gitpod-io · aledbf · Jul 6, 2021 · Jul 6, 2021 · Jul 6, 2021 · Jul 6, 2021
diff --git a/chart/templates/_default.yaml b/chart/templates/_default.yaml
@@ -51,7 +51,6 @@ spec:
   {{- if $comp.clusterIP }}
   clusterIP: {{ $comp.clusterIP }}
   {{- end }}
-  sessionAffinity: {{ $comp.serviceSessionAffinity | default "None" }}
   {{ if $comp.serviceExternalTrafficPolicy -}}
   externalTrafficPolicy: {{ $comp.serviceExternalTrafficPolicy }}
   {{- end }}

diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
@@ -89,42 +89,13 @@ affinity:
 {{- define "gitpod.workspaceAffinity" -}}
 {{- $ := .root -}}
 {{- $gp := .gp -}}
-{{- $expr := dict -}}
-{{- if $gp.components.workspace.affinity -}}
-{{- if $gp.components.workspace.affinity.default -}}{{- $_ := set $expr $gp.components.workspace.affinity.default "" -}}{{- end -}}
-{{- if $gp.components.workspace.affinity.prebuild -}}{{- $_ := set $expr $gp.components.workspace.affinity.prebuild "" -}}{{- end -}}
-{{- if $gp.components.workspace.affinity.probe -}}{{- $_ := set $expr $gp.components.workspace.affinity.probe "" -}}{{- end -}}
-{{- if $gp.components.workspace.affinity.regular -}}{{- $_ := set $expr $gp.components.workspace.affinity.regular "" -}}{{- end -}}
-{{- end -}}
-{{- /*
-  In a previous iteration of the templates the node affinity was part of the workspace pod template.
-  In that case we need to extract the affinity from the template and add it to the workspace affinity set.
-*/ -}}
-{{- if $gp.components.workspace.template -}}
-{{- if $gp.components.workspace.template.spec -}}
-{{- if $gp.components.workspace.template.spec.affinity -}}
-{{- if $gp.components.workspace.template.spec.affinity.nodeAffinity -}}
-{{- if $gp.components.workspace.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution -}}
-{{- range $_, $t := $gp.components.workspace.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms -}}
-{{- range $_, $m := $t.matchExpressions -}}
-    {{- $_ := set $expr $m.key "" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- if not (eq (len $expr) 0) -}}
+{{- $comp := .comp -}}
+{{- if $comp.affinity -}}
 affinity:
-  nodeAffinity:
-    requiredDuringSchedulingIgnoredDuringExecution:
-      nodeSelectorTerms:
-      {{- range $key, $val := $expr }}
-      - matchExpressions:
-        - key: {{ $key }}
-          operator: Exists
-      {{- end }}
+{{ $comp.affinity | toYaml | indent 2 }}
+{{- else if $gp.affinity -}}
+affinity:
+{{ $gp.affinity | toYaml | indent 2 }}
 {{- end -}}
 {{- end -}}
 
@@ -375,3 +346,40 @@ storage:
     runAsUser: 65532
   terminationMessagePolicy: FallbackToLogsOnError
 {{- end -}}
+
+{{/* Container definition to update ca-certificates and add gitpod self-signed CA certificate */}}
+{{- define "gitpod.ca-certificates.container" -}}
+- name: update-ca-certificates
+  image: alpine:3.14
+  command:
+  - sh
+  - -c
+  - |
+    set -e
+    apk add --update ca-certificates
+    cp /etc/ssl/gitpod-ca.crt /usr/local/share/ca-certificates
+    update-ca-certificates
+    cp /etc/ssl/certs/* /ssl-certs
+    echo "OK"
+  volumeMounts:
+    - name: cacerts
+      mountPath: "/ssl-certs"
+    - name: registry-certs
+      subPath: ca.crt
+      mountPath: /etc/ssl/gitpod-ca.crt
+{{- end -}}
+
+{{/* Volume mount for updated ca-certificates */}}
+{{- define "gitpod.ca-certificates.volumeMount" }}
+- name: cacerts
+  mountPath: /etc/ssl/certs
+{{- end -}}
+
+{{/* emptyDir volume ca-certificates */}}
+{{- define "gitpod.ca-certificates.volume" }}
+- name: cacerts
+  emptyDir: {}
+- name: registry-certs
+  secret:
+    secretName: builtin-registry-certs
+{{- end -}}
diff --git a/chart/templates/builtin-proxy-certs-secret.yaml b/chart/templates/builtin-proxy-certs-secret.yaml
@@ -0,0 +1,34 @@
+# Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ $comp := .Values.components.proxy -}}
+{{ $certManager := (index .Values "cert-manager") }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: proxy-config-certificates
+spec:
+  secretName: proxy-config-certificates
+  commonName: {{ .Values.hostname | quote }}
+  dnsNames:
+    - {{ .Values.hostname | quote }}
+    - "*.{{ .Values.hostname }}"
+    - "*.ws{{- if .Values.installation.shortname -}}-{{ .Values.installation.shortname }}{{- end -}}.{{ .Values.hostname }}"
+    {{- range $index, $dnsName := $certManager.certificate.additionalNames }}
+    - {{ $dnsName | quote }}
+    {{ end -}}
+  {{- if $comp.certManager }} {{/*  custom proxy certificate issuer */}}
+  {{ if $comp.certManager.issuerRef }} {{/*  use custom issuer */}}
+  issuerRef: {{ $comp.certManager.issuerRef }}
+  {{ else }}
+  issuerRef:
+    name: {{ if $comp.certManager.issuerName }}{{$comp.certManager.issuerName}}{{ else }}gitpod{{ end }}
+    kind: {{ if $comp.certManager.issuerKind }}{{$comp.certManager.issuerKind}}{{ else }}Issuer{{ end }}
+    group: cert-manager.io
+  {{ end }}
+  {{ else }}
+  issuerRef:
+    name: gitpod
+    kind: Issuer
+    group: cert-manager.io
+  {{ end }}
diff --git a/chart/templates/builtin-registry-certs-secret.yaml b/chart/templates/builtin-registry-certs-secret.yaml
@@ -3,9 +3,7 @@
 
 {{ if (index .Values "docker-registry" "enabled") }}
 {{- $regName := include "gitpod.builtinRegistry.name" . -}}
-{{ $cm := (index .Values "cert-manager") }}
-{{- if $cm.enabled }}
-
+{{ $certManager := (index .Values "cert-manager") }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -14,30 +12,7 @@ spec:
   secretName: builtin-registry-certs
   dnsNames: {{ ( list $regName ) | toJson }}
   issuerRef:
-    name: {{ $cm.ca.issuerName }}
+    name: {{ $certManager.ca.issuerName }}
     kind: Issuer
     group: cert-manager.io
-
-{{- else }}
-{{- $ca := genCA "wsdaemon-ca" 365 -}}
-{{- $cert := genSignedCert (include "gitpod.fullname" . ) nil ( list $regName ) 365 $ca -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: builtin-registry-certs
-  labels:
-    app: {{ template "gitpod.fullname" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-  annotations:
-    checksum/cert: {{ $cert.Cert | indent 2 | sha256sum }}
-data:
-  ca.crt: {{ $ca.Cert | b64enc }}
-  tls.key: {{ $cert.Key | b64enc }}
-  # Docker registry needs this file to end with .crt
-  tls.crt: {{ $cert.Cert | b64enc }}
-  # Docker daemon needs this file to end with .cert
-  tls.cert: {{ $cert.Cert | b64enc }}
-{{- end }}
 {{- end }}
diff --git a/chart/templates/certmanager-ca.yaml b/chart/templates/certmanager-ca.yaml
@@ -1,27 +1,36 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
-{{ $cm := (index .Values "cert-manager") }}
-{{- if $cm.enabled }}
-{{- if $cm.ca.certificate.selfSigned }}
-{{ $tls := genCA "gitpod-ca" 365 }}
-kind: Secret
-apiVersion: v1
+{{ $certManager := (index .Values "cert-manager") }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
 metadata:
-  name: {{ $cm.ca.certificate.secretName }}
+  name: gitpod-selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ $certManager.ca.secretName }}
   namespace: {{ .Release.Namespace }}
-data:
-  tls.crt: {{ $tls.Cert | b64enc }}
-  tls.key: {{ $tls.Key | b64enc }}
-type: kubernetes.io/tls
+spec:
+  isCA: true
+  commonName: {{ $certManager.ca.issuerName }}
+  secretName: {{ $certManager.ca.secretName }}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: gitpod-selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
 ---
-{{- end }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: {{ $cm.ca.issuerName }}
+  name: {{ $certManager.ca.issuerName }}
   namespace: {{ .Release.Namespace }}
 spec:
   ca:
-    secretName: {{ $cm.ca.certificate.secretName }}
-{{- end }}
+    secretName: {{ $certManager.ca.secretName }}
diff --git a/chart/templates/db-initscripts-configmap.yaml b/chart/templates/db-initscripts-configmap.yaml
@@ -1,7 +1,6 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
-{{ if not .Values.components.db.gcloudSqlProxy.enabled -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -17,7 +16,6 @@ metadata:
 data:
   init.sql: |-
 {{- $root := . }}
-{{- range $path, $bytes := .Files.Glob "config/db/init/**.sql" }}
+{{- range $path, $bytes := .Files.Glob "config/db/init/02-create-and-init-sessions-db.sql" }}
 {{ $root.Files.Get $path | indent 4 }}
 {{- end }}
-{{- end -}}
diff --git a/chart/templates/db-serviceaccount.yaml b/chart/templates/db-serviceaccount.yaml
@@ -10,4 +10,4 @@ metadata:
     component: db
     kind: service-account
     stage: {{ .Values.installation.stage }}
-automountServiceAccountToken: false
+automountServiceAccountToken: false
diff --git a/chart/templates/db-sessions-job.yaml b/chart/templates/db-sessions-job.yaml
@@ -0,0 +1,57 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ $comp := .Values.components.db }}
+{{- $this := dict "root" . "gp" $.Values "comp" $comp -}}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: database-sessions
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: database-sessions
+    kind: job
+    stage: {{ .Values.installation.stage }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    # see https://github.com/helm/helm/blob/master/docs/charts_hooks.md
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+    "helm.sh/hook-delete-timeout": "0"
+spec:
+  template:
+    metadata:
+      name: database-sessions
+      labels:
+        app: {{ template "gitpod.fullname" . }}
+        component: database-sessions
+        kind: job
+        stage: {{ .Values.installation.stage }}
+    spec:
+{{ include "gitpod.pod.affinity" $this | indent 6 }}
+      restartPolicy: Never
+      serviceAccountName: db
+      imagePullSecrets:
+      enableServiceLinks: false
+      containers:
+      - name: database-sessions
+        image: mysql:5.7.34
+        env:
+        - name: "MYSQL_PWD"
+          value: "{{ $.Values.db.password }}"
+        - name: "DB_PORT"
+          value: "{{ $.Values.db.port }}"
+        - name: "DB_HOST"
+          value: "{{ $.Values.db.host }}"
+        command: ["sh","-c","mysql -h $DB_HOST --port $DB_PORT -u gitpod < /db-init-scripts/init.sql"]
+        volumeMounts:
+        - name: db-init-scripts
+          mountPath: "/db-init-scripts"
+          readOnly: true
+      volumes:
+      - name: db-init-scripts
+        configMap:
+          name: db-init-scripts
diff --git a/chart/templates/image-builder-deployment.yaml b/chart/templates/image-builder-deployment.yaml
@@ -77,8 +77,18 @@ spec:
         - mountPath: /var/lib/docker
           name: dind-storage
 {{- range $idx, $sec := $comp.registryCerts }}
-        - mountPath: /etc/docker/certs.d/{{- if eq $sec.name "builtin" -}}{{ template "gitpod.builtinRegistry.name" $this.root }}{{ else }}{{ $sec.name }}{{ end }}
+        - mountPath: /etc/docker/certs.d/{{- if eq $sec.name "builtin" -}}{{ template "gitpod.builtinRegistry.name" $this.root }}{{ else }}{{ $sec.name }}{{ end }}/tls.cert
           name: docker-tls-certs-{{ $idx }}
+          subPath: tls.crt
+        - mountPath: /etc/docker/certs.d/{{- if eq $sec.name "builtin" -}}{{ template "gitpod.builtinRegistry.name" $this.root }}{{ else }}{{ $sec.name }}{{ end }}/tls.crt
+          name: docker-tls-certs-{{ $idx }}
+          subPath: tls.crt
+        - mountPath: /etc/docker/certs.d/{{- if eq $sec.name "builtin" -}}{{ template "gitpod.builtinRegistry.name" $this.root }}{{ else }}{{ $sec.name }}{{ end }}/tls.key
+          name: docker-tls-certs-{{ $idx }}
+          subPath: tls.key
+        - mountPath: /etc/docker/certs.d/{{- if eq $sec.name "builtin" -}}{{ template "gitpod.builtinRegistry.name" $this.root }}{{ else }}{{ $sec.name }}{{ end }}/ca.crt
+          name: docker-tls-certs-{{ $idx }}
+          subPath: ca.crt
 {{- end }}
 {{- if $comp.dindResources }}
         resources:

diff --git a/chart/templates/registry-facade-daemonset.yaml b/chart/templates/registry-facade-daemonset.yaml
@@ -32,9 +32,31 @@ spec:
         stage: {{ .Values.installation.stage }}
         gitpod.io/nodeService: registry-facade
     spec:
+      hostPID: true
 {{ include "gitpod.workspaceAffinity" $this | indent 6 }}
       serviceAccountName: registry-facade
       enableServiceLinks: false
+      initContainers:
+{{ include "gitpod.ca-certificates.container" $this | indent 8 }}
+        # Add gitpod self-signed CA certificate to containerd
+        # in order to pull images from the host without x509 errors
+        - name: update-containerd-certificates
+          command: ["nsenter"]
+          args: ["--mount=/proc/1/ns/mnt", "--", "sh", "-c", "$(SETUP_SCRIPT)"]
+          image: alpine:3.14
+          env:
+          - name: GITPOD_CA_CERT
+            valueFrom:
+              secretKeyRef:
+                name: builtin-registry-certs
+                key: ca.crt
+          - name: SETUP_SCRIPT
+            valueFrom:
+              configMapKeyRef:
+                name: update-containerd-certificates
+                key: setup.sh
+          securityContext:
+            privileged: true
       containers:
       - name: registry-facade
         image: {{ template "gitpod.comp.imageFull" $this }}
@@ -53,6 +75,7 @@ spec:
         - name: GRPC_GO_RETRY
           value: "on"
         volumeMounts:
+{{ include "gitpod.ca-certificates.volumeMount" $this | indent 8 }}
         - name: cache
           mountPath: "/mnt/cache"
         - name: config
@@ -90,5 +113,19 @@ spec:
         secret:
           secretName: {{ .Values.certificatesSecret.secretName }}
       {{- end }}
+{{- include "gitpod.ca-certificates.volume" $this | indent 6 }}
 {{ toYaml .Values.defaults | indent 6 }}
+
+---
+
+# Install gitpod ca.crt in containerd to allow pulls from the host
+# https://github.com/containerd/containerd/blob/main/docs/hosts.md
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: update-containerd-certificates
+data:
+  setup.sh: |
+    mkdir -p /etc/containerd/certs.d/{{- (printf "reg.%s:%v" (.Values.components.registryFacade.hostname | default .Values.hostname) .Values.components.registryFacade.ports.registry.servicePort) }} && echo "$GITPOD_CA_CERT" > /etc/containerd/certs.d/{{- (printf "reg.%s:%v" (.Values.components.registryFacade.hostname | default .Values.hostname) .Values.components.registryFacade.ports.registry.servicePort) -}}/ca.crt && echo "OK"
+
 {{ end }}