@@ -40,8 +40,10 @@ The provisioner daemon must authenticate with your Coder deployment.
4040
4141## Scoped Key (Recommended)
4242
43- We recommend creating finely-scoped keys for provisioners. Keys are scoped to an
44- organization.
43+ We recommend creating finely-scoped keys for provisioners.
44+ Keys are scoped to an organization, and optionally to a specific set of tags.
45+
46+ To create a key for an organization that will match untagged jobs:
4547
4648``` sh
4749coder provisioner keys create my-key \
@@ -52,7 +54,7 @@ Successfully created provisioner key my-key! Save this authentication token, it
5254< key omitted>
5355```
5456
55- Or, restrict the provisioner to jobs with specific tags
57+ To restrict the provisioner to jobs with specific tags:
5658
5759``` sh
5860coder provisioner keys create kubernetes-key \
@@ -64,7 +66,7 @@ Successfully created provisioner key kubernetes-key! Save this authentication to
6466< key omitted>
6567```
6668
67- To start the provisioner:
69+ You can then start the provisioner with the specified key :
6870
6971``` sh
7072export CODER_URL=https://< your-coder-url>
@@ -98,11 +100,12 @@ Note: Any user can start [user-scoped provisioners](#user-scoped-provisioners),
98100but this will also require a template on your deployment with the corresponding
99101tags.
100102
101- ## Global PSK
103+ ## Global PSK (Not Recommended)
104+
105+ > [ !NOTE] We do not recommend this approach anymore, as it makes
106+ > key rotation or isolating provisioners far more difficult.
102107
103- A deployment-wide PSK can be used to authenticate any provisioner. We do not
104- recommend this approach anymore, as it makes key rotation or isolating
105- provisioners far more difficult. To use a global PSK, set a
108+ A deployment-wide PSK can be used to authenticate any provisioner. To use a global PSK, set a
106109[ provisioner daemon pre-shared key (PSK)] ( ../reference/cli/server.md#--provisioner-daemon-psk )
107110on the Coder server.
108111
@@ -275,18 +278,31 @@ coder templates push on-prem \
275278Coder provides a Helm chart for running external provisioner daemons, which you
276279will use in concert with the Helm chart for deploying the Coder server.
277280
278- 1 . Create a long, random pre-shared key (PSK) and store it in a Kubernetes
279- secret
281+ 1 . Create a provisioner key:
282+
283+ ``` sh
284+ coder provisioner keys create my-cool-key --org default
285+ # Optionally, you can specify tags for the provsioner key:
286+ # coder provisioner keys create my-cool-key --org default --tags location=auh kind=k8s
287+ ```
288+
289+ Successfully created provisioner key kubernetes-key! Save this authentication token, it will not be shown again.
290+
291+ <key omitted >
292+ ```
293+
294+ Store the key in a kubernetes secret:
280295
281296 ```sh
282- kubectl create secret generic coder-provisioner-psk --from-literal=psk= ` head /dev/urandom | base64 | tr -dc A-Za-z0-9 | head -c 26 `
297+ kubectl create secret generic coder-provisioner-psk --from-literal=key1=`<key omitted> `
283298```
284299
2853001 . Modify your Coder ` values.yaml ` to include
286301
287302 ``` yaml
288303 provisionerDaemon :
289- pskSecretName : " coder-provisioner-psk"
304+ keySecretName : " coder-provisioner-keys"
305+ keySecretKey : " key1"
290306 ` ` `
291307
2923081. Redeploy Coder with the new ` values.yaml` to roll out the PSK. You can omit
@@ -300,7 +316,7 @@ will use in concert with the Helm chart for deploying the Coder server.
300316 ` ` `
301317
3023181. Create a `provisioner-values.yaml` file for the provisioner daemons Helm
303- chart. For example
319+ chart. For example :
304320
305321 ` ` ` yaml
306322 coder:
@@ -309,10 +325,8 @@ will use in concert with the Helm chart for deploying the Coder server.
309325 value: "https://coder.example.com"
310326 replicaCount: 10
311327 provisionerDaemon:
312- pskSecretName: "coder-provisioner-psk"
313- tags:
314- location: auh
315- kind: k8s
328+ keySecretName: "coder-provisioner-keys"
329+ keySecretKey: "key1"
316330 ` ` `
317331
318332 This example creates a deployment of 10 provisioner daemons (for 10
0 commit comments