Learn about our the tools, techniques, and best practices to monitor Coder your Coder deployment.

Deploy Prometheus, Grafana, Alert Manager, and pre-built dashboards on your Kubernetes cluster to monitor the Coder control plane, provisioners, and workspaces.


Learn how to install & read the docs on the [Observability Helm Chart GitHub](https://github.com/coder/observability)

- [Logs](./logs.md): Learn how to access to Coder server logs, agent logs, and even how to expose Kubernetes pod scheduling logs.

- [Metrics](./metrics.md): Learn about the valuable metrics to measure on a Coder deployment, regardless of your monitoring stack.

- [Health Check](./health-check.md): Learn about the periodic health check and error codes that run on Coder deployments.


By default, the Coder server runs

[built-in provisioner daemons](../cli/server.md#provisioner-daemons), which

execute `terraform` during workspace and template builds. However, there are

sometimes benefits to running external provisioner daemons:

- **Secure build environments:** Run build jobs in isolated containers,

preventing malicious templates from gaining shell access to the Coder host.

- **Isolate APIs:** Deploy provisioners in isolated environments (on-prem, AWS,

Azure) instead of exposing APIs (Docker, Kubernetes, VMware) to the Coder

server. See [Provider Authentication](../templates/authentication.md) for more

details.

- **Isolate secrets**: Keep Coder unaware of cloud secrets, manage/rotate

secrets on provisioner servers.

- **Reduce server load**: External provisioners reduce load and build queue

times from the Coder server. See

[Scaling Coder](scaling/scale-utility.md#recent-scale-tests) for more details.

Each provisioner can run a single

[concurrent workspace build](scaling/scale-testing.md#control-plane-provisionerd).

For example, running 30 provisioner containers will allow 30 users to start

workspaces at the same time.

Provisioners are started with the

[coder provisionerd start](../cli/provisionerd_start.md) command.

The provisioner daemon must authenticate with your Coder deployment.

Set a

[provisioner daemon pre-shared key (PSK)](../cli/server.md#--provisioner-daemon-psk)

on the Coder server and start the provisioner with

`coder provisionerd start --psk <your-psk>`. If you are

[installing with Helm](../install/kubernetes.md#install-coder-with-helm), see

the [Helm example](#example-running-an-external-provisioner-with-helm) below.

Provisioners can broadly be categorized by scope: `organization` or `user`. The

scope of a provisioner can be specified with

[`-tag=scope=<scope>`](../cli/provisionerd_start.md#t---tag) when starting the

provisioner daemon. Only users with at least the

[Template Admin](../admin/users.md#roles) role or higher may create

organization-scoped provisioner daemons.

There are two exceptions:

- [Built-in provisioners](../cli/server.md#provisioner-daemons) are always

organization-scoped.

- External provisioners started using a

[pre-shared key (PSK)](../cli/provisionerd_start.md#psk) are always

organization-scoped.

**Organization-scoped Provisioners** can pick up build jobs created by any user.

These provisioners always have the implicit tags `scope=organization owner=""`.

coder provisionerd start

**User-scoped Provisioners** can only pick up build jobs created from

user-tagged templates. Unlike the other provisioner types, any Coder user can

run user provisioners, but they have no impact unless there exists at least one

template with the `scope=user` provisioner tag.

coder provisionerd start \

--tag scope=user

coder templates push on-prem \

--provisioner-tag scope=user

You can use **provisioner tags** to control which provisioners can pick up build

jobs from templates (and corresponding workspaces) with matching explicit tags.

Provisioners have two implicit tags: `scope` and `owner`. Coder sets these tags

automatically.

- Organization-scoped provisioners always have the implicit tags

`scope=organization owner=""`

- User-scoped provisioners always have the implicit tags

`scope=user owner=<uuid>`

For example:

coder provisionerd start \

--tag environment=on_prem \

--tag datacenter=chicago

coder templates push on-prem \

--provisioner-tag environment=on_prem

coder templates push on-prem-chicago \

--provisioner-tag environment=on_prem \

--provisioner-tag datacenter=chicago

A provisioner can run a given build job if one of the below is true:

1. A job with no explicit tags can only be run on a provisioner with no explicit

tags. This way you can introduce tagging into your deployment without

disrupting existing provisioners and jobs.

1. If a job has any explicit tags, it can only run on a provisioner with those

explicit tags (the provisioner could have additional tags).

The external provisioner in the above example can run build jobs with tags:

- `environment=on_prem`

- `datacenter=chicago`

- `environment=on_prem datacenter=chicago`

However, it will not pick up any build jobs that do not have either of the

`environment` or `datacenter` tags set. It will also not pick up any build jobs

from templates with the tag `scope=user` set.

This is illustrated in the below table:

| Provisioner Tags | Job Tags | Can Run Job? |

| ----------------------------------------------------------------- | ---------------------------------------------------------------- | ------------ |

| scope=organization owner= | scope=organization owner= | ✅ |

| scope=organization owner= environment=on-prem | scope=organization owner= environment=on-prem | ✅ |

| scope=organization owner= environment=on-prem datacenter=chicago | scope=organization owner= environment=on-prem | ✅ |

| scope=organization owner= environment=on-prem datacenter=chicago | scope=organization owner= environment=on-prem datacenter=chicago | ✅ |

| scope=user owner=aaa | scope=user owner=aaa | ✅ |

| scope=user owner=aaa environment=on-prem | scope=user owner=aaa | ✅ |

| scope=user owner=aaa environment=on-prem | scope=user owner=aaa environment=on-prem | ✅ |

| scope=user owner=aaa environment=on-prem datacenter=chicago | scope=user owner=aaa environment=on-prem | ✅ |

| scope=user owner=aaa environment=on-prem datacenter=chicago | scope=user owner=aaa environment=on-prem datacenter=chicago | ✅ |

| scope=organization owner= | scope=organization owner= environment=on-prem | ❌ |

| scope=organization owner= environment=on-prem | scope=organization owner= | ❌ |

| scope=organization owner= environment=on-prem | scope=organization owner= environment=on-prem datacenter=chicago | ❌ |

| scope=organization owner= environment=on-prem datacenter=new_york | scope=organization owner= environment=on-prem datacenter=chicago | ❌ |

| scope=user owner=aaa | scope=organization owner= | ❌ |

| scope=user owner=aaa | scope=user owner=bbb | ❌ |

| scope=organization owner= | scope=user owner=aaa | ❌ |

| scope=organization owner= | scope=user owner=aaa environment=on-prem | ❌ |

| scope=user owner=aaa | scope=user owner=aaa environment=on-prem | ❌ |

| scope=user owner=aaa environment=on-prem | scope=user owner=aaa environment=on-prem datacenter=chicago | ❌ |

| scope=user owner=aaa environment=on-prem datacenter=chicago | scope=user owner=aaa environment=on-prem datacenter=new_york | ❌ |

1. Modify your Coder `values.yaml` to include

```yaml

provisionerDaemon:

pskSecretName: "coder-provisioner-psk"

```

`--version <your version>` to also upgrade Coder to the latest version.

```shell

chart. For example

```yaml

This example creates a deployment of 10 provisioner daemons (for 10

concurrent builds) with the listed tags. For generic provisioners, remove the

tags.

> Refer to the

> [values.yaml](https://github.com/coder/coder/blob/main/helm/provisioner/values.yaml)

> file for the coder-provisioner chart for information on what values can be

> specified.

```shell

You can verify that your provisioner daemons have successfully connected to

Coderd by looking for a debug log message that says

`provisionerd: successfully connected to coderd` from each Pod.

`--prometheus-address <network-interface>:<port>` to select a different listen

Organizations are a logical bucket of users with unique administrators,

templates, provisioners, and workspaces into the Coder platform.

TODO

{

"title": "Organizations",

"path": "./admin/users/organizations.md",

"state": "enterprise"

},

{

"title": "Provisioners",

"description": "Learn how to run external provisioners with Coder",

"path": "./admin/provisioners.md"

},