If I install a custom provisioner in an on-prem data center, I likely want the provisioner to only pick up jobs from specific templates. However, the current behavior allows tagged provisioners to pick up any generic job as well.

coder provisionerd start \
  --tag environment=on_prem \
  --tag data_center=chicago

# In another terminal, create/push
# a template that requires this provisioner
coder templates create on-prem \
  --provisioner-tag environment=on_prem

# Or, match the provisioner exactly
coder templates create on-prem-chicago \
  --provisioner-tag environment=on_prem \
  --provisioner-tag data_center=chicago

# ⚠️ It is possible that this job is assigned to the on_prem provisioner
coder templates create random-template

Workarounds

• Do not run any built-in provisioners, start all provisioners with tags, ensure all templates target a tag

Ideas for potential fixes (in Coder)

• Set some default provisoner-tag for the built-in provisioners and templates
• Rework tags to work more like Kubernetes taints/tolerations
• Specific tags to determine behavior of provisioner:

  coder provisionerd start --tag data_center=on_prem --tag tag_policy=<match-all/match-one/forgiving>

  Definitely need a different naming convention, though, I'm sure there is prior art in other things