coder
diff --git a/‎Makefile
+5-1 b/‎Makefile
+5-1
diff --git a/‎helm/coder/Chart.lock
+6 b/‎helm/coder/Chart.lock
+6
diff --git a/‎helm/coder/Chart.yaml
+1-1 b/‎helm/coder/Chart.yaml
+1-1
diff --git a/‎helm/coder/charts/libcoder-0.1.0.tgz
41 Bytes b/‎helm/coder/charts/libcoder-0.1.0.tgz
41 Bytes
diff --git a/‎helm/coder/templates/coder.yaml
+7 b/‎helm/coder/templates/coder.yaml
+7
diff --git a/‎helm/coder/tests/chart_test.go
+4 b/‎helm/coder/tests/chart_test.go
+4
diff --git a/‎helm/coder/tests/testdata/provisionerd_psk.golden
+194 b/‎helm/coder/tests/testdata/provisionerd_psk.golden
+194
diff --git a/‎helm/coder/tests/testdata/provisionerd_psk.yaml
+5 b/‎helm/coder/tests/testdata/provisionerd_psk.yaml
+5
diff --git a/‎helm/coder/tests/testdata/sa.golden
+2-2 b/‎helm/coder/tests/testdata/sa.golden
+2-2
diff --git a/‎helm/coder/values.yaml
+10 b/‎helm/coder/values.yaml
+10
diff --git a/‎helm/libcoder/templates/_coder.yaml
+1-1 b/‎helm/libcoder/templates/_coder.yaml
+1-1
diff --git a/‎helm/libcoder/templates/_helpers.tpl
+14-6 b/‎helm/libcoder/templates/_helpers.tpl
+14-6
diff --git a/‎helm/libcoder/templates/_rbac.yaml
+2-2 b/‎helm/libcoder/templates/_rbac.yaml
+2-2
diff --git a/‎helm/provisioner/Chart.lock
+6 b/‎helm/provisioner/Chart.lock
+6
@@ -553,7 +553,7 @@ coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS)
 	./scripts/apidocgen/generate.sh
 	pnpm run format:write:only ./docs/api ./docs/manifest.json ./coderd/apidoc/swagger.json
 
-update-golden-files: cli/testdata/.gen-golden helm/coder/tests/testdata/.gen-golden scripts/ci-report/testdata/.gen-golden enterprise/cli/testdata/.gen-golden
+update-golden-files: cli/testdata/.gen-golden helm/coder/tests/testdata/.gen-golden helm/provisioner/tests/testdata/.gen-golden scripts/ci-report/testdata/.gen-golden enterprise/cli/testdata/.gen-golden
 .PHONY: update-golden-files
 
 cli/testdata/.gen-golden: $(wildcard cli/testdata/*.golden) $(wildcard cli/*.tpl) $(GO_SRC_FILES) $(wildcard cli/*_test.go)
@@ -568,6 +568,10 @@ helm/coder/tests/testdata/.gen-golden: $(wildcard helm/coder/tests/testdata/*.ya
 	go test ./helm/coder/tests -run=TestUpdateGoldenFiles -update
 	touch "$@"
 
+helm/provisioner/tests/testdata/.gen-golden: $(wildcard helm/provisioner/tests/testdata/*.yaml) $(wildcard helm/provisioner/tests/testdata/*.golden) $(GO_SRC_FILES) $(wildcard helm/provisioner/tests/*_test.go)
+	go test ./helm/provisioner/tests -run=TestUpdateGoldenFiles -update
+	touch "$@"
+
 scripts/ci-report/testdata/.gen-golden: $(wildcard scripts/ci-report/testdata/*) $(wildcard scripts/ci-report/*.go)
 	go test ./scripts/ci-report -run=TestOutputMatchesGoldenFile -update
 	touch "$@"
 
@@ -0,0 +1,6 @@
+dependencies:
+- name: libcoder
+  repository: file://../libcoder
+  version: 0.1.0
+digest: sha256:5c9a99109258073b590a9f98268490ef387fde24c0c7c7ade9c1a8c7ef5e6e10
+generated: "2023-08-08T07:27:19.677972411Z"
@@ -21,7 +21,7 @@ keywords:
   - coder
   - terraform
 sources:
-  - https://github.com/coder/coder/tree/main/helm
+  - https://github.com/coder/coder/tree/main/helm/coder
 icon: https://helm.coder.com/coder_logo_black.png
 maintainers:
   - name: Coder Technologies, Inc.
 
@@ -30,6 +30,13 @@ env:
   value: "0.0.0.0:8080"
 - name: CODER_PROMETHEUS_ADDRESS
   value: "0.0.0.0:2112"
+{{- if .Values.provisionerDaemon.pskSecretName }}
+- name: CODER_PROVISIONER_DAEMON_PSK
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.provisionerDaemon.pskSecretName | quote }}
+      key: psk
+{{- end }}
   # Set the default access URL so a `helm apply` works by default.
   # See: https://github.com/coder/coder/issues/5024
 {{- $hasAccessURL := false }}
 
@@ -56,6 +56,10 @@ var TestCases = []TestCase{
 		name:          "command_args",
 		expectedError: "",
 	},
+	{
+		name:          "provisionerd_psk",
+		expectedError: "",
+	},
 }
 
 type TestCase struct {
 
@@ -0,0 +1,194 @@
+---
+# Source: coder/templates/coder.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: coder
+    app.kubernetes.io/part-of: coder
+    app.kubernetes.io/version: 0.1.0
+    helm.sh/chart: coder-0.1.0
+  name: coder
+---
+# Source: coder/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: coder-workspace-perms
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - apps
+    resources:
+    - deployments
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+---
+# Source: coder/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "coder"
+subjects:
+  - kind: ServiceAccount
+    name: "coder"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: coder-workspace-perms
+---
+# Source: coder/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: coder
+  labels:
+    helm.sh/chart: coder-0.1.0
+    app.kubernetes.io/name: coder
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/part-of: coder
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+spec:
+  type: LoadBalancer
+  sessionAffinity: ClientIP
+  ports:
+    - name: "http"
+      port: 80
+      targetPort: "http"
+      protocol: TCP
+  externalTrafficPolicy: "Cluster"
+  selector:
+    app.kubernetes.io/name: coder
+    app.kubernetes.io/instance: release-name
+---
+# Source: coder/templates/coder.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: coder
+    app.kubernetes.io/part-of: coder
+    app.kubernetes.io/version: 0.1.0
+    helm.sh/chart: coder-0.1.0
+  name: coder
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: release-name
+      app.kubernetes.io/name: coder
+  template:
+    metadata:
+      annotations: {}
+      labels:
+        app.kubernetes.io/instance: release-name
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: coder
+        app.kubernetes.io/part-of: coder
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: coder-0.1.0
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app.kubernetes.io/instance
+                  operator: In
+                  values:
+                  - coder
+              topologyKey: kubernetes.io/hostname
+            weight: 1
+      containers:
+      - args:
+        - server
+        command:
+        - /opt/coder
+        env:
+        - name: CODER_HTTP_ADDRESS
+          value: 0.0.0.0:8080
+        - name: CODER_PROMETHEUS_ADDRESS
+          value: 0.0.0.0:2112
+        - name: CODER_PROVISIONER_DAEMON_PSK
+          valueFrom:
+            secretKeyRef:
+              key: psk
+              name: coder-provisionerd-psk
+        - name: CODER_ACCESS_URL
+          value: http://coder.default.svc.cluster.local
+        - name: KUBE_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: CODER_DERP_SERVER_RELAY_URL
+          value: http://$(KUBE_POD_IP):8080
+        image: ghcr.io/coder/coder:latest
+        imagePullPolicy: IfNotPresent
+        lifecycle: {}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: http
+            scheme: HTTP
+        name: coder
+        ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: http
+            scheme: HTTP
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: null
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts: []
+      restartPolicy: Always
+      serviceAccountName: coder
+      terminationGracePeriodSeconds: 60
+      volumes: []
@@ -0,0 +1,5 @@
+coder:
+  image:
+    tag: latest
+provisionerDaemon:
+  pskSecretName: "coder-provisionerd-psk"
@@ -18,7 +18,7 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: coder-workspace-perms
+  name: coder-service-account-workspace-perms
 rules:
   - apiGroups: [""]
     resources: ["pods"]
@@ -67,7 +67,7 @@ subjects:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: coder-workspace-perms
+  name: coder-service-account-workspace-perms
 ---
 # Source: coder/templates/service.yaml
 apiVersion: v1
 
@@ -280,6 +280,16 @@ coder:
   # coder.commandArgs -- Set arguments for the entrypoint command of the Coder pod.
   commandArgs: []
 
+# provisionerDaemon -- Configuration for external provisioner daemons.
+#
+# This is an Enterprise feature. Contact sales@coder.com.
+provisionerDaemon:
+  # provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the
+  # Pre-Shared Key (PSK) to use to authenticate external provisioner daemons with Coder.  The
+  # secret must be in the same namespace as the Helm deployment, and contain an item called "psk"
+  # which contains the pre-shared key.
+  pskSecretName: ""
+
 # extraTemplates -- Array of extra objects to deploy with the release. Strings
 # are evaluated as a template and can use template expansions and functions. All
 # other objects are used as yaml.
 
@@ -2,7 +2,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: coder
+  name: {{ include "coder.name" .}}
   labels:
     {{- include "coder.labels" . | nindent 4 }}
     {{- with .Values.coder.labels }}
 
@@ -49,11 +49,15 @@ Coder Docker image URI
 Coder TLS enabled.
 */}}
 {{- define "coder.tlsEnabled" -}}
-{{- if .Values.coder.tls.secretNames -}}
-true
-{{- else -}}
-false
-{{- end -}}
+    {{- if hasKey .Values.coder "tls" -}}
+      {{- if .Values.coder.tls.secretNames -}}
+        true
+      {{- else -}}
+        false
+      {{- end -}}
+    {{- else -}}
+      false
+    {{- end -}}
 {{- end }}
 
 {{/*
@@ -88,11 +92,13 @@ http
 Coder volume definitions.
 */}}
 {{- define "coder.volumeList" }}
-{{ range $secretName := .Values.coder.tls.secretNames -}}
+{{- if hasKey .Values.coder "tls" -}}
+{{- range $secretName := .Values.coder.tls.secretNames }}
 - name: "tls-{{ $secretName }}"
   secret:
     secretName: {{ $secretName | quote }}
 {{ end -}}
+{{- end }}
 {{ range $secret := .Values.coder.certs.secrets -}}
 - name: "ca-cert-{{ $secret.name }}"
   secret:
@@ -119,11 +125,13 @@ volumes: []
 Coder volume mounts.
 */}}
 {{- define "coder.volumeMountList" }}
+{{- if hasKey .Values.coder "tls" }}
 {{ range $secretName := .Values.coder.tls.secretNames -}}
 - name: "tls-{{ $secretName }}"
   mountPath: "/etc/ssl/certs/coder/{{ $secretName }}"
   readOnly: true
 {{ end -}}
+{{- end }}
 {{ range $secret := .Values.coder.certs.secrets -}}
 - name: "ca-cert-{{ $secret.name }}"
   mountPath: "/etc/ssl/certs/{{ $secret.name }}.crt"
 
@@ -4,7 +4,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: coder-workspace-perms
+  name: {{ .Values.coder.serviceAccount.name }}-workspace-perms
 rules:
   - apiGroups: [""]
     resources: ["pods"]
@@ -54,6 +54,6 @@ subjects:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: coder-workspace-perms
+  name: {{ .Values.coder.serviceAccount.name }}-workspace-perms
 {{- end }}
 {{- end -}}
@@ -0,0 +1,6 @@
+dependencies:
+- name: libcoder
+  repository: file://../libcoder
+  version: 0.1.0
+digest: sha256:5c9a99109258073b590a9f98268490ef387fde24c0c7c7ade9c1a8c7ef5e6e10
+generated: "2023-08-07T12:43:45.49343898Z"