From 5661c624868f44a3ca81c30e7899bdfa54988191 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Wed, 6 Nov 2024 22:18:15 +0000
Subject: [PATCH 1/5] fix(helm/provisioner): prefer provisioner key if both psk and key are set
---
 helm/provisioner/templates/_coder.tpl | 18 +--
 helm/provisioner/tests/chart_test.go | 2 +-
 .../tests/testdata/provisionerd_key.yaml | 1 -
 .../testdata/provisionerd_psk_and_key.golden | 137 ++++++++++++++++++
 helm/provisioner/values.yaml | 3 +
 5 files changed, 148 insertions(+), 13 deletions(-)
 create mode 100644 helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden
diff --git a/helm/provisioner/templates/_coder.tpl b/helm/provisioner/templates/_coder.tpl
index 9c2b2dece130f..214a3af0fac0d 100644
--- a/helm/provisioner/templates/_coder.tpl
+++ b/helm/provisioner/templates/_coder.tpl
@@ -34,22 +34,18 @@ env:
       value: "0.0.0.0:2112"
 {{- if and (empty .Values.provisionerDaemon.pskSecretName) (empty .Values.provisionerDaemon.keySecretName) }}
 {{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified." }}
-{{- else if and (.Values.provisionerDaemon.pskSecretName) (.Values.provisionerDaemon.keySecretName) }}
-{{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified, but not both." }}
-{{- end }}
-{{- if .Values.provisionerDaemon.pskSecretName }}
-- name: CODER_PROVISIONER_DAEMON_PSK
-  valueFrom:
-    secretKeyRef:
-      name: {{ .Values.provisionerDaemon.pskSecretName | quote }}
-      key: psk
-{{- end }}
-{{- if and .Values.provisionerDaemon.keySecretName .Values.provisionerDaemon.keySecretKey }}
+{{- else if and .Values.provisionerDaemon.keySecretName .Values.provisionerDaemon.keySecretKey }}
 - name: CODER_PROVISIONER_DAEMON_KEY
   valueFrom:
     secretKeyRef:
       name: {{ .Values.provisionerDaemon.keySecretName | quote }}
       key: {{ .Values.provisionerDaemon.keySecretKey | quote }}
+{{- else }}
+- name: CODER_PROVISIONER_DAEMON_PSK
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.provisionerDaemon.pskSecretName | quote }}
+      key: psk
 {{- end }}
 {{- if include "provisioner.tags" . }}
 - name: CODER_PROVISIONERD_TAGS
diff --git a/helm/provisioner/tests/chart_test.go b/helm/provisioner/tests/chart_test.go
index ab6d8445e8f61..d94fa104abf88 100644
--- a/helm/provisioner/tests/chart_test.go
+++ b/helm/provisioner/tests/chart_test.go
@@ -58,7 +58,7 @@ var testCases = []testCase{
 	},
 	{
 		name:          "provisionerd_psk_and_key",
-		expectedError: `Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified, but not both.`,
+		expectedError: ``,
 	},
 	{
 		name:          "provisionerd_no_psk_or_key",
diff --git a/helm/provisioner/tests/testdata/provisionerd_key.yaml b/helm/provisioner/tests/testdata/provisionerd_key.yaml
index c5ab331a45078..7cb35f0052918 100644
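Review bot: The new `{{- else }}` branch renders `CODER_PROVISIONER_DAEMON_PSK` from `.Values.provisionerDaemon.pskSecretName` without checking that it is non-empty, so a values file with `keySecretName` set, `keySecretKey` overridden to `""` and `pskSecretName: ""` passes the first guard, misses the `else if`, and emits a `secretKeyRef` whose `name` is `""` — the misconfiguration then surfaces when the pod is created rather than as a `fail` at template time. Adding `{{- else if empty .Values.provisionerDaemon.pskSecretName }}` followed by `{{ fail "provisionerDaemon.keySecretKey must be set when provisionerDaemon.keySecretName is set." }}` ahead of the `{{- else }}` keeps every invalid combination on the `fail` path. The same unguarded `else` branch is carried through the `_coder.tpl` hunks of patches 3 and 5 in this series. The enclosing `env:` list starts before this hunk.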
--- a/helm/provisioner/tests/testdata/provisionerd_key.yaml
+++ b/helm/provisioner/tests/testdata/provisionerd_key.yaml
@@ -2,7 +2,6 @@ coder:
   image:
     tag: latest
 provisionerDaemon:
-  pskSecretName: ""
   keySecretName: "coder-provisionerd-key"
   keySecretKey: "provisionerd-key"
   tags:
diff --git a/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden
new file mode 100644
index 0000000000000..c4f33f766df43
--- /dev/null
+++ b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden
@@ -0,0 +1,137 @@ +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: coder-provisioner-workspace-perms +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "coder-provisioner" +subjects: + - kind: ServiceAccount + name: "coder-provisioner" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: coder-provisioner-workspace-perms +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/name: coder-provisioner + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/instance: 
release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + spec: + containers: + - args: + - provisionerd + - start + command: + - /opt/coder + env: + - name: CODER_PROMETHEUS_ADDRESS + value: 0.0.0.0:2112 + - name: CODER_PROVISIONER_DAEMON_KEY + valueFrom: + secretKeyRef: + key: provisionerd-key + name: coder-provisionerd-key + - name: CODER_PROVISIONERD_TAGS + value: clusterType=k8s,location=auh + - name: CODER_URL + value: http://coder.default.svc.cluster.local + image: ghcr.io/coder/coder:latest + imagePullPolicy: IfNotPresent + lifecycle: {} + name: coder + ports: null + resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: null + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: [] + restartPolicy: Always + serviceAccountName: coder-provisioner + terminationGracePeriodSeconds: 600 + volumes: []
diff --git a/helm/provisioner/values.yaml b/helm/provisioner/values.yaml
index 446a4605db677..81f2224aacbdb 100644
--- a/helm/provisioner/values.yaml
+++ b/helm/provisioner/values.yaml
@@ -204,6 +204,9 @@ provisionerDaemon:
   # provisionerDaemon.keySecretName -- The name of the Kubernetes
   # secret that contains a provisioner key to use to authenticate with Coder.
   # See: https://coder.com/docs/admin/provisioners#authentication
+  # NOTE: if keySecretName and pskSecretName are both set, pskSecretName will
+  # take precedence, as Coder provisioners will refuse to start if both a PSK
+  # and key are set.
   keySecretName: ""
   # provisionerDaemon.keySecretKey -- The key of the Kubernetes
   # secret specified in provisionerDaemon.keySecretName that contains
From 112c46ab657bc07f22fa03a71991704b082b1947 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Wed, 6 Nov 2024 22:29:42 +0000
Subject: [PATCH 2/5] IMPORTANT DISTINCTION
---
 helm/provisioner/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/provisioner/values.yaml b/helm/provisioner/values.yaml
index 81f2224aacbdb..9eec551e7756e 100644
--- a/helm/provisioner/values.yaml
+++ b/helm/provisioner/values.yaml
@@ -204,7 +204,7 @@ provisionerDaemon:
   # provisionerDaemon.keySecretName -- The name of the Kubernetes
   # secret that contains a provisioner key to use to authenticate with Coder.
   # See: https://coder.com/docs/admin/provisioners#authentication
-  # NOTE: if keySecretName and pskSecretName are both set, pskSecretName will
+  # NOTE: if keySecretName and pskSecretName are both set, keySecretName will
   # take precedence, as Coder provisioners will refuse to start if both a PSK
   # and key are set.
   keySecretName: ""
From 58aafcc287b8242aa6a9613e7ac02282682fff64 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Thu, 7 Nov 2024 11:55:58 +0000
Subject: [PATCH 3/5] adjust logic to only override if pskSecretName is the default value
---
 helm/provisioner/templates/_coder.tpl | 5 +
 helm/provisioner/tests/chart_test.go | 6 +-
 .../tests/testdata/provisionerd_key.golden | 2 -
 .../tests/testdata/provisionerd_key.yaml | 3 -
 .../tests/testdata/provisionerd_key_tags.yaml | 9 ++
 .../testdata/provisionerd_no_psk_or_key.yaml | 3 -
 .../testdata/provisionerd_psk_and_key.golden | 137 ------------------
 .../testdata/provisionerd_psk_and_key.yaml | 2 +-
 helm/provisioner/values.yaml | 14 +-
 9 files changed, 30 insertions(+), 151 deletions(-)
 create mode 100644 helm/provisioner/tests/testdata/provisionerd_key_tags.yaml
 delete mode 100644 helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden
diff --git a/helm/provisioner/templates/_coder.tpl b/helm/provisioner/templates/_coder.tpl
index 214a3af0fac0d..85d4c96bd09ac 100644
--- a/helm/provisioner/templates/_coder.tpl
+++ b/helm/provisioner/templates/_coder.tpl
@@ -35,6 +35,11 @@ env:
 {{- if and (empty .Values.provisionerDaemon.pskSecretName) (empty .Values.provisionerDaemon.keySecretName) }}
 {{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified." }}
 {{- else if and .Values.provisionerDaemon.keySecretName .Values.provisionerDaemon.keySecretKey }}
+  {{- if ne .Values.provisionerDaemon.pskSecretName "coder-provisioner-psk" }}
+  {{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified, but not both." }}
+  {{- else if .Values.provisionerDaemon.tags }}
+  {{ fail "provisionerDaemon.tags may not be specified with provisionerDaemon.keySecretName." }}
+  {{- end }}
 - name: CODER_PROVISIONER_DAEMON_KEY
   valueFrom:
     secretKeyRef:
diff --git a/helm/provisioner/tests/chart_test.go b/helm/provisioner/tests/chart_test.go
index d94fa104abf88..aa04c7b0e69ec 100644
--- a/helm/provisioner/tests/chart_test.go
+++ b/helm/provisioner/tests/chart_test.go
@@ -58,12 +58,16 @@ var testCases = []testCase{
 	},
 	{
 		name:          "provisionerd_psk_and_key",
-		expectedError: ``,
+		expectedError: `Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified, but not both.`,
 	},
 	{
 		name:          "provisionerd_no_psk_or_key",
 		expectedError: `Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified.`,
 	},
+	{
+		name:          "provisionerd_key_tags",
+		expectedError: `provisionerDaemon.tags may not be specified with provisionerDaemon.keySecretName.`,
+	},
 	{
 		name:          "extra_templates",
 		expectedError: "",
diff --git a/helm/provisioner/tests/testdata/provisionerd_key.golden b/helm/provisioner/tests/testdata/provisionerd_key.golden
index c4f33f766df43..c4c23ec6da2a3 100644
--- a/helm/provisioner/tests/testdata/provisionerd_key.golden
+++ b/helm/provisioner/tests/testdata/provisionerd_key.golden
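Review bot: The new tags guard tests the raw `.Values.provisionerDaemon.tags` map, while the emission of `CODER_PROVISIONERD_TAGS` further down the same template is gated on `include "provisioner.tags" .`; if that helper can produce a non-empty tag string from anything other than the raw map, a key-authenticated daemon would slip past the guard and still receive tags. Using the same expression in both places, `{{- else if include "provisioner.tags" . }}`, keeps the check and the emission in lockstep. The helper's definition is not in this diff, so the two may already be equivalent. The enclosing `env:` list starts before this hunk.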
@@ -112,8 +112,6 @@ spec: secretKeyRef: key: provisionerd-key name: coder-provisionerd-key - - name: CODER_PROVISIONERD_TAGS - value: clusterType=k8s,location=auh - name: CODER_URL value: http://coder.default.svc.cluster.local image: ghcr.io/coder/coder:latest
diff --git a/helm/provisioner/tests/testdata/provisionerd_key.yaml b/helm/provisioner/tests/testdata/provisionerd_key.yaml
index 7cb35f0052918..82f786637ee19 100644
--- a/helm/provisioner/tests/testdata/provisionerd_key.yaml
+++ b/helm/provisioner/tests/testdata/provisionerd_key.yaml
@@ -4,6 +4,3 @@ coder:
 provisionerDaemon:
   keySecretName: "coder-provisionerd-key"
   keySecretKey: "provisionerd-key"
-  tags:
-    location: auh
-    clusterType: k8s
diff --git a/helm/provisioner/tests/testdata/provisionerd_key_tags.yaml b/helm/provisioner/tests/testdata/provisionerd_key_tags.yaml
new file mode 100644
index 0000000000000..7cb35f0052918
--- /dev/null
+++ b/helm/provisioner/tests/testdata/provisionerd_key_tags.yaml
@@ -0,0 +1,9 @@
+coder:
+  image:
+    tag: latest
+provisionerDaemon:
+  keySecretName: "coder-provisionerd-key"
+  keySecretKey: "provisionerd-key"
+  tags:
+    location: auh
+    clusterType: k8s
diff --git a/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml b/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml
index dbb0eca812de9..4d883a59fcb06 100644
--- a/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml
+++ b/helm/provisioner/tests/testdata/provisionerd_no_psk_or_key.yaml
@@ -4,6 +4,3 @@ coder:
 provisionerDaemon:
   pskSecretName: ""
   keySecretName: ""
-  tags:
-    location: auh
-    clusterType: k8s
diff --git a/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden
deleted file mode 100644
index c4f33f766df43..0000000000000
--- a/helm/provisioner/tests/testdata/provisionerd_psk_and_key.golden
+++ /dev/null
@@ -1,137 +0,0 @@ ---- -# Source: coder-provisioner/templates/coder.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: {} - labels: - app.kubernetes.io/instance: release-name - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: coder-provisioner - app.kubernetes.io/part-of: coder-provisioner - app.kubernetes.io/version: 0.1.0 - helm.sh/chart: coder-provisioner-0.1.0 - name: coder-provisioner ---- -# Source: coder-provisioner/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: coder-provisioner-workspace-perms -rules: - - apiGroups: [""] - resources: ["pods"] - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch ---- -# Source: coder-provisioner/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "coder-provisioner" -subjects: - - kind: ServiceAccount - name: "coder-provisioner" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: coder-provisioner-workspace-perms ---- -# Source: coder-provisioner/templates/coder.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: {} - labels: - app.kubernetes.io/instance: release-name - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: coder-provisioner - app.kubernetes.io/part-of: coder-provisioner - app.kubernetes.io/version: 0.1.0 - helm.sh/chart: coder-provisioner-0.1.0 - name: coder-provisioner -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: release-name - app.kubernetes.io/name: coder-provisioner - template: - metadata: - annotations: {} - labels: - app.kubernetes.io/instance: 
release-name - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: coder-provisioner - app.kubernetes.io/part-of: coder-provisioner - app.kubernetes.io/version: 0.1.0 - helm.sh/chart: coder-provisioner-0.1.0 - spec: - containers: - - args: - - provisionerd - - start - command: - - /opt/coder - env: - - name: CODER_PROMETHEUS_ADDRESS - value: 0.0.0.0:2112 - - name: CODER_PROVISIONER_DAEMON_KEY - valueFrom: - secretKeyRef: - key: provisionerd-key - name: coder-provisionerd-key - - name: CODER_PROVISIONERD_TAGS - value: clusterType=k8s,location=auh - - name: CODER_URL - value: http://coder.default.svc.cluster.local - image: ghcr.io/coder/coder:latest - imagePullPolicy: IfNotPresent - lifecycle: {} - name: coder - ports: null - resources: {} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: null - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - volumeMounts: [] - restartPolicy: Always - serviceAccountName: coder-provisioner - terminationGracePeriodSeconds: 600 - volumes: []
diff --git a/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml
index 530f48807edff..d2da1c370d422 100644
--- a/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml
+++ b/helm/provisioner/tests/testdata/provisionerd_psk_and_key.yaml
@@ -2,7 +2,7 @@ coder:
   image:
     tag: latest
 provisionerDaemon:
-  pskSecretName: "coder-provisionerd-psk"
+  pskSecretName: "not-the-default-coder-provisioner-psk"
   keySecretName: "coder-provisionerd-key"
   keySecretKey: "provisionerd-key"
   tags:
diff --git a/helm/provisioner/values.yaml b/helm/provisioner/values.yaml
index 9eec551e7756e..869ddc876c78b 100644
--- a/helm/provisioner/values.yaml
+++ b/helm/provisioner/values.yaml
@@ -204,17 +204,23 @@ provisionerDaemon:
   # provisionerDaemon.keySecretName -- The name of the Kubernetes
   # secret that contains a provisioner key to use to authenticate with Coder.
   # See: https://coder.com/docs/admin/provisioners#authentication
-  # NOTE: if keySecretName and pskSecretName are both set, keySecretName will
-  # take precedence, as Coder provisioners will refuse to start if both a PSK
-  # and key are set.
+  # NOTE: it is not permitted to specify both provisionerDaemon.keySecretName
+  # and provisionerDaemon.pskSecretName. An exception is made for the purposes
+  # of backwards-compatibility: if provisionerDaemon.pskSecretName is unchanged
+  # from the default value and provisionerDaemon.keySecretName is set, then
+  # provisionerDaemon.keySecretName and provisionerDaemon.keySecretKey will take
+  # precedence over provisionerDaemon.pskSecretName.
   keySecretName: ""
   # provisionerDaemon.keySecretKey -- The key of the Kubernetes
   # secret specified in provisionerDaemon.keySecretName that contains
   # the provisioner key. Defaults to "key".
   keySecretKey: "key"
-  # provisionerDaemon.tags -- Tags to filter provisioner jobs by.
+  # provisionerDaemon.tags -- If using a PSK, specify the set of provisioner
+  # job tags for which this provisioner daemon is responsible.
   # See: https://coder.com/docs/admin/provisioners#provisioner-tags
+  # NOTE: it is not permitted to specify both provisionerDaemon.tags and
+  # provsionerDaemon.keySecretName.
   tags: {}
   # location: usa
From 9b8cda7471ce7a6d569158a6bcbcd4ebee2b6d9f Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Thu, 7 Nov 2024 11:57:39 +0000
Subject: [PATCH 4/5] fixup! adjust logic to only override if pskSecretName is the default value
---
 helm/provisioner/tests/testdata/provisionerd_psk.golden | 2 +-
 helm/provisioner/tests/testdata/provisionerd_psk.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
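Review bot: The NOTE added under `provisionerDaemon.tags` misspells the key as `provsionerDaemon.keySecretName`; it should read `# provisionerDaemon.keySecretName.` so that anyone searching the file for the real key finds it, and so the text stays correct if these value comments are rendered into generated chart docs. The rewritten NOTE under `keySecretName` describes the exemption in terms of "the default value" without naming it, while the template now compares against a fixed literal; stating the exact default string in the comment would tell users precisely which value is exempt and which values trigger the "but not both" failure.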
diff --git a/helm/provisioner/tests/testdata/provisionerd_psk.golden b/helm/provisioner/tests/testdata/provisionerd_psk.golden
index b641ee0db37cb..c1d9421c3c9dd 100644
--- a/helm/provisioner/tests/testdata/provisionerd_psk.golden
+++ b/helm/provisioner/tests/testdata/provisionerd_psk.golden
@@ -111,7 +111,7 @@ spec: valueFrom: secretKeyRef: key: psk - name: coder-provisionerd-psk + name: not-the-default-coder-provisioner-psk - name: CODER_PROVISIONERD_TAGS value: clusterType=k8s,location=auh - name: CODER_URL
diff --git a/helm/provisioner/tests/testdata/provisionerd_psk.yaml b/helm/provisioner/tests/testdata/provisionerd_psk.yaml
index f891b007db539..c53958d4b856b 100644
--- a/helm/provisioner/tests/testdata/provisionerd_psk.yaml
+++ b/helm/provisioner/tests/testdata/provisionerd_psk.yaml
@@ -2,7 +2,7 @@ coder:
   image:
     tag: latest
 provisionerDaemon:
-  pskSecretName: "coder-provisionerd-psk"
+  pskSecretName: "not-the-default-coder-provisioner-psk"
   tags:
     location: auh
     clusterType: k8s
From e6f31863138b8ee6bcebabca91b242d46d674a75 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Thu, 7 Nov 2024 12:17:30 +0000
Subject: [PATCH 5/5] continue to support pskSecretName="" workaround
---
 helm/provisioner/templates/_coder.tpl | 2 +-
 helm/provisioner/tests/chart_test.go | 6 +
 ...ovisionerd_key_psk_empty_workaround.golden | 135 ++++++++++++++++++
 ...provisionerd_key_psk_empty_workaround.yaml | 7 +
 4 files changed, 149 insertions(+), 1 deletion(-)
 create mode 100644 helm/provisioner/tests/testdata/provisionerd_key_psk_empty_workaround.golden
 create mode 100644 helm/provisioner/tests/testdata/provisionerd_key_psk_empty_workaround.yaml
diff --git a/helm/provisioner/templates/_coder.tpl b/helm/provisioner/templates/_coder.tpl
index 85d4c96bd09ac..585393a6bf118 100644
--- a/helm/provisioner/templates/_coder.tpl
+++ b/helm/provisioner/templates/_coder.tpl
@@ -35,7 +35,7 @@ env:
 {{- if and (empty .Values.provisionerDaemon.pskSecretName) (empty .Values.provisionerDaemon.keySecretName) }}
 {{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified." }}
 {{- else if and .Values.provisionerDaemon.keySecretName .Values.provisionerDaemon.keySecretKey }}
-  {{- if ne .Values.provisionerDaemon.pskSecretName "coder-provisioner-psk" }}
+  {{- if and (not (empty .Values.provisionerDaemon.pskSecretName)) (ne .Values.provisionerDaemon.pskSecretName "coder-provisioner-psk") }}
   {{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified, but not both." }}
   {{- else if .Values.provisionerDaemon.tags }}
   {{ fail "provisionerDaemon.tags may not be specified with provisionerDaemon.keySecretName." }}
diff --git a/helm/provisioner/tests/chart_test.go b/helm/provisioner/tests/chart_test.go
index aa04c7b0e69ec..4bb54e2d787ed 100644
--- a/helm/provisioner/tests/chart_test.go
+++ b/helm/provisioner/tests/chart_test.go
@@ -56,6 +56,12 @@ var testCases = []testCase{
 		name:          "provisionerd_key",
 		expectedError: "",
 	},
+	// Test explicitly for the workaround where setting provisionerDaemon.pskSecretName=""
+	// was required to use provisioner keys.
+	{
+		name:          "provisionerd_key_psk_empty_workaround",
+		expectedError: "",
+	},
 	{
 		name:          "provisionerd_psk_and_key",
 		expectedError: `Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified, but not both.`,
diff --git a/helm/provisioner/tests/testdata/provisionerd_key_psk_empty_workaround.golden b/helm/provisioner/tests/testdata/provisionerd_key_psk_empty_workaround.golden
new file mode 100644
index 0000000000000..c4c23ec6da2a3
--- /dev/null
+++ b/helm/provisioner/tests/testdata/provisionerd_key_psk_empty_workaround.golden
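Review bot: The rewritten guard hard-codes `"coder-provisioner-psk"` as the chart default for `pskSecretName`, but nothing in the template says why that literal is there or that it must track `values.yaml` (the default itself is not part of this diff); if the default is ever renamed, every key-based install that leaves `pskSecretName` untouched starts failing with the "must be specified, but not both" message, and only the existing `provisionerd_key` case, which relies on the chart default, would catch it. A template comment directly above the changed line, `{{- /* Backwards-compat: a pskSecretName left at the chart default, or explicitly "", does not count as set; keep this literal in sync with provisionerDaemon.pskSecretName in values.yaml. */}}`, would make that coupling visible to the next editor. The `else if` / `fail` chain and the enclosing `env:` list continue outside this hunk.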
@@ -0,0 +1,135 @@ +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: coder-provisioner-workspace-perms +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +# Source: coder-provisioner/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "coder-provisioner" +subjects: + - kind: ServiceAccount + name: "coder-provisioner" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: coder-provisioner-workspace-perms +--- +# Source: coder-provisioner/templates/coder.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + name: coder-provisioner +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/name: coder-provisioner + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/instance: 
release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder-provisioner + app.kubernetes.io/part-of: coder-provisioner + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-provisioner-0.1.0 + spec: + containers: + - args: + - provisionerd + - start + command: + - /opt/coder + env: + - name: CODER_PROMETHEUS_ADDRESS + value: 0.0.0.0:2112 + - name: CODER_PROVISIONER_DAEMON_KEY + valueFrom: + secretKeyRef: + key: provisionerd-key + name: coder-provisionerd-key + - name: CODER_URL + value: http://coder.default.svc.cluster.local + image: ghcr.io/coder/coder:latest + imagePullPolicy: IfNotPresent + lifecycle: {} + name: coder + ports: null + resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: null + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: [] + restartPolicy: Always + serviceAccountName: coder-provisioner + terminationGracePeriodSeconds: 600 + volumes: []
diff --git a/helm/provisioner/tests/testdata/provisionerd_key_psk_empty_workaround.yaml b/helm/provisioner/tests/testdata/provisionerd_key_psk_empty_workaround.yaml
new file mode 100644
index 0000000000000..cfa46974c3e9a
--- /dev/null
+++ b/helm/provisioner/tests/testdata/provisionerd_key_psk_empty_workaround.yaml
@@ -0,0 +1,7 @@
+coder:
+  image:
+    tag: latest
+provisionerDaemon:
+  pskSecretName: ""
+  keySecretName: "coder-provisionerd-key"
+  keySecretKey: "provisionerd-key"