[installer] Registry facade should not use a port from node ports range

[aledbf]

Description

Some CNI providers (as Cilium) do not allow overlap between hostPorts and nodePorts

Release Notes

[installer] Registry facade should not use a port from node ports range

[codecov]

Codecov Report

Merging #8580 (a6ed7e3) into main (7ac5d9d) will decrease coverage by 4.94%.
The diff coverage is 0.00%.

❗ Current head a6ed7e3 differs from pull request most recent head feb6d5f. Consider uploading reports for the commit feb6d5f to get more accurate results

@@            Coverage Diff            @@
##             main   #8580      +/-   ##
=========================================
- Coverage   12.31%   7.37%   -4.95%     
=========================================
  Files          20      32      +12     
  Lines        1161    2225    +1064     
=========================================
+ Hits          143     164      +21     
- Misses       1014    2058    +1044     
+ Partials        4       3       -1     

Flag	Coverage Δ
components-gitpod-cli-app	11.17% <ø> (ø)
components-local-app-app-darwin-amd64	?
components-local-app-app-darwin-arm64	?
components-local-app-app-linux-amd64	?
components-local-app-app-linux-arm64	?
components-local-app-app-windows-386	?
components-local-app-app-windows-amd64	?
components-local-app-app-windows-arm64	?
install-installer-raw-app	4.30% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
install/installer/pkg/common/networkpolicies.go	0.00% <0.00%> (ø)
components/local-app/pkg/auth/pkce.go
components/local-app/pkg/auth/auth.go
...staller/pkg/components/ws-manager/networkpolicy.go	0.00% <0.00%> (ø)
install/installer/pkg/common/ca.go	0.00% <0.00%> (ø)
...l/installer/pkg/components/ws-manager/tlssecret.go	0.00% <0.00%> (ø)
install/installer/pkg/common/objects.go	0.00% <0.00%> (ø)
install/installer/pkg/common/storage.go	0.00% <0.00%> (ø)
...nstall/installer/pkg/components/ws-manager/role.go	0.00% <0.00%> (ø)
install/installer/pkg/common/render.go	0.00% <0.00%> (ø)
... and 6 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7ac5d9d...feb6d5f. Read the comment docs.

[mrsimonemms]

/hold

Approving, but adding hold so @aledbf or @sagor999 can merge when ready

[aledbf]

/hold cancel

[aledbf]

with the changes, we can run Gitpod in a cluster using Cilium

and use Hubble to see dropped packages

[csweichel]

with the changes, we can run Gitpod in a cluster using Cilium

and use Hubble to see dropped packages

Nice. Is there alerting that could use? E.g. an alert if a package makes its way through to the Google Metadata API server?

[aledbf]

Nice. Is there alerting that could use? E.g. an alert if a package makes its way through to the Google Metadata API server?

We can add one using the drop metric https://docs.cilium.io/en/stable/operations/metrics/#drop

[mrsimonemms]

/hold

Happy with that, just on the question raised. If that's fine, just remove the hold

[iQQBot]

Unfortunately, this breaks our preview environment @aledbf

[sagor999]

Ah, I think preview env is still using helm chart? So maybe that change needs to be done in there too now

[iQQBot]

no, it's using installer

[iQQBot]

In order to install multiple gitpod in a single kubernetes, we modified the hostport of registry-facade using the post-install script, but not in the PodSecurityPolicy, which prevented the registry-facade from starting

[aledbf]

Now is clear why we had a range in the policy

Fix #8612