Fixes to install workspace components to GKE with InCluster dependencies

components/ws-daemon/pkg/content/config.go

@@ -5,6 +5,7 @@
 package content
 
 import (
+	"encoding/json"
 	"strings"
 
 	"github.com/gitpod-io/gitpod/common-go/util"
@@ -63,6 +64,16 @@ type UserNamespacesConfig struct {
 
 type FSShiftMethod api.FSShiftMethod
 
+// MarshalJSON marshals the api.FSShiftMethod to the api.FSShiftMethod_value
+func (m FSShiftMethod) MarshalJSON() ([]byte, error) {
+	methodInt := int32(m)
+	v, ok := api.FSShiftMethod_name[methodInt]
+	if !ok {
+		return nil, xerrors.Errorf("invalid shift method: %i", methodInt)
+	}
+	return json.Marshal(v)
+}
+
 // UnmarshalJSON unmarshals the lowercase shift method string as defined in
 // api.FSShiftMethod_value to api.FSShiftMethod
 func (m *FSShiftMethod) UnmarshalJSON(data []byte) error {

installer/BUILD.yaml

@@ -10,6 +10,7 @@ packages:
       - "pkg/components/**/*.crt"
       - "pkg/components/**/*.key"
       - "pkg/components/**/*.pem"
+      - "pkg/components/**/*.sql"
       - "third_party/**/*"
     deps:
       - components/common-go:lib

installer/cmd/render.go

@@ -58,10 +58,9 @@ A config file is required which can be generated with the init command.`,
 			}
 		}
 
-		ctx := &common.RenderContext{
-			Config:          *cfg,
-			VersionManifest: versionMF,
-			Namespace:       renderOpts.Namespace,
+		ctx, err := common.NewRenderContext(*cfg, versionMF, renderOpts.Namespace)
+		if err != nil {
+			return err
 		}
 
 		var renderable common.RenderFunc
@@ -80,12 +79,12 @@ A config file is required which can be generated with the init command.`,
 			return fmt.Errorf("unsupported installation kind: %s", cfg.Kind)
 		}
 
-		objs, err := renderable(ctx)
+		objs, err := common.CompositeRenderFunc(renderable, components.CommonObjects)(ctx)
 		if err != nil {
 			return err
 		}
 
-		charts, err := helmCharts(ctx)
+		charts, err := common.CompositeHelmFunc(helmCharts, components.CommonHelmDependencies)(ctx)
 		if err != nil {
 			return err
 		}

installer/cmd/versions.yaml

@@ -2,91 +2,93 @@
 # Licensed under the GNU Affero General Public License (AGPL).
 # See License-AGPL.txt in the project root for license information.
 
-version: not-a-valid-version
+version: main.1640
 components:
   agentSmith:
-    version: not-a-valid-version
+    version: pd-add-missing-go-dep2-fork.0
 
   blobserve:
-    version: not-a-valid-version
+    version: commit-4e89f0f82d746317af800032439f7c790edfaec8
 
   contentService:
-    version: not-a-valid-version
+    version: commit-93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab
 
   dashboard:
-    version: not-a-valid-version
+    version: commit-0c4c21259571ce3eaf3cbeb60e2b559ecc899dee
 
   dbMigrations:
-    version: not-a-valid-version
+    version: commit-4425adc68e4141544adb783867a3e398359f8ecc
 
   dbSync:
-    version: not-a-valid-version
+    version: commit-4425adc68e4141544adb783867a3e398359f8ecc
 
   imageBuilder:
-    version: not-a-valid-version
+    version: commit-1d7d20c9cb289a047b8559b2141adf73ecf3876f
 
   imageBuilderMk3:
     builderImage:
-      version: not-a-valid-version
+      version: 93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab
 
-    version: not-a-valid-version
+    version: commit-1d7d20c9cb289a047b8559b2141adf73ecf3876f
 
   integrationTest:
-    version: not-a-valid-version
+    version: commit-1d7d20c9cb289a047b8559b2141adf73ecf3876f
 
   kedge:
-    version: not-a-valid-version
+    version: commit-93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab
+
+  openVsxProxy:
+    version: commit-93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab
 
   paymentEndpoint:
-    version: not-a-valid-version
+    version: commit-4425adc68e4141544adb783867a3e398359f8ecc
 
   proxy:
-    version: not-a-valid-version
+    version: commit-cb09a691840416451c628515ddc35e721759ebc3
 
   registryFacade:
-    version: not-a-valid-version
+    version: commit-93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab
 
   server:
-    version: not-a-valid-version
+    version: commit-1d7d20c9cb289a047b8559b2141adf73ecf3876f
 
   serviceWaiter:
-    version: not-a-valid-version
+    version: commit-93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab
 
   workspace:
     codeImage:
-      version: not-a-valid-version
+      version: commit-5c97db5258faab662b945211469f0d2d715cb44a
 
     codeImageStable:
       version: not-a-valid-version
 
     dockerUp:
-      version: not-a-valid-version
+      version: commit-cb09a691840416451c628515ddc35e721759ebc3
 
     supervisor:
-      version: not-a-valid-version
+      version: commit-93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab
 
     theiaImage:
-      version: not-a-valid-version
+      version: commit-cb09a691840416451c628515ddc35e721759ebc3
 
   wsDaemon:
     userNamespaces:
       seccompProfileInstaller:
-        version: not-a-valid-version
+        version: commit-cb09a691840416451c628515ddc35e721759ebc3
 
       shiftfsModuleLoader:
-        version: not-a-valid-version
+        version: commit-cb09a691840416451c628515ddc35e721759ebc3
 
-    version: not-a-valid-version
+    version: commit-93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab
 
   wsManager:
-    version: not-a-valid-version
+    version: commit-1d7d20c9cb289a047b8559b2141adf73ecf3876f
 
   wsManagerBridge:
-    version: not-a-valid-version
+    version: commit-4425adc68e4141544adb783867a3e398359f8ecc
 
   wsProxy:
-    version: not-a-valid-version
+    version: commit-93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab
 
   wsScheduler:
-    version: not-a-valid-version
-
+    version: commit-93170cc9bf3c9c08dc9c50c5522b480cfc27e5ab

installer/example-config.yaml

@@ -27,4 +27,5 @@ workspace:
       memory: 2Gi
   runtime:
     containerdRuntimeDir: /run/containerd/io.containerd.runtime.v2.task/k8s.io
+    containerdSocket: /run/containerd/containerd.sock
     fsShiftMethod: fuse

installer/pkg/common/common.go

@@ -446,6 +446,10 @@ var (
 		APIVersion: "cert-manager.io/v1",
 		Kind:       "Certificate",
 	}
+	TypeMetaCertificateIssuer = metav1.TypeMeta{
+		APIVersion: "cert-manager.io/v1",
+		Kind:       "Issuer",
+	}
 	TypeMetaSecret = metav1.TypeMeta{
 		APIVersion: "v1",
 		Kind:       "Secret",
@@ -454,6 +458,10 @@ var (
 		APIVersion: "policy/v1beta1",
 		Kind:       "PodSecurityPolicy",
 	}
+	TypeMetaResourceQuota = metav1.TypeMeta{
+		APIVersion: "v1",
+		Kind:       "ResourceQuota",
+	}
 )
 
 type TLS struct {

installer/pkg/common/constants.go

@@ -8,11 +8,19 @@ package common
 
 const (
 	BlobServeServicePort      = 4000
+	CertManagerCAIssuer       = "ca-issuer"
 	DockerRegistryName        = "registry"
 	InClusterDbSecret         = "mysql"
 	InClusterMessageQueueName = "rabbitmq"
 	InClusterMessageQueueTLS  = "messagebus-certificates-secret-core"
 	MonitoringChart           = "monitoring"
 	ProxyComponent            = "proxy"
+	RegistryFacadeComponent   = "registry-facade"
+	RegistryFacadeServicePort = 3000
 	ServerComponent           = "server"
+	SystemNodeCritical        = "system-node-critical"
+	WSManagerComponent        = "ws-manager"
+	WSManagerBridgeComponent  = "ws-manager-bridge"
+	WSProxyComponent          = "ws-proxy"
+	WSSchedulerComponent      = "ws-scheduler"
 )

installer/pkg/common/objects.go

@@ -6,8 +6,8 @@ package common
 
 import (
 	"fmt"
+	storageconfig "github.com/gitpod-io/gitpod/content-service/api/config"
 	corev1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -35,7 +35,7 @@ type ServicePort struct {
 	ServicePort   int32
 }
 
-func GenerateService(component string, ports map[string]ServicePort, clusterIP *string) RenderFunc {
+func GenerateService(component string, ports map[string]ServicePort, mod ...func(spec *corev1.ServiceSpec)) RenderFunc {
 	return func(cfg *RenderContext) ([]runtime.Object, error) {
 		labels := DefaultLabels(component)
 
@@ -49,9 +49,15 @@ func GenerateService(component string, ports map[string]ServicePort, clusterIP *
 			})
 		}
 
-		specClusterIp := "None"
-		if clusterIP != nil {
-			specClusterIp = *clusterIP
+		spec := &corev1.ServiceSpec{
+			Ports:    servicePorts,
+			Selector: labels,
+			Type:     corev1.ServiceTypeClusterIP,
+		}
+
+		for _, m := range mod {
+			// Apply any custom modifications to the spec
+			m(spec)
 		}
 
 		return []runtime.Object{&corev1.Service{
@@ -61,47 +67,32 @@ func GenerateService(component string, ports map[string]ServicePort, clusterIP *
 				Namespace: cfg.Namespace,
 				Labels:    labels,
 			},
-			Spec: corev1.ServiceSpec{
-				Ports:     servicePorts,
-				Selector:  map[string]string{"Component": component},
-				Type:      corev1.ServiceTypeClusterIP,
-				ClusterIP: specClusterIp,
-			},
+			Spec: *spec,
 		}}, nil
 	}
 }
 
-// GlobalObjects is any objects which are outside the scope of components, but
-// required for the application to function. Typically, these will be ClusterRole,
-// ClusterRoleBindings and similar cluster-level objects
-func GlobalObjects(ctx *RenderContext) ([]runtime.Object, error) {
-	return []runtime.Object{
-		&rbacv1.ClusterRole{
-			TypeMeta: TypeMetaClusterRole,
-			ObjectMeta: metav1.ObjectMeta{
-				Name: fmt.Sprintf("%s-kube-rbac-proxy", ctx.Namespace),
-			},
-			Rules: []rbacv1.PolicyRule{{
-				APIGroups: []string{"authentication.k8s.io"},
-				Resources: []string{"tokenreviews"},
-				Verbs:     []string{"create"},
-			}, {
-				APIGroups: []string{"authorization.k8s.io"},
-				Resources: []string{"subjectaccessreviews"},
-				Verbs:     []string{"create"},
-			}},
-		},
-		&rbacv1.ClusterRole{
-			TypeMeta: TypeMetaClusterRole,
-			ObjectMeta: metav1.ObjectMeta{
-				Name: fmt.Sprintf("%s-ns-psp:unprivileged", ctx.Namespace),
-			},
-			Rules: []rbacv1.PolicyRule{{
-				APIGroups:     []string{"policy"},
-				Resources:     []string{"podsecuritypolicies"},
-				Verbs:         []string{"use"},
-				ResourceNames: []string{fmt.Sprintf("%s-ns-unprivileged", ctx.Namespace)},
-			}},
+func StorageConfiguration(ctx *RenderContext) (*storageconfig.StorageConfig, error) {
+	accessKey := ctx.Values.StorageAccessKey
+	if accessKey == "" {
+		return nil, fmt.Errorf("unknown value: storage access key")
+	}
+	secretKey := ctx.Values.StorageSecretKey
+	if secretKey == "" {
+		return nil, fmt.Errorf("unknown value: storage secret key")
+	}
+
+	// todo(sje): support non-Minio storage configuration
+	// todo(sje): this has been set up with only the default values - receive configuration
+	return &storageconfig.StorageConfig{
+		Kind:      "minio",
+		BlobQuota: 0,
+		MinIOConfig: storageconfig.MinIOConfig{
+			Endpoint:        fmt.Sprintf("minio.%s", ctx.Config.Domain),
+			AccessKeyID:     accessKey,
+			SecretAccessKey: secretKey,
+			Secure:          false,
+			Region:          "local",
 		},
 	}, nil
 }

installer/pkg/common/render.go

@@ -77,8 +77,48 @@ func DependencySortingRenderFunc(f RenderFunc) RenderFunc {
 	}
 }
 
+type GeneratedValues struct {
+	StorageAccessKey string
+	StorageSecretKey string
+}
+
 type RenderContext struct {
 	VersionManifest versions.Manifest
 	Config          config.Config
 	Namespace       string
+	Values          GeneratedValues
+}
+
+// generateValues generates the random values used throughout the context
+// todo(sje): find a way of persisting these values for updates
+func (r *RenderContext) generateValues() error {
+	storageAccessKey, err := RandomString(20)
+	if err != nil {
+		return err
+	}
+	r.Values.StorageAccessKey = storageAccessKey
+
+	storageSecretKey, err := RandomString(20)
+	if err != nil {
+		return err
+	}
+	r.Values.StorageSecretKey = storageSecretKey
+
+	return nil
+}
+
+// NewRenderContext constructor function to create a new RenderContext with the values generated
+func NewRenderContext(cfg config.Config, versionManifest versions.Manifest, namespace string) (*RenderContext, error) {
+	ctx := &RenderContext{
+		Config:          cfg,
+		VersionManifest: versionManifest,
+		Namespace:       namespace,
+	}
+
+	err := ctx.generateValues()
+	if err != nil {
+		return nil, err
+	}
+
+	return ctx, nil
 }