Use new stripe secret in preview environments

[andrew-farries]

Description

Following on from #10552 which added the stripe-api-keys secret to preview environment clusters, this PR makes the server component use the secret and removes the old stripe-config secret from the repo.

Related Issue(s)

Part of #9036 and https://github.com/gitpod-io/ops/issues/2554

How to test

Manually trigger a werft job for this branch (Notion doc), setting with-payment=true.

Check that server is in a running state in the preview environment cluster and that it has successfully mounted the stripe-api-keys secret:

> kubectl describe pod <server pod>

Release Notes

NONE

[andrew-farries]

/hold

[jankeromnes]

Cool, many thanks @andrew-farries!

I want to try something:

/werft run github -j .werft/build.yaml -a with-payment=true -a updateGitHubStatus=gitpod-io/gitpod -f

👍 started the job as gitpod-build-af-use-stripe-secret-in-preview.2
(with .werft/ from main)

[jankeromnes]

Well that didn't work.

I also tried running werft run github -j .werft/build.yaml -a with-payment=true -f in a Gitpod workspace, but this seems to have failed:

https://werft.gitpod-dev.com/job/gitpod-custom-af-use-stripe-secret-in-preview.1/raw

[Adding preview-specific configuration] STDERR: Error from server (Conflict): error when applying patch:
[Adding preview-specific configuration] {"metadata":{"creationTimestamp":"2022-06-09T09:57:08Z","resourceVersion":"289359424","uid":"17b131a5-96ae-4b78-9e82-b97211a41c31"}}
[Adding preview-specific configuration] to:
[Adding preview-specific configuration] Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
[Adding preview-specific configuration] Name: "stripe-api-keys", Namespace: "default"
[Adding preview-specific configuration] for: "stripe-api-keys.secret.yaml": Operation cannot be fulfilled on secrets "stripe-api-keys": the object has been modified; please apply your changes to the latest version and try again

[deploy|FAIL] Error: Error: kubectl --kubeconfig "/workspace/gitpod/kubeconfigs/k3s" apply -f stripe-api-keys.secret.yaml exit with non-zero status code.

Did I do something wrong?

[andrew-farries]

Does it work from a clean slate deployment?

[andrew-farries]

Maybe the kubectl apply here:

gitpod/.werft/jobs/build/installer/installer.ts

Line 172 in 4b1b513

exec(`kubectl --kubeconfig "${this.options.kubeconfigPath}" apply -f stripe-api-keys.secret.yaml`, { slice });

Should be a kubectl create to match here:

gitpod/.werft/jobs/build/installer/installer.ts

Lines 157 to 162 in 4b1b513

	kubectl create secret generic "$providerId" \
	--namespace "${this.options.deploymentNamespace}" \
	--kubeconfig "${this.options.kubeconfigPath}" \
	--from-literal=provider="$data" \
	--dry-run=client -o yaml | \
	kubectl --kubeconfig "${this.options.kubeconfigPath}" replace --force -f -

[andrew-farries]

Looks like the kubectl apply is the problem. See here.

[andrew-farries]

This should be working now @jankeromnes. Could you try again?

[jankeromnes]

Many thanks! Will give this another go.

By the way, the test instructions I tried in #10563 (comment) are still current, right?

[andrew-farries]

Yes, if you run those same instructions again, I think the secret will apply properly this time.

[jankeromnes]

Many thanks! 🙏 Okay, I tried again, and here is how far I got this time:

Build worked ✅ https://werft.gitpod-dev.com/job/gitpod-custom-af-use-stripe-secret-in-preview.4

The preview deployment seems to work ✅ https://af-use-strfbd5d8d72f.preview.gitpod-dev.com/workspaces

However, testing the Stripe integration didn't work:

1. Create a Team called "Gitpod" (or "Gitpod1", "Gitpod2", etc -- first one that isn't already taken)
2. Go to Team Billing
3. Try to upgrade to Usage-Based by adding a payment method

Credit card input never appears	Console shows these errors

Checking on the server pod, I get these relevant errors:

Could not load Stripe settings

Error: ENOENT: no such file or directory, open '/stripe/settings'
    at Object.openSync (node:fs:585:3)
    at Object.readFileSync (node:fs:453:35)
    at loadAndCompleteConfig (/app/node_modules/@gitpod/server/dist/src/config.js:57:48)

Request getStripeSetupIntentClientSecret unsuccessful: 500/"Failed to create Stripe SetupIntent"

Error: Stripe is not properly configured
    at StripeService.getStripe (/app/node_modules/@gitpod/server/dist/ee/src/user/stripe-service.js:36:23)

Maybe there is something that needs to be adjusted so that the server can access the new secret values via the config? Sorry for not knowing much further here. 🙈

[andrew-farries]

/werft run

👍 started the job as gitpod-build-af-use-stripe-secret-in-preview.14
(with .werft/ from main)

[andrew-farries]

@jankeromnes This should be resolved now. The problem was the key in the secret data had changed from config to apikeys. As we discussed last week, we should use a secret for the keys and a configmap for other non-sensitive config, so I've renamed things here so that makes sense.

I've run through the steps in your comment and I can get to the payment UI.

[jankeromnes]

Awesome, many thanks @andrew-farries!

Code looks good and works as advertised. ✅

Feel free to merge when you want, but I believe one line could still be removed in this PR. 🧹

/hold

[jankeromnes]

Shouldn't the line above be removed?

Suggested change

	StripeSettingsFile string `json:"stripeSettingsFile"`
	StripeSecretsFile string `json:"stripeSecretsFile"`
	StripeSecretsFile string `json:"stripeSecretsFile"`

[andrew-farries]

Yes, I think you are right. It will probably come back again in another PR but let's remove it for now.

7da5eab

[andrew-farries]

/unhold