on-prem \
 Coder provides a Helm chart for running external provisioner daemons, which you
 will use in concert with the Helm chart for deploying the Coder server.
 
-1. Create a long, random pre-shared key (PSK) and store it in a Kubernetes
-   secret
+1. Create a provisioner key:
+
+   ```sh
+   coder provisioner keys create my-cool-key --org default
+   # Optionally, you can specify tags for the provisioner key:
+   # coder provisioner keys create my-cool-key --org default --tags location=auh kind=k8s
+   ```
+
+   Successfully created provisioner key kubernetes-key! Save this authentication
+   token, it will not be shown again.
+
+   <key omitted>
+   ```
+
+1. Store the key in a kubernetes secret:
 
    ```sh
-   kubectl create secret generic coder-provisioner-psk --from-literal=psk=`head /dev/urandom | base64 | tr -dc A-Za-z0-9 | head -c 26`
+   kubectl create secret generic coder-provisioner-psk --from-literal=key1=`<key omitted>`
    ```
 
 1. Modify your Coder `values.yaml` to include
 
    ```yaml
    provisionerDaemon:
-     pskSecretName: "coder-provisioner-psk"
+     keySecretName: "coder-provisioner-keys"
+     keySecretKey: "key1"
    ```
 
 1. Redeploy Coder with the new `values.yaml` to roll out the PSK. You can omit
@@ -300,7 +322,7 @@ will use in concert with the Helm chart for deploying the Coder server.
    ```
 
 1. Create a `provisioner-values.yaml` file for the provisioner daemons Helm
-   chart. For example
+   chart. For example:
 
    ```yaml
    coder:
@@ -309,10 +331,8 @@ will use in concert with the Helm chart for deploying the Coder server.
          value: "https://coder.example.com"
      replicaCount: 10
    provisionerDaemon:
-     pskSecretName: "coder-provisioner-psk"
-     tags:
-       location: auh
-       kind: k8s
+     keySecretName: "coder-provisioner-keys"
+     keySecretKey: "key1"
    ```
 
    This example creates a deployment of 10 provisioner daemons (for 10
 
@@ -1,8 +1,8 @@
 # Working with templates
 
-You create and edit Coder templates as [Terraform](../../../start/coder-tour.md)
-configuration files (`.tf`) and any supporting files, like a README or
-configuration files for other services.
+You create and edit Coder templates as
+[Terraform](../../../tutorials/quickstart.md) configuration files (`.tf`) and
+any supporting files, like a README or configuration files for other services.
 
 ## Who creates templates?
 
 
@@ -64,5 +64,5 @@ coder login https://coder.example.com
 
 ## Next steps
 
-- [Set up your first deployment](../start/coder-tour.md)
+- [Set up your first deployment](../tutorials/quickstart.md)
 - [Expose your control plane to other users](../admin/setup/index.md)
@@ -8,9 +8,9 @@
 			"icon_path": "./images/icons/home.svg",
 			"children": [
 				{
-					"title": "Tour Coder",
-					"description": "Tour Coder by creating a deployment with Docker",
-					"path": "./start/coder-tour.md"
+					"title": "Coder quickstart",
+					"description": "Try it out for yourself",
+					"path": "./tutorials/quickstart.md"
 				},
 				{
 					"title": "Screenshots",
@@ -634,6 +634,11 @@
 			"path": "./tutorials/index.md",
 			"icon_path": "./images/icons/generic.svg",
 			"children": [
+				{
+					"title": "Get started with Coder",
+					"description": "Learn how to install and run Coder quickly",
+					"path": "./tutorials/quickstart.md"
+				},
 				{
 					"title": "Write a Template from Scratch",
 					"description": "Learn how to author Coder templates",
Original file line number	Diff line number	Diff line change
`@@ -143,3 +143,4 @@ or [the v2 migration guide and FAQ](https://coder.com/docs/v1/guides/v2-faq).`
`143`	`143`
`144`	`144`	`- Learn about [Templates](./admin/templates/index.md)`
`145`	`145`	`- [Install Coder](./install/index.md)`
	`146`	`+- Follow the [Quickstart guide](./tutorials/quickstart.md) to try Coder out for yourself.`