coder
diff --git a/‎cli/root.go
+14-4 b/‎cli/root.go
+14-4
diff --git a/‎cli/testdata/coder_server_--help.golden
+4 b/‎cli/testdata/coder_server_--help.golden
+4
diff --git a/‎cli/testdata/server-config.yaml.golden
+3 b/‎cli/testdata/server-config.yaml.golden
+3
diff --git a/‎coderd/apidoc/docs.go
+3 b/‎coderd/apidoc/docs.go
+3
diff --git a/‎coderd/apidoc/swagger.json
+3 b/‎coderd/apidoc/swagger.json
+3
diff --git a/‎coderd/coderdtest/coderdtest.go
+5-1 b/‎coderd/coderdtest/coderdtest.go
+5-1
diff --git a/‎codersdk/client.go
+3 b/‎codersdk/client.go
+3
diff --git a/‎codersdk/deployment.go
+10 b/‎codersdk/deployment.go
+10
diff --git a/‎codersdk/organizations.go
+3-2 b/‎codersdk/organizations.go
+3-2
diff --git a/‎codersdk/provisionerdaemons.go
+37-14 b/‎codersdk/provisionerdaemons.go
+37-14
diff --git a/‎docs/api/general.md
+1 b/‎docs/api/general.md
+1
diff --git a/‎docs/api/schemas.md
+4 b/‎docs/api/schemas.md
+4
diff --git a/‎docs/cli/provisionerd_start.md
+9 b/‎docs/cli/provisionerd_start.md
+9
diff --git a/‎docs/cli/server.md
+10 b/‎docs/cli/server.md
+10
diff --git a/‎enterprise/cli/provisionerdaemons.go
+15-9 b/‎enterprise/cli/provisionerdaemons.go
+15-9
@@ -494,6 +494,15 @@ func addTelemetryHeader(client *codersdk.Client, inv *clibase.Invocation) {
 // InitClient sets client to a new client.
 // It reads from global configuration files if flags are not set.
 func (r *RootCmd) InitClient(client *codersdk.Client) clibase.MiddlewareFunc {
+	return r.initClientInternal(client, false)
+}
+
+func (r *RootCmd) InitClientMissingTokenOK(client *codersdk.Client) clibase.MiddlewareFunc {
+	return r.initClientInternal(client, true)
+}
+
+// nolint: revive
+func (r *RootCmd) initClientInternal(client *codersdk.Client, allowTokenMissing bool) clibase.MiddlewareFunc {
 	if client == nil {
 		panic("client is nil")
 	}
@@ -508,7 +517,7 @@ func (r *RootCmd) InitClient(client *codersdk.Client) clibase.MiddlewareFunc {
 				rawURL, err := conf.URL().Read()
 				// If the configuration files are absent, the user is logged out
 				if os.IsNotExist(err) {
-					return (errUnauthenticated)
+					return errUnauthenticated
 				}
 				if err != nil {
 					return err
@@ -524,9 +533,10 @@ func (r *RootCmd) InitClient(client *codersdk.Client) clibase.MiddlewareFunc {
 				r.token, err = conf.Session().Read()
 				// If the configuration files are absent, the user is logged out
 				if os.IsNotExist(err) {
-					return (errUnauthenticated)
-				}
-				if err != nil {
+					if !allowTokenMissing {
+						return errUnauthenticated
+					}
+				} else if err != nil {
 					return err
 				}
 			}
 
@@ -373,6 +373,10 @@ updating, and deleting workspace resources.
       --provisioner-daemon-poll-jitter duration, $CODER_PROVISIONER_DAEMON_POLL_JITTER (default: 100ms)
           Random jitter added to the poll interval.
 
+      --provisioner-daemon-psk string, $CODER_PROVISIONER_DAEMON_PSK
+          Pre-shared key to authenticate external provisioner daemons to Coder
+          server.
+
       --provisioner-daemons int, $CODER_PROVISIONER_DAEMONS (default: 3)
           Number of provisioner daemons to create on start. If builds are stuck
           in queued state for a long time, consider increasing this.
 
@@ -327,6 +327,9 @@ provisioning:
   # Time to force cancel provisioning tasks that are stuck.
   # (default: 10m0s, type: duration)
   forceCancelInterval: 10m0s
+  # Pre-shared key to authenticate external provisioner daemons to Coder server.
+  # (default: <unset>, type: string)
+  daemonPSK: ""
 # Enable one or more experiments. These are not ready for production. Separate
 # multiple experiments with commas, or enter '*' to opt-in to all available
 # experiments.
 
@@ -497,7 +497,11 @@ func NewExternalProvisionerDaemon(t *testing.T, client *codersdk.Client, org uui
 	}()
 
 	closer := provisionerd.New(func(ctx context.Context) (provisionerdproto.DRPCProvisionerDaemonClient, error) {
-		return client.ServeProvisionerDaemon(ctx, org, []codersdk.ProvisionerType{codersdk.ProvisionerTypeEcho}, tags)
+		return client.ServeProvisionerDaemon(ctx, codersdk.ServeProvisionerDaemonRequest{
+			Organization: org,
+			Provisioners: []codersdk.ProvisionerType{codersdk.ProvisionerTypeEcho},
+			Tags:         tags,
+		})
 	}, &provisionerd.Options{
 		Filesystem:          fs,
 		Logger:              slogtest.Make(t, nil).Named("provisionerd").Leveled(slog.LevelDebug),
 
@@ -71,6 +71,9 @@ const (
 	// command that was invoked to produce the request. It is for internal use
 	// only.
 	CLITelemetryHeader = "Coder-CLI-Telemetry"
+
+	// ProvisionerDaemonPSK contains the authentication pre-shared key for an external provisioner daemon
+	ProvisionerDaemonPSK = "Coder-Provisioner-Daemon-PSK"
 )
 
 // loggableMimeTypes is a list of MIME types that are safe to log
 
@@ -328,6 +328,7 @@ type ProvisionerConfig struct {
 	DaemonPollInterval  clibase.Duration `json:"daemon_poll_interval" typescript:",notnull"`
 	DaemonPollJitter    clibase.Duration `json:"daemon_poll_jitter" typescript:",notnull"`
 	ForceCancelInterval clibase.Duration `json:"force_cancel_interval" typescript:",notnull"`
+	DaemonPSK           clibase.String   `json:"daemon_psk" typescript:",notnull"`
 }
 
 type RateLimitConfig struct {
@@ -1230,6 +1231,15 @@ when required by your organization's security policy.`,
 			Group:       &deploymentGroupProvisioning,
 			YAML:        "forceCancelInterval",
 		},
+		{
+			Name:        "Provisioner Daemon Pre-shared Key (PSK)",
+			Description: "Pre-shared key to authenticate external provisioner daemons to Coder server.",
+			Flag:        "provisioner-daemon-psk",
+			Env:         "CODER_PROVISIONER_DAEMON_PSK",
+			Value:       &c.Provisioner.DaemonPSK,
+			Group:       &deploymentGroupProvisioning,
+			YAML:        "daemonPSK",
+		},
 		// RateLimit settings
 		{
 			Name:        "Disable All Rate Limits",
 
@@ -149,10 +149,11 @@ func (c *Client) Organization(ctx context.Context, id uuid.UUID) (Organization,
 	return organization, json.NewDecoder(res.Body).Decode(&organization)
 }
 
-// ProvisionerDaemonsByOrganization returns provisioner daemons available for an organization.
+// ProvisionerDaemons returns provisioner daemons available.
 func (c *Client) ProvisionerDaemons(ctx context.Context) ([]ProvisionerDaemon, error) {
 	res, err := c.Request(ctx, http.MethodGet,
-		"/api/v2/provisionerdaemons",
+		// TODO: the organization path parameter is currently ignored.
+		"/api/v2/organizations/default/provisionerdaemons",
 		nil,
 	)
 	if err != nil {
 
@@ -164,38 +164,61 @@ func (c *Client) provisionerJobLogsAfter(ctx context.Context, path string, after
 	}), nil
 }
 
-// ListenProvisionerDaemon returns the gRPC service for a provisioner daemon
+// ServeProvisionerDaemonRequest are the parameters to call ServeProvisionerDaemon with
+// @typescript-ignore ServeProvisionerDaemonRequest
+type ServeProvisionerDaemonRequest struct {
+	// Organization is the organization for the URL.  At present provisioner daemons ARE NOT scoped to organizations
+	// and so the organization ID is optional.
+	Organization uuid.UUID `json:"organization" format:"uuid"`
+	// Provisioners is a list of provisioner types hosted by the provisioner daemon
+	Provisioners []ProvisionerType `json:"provisioners"`
+	// Tags is a map of key-value pairs that tag the jobs this provisioner daemon can handle
+	Tags map[string]string `json:"tags"`
+	// PreSharedKey is an authentication key to use on the API instead of the normal session token from the client.
+	PreSharedKey string `json:"pre_shared_key"`
+}
+
+// ServeProvisionerDaemon returns the gRPC service for a provisioner daemon
 // implementation. The context is during dial, not during the lifetime of the
 // client. Client should be closed after use.
-func (c *Client) ServeProvisionerDaemon(ctx context.Context, organization uuid.UUID, provisioners []ProvisionerType, tags map[string]string) (proto.DRPCProvisionerDaemonClient, error) {
-	serverURL, err := c.URL.Parse(fmt.Sprintf("/api/v2/organizations/%s/provisionerdaemons/serve", organization))
+func (c *Client) ServeProvisionerDaemon(ctx context.Context, req ServeProvisionerDaemonRequest) (proto.DRPCProvisionerDaemonClient, error) {
+	serverURL, err := c.URL.Parse(fmt.Sprintf("/api/v2/organizations/%s/provisionerdaemons/serve", req.Organization))
 	if err != nil {
 		return nil, xerrors.Errorf("parse url: %w", err)
 	}
 	query := serverURL.Query()
-	for _, provisioner := range provisioners {
+	for _, provisioner := range req.Provisioners {
 		query.Add("provisioner", string(provisioner))
 	}
-	for key, value := range tags {
+	for key, value := range req.Tags {
 		query.Add("tag", fmt.Sprintf("%s=%s", key, value))
 	}
 	serverURL.RawQuery = query.Encode()
-	jar, err := cookiejar.New(nil)
-	if err != nil {
-		return nil, xerrors.Errorf("create cookie jar: %w", err)
-	}
-	jar.SetCookies(serverURL, []*http.Cookie{{
-		Name:  SessionTokenCookie,
-		Value: c.SessionToken(),
-	}})
 	httpClient := &http.Client{
-		Jar:       jar,
 		Transport: c.HTTPClient.Transport,
 	}
+	headers := http.Header{}
+
+	if req.PreSharedKey == "" {
+		// use session token if we don't have a PSK.
+		jar, err := cookiejar.New(nil)
+		if err != nil {
+			return nil, xerrors.Errorf("create cookie jar: %w", err)
+		}
+		jar.SetCookies(serverURL, []*http.Cookie{{
+			Name:  SessionTokenCookie,
+			Value: c.SessionToken(),
+		}})
+		httpClient.Jar = jar
+	} else {
+		headers.Set(ProvisionerDaemonPSK, req.PreSharedKey)
+	}
+
 	conn, res, err := websocket.Dial(ctx, serverURL.String(), &websocket.DialOptions{
 		HTTPClient: httpClient,
 		// Need to disable compression to avoid a data-race.
 		CompressionMode: websocket.CompressionDisabled,
+		HTTPHeader:      headers,
 	})
 	if err != nil {
 		if res == nil {
 
@@ -44,13 +44,14 @@ func (r *RootCmd) provisionerDaemonStart() *clibase.Cmd {
 		rawTags      []string
 		pollInterval time.Duration
 		pollJitter   time.Duration
+		preSharedKey string
 	)
 	client := new(codersdk.Client)
 	cmd := &clibase.Cmd{
 		Use:   "start",
 		Short: "Run a provisioner daemon",
 		Middleware: clibase.Chain(
-			r.InitClient(client),
+			r.InitClientMissingTokenOK(client),
 		),
 		Handler: func(inv *clibase.Invocation) error {
 			ctx, cancel := context.WithCancel(inv.Context())
@@ -59,11 +60,6 @@ func (r *RootCmd) provisionerDaemonStart() *clibase.Cmd {
 			notifyCtx, notifyStop := signal.NotifyContext(ctx, agpl.InterruptSignals...)
 			defer notifyStop()
 
-			org, err := agpl.CurrentOrganization(inv, client)
-			if err != nil {
-				return xerrors.Errorf("get current organization: %w", err)
-			}
-
 			tags, err := agpl.ParseProvisionerTags(rawTags)
 			if err != nil {
 				return err
@@ -112,9 +108,13 @@ func (r *RootCmd) provisionerDaemonStart() *clibase.Cmd {
 				string(database.ProvisionerTypeTerraform): proto.NewDRPCProvisionerClient(terraformClient),
 			}
 			srv := provisionerd.New(func(ctx context.Context) (provisionerdproto.DRPCProvisionerDaemonClient, error) {
-				return client.ServeProvisionerDaemon(ctx, org.ID, []codersdk.ProvisionerType{
-					codersdk.ProvisionerTypeTerraform,
-				}, tags)
+				return client.ServeProvisionerDaemon(ctx, codersdk.ServeProvisionerDaemonRequest{
+					Provisioners: []codersdk.ProvisionerType{
+						codersdk.ProvisionerTypeTerraform,
+					},
+					Tags:         tags,
+					PreSharedKey: preSharedKey,
+				})
 			}, &provisionerd.Options{
 				Logger:          logger,
 				JobPollInterval: pollInterval,
@@ -182,6 +182,12 @@ func (r *RootCmd) provisionerDaemonStart() *clibase.Cmd {
 			Default:     (100 * time.Millisecond).String(),
 			Value:       clibase.DurationOf(&pollJitter),
 		},
+		{
+			Flag:        "psk",
+			Env:         "CODER_PROVISIONER_DAEMON_PSK",
+			Description: "Pre-shared key to authenticate with Coder server.",
+			Value:       clibase.StringOf(&preSharedKey),
+		},
 	}
 
 	return cmd
Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,9 @@ const (`
`71`	`71`	`// command that was invoked to produce the request. It is for internal use`
`72`	`72`	`// only.`
`73`	`73`	`CLITelemetryHeader = "Coder-CLI-Telemetry"`
	`74`	`+`
	`75`	`+ // ProvisionerDaemonPSK contains the authentication pre-shared key for an external provisioner daemon`
	`76`	`+ ProvisionerDaemonPSK = "Coder-Provisioner-Daemon-PSK"`
`74`	`77`	`)`
`75`	`78`
`76`	`79`	`// loggableMimeTypes is a list of MIME types that are safe to log`
Original file line number	Diff line number	Diff line change
`@@ -149,10 +149,11 @@ func (c *Client) Organization(ctx context.Context, id uuid.UUID) (Organization,`
`149`	`149`	`return organization, json.NewDecoder(res.Body).Decode(&organization)`
`150`	`150`	`}`
`151`	`151`
`152`		`-// ProvisionerDaemonsByOrganization returns provisioner daemons available for an organization.`
	`152`	`+// ProvisionerDaemons returns provisioner daemons available.`
`153`	`153`	`func (c *Client) ProvisionerDaemons(ctx context.Context) ([]ProvisionerDaemon, error) {`
`154`	`154`	`res, err := c.Request(ctx, http.MethodGet,`
`155`		`- "/api/v2/provisionerdaemons",`
	`155`	`+ // TODO: the organization path parameter is currently ignored.`
	`156`	`+ "/api/v2/organizations/default/provisionerdaemons",`
`156`	`157`	`nil,`
`157`	`158`	`)`
`158`	`159`	`if err != nil {`