
Commit b9e2d0a

authored
fix(coderd): mark provisioner daemon psk as secret (#12322)
* fix(coderd): mark provisioner daemon psk as secret Marks provisioner daemon PSK with the secret annotation. This ensures it will be scrubbed from API requests to /api/v2/deployment/config. * make gen
1 parent 19baca5 commit b9e2d0a


5 files changed

+6
-5
lines changed


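--- a/cli/testdata/server-config.yaml.golden
+++ b/cli/testdata/server-config.yaml.golden
@@ -383,9 +383,6 @@ provisioning:
 # Time to force cancel provisioning tasks that are stuck.
 # (default: 10m0s, type: duration)
 forceCancelInterval: 10m0s
-# Pre-shared key to authenticate external provisioner daemons to Coder server.
-# (default: <unset>, type: string)
-daemonPSK: ""
 # Enable one or more experiments. These are not ready for production. Separate
 # multiple experiments with commas, or enter '*' to opt-in to all available
 # experiments.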

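--- a/coderd/deployment_test.go
+++ b/coderd/deployment_test.go
@@ -27,6 +27,7 @@ func TestDeploymentValues(t *testing.T) {
 cfg.PostgresURL.Set(hi)
 cfg.SCIMAPIKey.Set(hi)
 cfg.ExternalTokenEncryptionKeys.Set("the_random_key_we_never_expected,an_other_key_we_never_unexpected")
+cfg.Provisioner.DaemonPSK = "provisionersftw"
 
 client := coderdtest.New(t, &coderdtest.Options{
 DeploymentValues: cfg,
@@ -46,6 +47,7 @@ func TestDeploymentValues(t *testing.T) {
 require.Empty(t, scrubbed.Values.PostgresURL.Value())
 require.Empty(t, scrubbed.Values.SCIMAPIKey.Value())
 require.Empty(t, scrubbed.Values.ExternalTokenEncryptionKeys.Value())
+require.Empty(t, scrubbed.Values.Provisioner.DaemonPSK.Value())
 }
 
 func TestDeploymentStats(t *testing.T) {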
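Review bot: The new setup line in the first hunk assigns `cfg.Provisioner.DaemonPSK = "provisionersftw"` directly, while the three secrets just above it are populated through `.Set(...)`. For consistency with those lines I would write `cfg.Provisioner.DaemonPSK.Set(hi)`, assuming the field has the same `Set` method (it is passed as an option `Value` in codersdk/deployment.go, so it presumably does). TestDeploymentValues starts above the first hunk.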

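--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -1408,7 +1408,7 @@ when required by your organization's security policy.`,
 Env: "CODER_PROVISIONER_DAEMON_PSK",
 Value: &c.Provisioner.DaemonPSK,
 Group: &deploymentGroupProvisioning,
-YAML: "daemonPSK",
+Annotations: clibase.Annotations{}.Mark(annotationSecretKey, "true"),
 },
 // RateLimit settings
 {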
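Review bot: The option entry loses `YAML: "daemonPSK"` on the same line that gains the secret annotation, and nothing in the hunk records that the removal is intentional or what happens to a config file that still sets `daemonPSK` (whether it is ignored or rejected is not visible here). I would add a comment above the new line, `// Secret: scrubbed from /api/v2/deployment/config; deliberately has no YAML key.`, so the key is not re-added later. Because the PSK was returned by that endpoint before this change, the release note should probably advise rotating it wherever the endpoint was readable by anyone who should not hold the key. The option literal starts above the hunk.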

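--- a/codersdk/deployment_test.go
+++ b/codersdk/deployment_test.go
@@ -71,6 +71,9 @@ func TestDeploymentValues_HighlyConfigurable(t *testing.T) {
 flag: true,
 env: true,
 },
+"Provisioner Daemon Pre-shared Key (PSK)": {
+yaml: true,
+},
 }
 
 set := (&codersdk.DeploymentValues{}).Options()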

docs/cli/server.md

Lines changed: 0 additions & 1 deletion
