- Notifications
You must be signed in to change notification settings - Fork1.1k
docs: add organizations, provisioners, and premium license docs#14778
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Uh oh!
There was an error while loading.Please reload this page.
Merged
Changes from1 commit
Commits
Show all changes
33 commits Select commitHold shift + click to select a range
69d4f75 Add documentation for managing organizations
bpmct4c8a165 Update icon path in organizations guide
bpmct1595a72 Update RBAC documentation state in manifest
bpmct6cf30a7 Add beta notice to organizations documentation
bpmct5bc2c2e Remove references to enterprise page
bpmctabc156e Update provisioners documentation for clarity
bpmct0d76ed0 Update documentation to "premium" edition
bpmct13f0a0e Add documentation for licensing and group sync
bpmctfe895cd chore(docs): outline new feature stages (#14786)
EdwardAngertd8de325 progress
bpmctf48f21c Merge branch 'main' into orgs-licenses
bpmct67199d2 Add instructions for fetching role mappings
bpmct941d9c2 Update role sync documentation for clarity
bpmctff7a8e2 Update organization sync troubleshooting links
bpmct05369f6 Add org sync setup instructions to documentation
bpmctf08be61 Fix sync link text order in organizations guide
bpmct67ce5d4 Add section on custom roles to users guide
bpmct841fa65 Update links to include premium in sync docs
bpmct4473b2a Update provisioners documentation for clarity
bpmct2f0e14e Update create organization page description
bpmct10354d4 Remove subproject directories and update JSON format
bpmct30e291f fix(docs): correct license link path in org guide
bpmct15efb35 Update organization documentation link paths
bpmct6c2d6b2 Update paywall links to licensing doc
bpmcte100b55 Update documentation for Premium license references
bpmct821d9f2 Update licensing documentation for Premium plan
bpmct5b41d99 fix(docs): improve clarity in licensing intro
bpmctee69767 Suppress link checker for licensing doc update
bpmct6610084 Update manifest to improve readability and rename icon
bpmctc26db48 Refactor manifest state to use consistent arrays
bpmctf9c4202 fmt
bpmcte3b34ff Refactor route state field to support multiple states
bpmcteb71bfa fix: paywall doc link
jaaydenhFile filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
Update provisioners documentation for clarity
- Emphasize benefits of running external provisioners.- Update authentication information with detailed steps and examples.- Reorganize and clarify the types and scopes of provisioners.- Provide detailed example commands and common use cases for each type.- Enhance security guidance and best practices.```sh- Improved explanations of the types and scopes of provisioners- Added commands for creating and authenticating provisioners- Provided step-by-step instructions for running provisioners- Updated examples for Kubernetes, Docker, and VM setupsProvisioners are now easier to understand and configure, especially with new scoped key options and user token examples. This ensures better security and operational efficiency.
- Loading branch information
Uh oh!
There was an error while loading.Please reload this page.
commitabc156ed68e5ac7db08a6c63f2da80df428baf7c
There are no files selected for viewing
185 changes: 129 additions & 56 deletionsdocs/admin/provisioners.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -3,10 +3,10 @@ | ||
| By default, the Coder server runs | ||
| [built-in provisioner daemons](../reference/cli/server.md#provisioner-daemons), | ||
| which execute `terraform` during workspace and template builds. However, there | ||
| areoften benefits to running external provisioner daemons: | ||
| - **Secure build environments:** Run build jobs in isolated containers, | ||
| preventing malicious templates from gainingsh access to the Coder host. | ||
bpmct marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| - **Isolate APIs:** Deploy provisioners in isolated environments (on-prem, AWS, | ||
| Azure) instead of exposing APIs (Docker, Kubernetes, VMware) to the Coder | ||
| @@ -20,82 +20,101 @@ are sometimes benefits to running external provisioner daemons: | ||
| times from the Coder server. See | ||
| [Scaling Coder](scaling/scale-utility.md#recent-scale-tests) for more details. | ||
| Each provisionerruns a single | ||
| [concurrent workspace build](scaling/scale-testing.md#control-plane-provisionerd). | ||
| For example, running 30 provisioner containers will allow 30 users to start | ||
| workspaces at the same time. | ||
| Provisioners are started with the | ||
| [`coder provisionerd start`](../reference/cli/provisionerd_start.md) command in | ||
| the [full Coder binary](https://github.com/coder/coder/releases). Keep reading | ||
| to learn how to start provisioners via Docker, Kubernetes, Systemd, etc. | ||
| ## Authentication | ||
| The provisioner daemon must authenticate with your Coder deployment. If you have | ||
| multiple [organizations](./organizations.md), you'll need at least 1 provisioner | ||
| running for each organization. | ||
| <div class="tabs"> | ||
| ## Scoped Key (Recommended) | ||
| We recommend creating finely-scoped keys for provisioners. Keys are scoped to an | ||
| organization. | ||
| ```sh | ||
| coder provisioner keys create my-key \ | ||
| --org default | ||
| Successfully created provisioner key my-key! Save this authentication token, it will not be shown again. | ||
| <key omitted> | ||
| ``` | ||
| Or, restrict the provisioner to jobs with specific tags | ||
| ```sh | ||
| coder provisioner keys create kubernetes-key \ | ||
| --org default \ | ||
| --tag environment=kubernetes | ||
| Successfully created provisioner key kubernetes-key! Save this authentication token, it will not be shown again. | ||
| <key omitted> | ||
| ``` | ||
| To start the provisioner: | ||
| ```sh | ||
| export CODER_URL=https://<your-coder-url> | ||
| export CODER_PROVISIONER_DAEMON_KEY=<key> | ||
| coder provisionerd start | ||
| ``` | ||
| Keep reading to see instructions for running provisioners on | ||
| Kubernetes/Docker/etc. | ||
| ## User Tokens | ||
| A user account with the role `Template Admin` or `Owner` can start provisioners | ||
| using their user account. This may be beneficial if you are running provisioners | ||
| via [automation](./automation.md). | ||
| ```sh | ||
| coder login https://<your-coder-url> | ||
| coder provisionerd start | ||
| ``` | ||
| To start a provisioner with specific tags: | ||
| ```sh | ||
| coder login https://<your-coder-url> | ||
| coder provisionerd start \ | ||
| --tag environment=kubernetes | ||
| ``` | ||
| Note: Any user can start [user-scoped provisioners](#User-scoped-Provisioners), | ||
| but this will also require a template on your deployment with the corresponding | ||
| tags. | ||
| ## Global PSK | ||
| A deployment-wide PSK can be used to authenticate any provisioner. We do not | ||
| recommend this approach anymore, as it makes key rotation or isolating | ||
| provisioners far more difficult. To use a global PSK, set a | ||
| [provisioner daemon pre-shared key (PSK)](../reference/cli/server.md#--provisioner-daemon-psk) | ||
| on the Coder server. | ||
| Next, start the provisioner: | ||
| ```sh | ||
| coder provisionerd start --psk <your-psk> | ||
| ``` | ||
| </div> | ||
| ## Provisioner Tags | ||
| You can use **provisioner tags** to control which provisioners can pick up build | ||
| jobs from templates (and corresponding workspaces) with matching explicit tags. | ||
| @@ -110,7 +129,7 @@ automatically. | ||
| For example: | ||
| ```sh | ||
| # Start a provisioner with the explicit tags | ||
| # environment=on_prem and datacenter=chicago | ||
| coder provisionerd start \ | ||
| @@ -129,6 +148,10 @@ coder templates push on-prem-chicago \ | ||
| --provisioner-tag datacenter=chicago | ||
| ``` | ||
| Alternatively, a template can target a provisioner via | ||
| [workspace tags](https://github.com/coder/coder/tree/main/examples/workspace-tags) | ||
| inside the Terraform. | ||
| A provisioner can run a given build job if one of the below is true: | ||
| 1. A job with no explicit tags can only be run on a provisioner with no explicit | ||
| @@ -179,6 +202,56 @@ This is illustrated in the below table: | ||
| > go test -v -count=1 ./coderd/provisionerdserver/ -test.run='^TestAcquirer_MatchTags/GenTable$' | ||
| > ``` | ||
| ## Types of provisioners | ||
| Provisioners can broadly be categorized by scope: `organization` or `user`. The | ||
| scope of a provisioner can be specified with | ||
| [`-tag=scope=<scope>`](../reference/cli/provisionerd_start.md#t---tag) when | ||
| starting the provisioner daemon. Only users with at least the | ||
| [Template Admin](../admin/users.md#roles) role or higher may create | ||
| organization-scoped provisioner daemons. | ||
| There are two exceptions: | ||
| - [Built-in provisioners](../reference/cli/server.md#provisioner-daemons) are | ||
| always organization-scoped. | ||
| - External provisioners started using a | ||
| [pre-shared key (PSK)](../reference/cli/provisionerd_start.md#psk) are always | ||
| organization-scoped. | ||
| ### Organization-Scoped Provisioners | ||
| **Organization-scoped Provisioners** can pick up build jobs created by any user. | ||
| These provisioners always have the implicit tags `scope=organization owner=""`. | ||
| ```sh | ||
| coder provisionerd start --org <organization_name> | ||
| ``` | ||
| If you omit the `--org` argument, the provisioner will be assigned to the | ||
| default organization. | ||
| ```sh | ||
| coder provisionerd start | ||
| ``` | ||
| ### User-scoped Provisioners | ||
| **User-scoped Provisioners** can only pick up build jobs created from | ||
| user-tagged templates. Unlike the other provisioner types, any Coder user can | ||
| run user provisioners, but they have no impact unless there exists at least one | ||
| template with the `scope=user` provisioner tag. | ||
| ```sh | ||
| coder provisionerd start \ | ||
| --tag scope=user | ||
| # In another terminal, create/push | ||
| # a template that requires user provisioners | ||
| coder templates push on-prem \ | ||
| --provisioner-tag scope=user | ||
| ``` | ||
| ## Example: Running an external provisioner with Helm | ||
| Coder provides a Helm chart for running external provisioner daemons, which you | ||
| @@ -187,7 +260,7 @@ will use in concert with the Helm chart for deploying the Coder server. | ||
| 1. Create a long, random pre-shared key (PSK) and store it in a Kubernetes | ||
| secret | ||
| ```sh | ||
| kubectl create secret generic coder-provisioner-psk --from-literal=psk=`head /dev/urandom | base64 | tr -dc A-Za-z0-9 | head -c 26` | ||
| ``` | ||
| @@ -201,7 +274,7 @@ will use in concert with the Helm chart for deploying the Coder server. | ||
| 1. Redeploy Coder with the new `values.yaml` to roll out the PSK. You can omit | ||
| `--version <your version>` to also upgrade Coder to the latest version. | ||
| ```sh | ||
| helm upgrade coder coder-v2/coder \ | ||
| --namespace coder \ | ||
| --version <your version> \ | ||
| @@ -235,7 +308,7 @@ will use in concert with the Helm chart for deploying the Coder server. | ||
| 1. Install the provisioner daemon chart | ||
| ```sh | ||
| helm install coder-provisioner coder-v2/coder-provisioner \ | ||
| --namespace coder \ | ||
| --version <your version> \ | ||
| @@ -248,7 +321,7 @@ will use in concert with the Helm chart for deploying the Coder server. | ||
| ## Example: Running an external provisioner on a VM | ||
| ```sh | ||
| curl -L https://coder.com/install.sh | sh | ||
| export CODER_URL=https://coder.example.com | ||
| export CODER_SESSION_TOKEN=your_token | ||
| @@ -257,7 +330,7 @@ coder provisionerd start | ||
| ## Example: Running an external provisioner via Docker | ||
| ```sh | ||
| docker run --rm -it \ | ||
| -e CODER_URL=https://coder.example.com/ \ | ||
| -e CODER_SESSION_TOKEN=your_token \ | ||
| @@ -272,7 +345,7 @@ As mentioned above, the Coder server will run built-in provisioners by default. | ||
| This can be disabled with a server-wide | ||
| [flag or environment variable](../reference/cli/server.md#provisioner-daemons). | ||
| ```sh | ||
| coder server --provisioner-daemons=0 | ||
| ``` | ||
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.