coder
diff --git a/‎helm/coder/Chart.yaml
+1-1 b/‎helm/coder/Chart.yaml
+1-1
diff --git a/‎helm/coder/templates/coder.yaml
+7 b/‎helm/coder/templates/coder.yaml
+7
diff --git a/‎helm/coder/tests/chart_test.go
+4 b/‎helm/coder/tests/chart_test.go
+4
diff --git a/‎helm/coder/tests/testdata/provisionerd_psk.golden
+194 b/‎helm/coder/tests/testdata/provisionerd_psk.golden
+194
diff --git a/‎helm/coder/tests/testdata/provisionerd_psk.yaml
+4 b/‎helm/coder/tests/testdata/provisionerd_psk.yaml
+4
diff --git a/‎helm/coder/values.yaml
+8 b/‎helm/coder/values.yaml
+8
diff --git a/‎helm/libcoder/templates/_helpers.tpl
+17-9 b/‎helm/libcoder/templates/_helpers.tpl
+17-9
diff --git a/‎helm/libcoder/templates/_rbac.yaml
+2-2 b/‎helm/libcoder/templates/_rbac.yaml
+2-2
diff --git a/‎helm/provisioner/Chart.yaml
+34 b/‎helm/provisioner/Chart.yaml
+34
diff --git a/‎helm/provisioner/charts/libcoder-0.1.0.tgz
2.92 KB b/‎helm/provisioner/charts/libcoder-0.1.0.tgz
2.92 KB
@@ -21,7 +21,7 @@ keywords:
   - coder
   - terraform
 sources:
-  - https://github.com/coder/coder/tree/main/helm
+  - https://github.com/coder/coder/tree/main/helm/coder
 icon: https://helm.coder.com/coder_logo_black.png
 maintainers:
   - name: Coder Technologies, Inc.
 
@@ -30,6 +30,13 @@ env:
   value: "0.0.0.0:8080"
 - name: CODER_PROMETHEUS_ADDRESS
   value: "0.0.0.0:2112"
+{{- if .Values.coder.provisionerDaemonPSKSecretName }}
+- name: CODER_PROVISIONER_DAEMON_PSK
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.coder.provisionerDaemonPSKSecretName | quote }}
+      key: psk
+{{- end }}
   # Set the default access URL so a `helm apply` works by default.
   # See: https://github.com/coder/coder/issues/5024
 {{- $hasAccessURL := false }}
 
@@ -56,6 +56,10 @@ var TestCases = []TestCase{
 		name:          "command_args",
 		expectedError: "",
 	},
+	{
+		name:          "provisionerd_psk",
+		expectedError: "",
+	},
 }
 
 type TestCase struct {
 
@@ -0,0 +1,194 @@
+---
+# Source: coder/templates/coder.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: coder
+    app.kubernetes.io/part-of: coder
+    app.kubernetes.io/version: 0.1.0
+    helm.sh/chart: coder-0.1.0
+  name: coder
+---
+# Source: coder/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: coder-workspace-perms
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - apps
+    resources:
+    - deployments
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+---
+# Source: coder/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "coder"
+subjects:
+  - kind: ServiceAccount
+    name: "coder"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: coder-workspace-perms
+---
+# Source: coder/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: coder
+  labels:
+    helm.sh/chart: coder-0.1.0
+    app.kubernetes.io/name: coder
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/part-of: coder
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+spec:
+  type: LoadBalancer
+  sessionAffinity: ClientIP
+  ports:
+    - name: "http"
+      port: 80
+      targetPort: "http"
+      protocol: TCP
+  externalTrafficPolicy: "Cluster"
+  selector:
+    app.kubernetes.io/name: coder
+    app.kubernetes.io/instance: release-name
+---
+# Source: coder/templates/coder.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: coder
+    app.kubernetes.io/part-of: coder
+    app.kubernetes.io/version: 0.1.0
+    helm.sh/chart: coder-0.1.0
+  name: coder
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: release-name
+      app.kubernetes.io/name: coder
+  template:
+    metadata:
+      annotations: {}
+      labels:
+        app.kubernetes.io/instance: release-name
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: coder
+        app.kubernetes.io/part-of: coder
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: coder-0.1.0
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app.kubernetes.io/instance
+                  operator: In
+                  values:
+                  - coder
+              topologyKey: kubernetes.io/hostname
+            weight: 1
+      containers:
+      - args:
+        - server
+        command:
+        - /opt/coder
+        env:
+        - name: CODER_HTTP_ADDRESS
+          value: 0.0.0.0:8080
+        - name: CODER_PROMETHEUS_ADDRESS
+          value: 0.0.0.0:2112
+        - name: CODER_PROVISIONER_DAEMON_PSK
+          valueFrom:
+            secretKeyRef:
+              key: psk
+              name: coder-provisionerd-psk
+        - name: CODER_ACCESS_URL
+          value: http://coder.default.svc.cluster.local
+        - name: KUBE_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: CODER_DERP_SERVER_RELAY_URL
+          value: http://$(KUBE_POD_IP):8080
+        image: ghcr.io/coder/coder:latest
+        imagePullPolicy: IfNotPresent
+        lifecycle: {}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: http
+            scheme: HTTP
+        name: coder
+        ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: http
+            scheme: HTTP
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: null
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts: []
+      restartPolicy: Always
+      serviceAccountName: coder
+      terminationGracePeriodSeconds: 60
+      volumes: []
@@ -0,0 +1,4 @@
+coder:
+  image:
+    tag: latest
+  provisionerDaemonPSKSecretName: "coder-provisionerd-psk"
@@ -280,6 +280,14 @@ coder:
   # coder.commandArgs -- Set arguments for the entrypoint command of the Coder pod.
   commandArgs: []
 
+  # coder.provisionerDaemonPSKSecretName -- The name of the Kubernetes secret that contains the
+  # Pre-Shared Key (PSK) to use to authenticate external provisioner daemons with Coder.  The
+  # secret must be in the same namespace as the Helm deployment, and contain an item called "psk"
+  # which contains the pre-shared key.
+  #
+  # This is an Enterprise feature. Contact sales@coder.com.
+  provisionerDaemonPSKSecretName: ""
+
 # extraTemplates -- Array of extra objects to deploy with the release. Strings
 # are evaluated as a template and can use template expansions and functions. All
 # other objects are used as yaml.
 
@@ -49,11 +49,15 @@ Coder Docker image URI
 Coder TLS enabled.
 */}}
 {{- define "coder.tlsEnabled" -}}
-{{- if .Values.coder.tls.secretNames -}}
-true
-{{- else -}}
-false
-{{- end -}}
+    {{- if hasKey .Values.coder "tls" -}}
+      {{- if .Values.coder.tls.secretNames -}}
+        true
+      {{- else -}}
+        false
+      {{- end -}}
+    {{- else -}}
+      false
+    {{- end -}}
 {{- end }}
 
 {{/*
@@ -88,11 +92,13 @@ http
 Coder volume definitions.
 */}}
 {{- define "coder.volumeList" }}
-{{ range $secretName := .Values.coder.tls.secretNames -}}
+{{- if hasKey .Values.coder "tls" -}}
+  {{ range $secretName := .Values.coder.tls.secretNames -}}
 - name: "tls-{{ $secretName }}"
   secret:
     secretName: {{ $secretName | quote }}
-{{ end -}}
+  {{ end -}}
+{{- end }}
 {{ range $secret := .Values.coder.certs.secrets -}}
 - name: "ca-cert-{{ $secret.name }}"
   secret:
@@ -119,11 +125,13 @@ volumes: []
 Coder volume mounts.
 */}}
 {{- define "coder.volumeMountList" }}
-{{ range $secretName := .Values.coder.tls.secretNames -}}
+{{- if hasKey .Values.coder "tls" -}}
+  {{ range $secretName := .Values.coder.tls.secretNames -}}
 - name: "tls-{{ $secretName }}"
   mountPath: "/etc/ssl/certs/coder/{{ $secretName }}"
   readOnly: true
-{{ end -}}
+  {{ end -}}
+{{- end }}
 {{ range $secret := .Values.coder.certs.secrets -}}
 - name: "ca-cert-{{ $secret.name }}"
   mountPath: "/etc/ssl/certs/{{ $secret.name }}.crt"
 
@@ -4,7 +4,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: coder-workspace-perms
+  name: {{ .Values.coder.serviceAccount.name }}-workspace-perms
 rules:
   - apiGroups: [""]
     resources: ["pods"]
@@ -54,6 +54,6 @@ subjects:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: coder-workspace-perms
+  name: {{ .Values.coder.serviceAccount.name }}-workspace-perms
 {{- end }}
 {{- end -}}
@@ -0,0 +1,34 @@
+apiVersion: v2
+name: coder-provisioner
+description: "External provisioner daemon for Coder. This is an Enterprise feature; contact sales@coder.com."
+home: https://github.com/coder/coder
+
+# version and appVersion are injected at release and will always be shown as
+# 0.1.0 in the repository.
+#
+# If you're installing the Helm chart directly from git it will have this
+# version, which means the auto-generated image URI will be invalid. You can set
+# "coder.image.tag" to the desired tag manually.
+type: application
+version: "0.1.0"
+appVersion: "0.1.0"
+
+# Coder has a hard requirement on Kubernetes 1.19, as this version introduced
+# the networking.k8s.io/v1 API.
+kubeVersion: ">= 1.19.0-0"
+
+keywords:
+  - coder
+  - terraform
+sources:
+  - https://github.com/coder/coder/tree/main/helm/provisioner
+icon: https://helm.coder.com/coder_logo_black.png
+maintainers:
+  - name: Coder Technologies, Inc.
+    email: support@coder.com
+    url: https://coder.com/contact
+
+dependencies:
+  - name: libcoder
+    version: 0.1.0
+    repository: file://../libcoder
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +coder:
 +  image:
 +    tag: latest
 +  provisionerDaemonPSKSecretName: "coder-provisionerd-psk"