From 0e4a5a67c851eb29c7fff82e268425ef35775fb5 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Wed, 21 Sep 2022 23:18:17 +0100 Subject: [PATCH 1/2] chore: initial version of 1.35.0 changelog (#1126) * chore: initial version of 1.35.0 changelog * add SSE fix * fix typo * typo, formatting Co-authored-by: David Wahler --- changelog/1.35.0.md | 43 +++++++++++++++++++++++++++++++++++++++++++ manifest.json | 5 ++++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 changelog/1.35.0.md
diff --git a/changelog/1.35.0.md b/changelog/1.35.0.md
new file mode 100644
index 000000000..525970877
--- /dev/null
+++ b/changelog/1.35.0.md
@@ -0,0 +1,43 @@
+---
+title: "1.35.0"
+description: "Released on TBD"
+---
+
+### Breaking changes ❗
+
+There are no breaking changes in 1.35.0.
+
+### Features ✨
+
+- infra: Coder now supports reading the database password from a file (specified
+ by environment variable `DB_PASSWORD_PATH`) instead of directly from an
+ environment variable. This is configurable via the Helm option
+ `postgres.noPasswordEnv`.
+- infra: Workspace templates now allow specifying seccomp profiles for workspace
+ pods.
+
+### Bug fixes 🐛
+
+- web: Fixed an issue where non-Admin users were unable to create "Open in
+ Coder" buttons.
+- web: Fixed broken links in the offline docs.
+- web: Added a workaround for an issue in Projector where the IDE would crash
+ when running a unit test
+ [(IDEA-300226](https://youtrack.jetbrains.com/issue/IDEA-300226)).
+- web: Fixed an issue where custom font glyphs were not being rendered correctly
+ in the web terminal.
+- web: `coderd` now automatically reloads TLS certificates without a restart.
+- web: fixed an issue blocking the usage of Server-Sent Events (SSE).
+- infra: Improved connection caching logic.
+- infra: Fixed an issue where building multiple workspaces in parallel would
+ result in excessive queuing.
+- infra: Improved logging of workspace builds and websocket connection errors.
+
+### Security updates 🔐
+
+There are no security updates in 1.35.
+
+### Notes â„šī¸
+
+- Our bundled version of JetBrains Projector is now built with JDK 17 to match
+ the version used by more recent Jetbrains IDEs.
diff --git a/manifest.json b/manifest.json
index 090563ffe..567232216 100644
--- a/manifest.json
+++ b/manifest.json
@@ -1,5 +1,5 @@
 {
- "versions": ["v1.34", "v1.33", "v1.32", "v1.31", "v1.30"],
+ "versions": ["v1.35", "v1.34", "v1.33", "v1.32", "v1.31", "v1.30"],
 "routes": [
 {
 "path": "./index.md",
@@ -575,6 +575,9 @@ { "path": "./changelog/index.md", "children": [ + { + "path": "./changelog/1.35.0.md" + }, { "path": "./changelog/1.34.0.md" }, From f0a1fa8a1ba984f94ee7b4973435ba4d615d3400 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Wed, 28 Sep 2022 20:48:18 +0100 Subject: [PATCH 2/2] [1.35 cherry] document postgres.noPasswordEnv and seccompProfile workspace template fields (#1132) * chore: document postgres.noPasswordEnv (#1131) * chore: document postgres.noPasswordEnv * fixup! chore: document postgres.noPasswordEnv (cherry picked from commit 089544b2b5da525051e5dca66d9194a5be0fb824) * feat: add docs for seccompProfile workspace template fields (#1130) (cherry picked from commit bad98953063407ef75b27f1dc9d826b3a0302d15) Co-authored-by: David Wahler --- guides/deployments/postgres.md | 8 ++++ workspaces/workspace-templates/templates.md | 45 +++++++++++++++++++++ 2 files changed, 53 insertions(+) diff --git a/guides/deployments/postgres.md b/guides/deployments/postgres.md index 5ed264cc7..fbf620af2 100644 --- a/guides/deployments/postgres.md +++ b/guides/deployments/postgres.md @@ -44,6 +44,14 @@ or cluster. the console, to avoid inadvertently storing credentials in shell history files. + > Normally, we set the PostgreSQL password as an environment variable in the + > `coderd` deployment with a reference to the Kubernetes secret. If this is + > not desirable, you can instead mount the secret as a file which Coder will + > read at startup. To do this, set the Helm value `postgres.noPasswordEnv` to + > `true`. This will mount the secret under + > `/run/secrets/<.Values.postgres.passwordSecret>/password` and set the + > environment variable `DB_PASSWORD_PATH` for `coderd` to that value. + 1. Get the port number for your PostgreSQL instance: ```sql diff --git a/workspaces/workspace-templates/templates.md b/workspaces/workspace-templates/templates.md index 9838e71e0..4671e7032 100644 --- a/workspaces/workspace-templates/templates.md 
+++ b/workspaces/workspace-templates/templates.md @@ -64,6 +64,10 @@ workspace: value: - key: annotation-key value: annotation-value + seccomp-profile-type: + value: Localhost + seccomp-profile-localhost-profile: + value: profiles/custom-profile.json configure: start: value: @@ -262,6 +266,47 @@ node-selector: `node-selector` is disabled by default and must be enabled by a site admin. +#### workspace.specs.kubernetes.seccomp-profile-type.value + +Applies a [seccomp profile](https://kubernetes.io/docs/tutorials/security/seccomp/) +to the workspace pod. The value is a string, corresponding to the `type` +subfield of the PodSecurityContext `seccompProfile` attribute. + +For example, the following snippet would explicitly disable seccomp protection: + +```yaml +seccomp-profile-type: + value: Unconfined +``` + +`seccomp-profile-type` is disabled by default and must be enabled by a site +admin. + +#### workspace.specs.kubernetes.seccomp-profile-localhost-profile.value + +Applies a custom [seccomp profile](https://kubernetes.io/docs/tutorials/security/seccomp/) +to the workspace pod. The value is a string, corresponding to the +`localhostProfile` subfield of the PodSecurityContext `seccompProfile` +attribute. + +Per the [Kubernetes +documentation](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#seccompprofile-v1-core), +this attribute is only valid if used in combination with the `Localhost` seccomp +profile type. Its value must correspond to the path of a valid JSON profile that +is already configured on the Kubernetes worker nodes. + +The following snippet demonstrates setting a custom profile: + +```yaml +seccomp-profile-type: + value: Localhost +seccomp-profile-localhost-profile: + value: profiles/my-custom-profile.json +``` + +`seccomp-profile-localhost-profile` is disabled by default and must be enabled +by a site admin. + #### workspace.configure This section lists the commands that run within the workspace after Coder builds