external provisionerd authentication via pre-shared key (PSK) #8861

Closed
@spikecurtis

Currently, external provisionerds need a template-admin Coder API token in order to authenticate.

This presents a difficulty when deploying via Helm, since it requires a working Coderd before a token can be generated.

It also is a more powerful token than is required, since provisionerd does not need to modify any templates.

Spec

Add an environment variable/configuration field to Coderd to specify a pre-shared key for provisionerd authentication. When authenticating to the provisioner API, we check the provided token against this value in addition to standard API keys. The pre-shared key can only be used to authenticate against the provisioner API, not against other API endpoints.

Environment variable: CODER_PROVISIONER_DAEMON_PSK
CLI flag: --provisioner-daemon-psk
YAML: provisioning.daemonPSK
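
A minimal sketch of the scoping rule in the spec above, added here as an example and not taken from Coder's code base: the PSK is accepted alongside API keys on the provisioner route and rejected everywhere else. The header name, both route paths and the `validAPIKey` stand-in are hypothetical, and the key values are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const pskHeader = "X-Example-Provisioner-PSK" // hypothetical, not Coder's actual header

// pskMatches compares hashes in constant time; an unset PSK never matches.
func pskMatches(configured, presented string) bool {
	if configured == "" || presented == "" {
		return false
	}
	a, b := sha256.Sum256([]byte(configured)), sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// validAPIKey stands in for the standard API-key check (constructed value).
func validAPIKey(r *http.Request) bool { return r.Header.Get("Authorization") == "Bearer constructed-api-key" }

// newMux accepts the PSK on the provisioner route only; other routes take API keys alone.
func newMux(psk string) *http.ServeMux {
	guard := func(allowPSK bool) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			if validAPIKey(r) || (allowPSK && pskMatches(psk, r.Header.Get(pskHeader))) {
				w.WriteHeader(http.StatusOK)
				return
			}
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		}
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/provisioner/serve", guard(true)) // hypothetical path
	mux.HandleFunc("/templates", guard(false))        // hypothetical path
	return mux
}

func status(h http.Handler, path, psk string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set(pskHeader, psk)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(status(newMux("constructed-psk"), "/templates", "constructed-psk")) }
```

Treating an empty configured value as "never matches" matters here: without that check, a deployment that leaves the PSK unset would accept any request that sends an empty header.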
