[installer]: general fixes for the workspace components

This now installs the workspace components to a cluster using an InCluster database and registry

Author: Simon Emms

installer/pkg/common/constants.go

@@ -15,6 +15,12 @@ const (
 	InClusterMessageQueueTLS  = "messagebus-certificates-secret-core"
 	MonitoringChart           = "monitoring"
 	ProxyComponent            = "proxy"
+	RegistryFacadeComponent   = "registry-facade"
+	RegistryFacadeServicePort = 3000
 	ServerComponent           = "server"
 	SystemNodeCritical        = "system-node-critical"
+	WSManagerComponent        = "ws-manager"
+	WSManagerBridgeComponent  = "ws-manager-bridge"
+	WSProxyComponent          = "ws-proxy"
+	WSSchedulerComponent      = "ws-scheduler"
 )

installer/pkg/common/objects.go

@@ -5,6 +5,8 @@
 package common
 
 import (
+	"fmt"
+	storageconfig "github.com/gitpod-io/gitpod/content-service/api/config"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -69,3 +71,28 @@ func GenerateService(component string, ports map[string]ServicePort, mod ...func
 		}}, nil
 	}
 }
+
+func StorageConfiguration(ctx *RenderContext) (*storageconfig.StorageConfig, error) {
+	accessKey := ctx.Values.StorageAccessKey
+	if accessKey == "" {
+		return nil, fmt.Errorf("unknown value: storage access key")
+	}
+	secretKey := ctx.Values.StorageSecretKey
+	if secretKey == "" {
+		return nil, fmt.Errorf("unknown value: storage secret key")
+	}
+
+	// todo(sje): support non-Minio storage configuration
+	// todo(sje): this has been set up with only the default values - receive configuration
+	return &storageconfig.StorageConfig{
+		Kind:      "minio",
+		BlobQuota: 0,
+		MinIOConfig: storageconfig.MinIOConfig{
+			Endpoint:        fmt.Sprintf("minio.%s", ctx.Config.Domain),
+			AccessKeyID:     accessKey,
+			SecretAccessKey: secretKey,
+			Secure:          false,
+			Region:          "local",
+		},
+	}, nil
+}

installer/pkg/components/blobserve/deployment.go

@@ -6,7 +6,7 @@ package blobserve
 
 import (
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
-
+	dockerregistry "github.com/gitpod-io/gitpod/installer/pkg/components/docker-registry"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -18,6 +18,44 @@ import (
 func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 	labels := common.DefaultLabels(Component)
 
+	volumes := []corev1.Volume{{
+		Name:         "cache",
+		VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
+	}, {
+		Name: "config",
+		VolumeSource: corev1.VolumeSource{
+			ConfigMap: &corev1.ConfigMapVolumeSource{
+				LocalObjectReference: corev1.LocalObjectReference{Name: Component},
+			},
+		},
+	}}
+
+	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      "config",
+			MountPath: "/mnt/config",
+			ReadOnly:  true,
+		}, {
+			Name:      "cache",
+			MountPath: "/mnt/cache",
+		},
+	}
+
+	if pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) {
+		volumeName := "pull-secret"
+		volumes = append(volumes, corev1.Volume{
+			Name: volumeName,
+			VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{
+				SecretName: dockerregistry.BuiltInRegistryAuth,
+			}},
+		})
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      volumeName,
+			MountPath: "/mnt/pull-secret.json",
+			SubPath:   ".dockerconfigjson",
+		})
+	}
+
 	return []runtime.Object{
 		&appsv1.Deployment{
 			TypeMeta: common.TypeMetaDeployment,
@@ -41,22 +79,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 						Affinity:           &corev1.Affinity{},
 						ServiceAccountName: Component,
 						EnableServiceLinks: pointer.Bool(false),
-						Volumes: []corev1.Volume{{
-							Name:         "cache",
-							VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
-						}, {
-							Name: "config",
-							VolumeSource: corev1.VolumeSource{
-								ConfigMap: &corev1.ConfigMapVolumeSource{
-									LocalObjectReference: corev1.LocalObjectReference{Name: Component},
-								},
-							},
-						}, {
-							Name: "pull-secret",
-							VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{
-								SecretName: "",
-							}},
-						}},
+						Volumes:            volumes,
 						Containers: []corev1.Container{{
 							Name:            Component,
 							Args:            []string{"run", "-v", "/mnt/config/config.json"},
@@ -80,14 +103,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 								common.DefaultEnv(&ctx.Config),
 								common.TracingEnv(&ctx.Config),
 							),
-							VolumeMounts: []corev1.VolumeMount{{
-								Name:      "config",
-								MountPath: "/mnt/config",
-								ReadOnly:  true,
-							}, {
-								Name:      "cache",
-								MountPath: "/mnt/cache",
-							}},
+							VolumeMounts: volumeMounts,
 						}, *common.KubeRBACProxyContainer()},
 					},
 				},

installer/pkg/components/docker-registry/secret.go

@@ -8,7 +8,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+	certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 	"time"
 
@@ -64,14 +64,14 @@ func secret(ctx *common.RenderContext) ([]runtime.Object, error) {
 			"user":              []byte(user),
 			"password":          []byte(password),
 		},
-	}, &v1.Certificate{
+	}, &certmanagerv1.Certificate{
 		TypeMeta: common.TypeMetaCertificate,
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      BuiltInRegistryCerts,
 			Namespace: ctx.Namespace,
 			Labels:    common.DefaultLabels(Component),
 		},
-		Spec: v1.CertificateSpec{
+		Spec: certmanagerv1.CertificateSpec{
 			Duration:   oneYear,
 			SecretName: BuiltInRegistryCerts,
 			IssuerRef: cmmeta.ObjectReference{

installer/pkg/components/registry-facade/configmap.go

@@ -40,12 +40,11 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 			TLS:         &tls,
 			Store:       "/mnt/cache/registry",
 			RequireAuth: false,
-			// todo(sje): figure out these values
 			StaticLayer: []regfac.StaticLayerCfg{{
-				Ref:  common.ImageName(ctx.Config.Repository, Component, "todo"),
+				Ref:  common.ImageName(ctx.Config.Repository, SupervisorImage, ctx.VersionManifest.Components.Workspace.Supervisor.Version),
 				Type: "image",
 			}, {
-				Ref:  common.ImageName(ctx.Config.Repository, Component, "todo"),
+				Ref:  common.ImageName(ctx.Config.Repository, DockerUpImage, ctx.VersionManifest.Components.Workspace.DockerUp.Version),
 				Type: "image",
 			}},
 		},

installer/pkg/components/registry-facade/constants.go

@@ -4,9 +4,16 @@
 
 package registryfacade
 
+import (
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	"github.com/gitpod-io/gitpod/installer/pkg/components/workspace"
+)
+
 const (
-	Component         = "registry-facade"
+	Component         = common.RegistryFacadeComponent
 	ContainerPortName = "registry"
 	ContainerPort     = 32223
-	ServicePort       = 3000
+	ServicePort       = common.RegistryFacadeServicePort
+	DockerUpImage     = workspace.DockerUpImage
+	SupervisorImage   = workspace.SupervisorImage
 )

installer/pkg/components/registry-facade/podsecuritypolicy.go

@@ -5,6 +5,7 @@
 package registryfacade
 
 import (
+	"fmt"
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
 
 	"k8s.io/api/policy/v1beta1"
@@ -16,7 +17,7 @@ func podsecuritypolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
 	return []runtime.Object{&v1beta1.PodSecurityPolicy{
 		TypeMeta: common.TypeMetaPodSecurityPolicy,
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      Component,
+			Name:      fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 			Namespace: ctx.Namespace,
 			Labels:    common.DefaultLabels(Component),
 			Annotations: map[string]string{

installer/pkg/components/workspace/constants.go

@@ -5,7 +5,11 @@
 package workspace
 
 const (
+	ContainerPort                = 23000
 	DefaultWorkspaceImage        = "gitpod/workspace-full"
 	DefaultWorkspaceImageVersion = "latest"
 	IDEImageRepo                 = "ide/code" // todo(sje): does this need to be config driven?
+	DockerUpImage                = "docker-up"
+	SupervisorImage              = "supervisor"
+	SupervisorPort               = 22999
 )

installer/pkg/components/ws-daemon/clusterrole.go

@@ -21,7 +21,7 @@ func clusterrole(ctx *common.RenderContext) ([]runtime.Object, error) {
 		&rbacv1.ClusterRole{
 			TypeMeta: common.TypeMetaClusterRole,
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      Component,
+				Name:      fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 				Namespace: ctx.Namespace,
 				Labels:    labels,
 			},

installer/pkg/components/ws-daemon/configmap.go

@@ -27,11 +27,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
-const (
-	locContainerWorkingArea = "/mnt/workingarea"
-	locNodeWorkingArea      = "/mnt/disks/ssd0/workspaces"
-)
-
 func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 	var fsshift wsdapi.FSShiftMethod
 	switch ctx.Config.Workspace.Runtime.FSShiftMethod {
@@ -46,26 +41,38 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 	wsdcfg := wsdconfig.Config{
 		Daemon: daemon.Config{
 			Runtime: daemon.RuntimeConfig{
+				KubernetesNamespace: ctx.Namespace,
 				Container: &container.Config{
 					Runtime: container.RuntimeContainerd,
+					Mapping: map[string]string{
+						ctx.Config.Workspace.Runtime.ContainerDRuntimeDir: "/mnt/node0",
+					},
 					Mounts: container.NodeMountsLookupConfig{
-						ProcLoc: "/mnt/rootfs/proc",
+						ProcLoc: "/mnt/mounts",
 					},
 					Containerd: &container.ContainerdConfig{
-						SocketPath: "/mnt/rootfs/run/containerd/containerd.sock",
+						SocketPath: "/mnt/containerd.sock",
 					},
 				},
 			},
 			Content: content.Config{
-				WorkingArea:     locContainerWorkingArea,
-				WorkingAreaNode: locNodeWorkingArea,
+				WorkingArea:     "/mnt/workingarea",
+				WorkingAreaNode: HostWorkspacePath,
+				TmpDir:          "/tmp",
 				UserNamespaces: content.UserNamespacesConfig{
 					FSShift: content.FSShiftMethod(fsshift),
 				},
 				Storage: common.StorageConfig(&ctx.Config),
+				Backup: content.BackupConfig{
+					Timeout:  util.Duration(time.Minute * 5),
+					Attempts: 3,
+				},
+				Initializer: content.InitializerConfig{
+					Command: "/app/content-initializer",
+				},
 			},
 			Uidmapper: iws.UidmapperConfig{
-				ProcLocation: "/mnt/rootfs/proc",
+				ProcLocation: "/proc",
 				RootRange: iws.UIDRange{
 					Start: 33333,
 					Size:  1,
@@ -84,7 +91,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 				},
 				ControlPeriod:   "15m",
 				SamplingPeriod:  "10s",
-				CGroupsBasePath: "/mnt/rootfs/sys/fs/cgroup",
+				CGroupsBasePath: "/mnt/node-cgroups",
 				ProcessPriorities: map[resources.ProcessType]int{
 					resources.ProcessSupervisor: 0,
 					resources.ProcessTheia:      5,
@@ -94,7 +101,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 			},
 			Hosts: hosts.Config{
 				Enabled:       true,
-				NodeHostsFile: "/mnt/rootfs/etc/hosts",
+				NodeHostsFile: "/mnt/hosts",
 				FixedHosts: map[string][]hosts.Host{
 					"registryFacade": {{
 						Name: fmt.Sprintf("reg.%s", ctx.Config.Domain),
@@ -110,11 +117,19 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 				Enabled:  true,
 				Interval: util.Duration(5 * time.Minute),
 				Locations: []diskguard.LocationConfig{{
-					Path:          locContainerWorkingArea,
+					Path:          "/mnt/wsdaemon-workingarea",
 					MinBytesAvail: 21474836480,
 				}},
 			},
 		},
+		Service: wsdconfig.AddrTLS{
+			Addr: fmt.Sprintf(":%d", ServicePort),
+			TLS: &wsdconfig.TLS{
+				Authority:   "/certs/ca.crt",
+				Certificate: "/certs/tls.crt",
+				PrivateKey:  "/certs/tls.key",
+			},
+		},
 		Prometheus: wsdconfig.Addr{
 			Addr: "localhost:9500",
 		},