Goal
Reconcile Coder application state that lives in the Coder DB/API (not Kubernetes objects) through Argo Jobs and CI. A GitOps controller cannot natively reconcile this: there is no cluster object for it to diff against the desired state in git. Plan: docs/plans/gitops-adoption.md (section 6.1).
In scope
Organizations, group/role IdP sync settings, AI providers, appearance banner, provisioner keys, templates, license. Existing idempotent automation: scripts/setup-coder-idp-sync.py, scripts/set-appearance.sh.
Recommendation (per surface)
Orgs + group/role IdP sync: Argo PostSync Job running setup-coder-idp-sync.py (idempotent discover-then-PATCH), gated to run after coderd is healthy.
Appearance banner: Argo PostSync Job running set-appearance.sh (idempotent PUT; premium-gated, depends on the license).
AI providers: Argo PostSync Job reconciling via the Coder API, reading the sk-ant-... key from ASM via ESO at runtime. The DB is authoritative and the Helm env only seeds it once (the drift guard refuses to re-seed), so keep the Helm provider env frozen and manage providers through the API. Key never in git.
Provisioner keys (alpha-eks, bravo-eks): one-time bootstrap Job, "create only if absent in ASM", key written back to ASM for ESO to sync. Not a reconcile loop: re-creating the key rotates it, and provisioners still holding the old value stop authenticating until they pick up the new one.
Templates (coder templates push): in-boundary GitLab CI pipeline on the template repo, version pinned in git. A versioned publish action, not a reconcile.
License (JWT): out-of-band runbook, value in ASM; deliberate break-glass.
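The discover-then-PATCH shape the IdP sync and appearance Jobs rely on, written out as an added example (this is not scripts/setup-coder-idp-sync.py or anything else from the repo). The settings path, the JSON field names of the group sync object, and the assumption that PATCH takes the full settings object are all assumptions to check against the existing script and the Coder API docs; the in-memory FakeCoder exists only so the idempotency property can be shown offline.

```python
"""Idempotent discover-then-PATCH reconcile of Coder settings that live in the
Coder DB (not in Kubernetes). Added example; not the repo's setup-coder-idp-sync.py.

Assumptions (not from the page): the settings path, the JSON field names of the
group sync settings, and that PATCH takes the full settings object. Check both
against scripts/setup-coder-idp-sync.py and the Coder API docs before reuse.
"""
import json
import os
import urllib.request
from typing import Callable, Optional

# A transport maps (method, path, body) -> decoded JSON response.
Transport = Callable[[str, str, Optional[dict]], dict]

# Example target: per-organization group IdP sync settings. Path is assumed.
GROUP_SYNC_PATH = "/api/v2/organizations/{org}/settings/idpsync/groups"

# Desired state as it would be committed to git. Mapping values are Coder
# group UUIDs; the one below is a placeholder.
DESIRED_GROUP_SYNC = {
    "field": "groups",
    "mapping": {"platform-admins": ["00000000-0000-0000-0000-000000000001"]},
    "regex_filter": None,
    "auto_create_missing_groups": False,
}


def http_transport(base_url: str, token: str) -> Transport:
    """Real transport for coderd; the token comes from the ESO-synced Secret, never git."""
    def call(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=data, method=method,
            headers={"Coder-Session-Token": token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return call


def drifted_keys(current: dict, desired: dict) -> list:
    """Keys we manage whose live value differs from the desired value."""
    return sorted(k for k, v in desired.items() if current.get(k) != v)


def reconcile(transport: Transport, path: str, desired: dict) -> list:
    """Discover, compare, PATCH only on drift. Returns the keys that changed;
    an empty list means the run was a no-op, which is what re-running a
    PostSync hook against an already converged coderd must produce."""
    current = transport("GET", path, None)
    changed = drifted_keys(current, desired)
    if not changed:
        return []
    # Send the merged object so fields we do not manage are preserved
    # (assumes the endpoint expects the full settings object).
    transport("PATCH", path, {**current, **desired})
    return changed


class FakeCoder:
    """In-memory stand-in for coderd, only to demonstrate idempotency offline."""
    def __init__(self, initial: dict):
        self.state = dict(initial)
        self.calls = []

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        self.calls.append(method)
        if method == "PATCH":
            self.state = dict(body)
        return dict(self.state)


def demo() -> tuple:
    """Two runs against a fresh install: the first converges, the second is a no-op."""
    fake = FakeCoder({"field": "", "mapping": {}, "regex_filter": None,
                      "auto_create_missing_groups": False})
    path = GROUP_SYNC_PATH.format(org="default")
    first = reconcile(fake, path, DESIRED_GROUP_SYNC)
    second = reconcile(fake, path, DESIRED_GROUP_SYNC)
    return first, second, fake.calls


if __name__ == "__main__":
    if os.environ.get("CODER_URL"):
        t = http_transport(os.environ["CODER_URL"], os.environ["CODER_SESSION_TOKEN"])
        print(reconcile(t, GROUP_SYNC_PATH.format(org="default"), DESIRED_GROUP_SYNC))
    else:
        print(demo())
```

The Job's exit code is what Argo sees, so any change to `reconcile` must keep the property that a second run against converged state issues no write; that is what makes re-running the hook on every sync safe.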
Secret-handling
Jobs need a Coder admin session: source the credential from an ESO-synced Secret (ASM), scope it to the organizations the Job manages, and prefer a dedicated automation account over the break-glass owner so its actions are attributable in the audit log and its token can be rotated without touching break-glass.
No Coder secrets in git; the AI key and license stay in ASM.
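The Argo PostSync hook Job wired the way the sections above describe (credential from an ESO-synced Secret, run only once coderd answers on /healthz, automation account rather than the owner), as an added example; this is not a manifest from the repo. The namespace, ClusterSecretStore name, ASM path, image, Coder URL and ServiceAccount are assumptions, as is the assumption that setup-coder-idp-sync.py reads CODER_URL and CODER_SESSION_TOKEN.

```yaml
# ExternalSecret: pull the automation account's session token from ASM into
# the cluster so the Job never carries a credential in git.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: coder-automation-token
  namespace: coder                       # assumed
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secretsmanager             # assumed store name
  target:
    name: coder-automation-token
  data:
    - secretKey: CODER_SESSION_TOKEN
      remoteRef:
        key: coder/automation/session-token   # assumed ASM path
---
# PostSync hook: Argo runs it after the sync's resources are Healthy and
# deletes the previous run before creating the next, so re-syncs re-run it.
apiVersion: batch/v1
kind: Job
metadata:
  name: coder-idp-sync
  namespace: coder
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  backoffLimit: 3
  activeDeadlineSeconds: 900
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: coder-automation   # assumed; needs no cluster RBAC
      automountServiceAccountToken: false
      initContainers:
        # Gate on coderd itself, not just on the Deployment reporting Ready.
        - name: wait-for-coderd
          image: curlimages/curl:8.5.0
          env:
            - name: CODER_URL
              value: https://coder.example.internal   # assumed
          command: ["sh", "-c"]
          args:
            - |
              until curl -fsS "${CODER_URL}/healthz" >/dev/null; do
                echo "waiting for coderd"; sleep 5
              done
      containers:
        - name: idp-sync
          image: registry.example.internal/coder-automation:1.2.3   # assumed; ships scripts/
          command: ["python3", "/scripts/setup-coder-idp-sync.py"]
          env:
            - name: CODER_URL
              value: https://coder.example.internal
            - name: CODER_SESSION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: coder-automation-token
                  key: CODER_SESSION_TOKEN
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```

The same skeleton serves set-appearance.sh and the AI provider reconcile; only the container command and the ExternalSecret entries change. The token reaches the process as an environment variable from a Secret, so it shows up in neither the manifest nor the Argo diff.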
Why Jobs over a Terraform/Crossplane Coder provider
The community coderd provider does not cover appearance or AI providers, and adopting it would add a second state store alongside Terraform-for-AWS. Reuse the existing idempotent scripts now; revisit a provider later only if the managed surface grows.
Generated by Coder Agents.