[1.35 cherry] document postgres.noPasswordEnv and seccompProfile workspace template fields (coder#1132)

johnstcn · dwahler · web-flow · commit f0a1fa8a1ba9 · 2022-09-28T20:48:18.000+01:00
* chore: document postgres.noPasswordEnv (coder#1131) * chore: document postgres.noPasswordEnv * fixup! chore: document postgres.noPasswordEnv (cherry picked from commit 089544b) * feat: add docs for seccompProfile workspace template fields (coder#1130) (cherry picked from commit bad9895) Co-authored-by: David Wahler <david@coder.com>
diff --git a/guides/deployments/postgres.md b/guides/deployments/postgres.md
@@ -44,6 +44,14 @@ or cluster.
    the console, to avoid inadvertently storing credentials in shell history
    files.
 
+   > Normally, we set the PostgreSQL password as an environment variable in the
+   > `coderd` deployment with a reference to the Kubernetes secret. If this is
+   > not desirable, you can instead mount the secret as a file which Coder will
+   > read at startup. To do this, set the Helm value `postgres.noPasswordEnv` to
+   > `true`. This will mount the secret under
+   > `/run/secrets/<.Values.postgres.passwordSecret>/password` and set the
+   > environment variable `DB_PASSWORD_PATH` for `coderd` to that value.
+
 1. Get the port number for your PostgreSQL instance:
 
    ```sql
diff --git a/workspaces/workspace-templates/templates.md b/workspaces/workspace-templates/templates.md
@@ -64,6 +64,10 @@ workspace:
         value:
           - key: annotation-key
             value: annotation-value
+      seccomp-profile-type:
+        value: Localhost
+      seccomp-profile-localhost-profile:
+        value: profiles/custom-profile.json
   configure:
     start:
       value:
@@ -262,6 +266,47 @@ node-selector:
 
 `node-selector` is disabled by default and must be enabled by a site admin.
 
+#### workspace.specs.kubernetes.seccomp-profile-type.value
+
+Applies a [seccomp profile](https://kubernetes.io/docs/tutorials/security/seccomp/)
+to the workspace pod. The value is a string, corresponding to the `type`
+subfield of the PodSecurityContext `seccompProfile` attribute.
+
+For example, the following snippet would explicitly disable seccomp protection:
+
+```yaml
+seccomp-profile-type:
+  value: Unconfined
+```
+
+`seccomp-profile-type` is disabled by default and must be enabled by a site
+admin.
+
+#### workspace.specs.kubernetes.seccomp-profile-localhost-profile.value
+
+Applies a custom [seccomp profile](https://kubernetes.io/docs/tutorials/security/seccomp/)
+to the workspace pod. The value is a string, corresponding to the
+`localhostProfile` subfield of the PodSecurityContext `seccompProfile`
+attribute.
+
+Per the [Kubernetes
+documentation](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#seccompprofile-v1-core),
+this attribute is only valid if used in combination with the `Localhost` seccomp
+profile type. Its value must correspond to the path of a valid JSON profile that
+is already configured on the Kubernetes worker nodes.
+
+The following snippet demonstrates setting a custom profile:
+
+```yaml
+seccomp-profile-type:
+  value: Localhost
+seccomp-profile-localhost-profile:
+  value: profiles/my-custom-profile.json
+```
+
+`seccomp-profile-localhost-profile` is disabled by default and must be enabled
+by a site admin.
+
 #### workspace.configure
 
 This section lists the commands that run within the workspace after Coder builds
