diff --git a/install/installer/pkg/components/server/configmap.go b/install/installer/pkg/components/server/configmap.go
index db0d8054f012f2..ce0798d91de6eb 100644
--- a/install/installer/pkg/components/server/configmap.go
+++ b/install/installer/pkg/components/server/configmap.go
@@ -36,13 +36,10 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 license = licenseFilePath
 }
 
- workspaceImage := ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, ""), workspace.DefaultWorkspaceImage, workspace.DefaultWorkspaceImageVersion)
- _ = ctx.WithExperimental(func(cfg *experimental.Config) error {
- if cfg.WebApp != nil && cfg.WebApp.Server != nil && cfg.WebApp.Server.WorkspaceDefaults.WorkspaceImage != "" {
- workspaceImage = cfg.WebApp.Server.WorkspaceDefaults.WorkspaceImage
- }
- return nil
- })
+ workspaceImage := ctx.Config.Workspace.WorkspaceImage
+ if workspaceImage == "" {
+ workspaceImage = ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, ""), workspace.DefaultWorkspaceImage, workspace.DefaultWorkspaceImageVersion)
+ }
 
 sessionSecret := "Important!Really-Change-This-Key!"
 _ = ctx.WithExperimental(func(cfg *experimental.Config) error {
@@ -77,14 +74,10 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 })
 
 defaultBaseImageRegistryWhitelist := []string{}
- _ = ctx.WithExperimental(func(cfg *experimental.Config) error {
- if cfg.WebApp != nil && cfg.WebApp.Server != nil {
- if cfg.WebApp.Server.DefaultBaseImageRegistryWhiteList != nil {
- defaultBaseImageRegistryWhitelist = cfg.WebApp.Server.DefaultBaseImageRegistryWhiteList
- }
- }
- return nil
- })
+ allowList := ctx.Config.ContainerRegistry.PrivateBaseImageAllowList
+ if len(allowList) > 0 {
+ defaultBaseImageRegistryWhitelist = allowList
+ }
 
 chargebeeSecret := ""
 _ = ctx.WithExperimental(func(cfg *experimental.Config) error {
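Review bot: The `if len(allowList) > 0` guard in the second hunk does more than it looks: it keeps `defaultBaseImageRegistryWhitelist` as the non-nil `[]string{}` when the config value is nil, which presumably matters for how the rendered server config serialises the field (`[]` rather than `null`), and the value is nil whenever the config was not run through `Defaults`, as in the test in this commit, which assigns the expectation slice directly. A one-line comment would stop the next reader from collapsing it into a plain assignment: `// keep the non-nil empty slice when nothing is configured so the rendered field stays []`. The first hunk reads as a plain fallback and needs nothing. configmap's body continues outside both hunks.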
diff --git a/install/installer/pkg/components/server/configmap_test.go b/install/installer/pkg/components/server/configmap_test.go
index e29bc6380ca50d..e3d770fc969830 100644
--- a/install/installer/pkg/components/server/configmap_test.go
+++ b/install/installer/pkg/components/server/configmap_test.go
@@ -53,6 +53,12 @@ func TestConfigMap(t *testing.T) {
 }
 
 ctx, err := common.NewRenderContext(config.Config{
+ Workspace: config.Workspace{
+ WorkspaceImage: expectation.WorkspaceImage,
+ },
+ ContainerRegistry: config.ContainerRegistry{
+ PrivateBaseImageAllowList: expectation.DefaultBaseImageRegistryWhiteList,
+ },
 Experimental: &experimental.Config{
 WebApp: &experimental.WebAppConfig{
 Server: &experimental.ServerConfig{
@@ -60,10 +66,6 @@ func TestConfigMap(t *testing.T) {
 EnableLocalApp: pointer.Bool(expectation.EnableLocalApp),
 RunDbDeleter: pointer.Bool(expectation.RunDbDeleter),
 DisableWorkspaceGarbageCollection: expectation.DisableWorkspaceGarbageCollection,
- DefaultBaseImageRegistryWhiteList: expectation.DefaultBaseImageRegistryWhiteList,
- WorkspaceDefaults: experimental.WorkspaceDefaults{
- WorkspaceImage: expectation.WorkspaceImage,
- },
 OAuthServer: experimental.OAuthServer{
 JWTSecret: expectation.JWTSecret,
 },
diff --git a/install/installer/pkg/config/v1/config.go b/install/installer/pkg/config/v1/config.go
index b52645d609f37f..e002bc3ef9a0a1 100644
--- a/install/installer/pkg/config/v1/config.go
+++ b/install/installer/pkg/config/v1/config.go
@@ -56,6 +56,7 @@ func (v version) Defaults(in interface{}) error {
 },
 }
 cfg.ContainerRegistry.InCluster = pointer.Bool(true)
+ cfg.ContainerRegistry.PrivateBaseImageAllowList = []string{}
 cfg.Workspace.Resources.Requests = corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("1000m"),
 corev1.ResourceMemory: resource.MustParse("2Gi"),
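Review bot: The test now feeds `expectation.WorkspaceImage` and `expectation.DefaultBaseImageRegistryWhiteList` through the main config instead of the experimental block, but nothing in this diff shows a case with an empty `WorkspaceImage`, which is the branch the new `configmap` code uses to derive the default image from the repository; the expectation table sits outside the hunk, so it may already cover it. If it does not, one case with an empty `WorkspaceImage` asserting the rendered image equals the repository-derived default would pin the fallback, and likewise an empty allow list for the `len(allowList) > 0` branch. TestConfigMap starts and ends outside the hunk.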
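Review bot: `cfg.ContainerRegistry.PrivateBaseImageAllowList = []string{}` makes the default a non-nil empty slice, so later code cannot distinguish "unset" from an explicit `[]`; `CheckDeprecated` in this same commit has to test `len(...) > 0` on the main-config side for exactly that reason. That intent is worth stating next to the assignment, e.g. `// non-nil so the key is always rendered; "unset" and "[]" are intentionally the same here`. Defaults continues outside the hunk.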
@@ -78,23 +79,52 @@ func (v version) CheckDeprecated(rawCfg interface{}) (map[string]interface{}, []
 conflicts := make([]string, 0)
 cfg := rawCfg.(*Config)
 
- if cfg.Experimental != nil && cfg.Experimental.WebApp != nil && cfg.Experimental.WebApp.ProxyConfig != nil && cfg.Experimental.WebApp.ProxyConfig.ServiceType != nil {
- warnings["experimental.webapp.proxy.serviceType"] = *cfg.Experimental.WebApp.ProxyConfig.ServiceType
-
- if cfg.Components != nil && cfg.Components.Proxy != nil && cfg.Components.Proxy.Service != nil && cfg.Components.Proxy.Service.ServiceType != nil {
- conflicts = append(conflicts, "Cannot set proxy service type in both components and experimental")
- } else {
- // Promote the experimental value to the components
- if cfg.Components == nil {
- cfg.Components = &Components{}
+ if cfg.Experimental != nil && cfg.Experimental.WebApp != nil {
+ // service type of proxy is now configurable from main config
+ if cfg.Experimental.WebApp.ProxyConfig != nil && cfg.Experimental.WebApp.ProxyConfig.ServiceType != nil {
+ warnings["experimental.webapp.proxy.serviceType"] = *cfg.Experimental.WebApp.ProxyConfig.ServiceType
+
+ if cfg.Components != nil && cfg.Components.Proxy != nil && cfg.Components.Proxy.Service != nil && cfg.Components.Proxy.Service.ServiceType != nil {
+ conflicts = append(conflicts, "Cannot set proxy service type in both components and experimental")
+ } else {
+ // Promote the experimental value to the components
+ if cfg.Components == nil {
+ cfg.Components = &Components{}
+ }
+ if cfg.Components.Proxy == nil {
+ cfg.Components.Proxy = &ProxyComponent{}
+ }
+ if cfg.Components.Proxy.Service == nil {
+ cfg.Components.Proxy.Service = &ComponentTypeService{}
+ }
+ cfg.Components.Proxy.Service.ServiceType = cfg.Experimental.WebApp.ProxyConfig.ServiceType
 }
- if cfg.Components.Proxy == nil {
- cfg.Components.Proxy = &ProxyComponent{}
+ }
+
+ // default workspace base image is now configurable from main config
+ if cfg.Experimental.WebApp.Server != nil {
+
+ workspaceImage := cfg.Experimental.WebApp.Server.WorkspaceDefaults.WorkspaceImage
+ if workspaceImage != "" {
+ warnings["experimental.webapp.server.workspaceDefaults.workspaceImage"] = workspaceImage
+
+ if cfg.Workspace.WorkspaceImage != "" {
+ conflicts = append(conflicts, "Cannot set default workspace image in both workspaces and experimental")
+ } else {
+ cfg.Workspace.WorkspaceImage = workspaceImage
+ }
 }
- if cfg.Components.Proxy.Service == nil {
- cfg.Components.Proxy.Service = &ComponentTypeService{}
+
+ registryAllowList := cfg.Experimental.WebApp.Server.DefaultBaseImageRegistryWhiteList
+ if registryAllowList != nil {
+ warnings["experimental.webapp.server.defaultBaseImageRegistryWhitelist"] = registryAllowList
+
+ if len(cfg.ContainerRegistry.PrivateBaseImageAllowList) > 0 {
+ conflicts = append(conflicts, "Cannot set allow list for private base image in both containerRegistry and experimental")
+ } else {
+ cfg.ContainerRegistry.PrivateBaseImageAllowList = registryAllowList
+ }
 }
- cfg.Components.Proxy.Service.ServiceType = cfg.Experimental.WebApp.ProxyConfig.ServiceType
 }
 }
@@ -235,9 +265,10 @@ const (
 )
 
 type ContainerRegistry struct {
- InCluster *bool `json:"inCluster,omitempty" validate:"required"`
- External *ContainerRegistryExternal `json:"external,omitempty" validate:"required_if=InCluster false"`
- S3Storage *S3Storage `json:"s3storage,omitempty"`
+ InCluster *bool `json:"inCluster,omitempty" validate:"required"`
+ External *ContainerRegistryExternal `json:"external,omitempty" validate:"required_if=InCluster false"`
+ S3Storage *S3Storage `json:"s3storage,omitempty"`
+ PrivateBaseImageAllowList []string `json:"privateBaseImageAllowList"`
 }
 
 type ContainerRegistryExternal struct {
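Review bot: The two sides of the registry allow-list check use different notions of "set": the experimental value counts as set when `registryAllowList != nil`, the main-config value only when `len(cfg.ContainerRegistry.PrivateBaseImageAllowList) > 0`, so an explicit empty `defaultBaseImageRegistryWhitelist: []` still emits a deprecation warning and promotes an empty list. Because `Defaults` in this same commit initialises the main-config field to `[]string{}`, `len` is the only usable test there, and for symmetry the experimental side should read `if len(registryAllowList) > 0 {` too. The image conflict message says "in both workspaces and experimental" while the config section is `workspace`; `"Cannot set default workspace image in both workspace and experimental"` names the key a user will search for. The new warning keys are spelled `experimental.webapp.server…` (as the existing proxy key and config.md are) while the KOTS job in this commit writes `.experimental.webApp.server…`, so one of the two spellings does not match the real JSON tag of `WebApp`, which this diff does not show; worth checking before more callers copy either. CheckDeprecated starts and ends outside the hunk.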
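Review bot: `PrivateBaseImageAllowList` is a security-relevant setting — judging by its name and by the KOTS job in this commit, which appends registry hosts from the image pull secret to it under the comment "Add the registries to the server allowlist" — and it lands without a doc comment, so the (apparently generated) `config.md` row for `containerRegistry.privateBaseImageAllowList[ ]` has an empty description. A comment in the style of the `TimeoutAfterClose` field, along the lines of `// PrivateBaseImageAllowList lists the registries from which private workspace base images may be pulled; replaces experimental webApp.server.defaultBaseImageRegistryWhitelist`, adjusted to the server's actual matching semantics (not shown here), would fix both. The same applies to `Workspace.WorkspaceImage` in the next hunk, whose `workspace.workspaceImage` row is also blank. The `ContainerRegistry` struct is complete within this hunk.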
@@ -320,6 +351,8 @@ type Workspace struct {
 
 // TimeoutAfterClose is the time a workspace timed out after it has been closed (“closed” means that it does not get a heartbeat from an IDE anymore)
 TimeoutAfterClose *util.Duration `json:"timeoutAfterClose,omitempty"`
+
+ WorkspaceImage string `json:"workspaceImage,omitempty"`
 }
 
 type OpenVSX struct {
diff --git a/install/installer/pkg/config/v1/config.md b/install/installer/pkg/config/v1/config.md
index e7388b45e69e44..af2170e196e375 100644
--- a/install/installer/pkg/config/v1/config.md
+++ b/install/installer/pkg/config/v1/config.md
@@ -9,6 +9,7 @@ Config defines the v1 version structure of the gitpod config file
 |`kind`|string|N| `Meta`, `Workspace`, `Full` ||
 |`domain`|string|Y| | The domain to deploy to|
 |`metadata.region`|string|Y| | Location for your objectStorage provider|
+|`metadata.shortname`|string|N| | InstallationShortname establishes the "identity" of the (application) cluster.|
 |`repository`|string|Y| ||
 |`observability.logLevel`|string|N| `trace`, `debug`, `info`, `warning`, `error`, `fatal`, `panic` |Taken from github.com/gitpod-io/gitpod/components/gitpod-protocol/src/util/logging.ts|
 |`observability.tracing.endpoint`|string|N| ||
@@ -25,18 +26,27 @@ Config defines the v1 version structure of the gitpod config file
 |`objectStorage.s3.endpoint`|string|Y| ||
 |`objectStorage.s3.credentials.kind`|string|N| `secret` ||
 |`objectStorage.s3.credentials.name`|string|Y| ||
+|`objectStorage.s3.bucket`|string|N| | BucketName sets the name of an existing bucket to enable the "single bucket mode" If no name is configured, the old "one bucket per user" behaviour kicks in.|
 |`objectStorage.cloudStorage.serviceAccount.kind`|string|N| `secret` ||
 |`objectStorage.cloudStorage.serviceAccount.name`|string|Y| ||
 |`objectStorage.cloudStorage.project`|string|Y| ||
 |`objectStorage.azure.credentials.kind`|string|N| `secret` ||
 |`objectStorage.azure.credentials.name`|string|Y| ||
+|`objectStorage.maximumBackupCount`|int|N| ||
+|`objectStorage.blobQuota`|int64|N| ||
+|`objectStorage.resources.requests`||Y| | todo(sje): add custom validation to corev1.ResourceList|
+|`objectStorage.resources.limits`||N| ||
+|`objectStorage.resources.dynamicLimits`||N| ||
 |`containerRegistry.inCluster`|bool|Y| ||
 |`containerRegistry.external.url`|string|Y| ||
 |`containerRegistry.external.certificate.kind`|string|N| `secret` ||
 |`containerRegistry.external.certificate.name`|string|Y| ||
 |`containerRegistry.s3storage.bucket`|string|Y| ||
+|`containerRegistry.s3storage.region`|string|Y| ||
+|`containerRegistry.s3storage.endpoint`|string|Y| ||
 |`containerRegistry.s3storage.certificate.kind`|string|N| `secret` ||
 |`containerRegistry.s3storage.certificate.name`|string|Y| ||
+|`containerRegistry.privateBaseImageAllowList[ ]`|[]string|N| ||
 |`certificate.kind`|string|N| `secret` ||
 |`certificate.name`|string|Y| ||
 |`imagePullSecrets[ ].kind`|string|N| `secret` ||
@@ -49,14 +59,16 @@ Config defines the v1 version structure of the gitpod config file
 |`workspace.resources.dynamicLimits`||N| ||
 |`workspace.templates.default`||N| ||
 |`workspace.templates.prebuild`||N| ||
-|`workspace.templates.ghost`||N| ||
 |`workspace.templates.imagebuild`||N| ||
 |`workspace.templates.regular`||N| ||
-|`workspace.templates.probe`||N| ||
+|`workspace.pvc.size`||Y| | Size is a size of persistent volume claim to use|
+|`workspace.pvc.storageClass`|string|N| | StorageClass is a storage class of persistent volume claim to use|
+|`workspace.pvc.snapshotClass`|string|N| | SnapshotClass is a snapshot class name that is used to create volume snapshot|
 |`workspace.maxLifetime`||Y| | MaxLifetime is the maximum time a workspace is allowed to run. After that, the workspace times out despite activity|
 |`workspace.timeoutDefault`||N| | TimeoutDefault is the default timeout of a regular workspace|
 |`workspace.timeoutExtended`||N| | TimeoutExtended is the workspace timeout that a user can extend to for one workspace|
 |`workspace.timeoutAfterClose`||N| | TimeoutAfterClose is the time a workspace timed out after it has been closed (“closed” means that it does not get a heartbeat from an IDE anymore)|
+|`workspace.workspaceImage`|string|N| ||
 |`openVSX.url`|string|N| ||
 |`authProviders[ ].kind`|string|N| `secret` ||
 |`authProviders[ ].name`|string|Y| ||
@@ -67,6 +79,11 @@ Config defines the v1 version structure of the gitpod config file
 |`sshGatewayHostKey.kind`|string|N| `secret` ||
 |`sshGatewayHostKey.name`|string|Y| ||
 |`disableDefinitelyGp`|bool|N| ||
+|`customCACert.kind`|string|N| `secret` ||
+|`customCACert.name`|string|Y| ||
+|`dropImageRepo`|bool|N| ||
+|`customization`||N| ||
+|`components.proxy.service.serviceType`||N| ||
 |`apiVersion`|string|Y| |API version of the Gitpod config defintion. `v1` in this version of Config|
@@ -80,9 +97,58 @@ Additional config parameters that are in experimental state
 |`experimental.workspace.tracing.samplerType`|string|N| `const`, `probabilistic`, `rateLimiting`, `remote` |Values taken from https://github.com/jaegertracing/jaeger-client-go/blob/967f9c36f0fa5a2617c9a0993b03f9a3279fadc8/config/config.go#L71|
 |`experimental.workspace.tracing.samplerParam`|float64|N| ||
 |`experimental.workspace.stage`|string|N| ||
-|`experimental.workspace.stage`|string|N| ||
+|`experimental.workspace.schedulerName`|string|N| ||
+|`experimental.workspace.hostURL`|string|N| ||
+|`experimental.workspace.workspaceClusterHost`|string|N| ||
+|`experimental.workspace.workspaceURLTemplate`|string|N| ||
+|`experimental.workspace.workspacePortURLTemplate`|string|N| ||
+|`experimental.workspace.workspacePortURLTemplate`|string|N| ||
+|`experimental.workspace.ioLimits`||N| ||
+|`experimental.workspace.procLimit`|int64|N| ||
+|`experimental.workspace.wsManagerRateLimits`||N| ||
 |`experimental.workspace.registryFacade`||N| ||
-|`experimental.webapp`|WebAppConfig|N| ||
-|`experimental.ide`|IDEConfig|N| ||
-
-
+|`experimental.workspace.wsDaemon`||N| ||
+|`experimental.workspace.classes`||N| ||
+|`experimental.workspace.wsProxy`||N| ||
+|`experimental.webapp.publicApi.enabled`|bool|N| ||
+|`experimental.webapp.server.workspaceDefaults.workspaceImage`|string|N| | @deprecated use workspace.workspaceImage instead|
+|`experimental.webapp.server.oauthServer.jwtSecret`|string|N| ||
+|`experimental.webapp.server.session.secret`|string|N| ||
+|`experimental.webapp.server.githubApp.appId`|int32|N| ||
+|`experimental.webapp.server.githubApp.authProviderId`|string|N| ||
+|`experimental.webapp.server.githubApp.baseUrl`|string|N| ||
+|`experimental.webapp.server.githubApp.certPath`|string|N| ||
+|`experimental.webapp.server.githubApp.enabled`|bool|N| ||
+|`experimental.webapp.server.githubApp.logLevel`|string|N| ||
+|`experimental.webapp.server.githubApp.marketplaceName`|string|N| ||
+|`experimental.webapp.server.githubApp.webhookSecret`|string|N| ||
+|`experimental.webapp.server.githubApp.certSecretName`|string|N| ||
+|`experimental.webapp.server.chargebeeSecret`|string|N| ||
+|`experimental.webapp.server.stripeSecret`|string|N| ||
+|`experimental.webapp.server.stripeConfig`|string|N| ||
+|`experimental.webapp.server.disableDynamicAuthProviderLogin`|bool|N| ||
+|`experimental.webapp.server.enableLocalApp`|bool|N| ||
+|`experimental.webapp.server.runDbDeleter`|bool|N| ||
+|`experimental.webapp.server.defaultBaseImageRegistryWhitelist[ ]`|[]string|N| | @deprecated use containerRegistry.privateBaseImageAllowList instead|
+|`experimental.webapp.server.disableWorkspaceGarbageCollection`|bool|N| ||
+|`experimental.webapp.server.blockedRepositories[ ].urlRegExp`|string|N| ||
+|`experimental.webapp.server.blockedRepositories[ ].blockUser`|bool|N| ||
+|`experimental.webapp.proxy.staticIP`|string|N| ||
+|`experimental.webapp.proxy.serviceAnnotations`||N| ||
+|`experimental.webapp.proxy.serviceType`||N| | @deprecated use components.proxy.service.serviceType instead|
+|`experimental.webapp.wsManagerBridge.skipSelf`|bool|N| ||
+|`experimental.webapp.tracing.samplerType`|string|N| `const`, `probabilistic`, `rateLimiting`, `remote` |Values taken from https://github.com/jaegertracing/jaeger-client-go/blob/967f9c36f0fa5a2617c9a0993b03f9a3279fadc8/config/config.go#L71|
+|`experimental.webapp.tracing.samplerParam`|float64|N| ||
+|`experimental.webapp.usePodAntiAffinity`|bool|N| ||
+|`experimental.webapp.disableMigration`|bool|N| ||
+|`experimental.webapp.usage.enabled`|bool|N| ||
+|`experimental.webapp.usage.schedule`|string|N| ||
+|`experimental.webapp.usage.creditsPerMinuteByWorkspaceClass`||N| ||
+|`experimental.webapp.configcatKey`|string|N| ||
+|`experimental.ide.resolveLatest`|bool|N| | Disable resolution of latest images and use bundled latest versions instead|
+|`experimental.ide.ideProxy.serviceAnnotations`||N| ||
+|`experimental.ide.openvsxProxy.serviceAnnotations`||N| ||
+|`experimental.common.podConfig`||N| ||
+|`experimental.common.staticMessagebusPassword`|string|N| ||
+|`experimental.telemetry.data`||N| ||
+|`experimental.agentSmith`||N| ||
diff --git a/install/installer/pkg/config/v1/experimental/experimental.go b/install/installer/pkg/config/v1/experimental/experimental.go
index ac6c3e25055c9f..8847940f601c34 100644
--- a/install/installer/pkg/config/v1/experimental/experimental.go
+++ b/install/installer/pkg/config/v1/experimental/experimental.go
@@ -147,6 +147,7 @@ type WebAppConfig struct {
 }
 
 type WorkspaceDefaults struct {
+ // @deprecated use workspace.workspaceImage instead
 WorkspaceImage string `json:"workspaceImage"`
 }
 
@@ -185,8 +186,10 @@ type ServerConfig struct {
 DisableDynamicAuthProviderLogin bool `json:"disableDynamicAuthProviderLogin"`
 EnableLocalApp *bool `json:"enableLocalApp"`
 RunDbDeleter *bool `json:"runDbDeleter"`
- DefaultBaseImageRegistryWhiteList []string `json:"defaultBaseImageRegistryWhitelist"`
 DisableWorkspaceGarbageCollection bool `json:"disableWorkspaceGarbageCollection"`
+
+ // @deprecated use containerRegistry.privateBaseImageAllowList instead
+ DefaultBaseImageRegistryWhiteList []string `json:"defaultBaseImageRegistryWhitelist"`
 }
 
 type ProxyConfig struct {
diff --git a/install/kots/manifests/gitpod-installation-status.yaml b/install/kots/manifests/gitpod-installation-status.yaml
index 93109363734f51..eb9d3763e5b400 100644
--- a/install/kots/manifests/gitpod-installation-status.yaml
+++ b/install/kots/manifests/gitpod-installation-status.yaml
@@ -30,7 +30,7 @@ spec:
 containers:
 - name: installation-status
 # This will normally be the release tag
- image: "eu.gcr.io/gitpod-core-dev/build/installer:sje-installer-post-process.6"
+ image: "eu.gcr.io/gitpod-core-dev/build/installer:nvn-fix-11408.15"
 command:
 - /bin/sh
 - -c
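Review bot: The deprecation markers are written as `// @deprecated use workspace.workspaceImage instead` and `// @deprecated use containerRegistry.privateBaseImageAllowList instead`, a JSDoc spelling that Go tooling does not recognise; the convention staticcheck, gopls and pkg.go.dev act on is a paragraph beginning `// Deprecated: use workspace.workspaceImage instead.` (and likewise for the allow list), which would also make any remaining in-tree reader of these fields surface as a lint finding. The config.md rows in this commit copy the comment text verbatim, so the rendered description would only change spelling. Both structs continue outside their hunks.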
diff --git a/install/kots/manifests/gitpod-installer-job.yaml b/install/kots/manifests/gitpod-installer-job.yaml
index 3d6bb58884b465..bad00875199c1a 100644
--- a/install/kots/manifests/gitpod-installer-job.yaml
+++ b/install/kots/manifests/gitpod-installer-job.yaml
@@ -28,7 +28,7 @@ spec:
 containers:
 - name: installer
 # This will normally be the release tag
- image: "eu.gcr.io/gitpod-core-dev/build/installer:sje-installer-post-process.6"
+ image: "eu.gcr.io/gitpod-core-dev/build/installer:nvn-fix-11408.15"
 volumeMounts:
 - mountPath: /config-patch
 name: config-patch
@@ -156,7 +156,7 @@ spec:
 echo "{{repl LocalRegistryImagePullSecret }}" | base64 -d > /tmp/kotsregistry.json
 
 # Add the registries to the server allowlist
- yq e -i ".experimental.webApp.server.defaultBaseImageRegistryWhitelist += $(cat /tmp/kotsregistry.json | jq '.auths' | jq -rc 'keys')" "${CONFIG_FILE}"
+ yq e -i ".containerRegistry.privateBaseImageAllowList += $(cat /tmp/kotsregistry.json | jq '.auths' | jq -rc 'keys')" "${CONFIG_FILE}"
 
 if [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ]; then