From 32d4bd78f8e67f8ba8f48c12da64c46223d1556b Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Thu, 17 Oct 2024 12:12:40 +0100 Subject: [PATCH 1/4] feat(helm/provisioner): add support for provisioner keys, add note re psk --- helm/provisioner/templates/NOTES.txt | 12 ++ helm/provisioner/templates/_coder.tpl | 9 ++ helm/provisioner/tests/chart_test.go | 8 + .../tests/testdata/provisionerd_key.golden | 137 +++++++++++++++++ .../tests/testdata/provisionerd_key.yaml | 10 ++ .../testdata/provisionerd_psk_and_key.golden | 142 ++++++++++++++++++ .../testdata/provisionerd_psk_and_key.yaml | 10 ++ helm/provisioner/values.yaml | 20 ++- 8 files changed, 345 insertions(+), 3 deletions(-) create mode 100644 helm/provisioner/templates/NOTES.txt create mode 100644 helm/provisioner/tests/testdata/provisionerd_key.golden create mode 100644 helm/provisioner/tests/testdata/provisionerd_key.yaml create mode 100644 helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden create mode 100644 helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml diff --git a/helm/provisioner/templates/NOTES.txt b/helm/provisioner/templates/NOTES.txt new file mode 100644 index 0000000000000..8af04c505bf38 --- /dev/null +++ b/helm/provisioner/templates/NOTES.txt @@ -0,0 +1,12 @@ +{{/* +Deprecation notices: +*/}} + +{{- if .Values.provisionerDaemon.pskSecretName }} +Note: Provisioner Daemon PSKs are no longer recommended for use with external +provisioners. Consider migrating to scoped provisioner keys instead. For more +information, see: https://coder.com/docs/admin/provisioners#authentication +{{- end }} + +Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run +into any problems! :) diff --git a/helm/provisioner/templates/_coder.tpl b/helm/provisioner/templates/_coder.tpl index b84b7d8c4e48c..101c855c46f74 100644 --- a/helm/provisioner/templates/_coder.tpl +++ b/helm/provisioner/templates/_coder.tpl 
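Review bot: The notice is rendered under a "Deprecation notices:" heading whenever pskSecretName is non-empty, while the values.yaml wording in the final patch of this series is deliberately softened to "we no longer recommend" rather than deprecated, so the two user-facing texts disagree about the PSK's status. Since pskSecretName keeps its non-empty default elsewhere in this patch, the notice also appears on every default install and for users who added keySecretName without blanking pskSecretName. Suggest aligning the heading with the softened wording, e.g. `Notices:`, and keeping the link so operators can find the migration path.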
@@ -32,11 +32,20 @@ args: env: - name: CODER_PROMETHEUS_ADDRESS value: "0.0.0.0:2112" +{{- if .Values.provisionerDaemon.pskSecretName }} - name: CODER_PROVISIONER_DAEMON_PSK valueFrom: secretKeyRef: name: {{ .Values.provisionerDaemon.pskSecretName | quote }} key: psk +{{- end }} +{{- if and .Values.provisionerDaemon.keySecretName .Values.provisionerDaemon.keySecretKey }} +- name: CODER_PROVISIONER_DAEMON_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.provisionerDaemon.keySecretName | quote }} + key: {{ .Values.provisionerDaemon.keySecretKey | quote }} +{{- end }} {{- if include "provisioner.tags" . }} - name: CODER_PROVISIONERD_TAGS value: {{ include "provisioner.tags" . }} diff --git a/helm/provisioner/tests/chart_test.go b/helm/provisioner/tests/chart_test.go index 78567b5b481d3..f6ca9321d2855 100644 --- a/helm/provisioner/tests/chart_test.go +++ b/helm/provisioner/tests/chart_test.go @@ -52,6 +52,14 @@ var testCases = []testCase{ name: "provisionerd_psk", expectedError: "", }, + { + name: "provisionerd_key", + expectedError: "", + }, + { + name: "provisionerd_psk_and_key", + expectedError: "", + }, { name: "extra_templates", expectedError: "", diff --git a/helm/provisioner/tests/testdata/provisionerd_key.golden b/helm/provisioner/tests/testdata/provisionerd_key.golden new file mode 100644 index 0000000000000..c4f33f766df43 --- /dev/null +++ b/helm/provisioner/tests/testdata/provisionerd_key.golden 
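Review bot: The new CODER_PROVISIONER_DAEMON_KEY block is gated on `and keySecretName keySecretKey`, so a values file that sets keySecretName but blanks keySecretKey silently renders a Deployment with no key injected; because keySecretKey already defaults to "key", dropping it from the condition (or failing when it is empty) surfaces the misconfiguration at template time instead of at the daemon's first connection attempt. Separately, pskSecretName keeps its non-empty default in this same patch, so a user who only adds keySecretName gets both secretKeyRefs injected and the pod cannot start unless the PSK Secret also exists, since neither secretKeyRef is marked optional; the provisionerd_key test values work around this by setting pskSecretName to "", which the value's comment should state. Which credential provisionerd honours when both env vars are present is not visible here and should be confirmed before the dual setup is documented as supported.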
@@ -0,0 +1,137 @@ +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: coder-provisioner-workspace-perms +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "coder-provisioner" +subjects: + - kind: ServiceAccount + name: "coder-provisioner" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: coder-provisioner-workspace-perms +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/name: coder-provisioner + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/instance: 
release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + spec: + containers: + - args: + - provisionerd + - start + command: + - /opt/coder + env: + - name: CODER_PROMETHEUS_ADDRESS + value: 0.0.0.0:2112 + - name: CODER_PROVISIONER_DAEMON_KEY + valueFrom: + secretKeyRef: + key: provisionerd-key + name: coder-provisionerd-key + - name: CODER_PROVISIONERD_TAGS + value: clusterType=k8s,location=auh + - name: CODER_URL + value: http://coder.default.svc.cluster.local + image: ghcr.io/coder/coder:latest + imagePullPolicy: IfNotPresent + lifecycle: {} + name: coder + ports: null + resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: null + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: [] + restartPolicy: Always + serviceAccountName: coder-provisioner + terminationGracePeriodSeconds: 600 + volumes: [] diff --git a/helm/provisioner/tests/testdata/provisionerd_key.yaml b/helm/provisioner/tests/testdata/provisionerd_key.yaml new file mode 100644 index 0000000000000..c5ab331a45078 --- /dev/null +++ b/helm/provisioner/tests/testdata/provisionerd_key.yaml @@ -0,0 +1,10 @@ +coder: + image: + tag: latest +provisionerDaemon: + pskSecretName: "" + keySecretName: "coder-provisionerd-key" + keySecretKey: "provisionerd-key" + tags: + location: auh + clusterType: k8s diff --git a/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden new file mode 100644 index 0000000000000..6ddaf8f292211 --- /dev/null +++ b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden 
@@ -0,0 +1,142 @@ +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: coder-provisioner-workspace-perms +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "coder-provisioner" +subjects: + - kind: ServiceAccount + name: "coder-provisioner" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: coder-provisioner-workspace-perms +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/name: coder-provisioner + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/instance: 
release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + spec: + containers: + - args: + - provisionerd + - start + command: + - /opt/coder + env: + - name: CODER_PROMETHEUS_ADDRESS + value: 0.0.0.0:2112 + - name: CODER_PROVISIONER_DAEMON_PSK + valueFrom: + secretKeyRef: + key: psk + name: coder-provisionerd-psk + - name: CODER_PROVISIONER_DAEMON_KEY + valueFrom: + secretKeyRef: + key: provisionerd-key + name: coder-provisionerd-key + - name: CODER_PROVISIONERD_TAGS + value: clusterType=k8s,location=auh + - name: CODER_URL + value: http://coder.default.svc.cluster.local + image: ghcr.io/coder/coder:latest + imagePullPolicy: IfNotPresent + lifecycle: {} + name: coder + ports: null + resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: null + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: [] + restartPolicy: Always + serviceAccountName: coder-provisioner + terminationGracePeriodSeconds: 600 + volumes: [] diff --git a/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml new file mode 100644 index 0000000000000..530f48807edff --- /dev/null +++ b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml @@ -0,0 +1,10 @@ +coder: + image: + tag: latest +provisionerDaemon: + pskSecretName: "coder-provisionerd-psk" + keySecretName: "coder-provisionerd-key" + keySecretKey: "provisionerd-key" + tags: + location: auh + clusterType: k8s diff --git a/helm/provisioner/values.yaml b/helm/provisioner/values.yaml index 273a74bd759b1..d12003f76fb50 100644 --- a/helm/provisioner/values.yaml +++ b/helm/provisioner/values.yaml 
@@ -192,12 +192,26 @@ coder: # provisionerDaemon -- Provisioner Daemon configuration options provisionerDaemon: - # provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the + # provisionerDaemon.pskSecretName -- (deprecated) The name of the Kubernetes secret that contains the # Pre-Shared Key (PSK) to use to authenticate with Coder. The secret must be in the same namespace - # as the Helm deployment, and contain an item called "psk" which contains the pre-shared key. + # as the Helm deployment, and contain an item called "psk" which contains the + # pre-shared key. + # WARNING: this field is deprecated and will be removed in a future release. + # Please use provisionerDaemon.keySecretName instead and generate a + # provisioner key instead of a PSK. pskSecretName: "coder-provisioner-psk" - # provisionerDaemon.tags -- Tags to filter provisioner jobs by + # provisionerDaemon.keySecretName -- The name of the Kubernetes + # secret that contains a provisioner key to use to authenticate with Coder. + # See: https://coder.com/docs/admin/provisioners#authentication + keySecretName: "" + # provisionerDaemon.keySecretKey -- The key of the Kubernetes + # secret specified in provisionerDaemon.keySecretName that contains + # the provisioner key. Defaults to "key". + keySecretKey: "key" + + # provisionerDaemon.tags -- Tags to filter provisioner jobs by. + # See: https://coder.com/docs/admin/provisioners#provisioner-tags tags: {} # location: usa From c47c8400e4aa051582109a7b1322f8673d518f8e Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Thu, 17 Oct 2024 12:16:07 +0100 Subject: [PATCH 2/4] adjust notes formatting --- helm/provisioner/templates/NOTES.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/helm/provisioner/templates/NOTES.txt b/helm/provisioner/templates/NOTES.txt index 8af04c505bf38..4d1f285d847ef 100644 --- a/helm/provisioner/templates/NOTES.txt +++ b/helm/provisioner/templates/NOTES.txt 
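Review bot: The keySecretName comment omits the same-namespace requirement that the pskSecretName comment states, yet both values are consumed through a secretKeyRef in the pod spec, which can only reference Secrets in the release namespace; suggest appending `# The secret must be in the same namespace as the Helm deployment.` to the keySecretName comment. The comment should also tell operators that pskSecretName must be set to "" for a key-only deployment, since its default stays "coder-provisioner-psk" and the template otherwise injects both credentials, e.g. `# When using a provisioner key, set provisionerDaemon.pskSecretName to "" so the PSK secret is no longer referenced.`. The keySecretKey description's `Defaults to "key".` duplicates the value on the next line and will drift if the default changes; consider dropping it from the prose.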
@@ -3,9 +3,9 @@ Deprecation notices: */}} {{- if .Values.provisionerDaemon.pskSecretName }} -Note: Provisioner Daemon PSKs are no longer recommended for use with external -provisioners. Consider migrating to scoped provisioner keys instead. For more -information, see: https://coder.com/docs/admin/provisioners#authentication +* Provisioner Daemon PSKs are no longer recommended for use with external + provisioners. Consider migrating to scoped provisioner keys instead. For more + information, see: https://coder.com/docs/admin/provisioners#authentication {{- end }} Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run From c9936e0a306713f708bcea3cb7fd1af133cae689 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Thu, 17 Oct 2024 12:22:53 +0100 Subject: [PATCH 3/4] require either provisioner key or psk to be set --- helm/provisioner/templates/_coder.tpl | 3 +++ helm/provisioner/tests/chart_test.go | 4 ++++ .../tests/testdata/provisionerd_no_psk_or_key.yaml | 9 +++++++++ 3 files changed, 16 insertions(+) create mode 100644 helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml diff --git a/helm/provisioner/templates/_coder.tpl b/helm/provisioner/templates/_coder.tpl index 101c855c46f74..108edc5795aab 100644 --- a/helm/provisioner/templates/_coder.tpl +++ b/helm/provisioner/templates/_coder.tpl @@ -32,6 +32,9 @@ args: env: - name: CODER_PROMETHEUS_ADDRESS value: "0.0.0.0:2112" +{{- if and (empty .Values.provisionerDaemon.pskSecretName) (empty .Values.provisionerDaemon.keySecretName) }} +{{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified." }} +{{- end }} {{- if .Values.provisionerDaemon.pskSecretName }} - name: CODER_PROVISIONER_DAEMON_PSK valueFrom: diff --git a/helm/provisioner/tests/chart_test.go b/helm/provisioner/tests/chart_test.go index f6ca9321d2855..7eb69fe36f822 100644 --- a/helm/provisioner/tests/chart_test.go +++ b/helm/provisioner/tests/chart_test.go 
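Review bot: The new `fail` guard only checks pskSecretName and keySecretName, while the key block added in the first patch additionally requires keySecretKey to be non-empty, so `keySecretName: x` with `keySecretKey: ""` passes this guard and still renders a Deployment with no credential env at all. Extend it with a second check, e.g. `{{- if and .Values.provisionerDaemon.keySecretName (empty .Values.provisionerDaemon.keySecretKey) }}{{ fail "provisionerDaemon.keySecretKey must be set when provisionerDaemon.keySecretName is set." }}{{- end }}`, and add a matching chart_test case alongside provisionerd_no_psk_or_key. As a point of style, the guard sits inside the rendered env list; placing validation at the top of the template keeps it separate from output, though since fail aborts rendering this does not change the result.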
@@ -60,6 +60,10 @@ var testCases = []testCase{ name: "provisionerd_psk_and_key", expectedError: "", }, + { + name: "provisionerd_no_psk_or_key", + expectedError: `Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified.`, + }, { name: "extra_templates", expectedError: "", diff --git a/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml b/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml new file mode 100644 index 0000000000000..dbb0eca812de9 --- /dev/null +++ b/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml @@ -0,0 +1,9 @@ +coder: + image: + tag: latest +provisionerDaemon: + pskSecretName: "" + keySecretName: "" + tags: + location: auh + clusterType: k8s From 7c993639d8f7c9732913958c88f17bc1052496b1 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Thu, 17 Oct 2024 14:37:32 +0100 Subject: [PATCH 4/4] soften deprecation to recommendation --- helm/provisioner/values.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/helm/provisioner/values.yaml b/helm/provisioner/values.yaml index d12003f76fb50..446a4605db677 100644 --- a/helm/provisioner/values.yaml +++ b/helm/provisioner/values.yaml 
@@ -192,13 +192,13 @@ coder: # provisionerDaemon -- Provisioner Daemon configuration options provisionerDaemon: - # provisionerDaemon.pskSecretName -- (deprecated) The name of the Kubernetes secret that contains the - # Pre-Shared Key (PSK) to use to authenticate with Coder. The secret must be in the same namespace - # as the Helm deployment, and contain an item called "psk" which contains the - # pre-shared key. - # WARNING: this field is deprecated and will be removed in a future release. - # Please use provisionerDaemon.keySecretName instead and generate a - # provisioner key instead of a PSK. + # provisionerDaemon.pskSecretName -- The name of the Kubernetes secret that contains the + # Pre-Shared Key (PSK) to use to authenticate with Coder. The secret must be + # in the same namespace as the Helm deployment, and contain an item called + # "psk" which contains the pre-shared key. + # NOTE: We no longer recommend using PSKs. Please consider using provisioner + # keys instead. They have a number of benefits, including the ability to + # rotate them easily. pskSecretName: "coder-provisioner-psk" # provisionerDaemon.keySecretName -- The name of the Kubernetes