coder
diff --git a/‎admin/access-control/user-roles.md
Lines changed: 14 additions & 0 deletions b/‎admin/access-control/user-roles.md
Lines changed: 14 additions & 0 deletions
diff --git a/‎admin/registries/ecr.md
Lines changed: 117 additions & 25 deletions b/‎admin/registries/ecr.md
Lines changed: 117 additions & 25 deletions
diff --git a/‎admin/workspace-management/self-contained-builds.md
Lines changed: 27 additions & 0 deletions b/‎admin/workspace-management/self-contained-builds.md
Lines changed: 27 additions & 0 deletions
diff --git a/‎admin/workspace-providers/management.md
Lines changed: 28 additions & 2 deletions b/‎admin/workspace-providers/management.md
Lines changed: 28 additions & 2 deletions
diff --git a/‎assets/workspaces/create-devurl.png
-47 KB b/‎assets/workspaces/create-devurl.png
-47 KB
diff --git a/‎changelog/1.25.0.md
Lines changed: 92 additions & 0 deletions b/‎changelog/1.25.0.md
Lines changed: 92 additions & 0 deletions
@@ -39,6 +39,20 @@ There are four roles available:
     </tbody>
 </table>
 
+### Additive permissions
+
+The following tables detail what permissions Coder grants to each of the four
+roles, but a summary of the roles are:
+
+- All users are (or have the permissions of) a **member**
+- An **auditor** has the permissions of a member, plus the ability to work with
+  audit logs
+- A **site manager** has the permissions of a member or an auditor, plus
+  additional administrative rights
+- A **site admin** has the permissions of a member, auditor, and site manager,
+  as well as additional admin rights (e.g., creating site managers, access to
+  API keys)
+
 ### Site admin permissions
 
 <table>
 
@@ -6,41 +6,131 @@ description: Add a private Amazon ECR to Coder.
 This article will show you how to add your private ECR to Coder. If you're using
 a public ECR registry, you do not need to follow the steps below.
 
-Amazon requires users to [request temporary login credentials to access a
-private Elastic Container Registry (ECR)
-registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html).
-When interacting with ECR, Coder will request temporary credentials from the
-registry using the AWS credentials linked to the registry.
+Amazon requires users to
+[request temporary login credentials](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)
+to access a private Elastic Container Registry (ECR) registry. When interacting
+with ECR, Coder will request temporary credentials from the registry using the
+AWS credentials linked to the registry.
 
-## Step 1: Setting up your AWS credentials
+## Step 1: Setting up authentication for Coder
 
-To access a private ECR registry, Coder needs AWS credentials (specifically your
-**access key ID** and **secret access key**) with authorization to access the
-provided registry. You can either use AWS credentials tied to your own AWS
-account *or* credentials tied to an IAM user specifically for Coder (we
-recommend the latter option).
+To access a private ECR registry, Coder needs to authenticate with AWS. Coder
+supports two methods of authentication with AWS ECR:
 
-Note that you are not limited to providing one single set of AWS credentials.
-For example, you can use a set of credentials with access to all of your ECR
-repositories, or you can use individual sets of credentials, each with access to
-a single repository.
+- Static credentials
+- **Alpha:** IAM roles for service accounts
 
-To provision AWS credentials for Coder:
+### Option A: Provision static credentials for Coder
 
-1. **Optional:** [Create an IAM user for
-   Coder](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html)
+You can use an **Access Key ID** and **Secret Access Key** tied to either your
+own AWS account _or_ credentials tied to a dedicated IAM user (we recommend the
+latter option).
+
+> You are not limited to providing a single set of AWS credentials. For example,
+> you can use a set of credentials with access to all of your ECR repositories,
+> or you can use individual sets of credentials, each with access to a single
+> repository.
+
+To provision static credentials for Coder:
+
+1. **Optional:**
+   [Create an IAM user for Coder](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html)
    to access ECR. You can either attach the AWS-managed policy
-   `AmazonEC2ContainerRegistryReadOnly` to the user, or you can [create your
-   own](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html).
+   `AmazonEC2ContainerRegistryReadOnly` to the user, or you can
+   [create your own](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html).
 
-1. [Create an access
-   key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
+1. [Create an access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
    for the IAM user to be used with Coder (if one does not already exist).
 
+### Option B: Link an AWS IAM role to the Coder Kubernetes service account (IRSA)
+
+**Note:** This is currently an **alpha** feature.
+
+Coder can use an
+[IAM role linked to Coder's Kubernetes service account](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/),
+though this is only supported when Coder is running in AWS EKS. This is because
+the
+[EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook/)
+is required to provision and inject the required token into the `coderd` pod.
+
+> For more information on IAM Roles for Service Accounts (IRSA), please consult
+> the
+> [AWS Documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+
+To link an IAM role to Coder's Kubernetes service account:
+
+1. Enable the feature under Manage > Admin > Infrastructure > ECR IAM Role
+   Authentication.
+
+1. Create an IAM OIDC Provider for your EKS cluster (if it does not already
+   exist).
+
+1. [Create the IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html#create-service-account-iam-role)
+   to be used by Coder, if it does not already exist.
+
+   **Note:** Ensure that you also create and attach a trust policy that permits
+   the Coder service account the action `sts:AssumeRoleWithWebIdentity`. The
+   trust policy will look similar to the following:
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "Federated": "arn:aws:iam::${ACCT_ID}:oidc-provider/${OIDC_PROVIDER}"
+         },
+         "Action": "sts:AssumeRoleWithWebIdentity",
+         "Condition": {
+           "StringEquals": {
+             "${OIDC_PROVIDER}:sub": "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}"
+           }
+         }
+       }
+     ]
+   }
+   ```
+
+1. Annotate the Coder service account with the role ARN:
+
+   a) Add the following to your `values.yaml` for your Coder helm deployment:
+
+   ```yaml
+   coderd:
+    ...
+    builtinProviderServiceAccount:
+      ...
+      annotations:
+        eks.amazonaws.com/role-arn: my-role-arn
+   ```
+
+   b) Update the Helm deployment:
+
+   ```shell
+   helm upgrade coder coder/coder --values values.yaml
+   ```
+
+   c) Verify that the Coder service account now has the correct annotation:
+
+   ```shell
+   kubectl get serviceaccount coder -o yaml | grep eks.amazonaws.com/role-arn
+     eks.amazonaws.com/role-arn: my-role-arn
+   ```
+
+1. Validate that pods created with the `coder` service account have permission
+   to assume the role:
+
+```shell
+kubectl run -it --rm awscli --image=amazon/aws-cli \
+  --overrides='{"spec":{"serviceAccount":"coder"}}' \
+  --command aws ecr describe-repositories
+```
+
 ## Step 2: Add your private ECR registry to Coder
 
-You can add your private ECR registry at the same time that you [add your
-images](../../images/index.md). To import an image:
+You can add your private ECR registry at the same time that you
+[add your images](../../images/index.md). To import an image:
 
 1. In Coder, go to **Images** and click on **Import Image** in the upper-right.
 
@@ -51,7 +141,9 @@ images](../../images/index.md). To import an image:
 1. Provide a **registry name** and the **registry**.
 
 1. Set the **registry kind** to **ECR** and provide your **Access Key ID** and
-   **Secret Access Key**.
+   **Secret Access Key**, if required. If you want to use IRSA instead of static
+   credentials, to authenticate with ECR, leave **Access Key ID** and **Secret
+   Access Key** blank.
 
 1. Continue with the process of [adding your image](../../images/index.md).
 
 
@@ -0,0 +1,27 @@
+---
+title: "Self-contained workspace builds"
+description: Learn how to enable self-contained workspace builds.
+state: alpha
+---
+
+By default the Coder workspace boot sequence occurs remotely -- Coder uploads
+assets (including the Coder agent, code-server, and JetBrains Projector) from
+`coderd` to a workspace.
+
+However, Coder offers the option of using **self-contained workspace builds**.
+Enabling this option changes the Coder deployment so that workspaces control the
+boot sequence internally, with the workspace downloading assets from `coderd`.
+
+> At this time, Coder does not support certificate injectioin with
+> self-contained workspace builds.
+
+To enable self-contained workspace builds:
+
+1. Log into Coder.
+1. Go to Manage > Admin.
+1. On the Infrastructure page, scroll down to **Workspace container runtime**.
+1. Under **Enable self-contained workspace builds**, flip the toggle to **On**.
+1. Click **Save workspaces**.
+
+> Build errors are typically more verbose for remote builds than with
+> self-contained builds.
@@ -61,7 +61,8 @@ At this point, you can:
   > `coder config-ssh`.
 
 - Specify the Kubernetes `pod_tolerations`, `pod_node_selector`, and
-  `service_account_annotations` for the workspaces deployed with this provider:
+  `service_account_annotations`, and affinity for the workspaces deployed with
+  this provider:
 
   ```json
   {
@@ -73,10 +74,35 @@ At this point, you can:
       }
     ],
     "pod_node_selector": {},
-    "service_account_annotations": {}
+    "service_account_annotations": {},
+    "affinity": {}
   }
   ```
 
+  Configuring affinities allows you to control how workspaces are scheduled
+  across nodes. Enabling affinities allows Coder to schedule workspaces across
+  nodes, instead of being scheduled together onto a single node:
+
+  ```json
+  "affinity": {
+        "podAffinity": {
+            "preferredDuringSchedulingIgnoredDuringExecution": [
+                {
+                    "weight": 1,
+                    "podAffinityTerm": {
+                        "labelSelector": {
+                            "matchLabels": {
+                                "com.coder.resource": "true"
+                            }
+                        },
+                        "topologyKey": "kubernetes.io/hostname"
+                    }
+                }
+            ]
+        }
+    }
+  ```
+
 Once you've made your changes, click **Update Provider** to save and continue.
 
 ## Delete a workspace provider
 
@@ -0,0 +1,92 @@
+---
+title: "1.25.0"
+description: "Released on 11/17/2021"
+---
+
+> The final patch release of Kubernetes 1.19 was published on 28 October 2021.
+> As such, the _subsequent_ versions of Coder (v1.26 and later) will require the
+> use of Kubernetes 1.20 or later. See Coder's [version support policy] for more
+> information.
+
+<!-- Turn off linting to avoid changing the link -->
+<!-- markdownlint-disable MD044 -->
+
+[version support policy]:
+  ../setup/kubernetes/index.md#supported-kubernetes-versions
+
+<!-- markdownlint-enable MD044 -->
+
+### Breaking changes ❗
+
+- web: updated dev URLs to use a double hyphen as the delimiter. Please update
+  bookmarks accordingly.
+
+### Features ✨
+
+- EC2: added support for workspace providers deployed on EC2 instances.
+- Coder for Docker: added ability for macOS users with Docker Desktop to quickly
+  deploy Coder.
+- web: added support for
+  [IRSA authentication](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)
+  with AWS ECR. This can be enabled under **Manage > Admin > Infrastructure >
+  ECR IAM Role Authentication**.
+- web: removed the workspace create interstitial page for selecting custom or
+  templated workspaces and replaced with a drop-down button.
+- web: updated the **Create a Workspace** screen so that the **Advanced**
+  section is collapsed by default.
+- web: added support for hyphens in usernames.
+- web: improved length validation on dev URL names to conform with hostname
+  length limit.
+- web: improved support for high-availability deployments by allowing admins to
+  control affinities, or how Coder schedules workspaces across nodes.
+- web: improved performance of the Coder UI.
+- cli: added ability to set auto-off times on a per-workspace basis.
+- infra: added the `CODER_ORGANIZATION_ID`environment variable.
+- infra: added ability to pass custom headers to workspace applications.
+- infra: added ability to check for non-200 status codes related to workspace
+  applications.
+- infra: added
+  [permissions for service account creation](https://github.com/cdr/enterprise-helm/blob/main/templates/rbac.yaml#L33)
+  to the RBAC Helm charts.
+- infra: added functionality to create Kubernetes service accounts for
+  workspaces when service account annotations are set for the workspace
+  provider.
+- infra: added option to enable self-contained workspace builds, eliminating
+  dependency on `kube exec`.
+- infra: updated to Next.js 12.
+- infra: updated JetBrains Projector to Agent v1.7 and Client v1.4.
+- infra: added logging for workspace applications.
+
+### Bug fixes 🐛
+
+- web: fixed audit log rendering issues.
+- web: fixed feedback form loading and rendering errors.
+- cli: fixed issue with user login overwriting configuration used by the Coder
+  Agent.
+- cli: fixed issue with the web terminal not loading information correctly when
+  running `--help`.
+- cli: added `tunnel` to the Coder CLI help listing.
+- infra: fixed issue with CVMs due to `shiftfs` failing to compile on kernel
+  v5.11+.
+- infra: reverted Sysbox version due to memory corruption issues with Nix.
+- infra: fixed memory leak.
+- infra: fixed issue with `coder sync` not functioning properly.
+- infra: fixed issue with TLS certificates not properly updating at runtime.
+
+### Security updates 🔐
+
+- api: restricted ability to list all users and workspaces through the API to
+  site managers and site admins.
+- api: removed ability to return OIDC IdP client secret using admin
+  authentication API.
+- infra: implemented `update-crypto-policies` in images to ensure there's no use
+  of insecure cryptography in images.
+
+### Known issues 🔧
+
+- web: the service banner (if enabled) reappears for all users, even if they've
+  previously dismissed it.
+- web: using the web terminal in Coder can occasionally result in the connection
+  being reset and needing to be restarted.
+- web: the **Switch workspace** drop-down menu shows a workspace's status as
+  **Building** even though the build process is completed.