feat(helm/provisioner): add support for provisioner keys, add note re psk #15122


Merged
johnstcn merged 4 commits into main from cj/helm-provisionerd-provisionerkey
Oct 18, 2024

@johnstcn commented Oct 17, 2024 (edited)

Relates to #14985

  • Adds provisionerDaemon.keySecretName and provisionerDaemon.keySecretKey
  • Omitting provisionerDaemon.pskSecretName will now cause the PSK secret to no longer be created.
  • Adds a note in NOTES.txt regarding provisioner PSKs.
  • Adds validation that either provisionerDaemon.keySecretName or provisionerDaemon.pskSecretName is specified, and will fail the install in this case.

Manual smoke-testing:

  1. With defaults:

    helm install --namespace=tmp test-provisionerd . --set coder.image.tag=latest --dry-run
    NAME: test-provisionerd
    LAST DEPLOYED: Thu Oct 17 14:45:55 2024
    NAMESPACE: tmp
    STATUS: pending-install
    REVISION: 1
    TEST SUITE: None
    HOOKS:
    MANIFEST: <yaml>
    NOTES:
    * Provisioner Daemon PSKs are no longer recommended for use with external
      provisioners. Consider migrating to scoped provisioner keys instead. For more
      information, see: https://coder.com/docs/admin/provisioners#authentication
    Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run
    into any problems! :)

  2. With explicitly specified pskSecretName:

    helm install --namespace=tmp test-provisionerd . --set coder.image.tag=latest --set provisionerDaemon.pskSecretName='foobar' --dry-run
    NAME: test-provisionerd
    LAST DEPLOYED: Thu Oct 17 14:43:08 2024
    NAMESPACE: tmp
    STATUS: pending-install
    REVISION: 1
    TEST SUITE: None
    HOOKS:
    MANIFEST: <yaml>
    NOTES:
    * Provisioner Daemon PSKs are no longer recommended for use with external
      provisioners. Consider migrating to scoped provisioner keys instead. For more
      information, see: https://coder.com/docs/admin/provisioners#authentication
    Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run
    into any problems! :)

  3. With pskSecretName empty and keySecretName specified:

    helm install --namespace=tmp test-provisionerd . --set coder.image.tag=latest --set provisionerDaemon.pskSecretName='' --set provisionerDaemon.keySecretName='foobar' --dry-run
    NAME: test-provisionerd
    LAST DEPLOYED: Thu Oct 17 14:45:00 2024
    NAMESPACE: tmp
    STATUS: pending-install
    REVISION: 1
    TEST SUITE: None
    HOOKS:
    MANIFEST: <yaml>
    NOTES:
    Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run
    into any problems! :)

  4. With pskSecretName empty and keySecretName empty:

    helm install --namespace=tmp test-provisionerd . --set coder.image.tag=latest --set provisionerDaemon.pskSecretName='' --set provisionerDaemon.keySecretName='' --dry-run
    Error: INSTALLATION FAILED: execution error at (coder-provisioner/templates/coder.yaml:5:3): Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified.


@matifali left a comment


LGTM.

- name: CODER_PROVISIONER_DAEMON_PSK
valueFrom:
secretKeyRef:
key: psk

nit: any reason why this is called psk instead of provisionerd-psk?


@johnstcn commented Oct 18, 2024 (edited)


The key name is currently hard-coded in _coder.tpl:

    - name: CODER_PROVISIONER_DAEMON_PSK
      valueFrom:
        secretKeyRef:
          name: {{ .Values.provisionerDaemon.pskSecretName | quote }}
          key: psk
    {{- if include "provisioner.tags" . }}

This wasn't changed as part of this PR. I can add a separate PR to allow customizing the key name, if required.

@johnstcn merged commit 413928b into main Oct 18, 2024
29 checks passed
@johnstcn deleted the cj/helm-provisionerd-provisionerkey branch October 18, 2024 10:33
@github-actions bot locked and limited conversation to collaborators Oct 18, 2024
expectedError:"",
},
{
name:"provisionerd_psk_and_key",
Contributor


Is it ever sensible to accept both? I think we can only accept one or other as the authentication credential


@johnstcn commented Oct 21, 2024 (edited)


Yep, you're correct:

error: cannot provide both provisioner key --key and pre-shared key --psk

I can remove this test and add a check in the Helm chart, but I'd worry about logic drift.
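
The validation described in this PR, extended with the mutual-exclusion check raised in review, as an added example (not the chart's template or the project's code). Go's text/template stands in for Helm rendering and `fail` is emulated; the `render` helper, the `auth=...` output and the "cannot both be set" message are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// Constructed guard, not the chart's coder.yaml. The "both set" branch is the
// stricter check discussed in review; its message is made up for this example.
const guard = `{{- if and .psk .key -}}
{{ fail "provisionerDaemon.pskSecretName and provisionerDaemon.keySecretName cannot both be set." }}
{{- else if not (or .psk .key) -}}
{{ fail "Either provisionerDaemon.pskSecretName or provisionerDaemon.keySecretName must be specified." }}
{{- else if .key -}}
auth=key secret={{ .key }}
{{- else -}}
auth=psk secret={{ .psk }}
{{- end -}}`

// render evaluates the guard for one pair of values. Helm's `fail` is emulated
// by a template func that returns an error, which aborts execution.
func render(psk, key string) (string, error) {
	funcs := template.FuncMap{
		"fail": func(msg string) (string, error) { return "", errors.New(msg) },
	}
	t, err := template.New("guard").Funcs(funcs).Parse(guard)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, map[string]string{"psk": psk, "key": key}); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed inputs: the smoke-test combinations plus the "both set" case.
	cases := [][2]string{{"foobar", ""}, {"", "foobar"}, {"", ""}, {"foobar", "foobar"}}
	for _, c := range cases {
		out, err := render(c[0], c[1])
		fmt.Printf("psk=%q key=%q -> %q err=%v\n", c[0], c[1], out, err)
	}
}
```

Keeping a check like this in the chart duplicates the rule the CLI already enforces, which is the logic-drift trade-off mentioned in the thread.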


Reviewers

@spikecurtis left review comments

@matifali approved these changes

@mtojek approved these changes

@ericpaulsen: awaiting requested review

Assignees

@johnstcn


5 participants

@johnstcn @spikecurtis @matifali @mtojek
