You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
🤖 fix: stabilize CoderProvisioner reconcile and startup (#73)
## Summary
This PR fixes CoderProvisioner bring-up and reconcile stability issues
discovered in smoke testing.
## Background
During an end-to-end smoke test, `CoderProvisioner` failed to reach
Ready due to RBAC escalation issues and provisioner pod startup
failures. Logs also showed repeated metadata backfill/rotation activity
that could repeatedly hit coderd and trigger rate limiting when
reconcile retries occurred.
## Implementation
- Added manager RBAC markers for delegated provisioner role verbs on:
- `pods` (`get/list/watch/create/update/patch/delete`)
- `persistentvolumeclaims` (`get/list/watch/create/update/patch/delete`)
- Regenerated RBAC output so `config/rbac/role.yaml` includes those
verbs.
- Stopped coderd metadata-backfill churn when a usable key secret
already exists by stamping status baseline fields locally instead of
re-calling/rotating keys in that retry path.
- Updated provisioner pod launch wiring:
- explicit `command: ["coder"]`
- args use `coder provisioner start`
- removed `CODER_ORGANIZATION` injection for key-auth daemon startup
(avoids CLI rejection when `--key` is used).
- Updated controller tests accordingly.
- Regenerated CRD/docs for the updated API comment text.
## Validation
- `make verify-vendor`
- `make test`
- `make build`
- `make lint`
- `make test-integration`
- `make manifests`
- `make docs-reference`
- Runtime smoke verification in kind:
- `CoderProvisioner` reaches `phase=Ready`, `readyReplicas=1`
- provisioner pod logs include `successfully connected to coderd`
## Risks
- Low to moderate: changes are isolated to `CoderProvisioner`
reconcile/deployment composition and generated RBAC/docs.
- Main behavior change is intentionally avoiding metadata-backfill
coderd calls when a usable key secret already exists; this reduces
churn/rate-limit risk during retry loops.
---
_Generated with `mux` • Model: `openai:gpt-5.3-codex` • Thinking:
`xhigh` • Cost: `$0.00`_
<!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh
costs=0.00 -->
Copy file name to clipboardExpand all lines: docs/reference/api/coderprovisioner.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,7 +20,7 @@
20
20
|`replicas`| integer | Replicas is the desired number of provisioner pods. |
21
21
|`tags`| object (keys:string, values:string) | Tags are attached to the provisioner key for job routing. |
22
22
|`image`| string | Image is the container image. Defaults to the control plane image. |
23
-
|`extraArgs`| string array | ExtraArgs are appended after "provisionerd start". |
23
+
|`extraArgs`| string array | ExtraArgs are appended after "provisioner start". |
24
24
|`extraEnv`|[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#envvar-v1-core) array | ExtraEnv are injected into the provisioner container. |
25
25
|`resources`|[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#resourcerequirements-v1-core)| Resources for the provisioner container. |
26
26
|`imagePullSecrets`|[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#localobjectreference-v1-core) array | ImagePullSecrets are used by the pod to pull private images. |
0 commit comments