33By default, the Coder server runs
44[ built-in provisioner daemons] ( ../reference/cli/server.md#provisioner-daemons ) ,
55which execute` terraform ` during workspace and template builds. However, there
6- aresometimes benefits to running external provisioner daemons:
6+ areoften benefits to running external provisioner daemons:
77
88- ** Secure build environments:** Run build jobs in isolated containers,
9- preventing malicious templates from gainingshell access to the Coder host.
9+ preventing malicious templates from gainingsh access to the Coder host.
1010
1111- ** Isolate APIs:** Deploy provisioners in isolated environments (on-prem, AWS,
1212 Azure) instead of exposing APIs (Docker, Kubernetes, VMware) to the Coder
@@ -20,82 +20,101 @@ are sometimes benefits to running external provisioner daemons:
2020 times from the Coder server. See
2121[ Scaling Coder] ( scaling/scale-utility.md#recent-scale-tests ) for more details.
2222
23- Each provisionercan run a single
23+ Each provisionerruns a single
2424[ concurrent workspace build] ( scaling/scale-testing.md#control-plane-provisionerd ) .
2525For example, running 30 provisioner containers will allow 30 users to start
2626workspaces at the same time.
2727
2828Provisioners are started with the
29- [ coder provisionerd start] ( ../reference/cli/provisionerd_start.md ) command.
29+ [ ` coder provisionerd start ` ] ( ../reference/cli/provisionerd_start.md ) command in
30+ the[ full Coder binary] ( https://github.com/coder/coder/releases ) . Keep reading
31+ to learn how to start provisioners via Docker, Kubernetes, Systemd, etc.
3032
3133##Authentication
3234
33- The provisioner daemon must authenticate with your Coder deployment.
35+ The provisioner daemon must authenticate with your Coder deployment. If you have
36+ multiple[ organizations] ( ./organizations.md ) , you'll need at least 1 provisioner
37+ running for each organization.
3438
35- Set a
36- [ provisioner daemon pre-shared key (PSK)] ( ../reference/cli/server.md#--provisioner-daemon-psk )
37- on the Coder server and start the provisioner with
38- ` coder provisionerd start --psk <your-psk> ` . If you are
39- [ installing with Helm] ( ../install/kubernetes.md#install-coder-with-helm ) , see
40- the[ Helm example] ( #example-running-an-external-provisioner-with-helm ) below.
39+ <div class =" tabs " >
4140
42- > Coder still supports authenticating the provisioner daemon with a
43- > [ token] ( ../reference/cli/README.md#--token ) from a user with the Template
44- > Admin or Owner role. This method is deprecated in favor of the PSK, which only
45- > has permission to access provisioner daemon APIs. We recommend migrating to
46- > the PSK as soon as practical.
41+ ##Scoped Key (Recommended)
4742
48- ##Types of provisioners
43+ We recommend creating finely-scoped keys for provisioners. Keys are scoped to an
44+ organization.
4945
50- Provisioners can broadly be categorized by scope:` organization ` or` user ` . The
51- scope of a provisioner can be specified with
52- [ ` -tag=scope=<scope> ` ] ( ../reference/cli/provisionerd_start.md#t---tag ) when
53- starting the provisioner daemon. Only users with at least the
54- [ Template Admin] ( ../admin/users.md#roles ) role or higher may create
55- organization-scoped provisioner daemons.
46+ ``` sh
47+ coder provisioner keys create my-key \
48+ --org default
5649
57- There are two exceptions:
50+ Successfully created provisioner key my-key ! Save this authentication token, it will not be shown again.
5851
59- - [ Built-in provisioners] ( ../reference/cli/server.md#provisioner-daemons ) are
60- always organization-scoped.
61- - External provisioners started using a
62- [ pre-shared key (PSK)] ( ../reference/cli/provisionerd_start.md#psk ) are always
63- organization-scoped.
52+ < key omitted>
53+ ```
6454
65- ### Organization-Scoped Provisioners
55+ Or, restrict the provisioner to jobs with specific tags
6656
67- ** Organization-scoped Provisioners** can pick up build jobs created by any user.
68- These provisioners always have the implicit tags` scope=organization owner="" ` .
57+ ``` sh
58+ coder provisioner keys create kubernetes-key \
59+ --org default \
60+ --tag environment=kubernetes
6961
70- ``` shell
71- coder provisionerd start --org< organization_name>
62+ Successfully created provisioner key kubernetes-key! Save this authentication token, it will not be shown again.
63+
64+ < key omitted>
7265```
7366
74- If you omit the` --org ` argument, the provisioner will be assigned to the
75- default organization.
67+ To start the provisioner:
7668
77- ``` shell
69+ ``` sh
70+ export CODER_URL=https://< your-coder-url>
71+ export CODER_PROVISIONER_DAEMON_KEY=< key>
7872coder provisionerd start
7973```
8074
81- ###User-scoped Provisioners
75+ Keep reading to see instructions for running provisioners on
76+ Kubernetes/Docker/etc.
8277
83- ** User-scoped Provisioners** can only pick up build jobs created from
84- user-tagged templates. Unlike the other provisioner types, any Coder user can
85- run user provisioners, but they have no impact unless there exists at least one
86- template with the` scope=user ` provisioner tag.
78+ ##User Tokens
79+
80+ A user account with the role` Template Admin ` or` Owner ` can start provisioners
81+ using their user account. This may be beneficial if you are running provisioners
82+ via[ automation] ( ./automation.md ) .
83+
84+ ``` sh
85+ coder login https://< your-coder-url>
86+ coder provisionerd start
87+ ```
88+
89+ To start a provisioner with specific tags:
8790
88- ``` shell
91+ ``` sh
92+ coder login https://< your-coder-url>
8993coder provisionerd start \
90- --tag scope=user
94+ --tag environment=kubernetes
95+ ```
9196
92- # In another terminal, create/push
93- # a template that requires user provisioners
94- coder templates push on-prem \
95- --provisioner-tag scope=user
97+ Note: Any user can start[ user-scoped provisioners] ( #User-scoped-Provisioners ) ,
98+ but this will also require a template on your deployment with the corresponding
99+ tags.
100+
101+ ##Global PSK
102+
103+ A deployment-wide PSK can be used to authenticate any provisioner. We do not
104+ recommend this approach anymore, as it makes key rotation or isolating
105+ provisioners far more difficult. To use a global PSK, set a
106+ [ provisioner daemon pre-shared key (PSK)] ( ../reference/cli/server.md#--provisioner-daemon-psk )
107+ on the Coder server.
108+
109+ Next, start the provisioner:
110+
111+ ``` sh
112+ coder provisionerd start --psk< your-psk>
96113```
97114
98- ###Provisioner Tags
115+ </div >
116+
117+ ##Provisioner Tags
99118
100119You can use** provisioner tags** to control which provisioners can pick up build
101120jobs from templates (and corresponding workspaces) with matching explicit tags.
@@ -110,7 +129,7 @@ automatically.
110129
111130For example:
112131
113- ``` shell
132+ ``` sh
114133# Start a provisioner with the explicit tags
115134# environment=on_prem and datacenter=chicago
116135coder provisionerd start \
@@ -129,6 +148,10 @@ coder templates push on-prem-chicago \
129148 --provisioner-tag datacenter=chicago
130149```
131150
151+ Alternatively, a template can target a provisioner via
152+ [ workspace tags] ( https://github.com/coder/coder/tree/main/examples/workspace-tags )
153+ inside the Terraform.
154+
132155A provisioner can run a given build job if one of the below is true:
133156
1341571 . A job with no explicit tags can only be run on a provisioner with no explicit
@@ -179,6 +202,56 @@ This is illustrated in the below table:
179202> go test -v -count=1 ./coderd/provisionerdserver/ -test.run='^TestAcquirer_MatchTags/GenTable$'
180203> ```
181204
205+ ## Types of provisioners
206+
207+ Provisioners can broadly be categorized by scope: `organization` or `user`. The
208+ scope of a provisioner can be specified with
209+ [`-tag=scope=<scope>`](../reference/cli/provisionerd_start.md#t---tag) when
210+ starting the provisioner daemon. Only users with at least the
211+ [Template Admin](../admin/users.md#roles) role or higher may create
212+ organization-scoped provisioner daemons.
213+
214+ There are two exceptions:
215+
216+ - [Built-in provisioners](../reference/cli/server.md#provisioner-daemons) are
217+ always organization-scoped.
218+ - External provisioners started using a
219+ [pre-shared key (PSK)](../reference/cli/provisionerd_start.md#psk) are always
220+ organization-scoped.
221+
222+ ### Organization-Scoped Provisioners
223+
224+ **Organization-scoped Provisioners** can pick up build jobs created by any user.
225+ These provisioners always have the implicit tags `scope=organization owner=""`.
226+
227+ ```sh
228+ coder provisionerd start --org <organization_name>
229+ ```
230+
231+ If you omit the` --org ` argument, the provisioner will be assigned to the
232+ default organization.
233+
234+ ``` sh
235+ coder provisionerd start
236+ ```
237+
238+ ###User-scoped Provisioners
239+
240+ ** User-scoped Provisioners** can only pick up build jobs created from
241+ user-tagged templates. Unlike the other provisioner types, any Coder user can
242+ run user provisioners, but they have no impact unless there exists at least one
243+ template with the` scope=user ` provisioner tag.
244+
245+ ``` sh
246+ coder provisionerd start \
247+ --tag scope=user
248+
249+ # In another terminal, create/push
250+ # a template that requires user provisioners
251+ coder templates push on-prem \
252+ --provisioner-tag scope=user
253+ ```
254+
182255##Example: Running an external provisioner with Helm
183256
184257Coder provides a Helm chart for running external provisioner daemons, which you
@@ -187,7 +260,7 @@ will use in concert with the Helm chart for deploying the Coder server.
1872601 . Create a long, random pre-shared key (PSK) and store it in a Kubernetes
188261 secret
189262
190- ```shell
263+ ``` sh
191264 kubectl create secret generic coder-provisioner-psk --from-literal=psk=` head /dev/urandom| base64| tr -dc A-Za-z0-9| head -c 26`
192265```
193266
@@ -201,7 +274,7 @@ will use in concert with the Helm chart for deploying the Coder server.
2012741. Redeploy Coder with the new` values.yaml` to roll out the PSK. You can omit
202275` --version <your version>` to also upgrade Coder to the latest version.
203276
204- ` ` ` shell
277+ ` ` ` sh
205278 helm upgrade coder coder-v2/coder \
206279 --namespace coder \
207280 --version <your version> \
@@ -235,7 +308,7 @@ will use in concert with the Helm chart for deploying the Coder server.
235308
2363091. Install the provisioner daemon chart
237310
238- ` ` ` shell
311+ ` ` ` sh
239312 helm install coder-provisioner coder-v2/coder-provisioner \
240313 --namespace coder \
241314 --version <your version> \
@@ -248,7 +321,7 @@ will use in concert with the Helm chart for deploying the Coder server.
248321
249322# # Example: Running an external provisioner on a VM
250323
251- ` ` ` shell
324+ ` ` ` sh
252325curl -L https://coder.com/install.sh | sh
253326export CODER_URL=https://coder.example.com
254327export CODER_SESSION_TOKEN=your_token
@@ -257,7 +330,7 @@ coder provisionerd start
257330
258331# # Example: Running an external provisioner via Docker
259332
260- ` ` ` shell
333+ ` ` ` sh
261334docker run --rm -it \
262335 -e CODER_URL=https://coder.example.com/ \
263336 -e CODER_SESSION_TOKEN=your_token \
@@ -272,7 +345,7 @@ As mentioned above, the Coder server will run built-in provisioners by default.
272345This can be disabled with a server-wide
273346[flag or environment variable](../reference/cli/server.md#provisioner-daemons).
274347
275- ` ` ` shell
348+ ` ` ` sh
276349coder server --provisioner-daemons=0
277350` ` `
278351