@@ -41,36 +41,40 @@ The provisioner daemon must authenticate with your Coder deployment.
4141##Scoped Key (Recommended)
4242
4343We recommend creating finely-scoped keys for provisioners. Keys are scoped to an
44- organization.
44+ organization, and optionally to a specific set of tags .
4545
46- ``` sh
47- coder provisioner keys create my-key \
48- --org default
46+ 1 . Use` coder provisioner ` to create the key:
4947
50- Successfully created provisioner key my-key ! Save this authentication token, it will not be shown again.
48+ - To create a key for an organization that will match untagged jobs:
5149
52- < key omitted>
53- ```
50+ ``` sh
51+ coder provisioner keys create my-key \
52+ --org default
5453
55- Or, restrict the provisionerto jobs with specific tags
54+ Successfully created provisionerkey my-key ! Save this authentication token, it will not be shown again.
5655
57- ``` sh
58- coder provisioner keys create kubernetes-key \
59- --org default \
60- --tag environment=kubernetes
56+ < key omitted>
57+ ```
6158
62- Successfully created provisioner key kubernetes-key ! Save this authentication token, it will not be shown again.
59+ - To restrict the provisioner to jobs with specific tags:
6360
64- < key omitted>
65- ```
61+ ` ` ` sh
62+ coder provisioner keys create kubernetes-key \
63+ --org default \
64+ --tag environment=kubernetes
6665
67- To start the provisioner:
66+ Successfully created provisioner key kubernetes-key ! Save this authentication token, it will not be shown again.
6867
69- ``` sh
70- export CODER_URL=https://< your-coder-url>
71- export CODER_PROVISIONER_DAEMON_KEY=< key>
72- coder provisioner start
73- ```
68+ < key omitted>
69+ ` ` `
70+
71+ 1. Start the provisioner with the specified key:
72+
73+ ` ` ` sh
74+ export CODER_URL=https://< your-coder-url>
75+ export CODER_PROVISIONER_DAEMON_KEY=< key>
76+ coder provisioner start
77+ ` ` `
7478
7579Keep reading to see instructionsfor running provisioners on
7680Kubernetes/Docker/etc.
@@ -98,11 +102,15 @@ Note: Any user can start [user-scoped provisioners](#user-scoped-provisioners),
98102but this will also require a template on your deployment with the corresponding
99103tags.
100104
101- ##Global PSK
105+ # # Global PSK (Not Recommended)
106+
107+ > Global pre-shared keys (PSK) make it difficult to rotate keys or isolate
108+ > provisioners.
109+ >
110+ > Wedo not recommend using global PSK.
102111
103- A deployment-wide PSK can be used to authenticate any provisioner. We do not
104- recommend this approach anymore, as it makes key rotation or isolating
105- provisioners far more difficult. To use a global PSK, set a
112+ A deployment-wide PSK can be used to authenticate any provisioner. To use a
113+ global PSK,set a
106114[provisioner daemon pre-shared key (PSK)](../reference/cli/server.md#--provisioner-daemon-psk)
107115on the Coder server.
108116
@@ -275,18 +283,32 @@ coder templates push on-prem \
275283Coder provides a Helm chartfor running external provisioner daemons, which you
276284will usein concert with the Helm chartfor deploying the Coder server.
277285
278- 1 . Create a long, random pre-shared key (PSK) and store it in a Kubernetes
279- secret
286+ 1. Create a provisioner key:
287+
288+ ` ` ` sh
289+ coder provisioner keys create my-cool-key --org default
290+ # Optionally, you can specify tags for the provisioner key:
291+ # coder provisioner keys create my-cool-key --org default --tags location=auh kind=k8s
292+ ` ` `
293+
294+ Successfully created provisioner key kubernetes-key! Save this authentication
295+ token, it will not be shown again.
296+
297+ < key omitted>
298+ ` ` `
299+
300+ 1. Store the keyin a kubernetes secret:
280301
281302` ` `
282- kubectl create secret generic coder-provisioner-psk --from-literal=psk= ` head /dev/urandom | base64 | tr -dc A-Za-z0-9 | head -c 26 `
303+ kubectl create secret generic coder-provisioner-psk --from-literal=key1= ` < key omitted > `
283304` ` `
284305
2853061. Modify your Coder` values.yaml` to include
286307
287308` ` `
288309 provisionerDaemon:
289- pskSecretName :" coder-provisioner-psk"
310+ keySecretName:" coder-provisioner-keys"
311+ keySecretKey:" key1"
290312` ` `
291313
2923141. Redeploy Coder with the new` values.yaml` to roll out the PSK. You can omit
@@ -300,7 +322,7 @@ will use in concert with the Helm chart for deploying the Coder server.
300322` ` `
301323
3023241. Create a` provisioner-values.yaml` filefor the provisioner daemons Helm
303- chart. For example
325+ chart. For example:
304326
305327` ` `
306328 coder:
@@ -309,10 +331,8 @@ will use in concert with the Helm chart for deploying the Coder server.
309331 value:" https://coder.example.com"
310332 replicaCount: 10
311333 provisionerDaemon:
312- pskSecretName: "coder-provisioner-psk"
313- tags:
314- location: auh
315- kind: k8s
334+ keySecretName:" coder-provisioner-keys"
335+ keySecretKey:" key1"
316336` ` `
317337
318338 This example creates a deployment of 10 provisioner daemons (for 10