gitpod-io · roboquat · Jul 22, 2021 · Jun 18, 2021 · Jun 18, 2021 · Jun 18, 2021
diff --git a/chart/templates/image-builder-configmap.yaml b/chart/templates/image-builder-configmap.yaml
@@ -4,16 +4,6 @@
 {{ $comp := .Values.components.imageBuilder -}}
 {{- $this := dict "root" . "gp" $.Values "comp" $comp -}}
 
-{{- define "registry-name" -}}
-{{- $comp := .comp -}}
-{{- $ := .root -}}
-{{- if eq $comp.registry.name "builtin" -}}
-{{ template "gitpod.builtinRegistry.name" $ }}
-{{- else -}}
-{{ $comp.registry.name }}
-{{- end -}}
-{{- end -}}
-
 {{- if not $comp.disabled -}}
 apiVersion: v1
 kind: ConfigMap

diff --git a/chart/templates/image-builder-mk3-authkey-secret.yaml b/chart/templates/image-builder-mk3-authkey-secret.yaml
@@ -0,0 +1,15 @@
+# Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: image-builder-mk3-authkey
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  keyfile: {{ randAlphaNum 32 | b64enc }}
diff --git a/chart/templates/image-builder-mk3-configmap.yaml b/chart/templates/image-builder-mk3-configmap.yaml
@@ -0,0 +1,67 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ $comp := .Values.components.imageBuilderMk3 -}}
+{{ $compImgbldr := .Values.components.imageBuilder -}}
+{{- $this := dict "root" . "gp" $.Values "comp" $comp "compImgbldr" $compImgbldr -}}
+
+{{- define "registry-name" -}}
+{{- $comp := .comp -}}
+{{- $compImgbldr := .compImgbldr -}}
+{{- $ := .root -}}
+{{- if eq (default $comp.registry $compImgbldr.registry).name "builtin" -}}
+{{ template "gitpod.builtinRegistry.name" $ }}
+{{- else -}}
+{{ (default $comp.registry $compImgbldr.registry).name }}
+{{- end -}}
+{{- end -}}
+
+{{- if not $comp.disabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: image-builder-mk3-config
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+  image-builder.json: |-
+    {
+        "orchestrator": {
+            {{- if (default $comp.registry $compImgbldr.registry).secretName -}}"authFile": "/config/pull-secret.json",{{- end -}}
+            "gitpodLayerLoc": "/app/workspace-image-layer.tar.gz",
+            "baseImageRepository": "{{ or (default $comp.registry $compImgbldr.registry).baseImageName (print (include "registry-name" $this) "/base-images") }}",
+            "workspaceImageRepository": "{{ or (default $comp.registry $compImgbldr.registry).workspaceImageName (print (include "registry-name" $this) "/workspace-images") }}",
+            "imageBuildSalt": "{{ $comp.imageBuildSalt | default "" }}",
+            {{- if $comp.wsman -}}
+            {{ $comp.wsman | fromYaml | toJson }}
+            {{- else -}}
+            "wsman": {
+                "address": "ws-manager:8080",
+                "tls": {
+                    "ca": "/wsman-certs/ca.crt",
+                    "crt": "/wsman-certs/tls.crt",
+                    "key": "/wsman-certs/tls.key"
+                }
+            },
+            {{- end -}}
+            "builderImage": "{{ template "gitpod.comp.imageFull" (dict "root" . "gp" $.Values "comp" $comp.builderImage) }}",
+            "builderAuthKeyFile": "/config/authkey"
+        },
+        "refCache": {
+            "interval": "6h",
+            "refs": ["{{ template "gitpod.comp.imageFull" (dict "root" . "gp" $.Values "comp" .Values.components.workspace.defaultImage) }}"]
+        },
+        "pprof": {
+            "address": ":6060"
+        },
+        "prometheus": {
+            "address": "127.0.0.1:9500"
+        },
+        "service": {
+            "address": ":8080"
+        }
+    }
+{{- end -}}
diff --git a/chart/templates/image-builder-mk3-deployment.yaml b/chart/templates/image-builder-mk3-deployment.yaml
@@ -0,0 +1,107 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ $comp := .Values.components.imageBuilderMk3 -}}
+{{ $compImgbldr := .Values.components.imageBuilder -}}
+{{- $this := dict "root" . "gp" $.Values "comp" $comp "compImgbldr" $compImgbldr -}}
+{{- if not $comp.disabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: image-builder-mk3
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: image-builder-mk3
+    kind: deployment
+    stage: {{ .Values.installation.stage }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "gitpod.fullname" . }}
+      component: image-builder-mk3
+      kind: pod
+      stage: {{ .Values.installation.stage }}
+  replicas: {{ $comp.replicas | default 1 }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      name: image-builder-mk3
+      labels:
+        app: {{ template "gitpod.fullname" . }}
+        component: image-builder-mk3
+        kind: pod
+        stage: {{ .Values.installation.stage }}
+      annotations:
+{{- if index .Values "docker-registry" "enabled" }}
+        checksum/builtin-registry-auth: {{ include (print $.Template.BasePath "/builtin-registry-auth-secret.yaml") . | sha256sum }}
+{{- end -}}
+{{ include "gitpod.pod.dependsOn" $this | indent 8 }}
+    spec:
+{{ include "gitpod.workspaceAffinity" $this | indent 6 }}
+      serviceAccountName: image-builder-mk3
+      volumes:
+      - name: configuration
+        configMap:
+          name: {{ template "gitpod.comp.configMap" $this }}
+      - name: authkey
+        secret:
+          secretName: image-builder-mk3-authkey
+      {{- if (default $compImgbldr.registry).secretName }}
+      - name: pull-secret
+        secret:
+          secretName: {{ (default $compImgbldr.registry).secretName }}
+      {{- end }}
+{{- range $idx, $sec := (default $comp.registryCerts $compImgbldr.registryCerts) }}
+      - name: docker-tls-certs-{{ $idx }}
+        secret:
+          secretName: {{ $sec.secret }}
+{{- end }}
+      - name: wsman-tls-certs
+        secret:
+          secretName: {{ .Values.components.wsManager.tls.server.secretName }}
+      enableServiceLinks: false
+      containers:
+{{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
+      - name: image-builder-mk3
+{{ include "gitpod.container.defaultEnv" $this | indent 8 }}
+{{ include "gitpod.container.tracingEnv" $this | indent 8 }}
+        image: {{ template "gitpod.comp.imageFull" $this }}
+        args:
+        - "run"
+        - "-v"
+        - "--config"
+        - "/config/image-builder.json"
+{{ include "gitpod.container.imagePullPolicy" $this | indent 8 }}
+        volumeMounts:
+        - mountPath: /config/image-builder.json
+          subPath: "image-builder.json"
+          name: configuration
+        - mountPath: /config/authkey
+          subPath: "keyfile"
+          name: authkey
+        - mountPath: /wsman-certs
+          name: wsman-tls-certs
+          readOnly: true
+{{- if (default $comp $compImgbldr).registry }}
+{{- if (default $comp $compImgbldr).registry.secretName }}
+        - mountPath: /config/pull-secret.json
+          subPath: .dockerconfigjson
+          name: pull-secret
+{{- end }}
+{{- end }}
+        resources:
+          requests:
+            cpu: {{ $.Values.resources.default.cpu }}
+            memory: {{ $.Values.resources.default.memory }}
+{{ include "gitpod.container.ports" $this | indent 8 }}
+        securityContext:
+          runAsUser: 33333
+          privileged: false
+{{ include "gitpod.container.defaultEnv" $this | indent 8 }}
+{{ include "gitpod.container.tracingEnv" $this | indent 8 }}
+{{ toYaml .Values.defaults | indent 6 }}
+{{ end }}
diff --git a/chart/templates/image-builder-mk3-networkpolicy.yaml b/chart/templates/image-builder-mk3-networkpolicy.yaml
@@ -0,0 +1,37 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ if .Values.installNetworkPolicies -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: image-builder-mk3
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: image-builder-mk3
+    kind: networkpolicy
+    stage: {{ .Values.installation.stage }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ template "gitpod.fullname" . }}
+      component: image-builder-mk3
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+    # server
+  - from:
+    - podSelector:
+        matchLabels:
+          app: {{ template "gitpod.fullname" $ }}
+          component: {{ .Values.components.server.name }}
+  egress:
+  - to:
+    # Allow egress to everywhere, except...
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+        # Google Compute engine special, reserved VM metadata IP
+        - 169.254.169.254/32
+{{- end -}}
diff --git a/chart/templates/image-builder-mk3-psp-clusterrole.yaml b/chart/templates/image-builder-mk3-psp-clusterrole.yaml
@@ -0,0 +1,20 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ if .Values.installPodSecurityPolicies -}}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Namespace }}-ns-image-builder-mk3
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: cluster
+    kind: clusterrole
+    stage: {{ .Values.installation.stage }}
+rules:
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames:
+    - {{ .Release.Namespace }}-ns-privileged-unconfined
+{{- end -}}
diff --git a/chart/templates/image-builder-mk3-rolebinding.yaml b/chart/templates/image-builder-mk3-rolebinding.yaml
@@ -0,0 +1,39 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: image-builder-mk3-rb
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: image-builder-mk3
+    kind: role-binding
+    stage: {{ .Values.installation.stage }}
+subjects:
+- kind: ServiceAccount
+  name: image-builder-mk3
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Namespace }}-ns-image-builder-mk3
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Namespace }}-image-builder-mk3-kube-rbac-proxy
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: image-builder-mk3
+    kind: role-binding
+    stage: {{ .Values.installation.stage }}
+subjects:
+- kind: ServiceAccount
+  name: image-builder-mk3
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name:  {{ .Release.Namespace }}-kube-rbac-proxy
+  apiGroup: rbac.authorization.k8s.io
diff --git a/chart/templates/image-builder-mk3-service.yaml b/chart/templates/image-builder-mk3-service.yaml
@@ -0,0 +1,4 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ template "gitpod.service.default" dict "root" . "gp" .Values "comp" .Values.components.imageBuilderMk3 }}
diff --git a/chart/templates/image-builder-mk3-serviceaccount.yaml b/chart/templates/image-builder-mk3-serviceaccount.yaml
@@ -0,0 +1,12 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: image-builder-mk3
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: image-builder-mk3
+    kind: service-account
+    stage: {{ .Values.installation.stage }}
diff --git a/chart/templates/workspace-template.yaml b/chart/templates/workspace-template.yaml
@@ -53,6 +53,10 @@ data:
   "ghost.yaml": |
 {{ dict | merge ($comp.templates.ghost | default dict) (include "coreWorkspaceAffinity" (dict "comp" $comp "tpe" "ghost") | fromYaml) | toJson | indent 4 }}
 {{- end }}
+{{ if (or $comp.templates.imagebuild $comp.affinity) }}
+  "imagebuild.yaml": |
+{{ dict | merge ($comp.templates.imagebuild | default dict) (include "coreWorkspaceAffinity" (dict "comp" $comp "tpe" "imagebuild") | fromYaml) | toJson | indent 4 }}
+{{- end }}
 {{ if (or $comp.templates.regular $comp.affinity) }}
   "regular.yaml": |
 {{ dict | merge ($comp.templates.regular | default dict) (include "coreWorkspaceAffinity" (dict "comp" $comp "tpe" "regular") | fromYaml) | toJson | indent 4 }}

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -234,6 +234,18 @@ components:
         expose: true
         containerPort: 8080
 
+  imageBuilderMk3:
+    name: "image-builder-mk3"
+    dependsOn:
+    - "image-builder-mk3-configmap.yaml"
+    alpineImage: alpine:3.13
+    builderImage:
+      imageName: "image-builder-mk3/bob"
+    ports:
+      rpc:
+        expose: true
+        containerPort: 8080
+
   kedge:
     name: "kedge"
     disabled: true

diff --git a/components/BUILD.yaml b/components/BUILD.yaml
@@ -44,6 +44,8 @@ packages:
       - components/ide/code:docker
       - components/ide/theia:docker
       - components/image-builder:docker
+      - components/image-builder-mk3:docker
+      - components/image-builder-bob:docker
       - components/local-app:docker
       - components/proxy:docker
       - components/registry-facade:docker