feat: add --key flag to provisionerd start

f0ssel · f0ssel · commit 5d4cbc0ac2fc · 2024-07-24T19:10:00.000Z
diff --git a/enterprise/cli/provisionerdaemonstart.go b/enterprise/cli/provisionerdaemonstart.go
@@ -46,6 +46,7 @@ func (r *RootCmd) provisionerDaemonStart() *serpent.Command {
 		pollInterval   time.Duration
 		pollJitter     time.Duration
 		preSharedKey   string
+		provisionerKey string
 		verbose        bool
 
 		prometheusEnable  bool
@@ -113,6 +114,19 @@ func (r *RootCmd) provisionerDaemonStart() *serpent.Command {
 				return err
 			}
 
+			if provisionerKey != "" {
+				if preSharedKey != "" {
+					return xerrors.New("cannot provide both provisioner key --key and pre-shared key --psk")
+				}
+				if len(rawTags) > 0 {
+					return xerrors.New("cannot provide tags when using provisioner key")
+				}
+				// _, err := provisionerkey.Parse(provisionerKey)
+				// if err != nil {
+				// 	return xerrors.Errorf("parse provisioner key: %w", err)
+				// }
+			}
+
 			logOpts := []clilog.Option{
 				clilog.WithFilter(logFilter...),
 				clilog.WithHuman(logHuman),
@@ -136,10 +150,10 @@ func (r *RootCmd) provisionerDaemonStart() *serpent.Command {
 				logger.Info(ctx, "note: untagged provisioners can only pick up jobs from untagged templates")
 			}
 
-			// When authorizing with a PSK, we automatically scope the provisionerd
-			// to organization. Scoping to user with PSK auth is not a valid configuration.
-			if preSharedKey != "" {
-				logger.Info(ctx, "psk auth automatically sets tag "+provisionersdk.TagScope+"="+provisionersdk.ScopeOrganization)
+			// When authorizing with a PSK / provisioner key, we automatically scope the provisionerd
+			// to organization. Scoping to user with PSK / provisioner key auth is not a valid configuration.
+			if preSharedKey != "" || provisionerKey != "" {
+				logger.Info(ctx, "psk or provisioner key auth automatically sets tag "+provisionersdk.TagScope+"="+provisionersdk.ScopeOrganization)
 				tags[provisionersdk.TagScope] = provisionersdk.ScopeOrganization
 			}
 
@@ -213,6 +227,7 @@ func (r *RootCmd) provisionerDaemonStart() *serpent.Command {
 					Tags:         tags,
 					PreSharedKey: preSharedKey,
 					Organization: org.ID,
+					// ProvisionerKey: provisionerKey,
 				})
 			}, &provisionerd.Options{
 				Logger:         logger,
@@ -296,6 +311,13 @@ func (r *RootCmd) provisionerDaemonStart() *serpent.Command {
 			Description: "Pre-shared key to authenticate with Coder server.",
 			Value:       serpent.StringOf(&preSharedKey),
 		},
+		{
+			Flag:        "key",
+			Env:         "CODER_PROVISIONER_DAEMON_KEY",
+			Description: "Provisioner key to authenticate with Coder server.",
+			Value:       serpent.StringOf(&provisionerKey),
+			Hidden:      true,
+		},
 		{
 			Flag:        "name",
 			Env:         "CODER_PROVISIONER_DAEMON_NAME",
diff --git a/enterprise/cli/provisionerdaemonstart_test.go b/enterprise/cli/provisionerdaemonstart_test.go
@@ -301,6 +301,15 @@ func TestProvisionerDaemon_SessionToken(t *testing.T) {
 	})
 }
 
+func TestProvisionerDaemon_ProvisionerKey(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+	})
+}
+
 //nolint:paralleltest,tparallel // Test uses a static port.
 func TestProvisionerDaemon_PrometheusEnabled(t *testing.T) {
 	// Ephemeral ports have a tendency to conflict and fail with `bind: address already in use` error.
