From c64d34195ad9b6d66b10a3d9fd16b8a807647931 Mon Sep 17 00:00:00 2001
From: Andrew Farries
Date: Fri, 10 Jun 2022 09:26:49 +0000
Subject: [PATCH 1/4] Copy stripe secret into preview cluster
---
 .werft/jobs/build/installer/installer.ts | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.werft/jobs/build/installer/installer.ts b/.werft/jobs/build/installer/installer.ts
index edf381ac33141a..98cd2849eff820 100644
--- a/.werft/jobs/build/installer/installer.ts
+++ b/.werft/jobs/build/installer/installer.ts
@@ -3,6 +3,7 @@ import { exec } from "../../../util/shell";
 import { Werft } from "../../../util/werft";
 import { getNodePoolIndex } from "../deploy-to-preview-environment";
 import { renderPayment } from "../payment/render";
+import { CORE_DEV_KUBECONFIG_PATH } from "../const";
 const BLOCK_NEW_USER_CONFIG_PATH = './blockNewUsers';
 const WORKSPACE_SIZE_CONFIG_PATH = './workspaceSizing';
@@ -66,6 +67,7 @@ export class Installer {
 this.configureIDE(slice)
 this.configureObservability(slice)
 this.configureAuthProviders(slice)
+ this.configureStripeAPIKeys(slice)
 this.configureSSHGateway(slice)
 this.configurePublicAPIServer(slice)
 this.configureUsage(slice)
@@ -161,6 +163,19 @@ EOF`)
 done`, { slice: slice })
 }
+ private configureStripeAPIKeys(slice: string) {
+ exec(
+ `kubectl --kubeconfig ${CORE_DEV_KUBECONFIG_PATH} -n werft get secret stripe-api-keys -o yaml > stripe-api-keys.secret.yaml`,
+ { slice },
+ );
+ exec(`yq w -i stripe-api-keys.secret.yaml metadata.namespace "default"`, { slice });
+ exec(`yq d -i stripe-api-keys.secret.yaml metadata.creationTimestamp`, { slice });
+ exec(`yq d -i stripe-api-keys.secret.yaml metadata.uid`, { slice });
+ exec(`yq d -i stripe-api-keys.secret.yaml metadata.resourceVersion`, { slice });
+ exec(`kubectl --kubeconfig "${this.options.kubeconfigPath}" apply -f stripe-api-keys.secret.yaml`, { slice });
+ exec(`rm -f stripe-api-keys.secret.yaml`, { slice });
+ }
+
 private configureSSHGateway(slice: string) {
 exec(`cat /workspace/host-key.yaml \
 | yq w - metadata.namespace ${this.options.deploymentNamespace} \
From eafd1f730fcd85d2b9bcb79778bef11d23fd3403 Mon Sep 17 00:00:00 2001
From: Andrew Farries
Date: Thu, 9 Jun 2022 15:29:06 +0000
Subject: [PATCH 2/4] Configure server to use stripe secret
---
 .werft/jobs/build/helm/values.payment.yaml | 4 ++--
 .werft/jobs/build/installer/installer.ts | 3 ++-
 .../server/ee/src/user/stripe-service.ts | 4 ++--
 .../ee/src/workspace/gitpod-server-impl.ts | 2 +-
 components/server/src/config.ts | 18 ++++++++++--------
 .../pkg/components/server/configmap.go | 2 +-
 .../pkg/components/server/deployment.go | 4 ++--
 .../installer/pkg/components/server/types.go | 1 +
 8 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/.werft/jobs/build/helm/values.payment.yaml b/.werft/jobs/build/helm/values.payment.yaml
index 2793cf8ab99de2..9ef4746ca98190 100644
--- a/.werft/jobs/build/helm/values.payment.yaml
+++ b/.werft/jobs/build/helm/values.payment.yaml
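Review bot: `configureStripeAPIKeys` writes the Stripe secret key in plaintext to `stripe-api-keys.secret.yaml` in the job's working directory and only deletes it on the last line, so if any of the intermediate `exec` calls throws (util/shell's `exec` is not visible here, but it is presumably rc-checked) the file with the key outlives the job. `configureSSHGateway` directly below already shows the safer pattern for this file — `yq w -` and `kubectl apply -f -` in one pipeline, nothing written to disk — and it also uses `${this.options.deploymentNamespace}` where this method hard-codes `"default"`; unless preview environments always deploy `server` into `default` (not visible in this series), the `stripe-api-keys` volume the installer renders will not resolve. I would collapse the method into a single piped exec as below; if `default` really is intended, keep the literal but say why in a comment. The hunk also contains the unchanged start of `configureSSHGateway`, whose body continues outside it.
```typescript
private configureStripeAPIKeys(slice: string) {
    // Stream the Secret from the core-dev cluster straight into the preview
    // cluster so the Stripe secret key never lands on the job's disk.
    exec(
        `kubectl --kubeconfig ${CORE_DEV_KUBECONFIG_PATH} -n werft get secret stripe-api-keys -o yaml \
            | yq w - metadata.namespace ${this.options.deploymentNamespace} \
            | yq d - metadata.creationTimestamp \
            | yq d - metadata.uid \
            | yq d - metadata.resourceVersion \
            | kubectl --kubeconfig "${this.options.kubeconfigPath}" apply -f -`,
        { slice },
    );
}
```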
@@ -15,7 +15,7 @@ components:
 secretName: chargebee-config
 - name: stripe-config
 secret:
- secretName: stripe-config
+ secretName: stripe-api-keys
 paymentEndpoint:
- disabled: false
\ No newline at end of file
+ disabled: false
diff --git a/.werft/jobs/build/installer/installer.ts b/.werft/jobs/build/installer/installer.ts
index 98cd2849eff820..b5af4bde1a03f1 100644
--- a/.werft/jobs/build/installer/installer.ts
+++ b/.werft/jobs/build/installer/installer.ts
@@ -81,8 +81,9 @@ export class Installer {
 if (this.options.withPayment) {
 // let installer know that there is a chargbee config
 exec(`yq w -i ${this.options.installerConfigPath} experimental.webapp.server.chargebeeSecret chargebee-config`, { slice: slice });
+
 // let installer know that there is a stripe config
- exec(`yq w -i ${this.options.installerConfigPath} experimental.webapp.server.stripeSecret stripe-config`, { slice: slice });
+ exec(`yq w -i ${this.options.installerConfigPath} experimental.webapp.server.stripeSecret stripe-api-keys`, { slice: slice });
 }
 } catch (err) {
diff --git a/components/server/ee/src/user/stripe-service.ts b/components/server/ee/src/user/stripe-service.ts
index d172ae15736901..b3b8dea37057a9 100644
--- a/components/server/ee/src/user/stripe-service.ts
+++ b/components/server/ee/src/user/stripe-service.ts
@@ -17,10 +17,10 @@ export class StripeService {
 protected getStripe(): Stripe {
 if (!this._stripe) {
- if (!this.config.stripeSettings?.secretKey) {
+ if (!this.config.stripeSecrets?.secretKey) {
 throw new Error("Stripe is not properly configured");
 }
- this._stripe = new Stripe(this.config.stripeSettings.secretKey, { apiVersion: "2020-08-27" });
+ this._stripe = new Stripe(this.config.stripeSecrets.secretKey, { apiVersion: "2020-08-27" });
 }
 return this._stripe;
 }
diff --git a/components/server/ee/src/workspace/gitpod-server-impl.ts b/components/server/ee/src/workspace/gitpod-server-impl.ts
index 905328e977d1d9..a858e356e8d621 100644
--- a/components/server/ee/src/workspace/gitpod-server-impl.ts
+++ b/components/server/ee/src/workspace/gitpod-server-impl.ts
@@ -1851,7 +1851,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
 async getStripePublishableKey(ctx: TraceContext): Promise {
 const user = this.checkAndBlockUser("getStripePublishableKey");
 await this.ensureIsUsageBasedFeatureFlagEnabled(user);
- const publishableKey = this.config.stripeSettings?.publishableKey;
+ const publishableKey = this.config.stripeSecrets?.publishableKey;
 if (!publishableKey) {
 throw new ResponseError(
 ErrorCodes.INTERNAL_SERVER_ERROR,
diff --git a/components/server/src/config.ts b/components/server/src/config.ts
index 1870c539bc6b90..bcb69f86b3ad22 100644
--- a/components/server/src/config.ts
+++ b/components/server/src/config.ts
@@ -20,12 +20,12 @@ import { filePathTelepresenceAware } from "@gitpod/gitpod-protocol/lib/env";
 export const Config = Symbol("Config");
 export type Config = Omit<
 ConfigSerialized,
- "blockedRepositories" | "hostUrl" | "chargebeeProviderOptionsFile" | "stripeSettingsFile" | "licenseFile"
+ "blockedRepositories" | "hostUrl" | "chargebeeProviderOptionsFile" | "stripeSecretsFile" | "licenseFile"
 > & {
 hostUrl: GitpodHostUrl;
 workspaceDefaults: WorkspaceDefaults;
 chargebeeProviderOptions?: ChargebeeProviderOptions;
- stripeSettings?: { publishableKey: string; secretKey: string };
+ stripeSecrets?: { publishableKey: string; secretKey: string };
 builtinAuthProvidersConfigured: boolean;
 blockedRepositories: { urlRegExp: RegExp; blockUser: boolean }[];
 inactivityPeriodForRepos?: number;
@@ -151,7 +151,7 @@ export interface ConfigSerialized {
 * Payment related options
 */
 chargebeeProviderOptionsFile?: string;
- stripeSettingsFile?: string;
+ stripeSecretsFile?: string;
 enablePayment?: boolean;
 /**
@@ -215,12 +215,14 @@ export namespace ConfigFile {
 const chargebeeProviderOptions = readOptionsFromFile(
 filePathTelepresenceAware(config.chargebeeProviderOptionsFile || ""),
 );
- let stripeSettings: { publishableKey: string; secretKey: string } | undefined;
- if (config.enablePayment && config.stripeSettingsFile) {
+ let stripeSecrets: { publishableKey: string; secretKey: string } | undefined;
+ if (config.enablePayment && config.stripeSecretsFile) {
 try {
- stripeSettings = JSON.parse(fs.readFileSync(filePathTelepresenceAware(config.stripeSettingsFile), "utf-8"));
+ stripeSecrets = JSON.parse(
+ fs.readFileSync(filePathTelepresenceAware(config.stripeSecretsFile), "utf-8"),
+ );
 } catch (error) {
- console.error("Could not load Stripe settings", error);
+ console.error("Could not load Stripe secrets", error);
 }
 }
 let license = config.license;
@@ -249,7 +251,7 @@ export namespace ConfigFile {
 authProviderConfigs,
 builtinAuthProvidersConfigured,
 chargebeeProviderOptions,
- stripeSettings,
+ stripeSecrets,
 license,
 workspaceGarbageCollection: {
 ...config.workspaceGarbageCollection,
diff --git a/install/installer/pkg/components/server/configmap.go b/install/installer/pkg/components/server/configmap.go
index cc134d52f9fc46..c27b32e08a07d6 100644
--- a/install/installer/pkg/components/server/configmap.go
+++ b/install/installer/pkg/components/server/configmap.go
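Review bot: `stripeSecrets` is assigned straight from `JSON.parse` with no check that the parsed value actually carries string `publishableKey` and `secretKey` fields, even though the variable is declared with exactly that shape; a Secret whose JSON does not match (this series renames the mounted key from `settings` to `apikeys`, and the Secret itself is defined outside the repo) yields a mis-shaped object that only surfaces later as "Stripe is not properly configured" in `StripeService.getStripe`. Since this branch only runs when `enablePayment` is on, the load should fail inside the `try` so the existing `catch` reports it at startup and `stripeSecrets` stays `undefined` rather than half-populated; that keeps the current log-and-continue policy and adds no new behaviour elsewhere. The enclosing `ConfigFile` loader starts and ends outside the hunk.
```typescript
try {
    const parsed = JSON.parse(
        fs.readFileSync(filePathTelepresenceAware(config.stripeSecretsFile), "utf-8"),
    );
    // Reject a mis-shaped file here so the catch below reports it at startup
    // instead of StripeService failing on first use.
    if (typeof parsed?.publishableKey !== "string" || typeof parsed?.secretKey !== "string") {
        throw new Error("stripeSecretsFile must contain string fields publishableKey and secretKey");
    }
    stripeSecrets = parsed;
} catch (error) {
    console.error("Could not load Stripe secrets", error);
}
```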
@@ -218,7 +218,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 VSXRegistryUrl: fmt.Sprintf("https://open-vsx.%s", ctx.Config.Domain), // todo(sje): or "https://{{ .Values.vsxRegistry.host | default "open-vsx.org" }}" if not using OpenVSX proxy
 EnablePayment: chargebeeSecret != "" || stripeSecret != "",
 ChargebeeProviderOptionsFile: fmt.Sprintf("%s/providerOptions", chargebeeMountPath),
- StripeSettingsFile: fmt.Sprintf("%s/settings", stripeMountPath),
+ StripeSecretsFile: fmt.Sprintf("%s/apikeys", stripeMountPath),
 InsecureNoDomain: false,
 PrebuildLimiter: map[string]int{
 // default limit for all cloneURLs
diff --git a/install/installer/pkg/components/server/deployment.go b/install/installer/pkg/components/server/deployment.go
index a2a0e11f73bbf9..1e8bb59675987c 100644
--- a/install/installer/pkg/components/server/deployment.go
+++ b/install/installer/pkg/components/server/deployment.go
@@ -194,7 +194,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 volumes = append(volumes, corev1.Volume{
- Name: "stripe-config",
+ Name: "stripe-secret",
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
 SecretName: stripeSecret,
@@ -203,7 +203,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 })
 volumeMounts = append(volumeMounts, corev1.VolumeMount{
- Name: "stripe-config",
+ Name: "stripe-secret",
 MountPath: stripeMountPath,
 ReadOnly: true,
 })
diff --git a/install/installer/pkg/components/server/types.go b/install/installer/pkg/components/server/types.go
index 2a6757b7365f8f..b24880f7a092d2 100644
--- a/install/installer/pkg/components/server/types.go
+++ b/install/installer/pkg/components/server/types.go
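Review bot: The mounted file name changes from `settings` to `apikeys` on the `StripeSecretsFile` line, which silently couples this renderer to the data key of whatever Secret `stripeSecret` names; that Secret is not defined anywhere in this series (patch 1 copies it out of the werft namespace and patch 3's message says it now comes from GCP Secret Manager), so a key-name mismatch would surface only as server's "Could not load Stripe secrets" at runtime. The contract deserves a comment on the new line so the next person changing either side sees it: `// "apikeys" must equal the data key of the Secret referenced by stripeSecret (JSON with publishableKey/secretKey)`. `configmap` starts and ends outside the hunk.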
@@ -33,6 +33,7 @@ type ConfigSerialized struct {
 VSXRegistryUrl string `json:"vsxRegistryUrl"`
 ChargebeeProviderOptionsFile string `json:"chargebeeProviderOptionsFile"`
 StripeSettingsFile string `json:"stripeSettingsFile"`
+ StripeSecretsFile string `json:"stripeSecretsFile"`
 EnablePayment bool `json:"enablePayment"`
 WorkspaceHeartbeat WorkspaceHeartbeat `json:"workspaceHeartbeat"`
From bc9964532b42cad928f2b1ae951de15ab42f8ec5 Mon Sep 17 00:00:00 2001
From: Andrew Farries
Date: Thu, 9 Jun 2022 15:29:21 +0000
Subject: [PATCH 3/4] Remove stripe config secret
This now comes into clusters via GCP Secret Manager and terraform.
---
 .werft/jobs/build/payment/stripe-config-secret.yaml | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 .werft/jobs/build/payment/stripe-config-secret.yaml
diff --git a/.werft/jobs/build/payment/stripe-config-secret.yaml b/.werft/jobs/build/payment/stripe-config-secret.yaml
deleted file mode 100644
index 99d0599812211f..00000000000000
--- a/.werft/jobs/build/payment/stripe-config-secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-data:
- settings: eyJwdWJsaXNoYWJsZUtleSI6InBrX3Rlc3RfNTFLeHVyN0dhZFJYbTUwbzNJNXJKQTNvbnkxdGNmdTNkM0NOd3BUWFR6QURkWTJISmlvRk1XTGdTa2M1d2h0UkZRam85UG5kM3pYYUdlcktQcXRmN0REQ3kwMFhBb01kbjZhIiwic2VjcmV0S2V5Ijoic2tfdGVzdF81MUt4dXI3R2FkUlhtNTBvM0NtVFJWc1Q2Q0xqd0VlSlhsWWtmdjZHajREQm42aVlVeDJQWUlUNDhjVlI5dlNUS0s1b2hwQTVCdWdycU5NUU9WVzN0NVJIODAwS011T3lEZ1QifQo=
-kind: Secret
-metadata:
- name: stripe-config
- namespace: ${NAMESPACE}
-type: Opaque
From 1ddaa164fdd1245e5f03a72443380bdc2c3f56e2 Mon Sep 17 00:00:00 2001
From: Andrew Farries
Date: Mon, 13 Jun 2022 14:46:27 +0000
Subject: [PATCH 4/4] Remove stripeSettingsFile from server config
---
 install/installer/pkg/components/server/types.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/install/installer/pkg/components/server/types.go b/install/installer/pkg/components/server/types.go
index b24880f7a092d2..80709b6d5d7768 100644
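Review bot: Deleting `stripe-config-secret.yaml` does not remove the key material it carried from git history: the `settings` value is a base64-encoded JSON document that decodes to a `pk_test_…` publishable key and an `sk_test_…` secret key, so anyone with a clone of the repository still has a working Stripe test-mode secret key. Test mode or not, that key can create customers, charges and webhooks against the account and should be rotated in the Stripe dashboard, and the rotated value — not the one from this file — is what the `stripe-api-keys` Secret sourced from GCP Secret Manager should carry; nothing in this series shows which value that Secret holds, so that is worth confirming in a follow-up. A history rewrite is optional once the key is dead; rotation is the part that matters.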
--- a/install/installer/pkg/components/server/types.go
+++ b/install/installer/pkg/components/server/types.go
@@ -32,7 +32,6 @@ type ConfigSerialized struct {
 ImageBuilderAddr string `json:"imageBuilderAddr"`
 VSXRegistryUrl string `json:"vsxRegistryUrl"`
 ChargebeeProviderOptionsFile string `json:"chargebeeProviderOptionsFile"`
- StripeSettingsFile string `json:"stripeSettingsFile"`
 StripeSecretsFile string `json:"stripeSecretsFile"`
 EnablePayment bool `json:"enablePayment"`