Add OpenVSX proxy component

Author: corneliusludmann

.werft/values.dev.yaml

@@ -29,9 +29,6 @@ resources:
     # => 32Gi / 100 ~ 328Mi => 350Mi
     memory: 350Mi
 
-vsxRegistry:
-  proxy: true
-
 components:
 
   agentSmith:
@@ -108,6 +105,9 @@ components:
                 cpu: 1m
                 ephemeral-storage: 5Gi
                 memory: 4608Mi  # = 2 * 2304Mi
+  openVsxProxy:
+    disabled: false
+    replicas: 2
 
   # Allow per-branch ingress from another, in-cluster proxy
   proxy:

chart/templates/blobserve-configmap.yaml

@@ -32,10 +32,10 @@ data:
                     "replacements": [
                         { "search": "vscode-webview.net", "replacement": "{{ .Values.hostname }}", "path": "/ide/out/vs/workbench/workbench.web.api.js" },
                         { "search": "vscode-webview.net", "replacement": "{{ .Values.hostname }}", "path": "/ide/out/vs/workbench/services/extensions/worker/extensionHostWorker.js" }
-                        {{- if .Values.vsxRegistry.proxy }}
-                        , { "search": "open-vsx.org", "replacement": "open-vsx.{{ .Values.hostname }}", "path": "/ide/out/vs/workbench/workbench.web.api.js" }
-                        {{- else if (and .Values.vsxRegistry.host (ne .Values.vsxRegistry.host "open-vsx.org")) }}
-                        , { "search": "open-vsx.org", "replacement": "{{ .Values.vsxRegistry.host }}", "path": "/ide/out/vs/workbench/workbench.web.api.js" }
+                        {{- if not .Values.components.openVsxProxy.disabled }}
+                        , { "search": "https://open-vsx.org", "replacement": "https://open-vsx.{{ .Values.hostname }}", "path": "/ide/out/vs/workbench/workbench.web.api.js" }
+                        {{- else if (and .Values.components.openVsxProxy.vsxRegistryUrl (ne .Values.components.openVsxProxy.vsxRegistryUrl "https://open-vsx.org")) }}
+                        , { "search": "https://open-vsx.org", "replacement": "{{ .Values.components.openVsxProxy.vsxRegistryUrl }}", "path": "/ide/out/vs/workbench/workbench.web.api.js" }
                         {{- end }}
                     ],
                     "inlineStatic": [

chart/templates/openvsx-proxy-configmap.yaml

@@ -0,0 +1,32 @@
+# Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ if not .Values.components.openVsxProxy.disabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.components.openVsxProxy.name }}-config
+  labels:
+    app: {{ template "gitpod.fullname" $ }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+  config.json: |
+    {
+      "log_debug": true,
+      "cache_duration_regular": "{{ .Values.components.openVsxProxy.cacheDurationRegular | default "1m" }}",
+      "cache_duration_backup": "{{ .Values.components.openVsxProxy.cacheDurationBackup | default "72h" }}",
+      "url_upstream": "{{ .Values.components.openVsxProxy.vsxRegistryUrl | default "https://open-vsx.org" }}",
+      "url_local": "https://open-vsx.{{ .Values.hostname }}",
+      "max_idle_conns": {{ .Values.components.openVsxProxy.maxIdleConns | default "1000" }},
+      "max_idle_conns_per_host": {{ .Values.components.openVsxProxy.maxIdleConnsPerHost | default "1000" }},
+      {{ if .Values.components.openVsxProxy.enableRedis }}"redis_addr": "localhost:6379",{{ end }}
+      "prometheusAddr": ":{{ .Values.components.openVsxProxy.ports.metrics.containerPort | default "9500" }}"
+    }
+  {{ if .Values.components.openVsxProxy.enableRedis }}
+  redis.conf: |
+    maxmemory {{ .Values.components.openVsxProxy.redisMaxMemory | default "100mb" }}
+    maxmemory-policy allkeys-lfu
+  {{ end }}
+{{ end }}

chart/templates/openvsx-proxy-deny-all-allow-explicit-networkpolicy.yaml

@@ -0,0 +1,40 @@
+# Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ if .Values.installNetworkPolicies -}}
+{{ if not .Values.components.openVsxProxy.disabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: openvsx-proxy-deny-all-allow-explicit
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: openvsx-proxy
+    kind: networkpolicy
+    stage: {{ .Values.installation.stage }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ template "gitpod.fullname" . }}
+      component: openvsx-proxy
+  policyTypes:
+  - Ingress
+  ingress:
+  # Allow access to HTTP on port 8080 from everywhere
+  - ports:
+    - protocol: TCP
+      port: 8080
+  # Allow prometheus scraping from openvsx-proxy /metrics endpoint
+  - ports:
+    - protocol: TCP
+      port: 9500
+    from:
+    - namespaceSelector:
+        matchLabels:
+          chart: monitoring
+    - podSelector:
+        matchLabels:
+          app: prometheus
+          component: server
+{{- end -}}
+{{- end -}}

chart/templates/openvsx-proxy-rolebinding.yaml

@@ -0,0 +1,43 @@
+# Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ if not .Values.components.openVsxProxy.disabled -}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openvsx-proxy
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: openvsx-proxy
+    kind: role-binding
+    stage: {{ .Values.installation.stage }}
+subjects:
+- kind: ServiceAccount
+  name: openvsx-proxy
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Namespace }}-ns-psp:restricted-root-user
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+---
+
+{{ if not .Values.components.openVsxProxy.disabled -}}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Namespace }}-openvsx-proxy-kube-rbac-proxy
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: openvsx-proxy
+    kind: role-binding
+    stage: {{ .Values.installation.stage }}
+subjects:
+- kind: ServiceAccount
+  name: openvsx-proxy
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name:  {{ .Release.Namespace }}-kube-rbac-proxy
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}

chart/templates/openvsx-proxy-service.yaml

@@ -0,0 +1,4 @@
+# Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ template "gitpod.service.default" dict "root" . "gp" .Values "comp" .Values.components.openVsxProxy }}

chart/templates/openvsx-proxy-serviceaccount.yaml

@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ if not .Values.components.openVsxProxy.disabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: openvsx-proxy
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: openvsx-proxy
+    kind: service-account
+    stage: {{ .Values.installation.stage }}
+{{- end -}}

chart/templates/openvsx-proxy-statefulset.yaml

@@ -0,0 +1,93 @@
+# Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ $comp := .Values.components.openVsxProxy -}}
+{{- $this := dict "root" . "gp" $.Values "comp" $comp -}}
+{{- if not $comp.disabled -}}
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: openvsx-proxy
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: openvsx-proxy
+    kind: statefulset
+    stage: {{ .Values.installation.stage }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "gitpod.fullname" . }}
+      component: openvsx-proxy
+      kind: pod
+      stage: {{ .Values.installation.stage }}
+  serviceName: openvsx-proxy
+  replicas: {{ $comp.replicas | default 1 }}
+  template:
+    metadata:
+      name: openvsx-proxy
+      labels:
+        app: {{ template "gitpod.fullname" . }}
+        component: openvsx-proxy
+        kind: pod
+        stage: {{ .Values.installation.stage }}
+    spec:
+{{ include "gitpod.pod.affinity" $this | indent 6 }}
+      serviceAccount: openvsx-proxy
+      containers:
+      - name: openvsx-proxy
+        image: {{ template "gitpod.comp.imageFull" $this }}
+        args:
+        - /config/config.json
+        readinessProbe:
+          httpGet:
+            path: /openvsx-proxy-status
+            port: 8080
+{{ include "gitpod.container.imagePullPolicy" $this | indent 8 }}
+{{ include "gitpod.container.resources" $this | indent 8 }}
+{{ include "gitpod.container.ports" $this | indent 8 }}
+        volumeMounts:
+        - name: config
+          mountPath: "/config"
+{{ include "gitpod.container.defaultEnv" (dict "root" . "gp" $.Values "comp" $comp) | indent 8 }}
+{{ if $comp.enableRedis }}
+      - name: redis
+        image: redis:6.2
+        command:
+        - redis-server
+        - "/config/redis.conf"
+        env:
+        - name: MASTER
+          value: "true"
+        ports:
+        - containerPort: 6379
+{{ include "gitpod.container.imagePullPolicy" $this | indent 8 }}
+{{ include "gitpod.container.resources" $this | indent 8 }}
+        volumeMounts:
+        - mountPath: /config
+          name: config
+        - mountPath: /data
+          name: redis-data
+{{ end }}
+      volumes:
+      - name: config
+        configMap:
+          name: {{ template "gitpod.comp.configMap" $this }}
+{{ toYaml .Values.defaults | indent 6 }}
+
+{{ if $comp.enableRedis }}
+  volumeClaimTemplates:
+  - metadata:
+      name: redis-data
+      labels:
+        app: {{ template "gitpod.fullname" . }}
+        component: openvsx-proxy
+        kind: volumeclaim
+        stage: {{ .Values.installation.stage }}
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      resources:
+        requests:
+          storage: 8Gi
+{{ end }}
+
+{{ end }}

chart/templates/proxy-configmap.yaml

@@ -51,54 +51,15 @@ data:
       }
     }
 {{- end }}
-{{- if .Values.vsxRegistry.proxy }}
+{{- if not .Values.components.openVsxProxy.disabled }}
   vhost.open-vsx: |
-    # We cache the requests to the VSX registry and in case of an upstream server error we serve the the cached results.
     https://open-vsx.{$GITPOD_DOMAIN} {
       import enable_log_debug
       import remove_server_header
       import ssl_configuration
 
-      # The http_cache plugin does not allow to cache the HTTP OPTIONS method.
-      # That's why we simply serve a static respond instead of asking the upstream server.
-      @options method OPTIONS
-      header @options {
-        Access-Control-Allow-Credentials "true"
-        Access-Control-Allow-Headers "content-type,x-market-client-id,x-market-user-id,x-client-commit,x-client-name,x-client-version,x-machine-id"
-        Access-Control-Allow-Methods "OPTIONS,GET,POST,PATCH,PUT,DELETE"
-        Access-Control-Allow-Origin "*"
-      }
-      respond @options 204 {
-        close
-      }
-
-      reverse_proxy {
-        to https://{{ .Values.vsxRegistry.host | default "open-vsx.org" }}
-
-        # health_uri /api/-/search
-
-        header_up Host "{{ .Values.vsxRegistry.host | default "open-vsx.org" }}"
-        header_up -Connection
-
-        # Override/remove existing cache control headers from the upstream server.
-        header_down Cache-Control "max-age=30, public"  # cache for 30 seconds
-        header_down -Vary
-        header_down -Pragma
-        header_down -Expires
-      }
-
-      gitpod.body_intercept {
-        search "{{ .Values.vsxRegistry.host | default "open-vsx.org" }}"
-        replace "open-vsx.{$GITPOD_DOMAIN}"
-      }
-
-      http_cache {
-        cache_type file
-        path /tmp/openvsx-cache
-        match_path /
-        match_methods GET HEAD POST
-        stale_max_age 72h  # 3 days
-        cache_key "{http.request.method} {http.request.host}{http.request.uri.path}?{http.request.uri.query} {http.request.contentlength} {http.request.bodyhash}"
+      reverse_proxy  {
+        to openvsx-proxy.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:{{.Values.components.openVsxProxy.ports.http.servicePort}}
       }
     }
 {{- end }}

chart/templates/server-configmap.yaml

@@ -61,10 +61,10 @@ data:
         "contentServiceAddr": {{ $comp.contentServiceAddr | quote }},
         "imageBuilderAddr": {{ $comp.imageBuilderAddr | quote }},
         "codeSync": {{ $comp.codeSync | toJson }},
-        {{- if .Values.vsxRegistry.proxy }}
+        {{- if not .Values.components.openVsxProxy.disabled }}
         "vsxRegistryUrl": "https://open-vsx.{{ .Values.hostname }}",
         {{- else }}
-        "vsxRegistryUrl": "https://{{ .Values.vsxRegistry.host | default "open-vsx.org" }}",
+        "vsxRegistryUrl": "{{ .Values.components.openVsxProxy.vsxRegistryUrl | default "https://open-vsx.org" }}",
         {{- end }}
         "enablePayment": {{ $comp.enablePayment }},
         "insecureNoDomain": {{ $comp.insecureNoDomain }},