[installer] move workspaceImage out of experimental config

install/installer/pkg/components/server/configmap.go

@@ -36,13 +36,10 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 		license = licenseFilePath
 	}
 
-	workspaceImage := ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, ""), workspace.DefaultWorkspaceImage, workspace.DefaultWorkspaceImageVersion)
-	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
-		if cfg.WebApp != nil && cfg.WebApp.Server != nil && cfg.WebApp.Server.WorkspaceDefaults.WorkspaceImage != "" {
-			workspaceImage = cfg.WebApp.Server.WorkspaceDefaults.WorkspaceImage
-		}
-		return nil
-	})
+	workspaceImage := ctx.Config.Workspace.WorkspaceImage
+	if workspaceImage == "" {
+		workspaceImage = ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, ""), workspace.DefaultWorkspaceImage, workspace.DefaultWorkspaceImageVersion)
+	}
 
 	sessionSecret := "Important!Really-Change-This-Key!"
 	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
@@ -77,14 +74,10 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 	})
 
 	defaultBaseImageRegistryWhitelist := []string{}
-	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
-		if cfg.WebApp != nil && cfg.WebApp.Server != nil {
-			if cfg.WebApp.Server.DefaultBaseImageRegistryWhiteList != nil {
-				defaultBaseImageRegistryWhitelist = cfg.WebApp.Server.DefaultBaseImageRegistryWhiteList
-			}
-		}
-		return nil
-	})
+	allowList := ctx.Config.ContainerRegistry.PrivateBaseImageAllowList
+	if len(allowList) > 0 {
+		defaultBaseImageRegistryWhitelist = allowList
+	}
 
 	chargebeeSecret := ""
 	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {

install/installer/pkg/components/server/configmap_test.go

@@ -53,17 +53,19 @@ func TestConfigMap(t *testing.T) {
 	}
 
 	ctx, err := common.NewRenderContext(config.Config{
+		Workspace: config.Workspace{
+			WorkspaceImage: expectation.WorkspaceImage,
+		},
+		ContainerRegistry: config.ContainerRegistry{
+			PrivateBaseImageAllowList: expectation.DefaultBaseImageRegistryWhiteList,
+		},
 		Experimental: &experimental.Config{
 			WebApp: &experimental.WebAppConfig{
 				Server: &experimental.ServerConfig{
 					DisableDynamicAuthProviderLogin:   expectation.DisableDynamicAuthProviderLogin,
 					EnableLocalApp:                    pointer.Bool(expectation.EnableLocalApp),
 					RunDbDeleter:                      pointer.Bool(expectation.RunDbDeleter),
 					DisableWorkspaceGarbageCollection: expectation.DisableWorkspaceGarbageCollection,
-					DefaultBaseImageRegistryWhiteList: expectation.DefaultBaseImageRegistryWhiteList,
-					WorkspaceDefaults: experimental.WorkspaceDefaults{
-						WorkspaceImage: expectation.WorkspaceImage,
-					},
 					OAuthServer: experimental.OAuthServer{
 						JWTSecret: expectation.JWTSecret,
 					},

install/installer/pkg/config/v1/config.go

@@ -56,6 +56,7 @@ func (v version) Defaults(in interface{}) error {
 		},
 	}
 	cfg.ContainerRegistry.InCluster = pointer.Bool(true)
+	cfg.ContainerRegistry.PrivateBaseImageAllowList = []string{}
 	cfg.Workspace.Resources.Requests = corev1.ResourceList{
 		corev1.ResourceCPU:    resource.MustParse("1000m"),
 		corev1.ResourceMemory: resource.MustParse("2Gi"),
@@ -78,23 +79,52 @@ func (v version) CheckDeprecated(rawCfg interface{}) (map[string]interface{}, []
 	conflicts := make([]string, 0)
 	cfg := rawCfg.(*Config)
 
-	if cfg.Experimental != nil && cfg.Experimental.WebApp != nil && cfg.Experimental.WebApp.ProxyConfig != nil && cfg.Experimental.WebApp.ProxyConfig.ServiceType != nil {
-		warnings["experimental.webapp.proxy.serviceType"] = *cfg.Experimental.WebApp.ProxyConfig.ServiceType
-
-		if cfg.Components != nil && cfg.Components.Proxy != nil && cfg.Components.Proxy.Service != nil && cfg.Components.Proxy.Service.ServiceType != nil {
-			conflicts = append(conflicts, "Cannot set proxy service type in both components and experimental")
-		} else {
-			// Promote the experimental value to the components
-			if cfg.Components == nil {
-				cfg.Components = &Components{}
+	if cfg.Experimental != nil && cfg.Experimental.WebApp != nil {
+		// service type of proxy is now configurable from main config
+		if cfg.Experimental.WebApp.ProxyConfig != nil && cfg.Experimental.WebApp.ProxyConfig.ServiceType != nil {
+			warnings["experimental.webapp.proxy.serviceType"] = *cfg.Experimental.WebApp.ProxyConfig.ServiceType
+
+			if cfg.Components != nil && cfg.Components.Proxy != nil && cfg.Components.Proxy.Service != nil && cfg.Components.Proxy.Service.ServiceType != nil {
+				conflicts = append(conflicts, "Cannot set proxy service type in both components and experimental")
+			} else {
+				// Promote the experimental value to the components
+				if cfg.Components == nil {
+					cfg.Components = &Components{}
+				}
+				if cfg.Components.Proxy == nil {
+					cfg.Components.Proxy = &ProxyComponent{}
+				}
+				if cfg.Components.Proxy.Service == nil {
+					cfg.Components.Proxy.Service = &ComponentTypeService{}
+				}
+				cfg.Components.Proxy.Service.ServiceType = cfg.Experimental.WebApp.ProxyConfig.ServiceType
 			}
-			if cfg.Components.Proxy == nil {
-				cfg.Components.Proxy = &ProxyComponent{}
+		}
+
+		// default workspace base image is now configurable from main config
+		if cfg.Experimental.WebApp.Server != nil {
+
+			workspaceImage := cfg.Experimental.WebApp.Server.WorkspaceDefaults.WorkspaceImage
+			if workspaceImage != "" {
+				warnings["experimental.webapp.server.workspaceDefaults.workspaceImage"] = workspaceImage
+
+				if cfg.Workspace.WorkspaceImage != "" {
+					conflicts = append(conflicts, "Cannot set default workspace image in both workspaces and experimental")
+				} else {
+					cfg.Workspace.WorkspaceImage = workspaceImage
+				}
 			}
-			if cfg.Components.Proxy.Service == nil {
-				cfg.Components.Proxy.Service = &ComponentTypeService{}
+
+			registryAllowList := cfg.Experimental.WebApp.Server.DefaultBaseImageRegistryWhiteList
+			if registryAllowList != nil {
+				warnings["experimental.webapp.server.defaultBaseImageRegistryWhitelist"] = registryAllowList
+
+				if len(cfg.ContainerRegistry.PrivateBaseImageAllowList) > 0 {
+					conflicts = append(conflicts, "Cannot set allow list for private base image in both containerRegistry and experimental")
+				} else {
+					cfg.ContainerRegistry.PrivateBaseImageAllowList = registryAllowList
+				}
 			}
-			cfg.Components.Proxy.Service.ServiceType = cfg.Experimental.WebApp.ProxyConfig.ServiceType
 		}
 	}
 
@@ -235,9 +265,10 @@ const (
 )
 
 type ContainerRegistry struct {
-	InCluster *bool                      `json:"inCluster,omitempty" validate:"required"`
-	External  *ContainerRegistryExternal `json:"external,omitempty" validate:"required_if=InCluster false"`
-	S3Storage *S3Storage                 `json:"s3storage,omitempty"`
+	InCluster                 *bool                      `json:"inCluster,omitempty" validate:"required"`
+	External                  *ContainerRegistryExternal `json:"external,omitempty" validate:"required_if=InCluster false"`
+	S3Storage                 *S3Storage                 `json:"s3storage,omitempty"`
+	PrivateBaseImageAllowList []string                   `json:"privateBaseImageAllowList"`
 }
 
 type ContainerRegistryExternal struct {
@@ -320,6 +351,8 @@ type Workspace struct {
 
 	// TimeoutAfterClose is the time a workspace timed out after it has been closed (“closed” means that it does not get a heartbeat from an IDE anymore)
 	TimeoutAfterClose *util.Duration `json:"timeoutAfterClose,omitempty"`
+
+	WorkspaceImage string `json:"workspaceImage,omitempty"`
 }
 
 type OpenVSX struct {

install/installer/pkg/config/v1/config.md

@@ -9,6 +9,7 @@ Config defines the v1 version structure of the gitpod config file
 |`kind`|string|N| `Meta`, `Workspace`, `Full` ||
 |`domain`|string|Y|  |  The domain to deploy to|
 |`metadata.region`|string|Y|  |  Location for your objectStorage provider|
+|`metadata.shortname`|string|N|  |  InstallationShortname establishes the "identity" of the (application) cluster.|
 |`repository`|string|Y|  ||
 |`observability.logLevel`|string|N| `trace`, `debug`, `info`, `warning`, `error`, `fatal`, `panic` |Taken from github.com/gitpod-io/gitpod/components/gitpod-protocol/src/util/logging.ts|
 |`observability.tracing.endpoint`|string|N|  ||
@@ -25,18 +26,27 @@ Config defines the v1 version structure of the gitpod config file
 |`objectStorage.s3.endpoint`|string|Y|  ||
 |`objectStorage.s3.credentials.kind`|string|N| `secret` ||
 |`objectStorage.s3.credentials.name`|string|Y|  ||
+|`objectStorage.s3.bucket`|string|N|  |  BucketName sets the name of an existing bucket to enable the "single bucket mode"  If no name is configured, the old "one bucket per user" behaviour kicks in.|
 |`objectStorage.cloudStorage.serviceAccount.kind`|string|N| `secret` ||
 |`objectStorage.cloudStorage.serviceAccount.name`|string|Y|  ||
 |`objectStorage.cloudStorage.project`|string|Y|  ||
 |`objectStorage.azure.credentials.kind`|string|N| `secret` ||
 |`objectStorage.azure.credentials.name`|string|Y|  ||
+|`objectStorage.maximumBackupCount`|int|N|  ||
+|`objectStorage.blobQuota`|int64|N|  ||
+|`objectStorage.resources.requests`||Y|  |  todo(sje): add custom validation to corev1.ResourceList|
+|`objectStorage.resources.limits`||N|  ||
+|`objectStorage.resources.dynamicLimits`||N|  ||
 |`containerRegistry.inCluster`|bool|Y|  ||
 |`containerRegistry.external.url`|string|Y|  ||
 |`containerRegistry.external.certificate.kind`|string|N| `secret` ||
 |`containerRegistry.external.certificate.name`|string|Y|  ||
 |`containerRegistry.s3storage.bucket`|string|Y|  ||
+|`containerRegistry.s3storage.region`|string|Y|  ||
+|`containerRegistry.s3storage.endpoint`|string|Y|  ||
 |`containerRegistry.s3storage.certificate.kind`|string|N| `secret` ||
 |`containerRegistry.s3storage.certificate.name`|string|Y|  ||
+|`containerRegistry.privateBaseImageAllowList[ ]`|[]string|N|  ||
 |`certificate.kind`|string|N| `secret` ||
 |`certificate.name`|string|Y|  ||
 |`imagePullSecrets[ ].kind`|string|N| `secret` ||
@@ -49,14 +59,16 @@ Config defines the v1 version structure of the gitpod config file
 |`workspace.resources.dynamicLimits`||N|  ||
 |`workspace.templates.default`||N|  ||
 |`workspace.templates.prebuild`||N|  ||
-|`workspace.templates.ghost`||N|  ||
 |`workspace.templates.imagebuild`||N|  ||
 |`workspace.templates.regular`||N|  ||
-|`workspace.templates.probe`||N|  ||
+|`workspace.pvc.size`||Y|  |  Size is a size of persistent volume claim to use|
+|`workspace.pvc.storageClass`|string|N|  |  StorageClass is a storage class of persistent volume claim to use|
+|`workspace.pvc.snapshotClass`|string|N|  |  SnapshotClass is a snapshot class name that is used to create volume snapshot|
 |`workspace.maxLifetime`||Y|  |  MaxLifetime is the maximum time a workspace is allowed to run. After that, the workspace times out despite activity|
 |`workspace.timeoutDefault`||N|  |  TimeoutDefault is the default timeout of a regular workspace|
 |`workspace.timeoutExtended`||N|  |  TimeoutExtended is the workspace timeout that a user can extend to for one workspace|
 |`workspace.timeoutAfterClose`||N|  |  TimeoutAfterClose is the time a workspace timed out after it has been closed (“closed” means that it does not get a heartbeat from an IDE anymore)|
+|`workspace.workspaceImage`|string|N|  ||
 |`openVSX.url`|string|N|  ||
 |`authProviders[ ].kind`|string|N| `secret` ||
 |`authProviders[ ].name`|string|Y|  ||
@@ -67,6 +79,11 @@ Config defines the v1 version structure of the gitpod config file
 |`sshGatewayHostKey.kind`|string|N| `secret` ||
 |`sshGatewayHostKey.name`|string|Y|  ||
 |`disableDefinitelyGp`|bool|N|  ||
+|`customCACert.kind`|string|N| `secret` ||
+|`customCACert.name`|string|Y|  ||
+|`dropImageRepo`|bool|N|  ||
+|`customization`||N|  ||
+|`components.proxy.service.serviceType`||N|  ||
 |`apiVersion`|string|Y|  |API version of the Gitpod config defintion. `v1` in this version of Config|
 
 
@@ -80,9 +97,58 @@ Additional config parameters that are in experimental state
 |`experimental.workspace.tracing.samplerType`|string|N| `const`, `probabilistic`, `rateLimiting`, `remote` |Values taken from https://github.com/jaegertracing/jaeger-client-go/blob/967f9c36f0fa5a2617c9a0993b03f9a3279fadc8/config/config.go#L71|
 |`experimental.workspace.tracing.samplerParam`|float64|N|  ||
 |`experimental.workspace.stage`|string|N|  ||
-|`experimental.workspace.stage`|string|N|  ||
+|`experimental.workspace.schedulerName`|string|N|  ||
+|`experimental.workspace.hostURL`|string|N|  ||
+|`experimental.workspace.workspaceClusterHost`|string|N|  ||
+|`experimental.workspace.workspaceURLTemplate`|string|N|  ||
+|`experimental.workspace.workspacePortURLTemplate`|string|N|  ||
+|`experimental.workspace.workspacePortURLTemplate`|string|N|  ||
+|`experimental.workspace.ioLimits`||N|  ||
+|`experimental.workspace.procLimit`|int64|N|  ||
+|`experimental.workspace.wsManagerRateLimits`||N|  ||
 |`experimental.workspace.registryFacade`||N|  ||
-|`experimental.webapp`|WebAppConfig|N|  ||
-|`experimental.ide`|IDEConfig|N|  ||
-
-
+|`experimental.workspace.wsDaemon`||N|  ||
+|`experimental.workspace.classes`||N|  ||
+|`experimental.workspace.wsProxy`||N|  ||
+|`experimental.webapp.publicApi.enabled`|bool|N|  ||
+|`experimental.webapp.server.workspaceDefaults.workspaceImage`|string|N|  |  @deprecated use workspace.workspaceImage instead|
+|`experimental.webapp.server.oauthServer.jwtSecret`|string|N|  ||
+|`experimental.webapp.server.session.secret`|string|N|  ||
+|`experimental.webapp.server.githubApp.appId`|int32|N|  ||
+|`experimental.webapp.server.githubApp.authProviderId`|string|N|  ||
+|`experimental.webapp.server.githubApp.baseUrl`|string|N|  ||
+|`experimental.webapp.server.githubApp.certPath`|string|N|  ||
+|`experimental.webapp.server.githubApp.enabled`|bool|N|  ||
+|`experimental.webapp.server.githubApp.logLevel`|string|N|  ||
+|`experimental.webapp.server.githubApp.marketplaceName`|string|N|  ||
+|`experimental.webapp.server.githubApp.webhookSecret`|string|N|  ||
+|`experimental.webapp.server.githubApp.certSecretName`|string|N|  ||
+|`experimental.webapp.server.chargebeeSecret`|string|N|  ||
+|`experimental.webapp.server.stripeSecret`|string|N|  ||
+|`experimental.webapp.server.stripeConfig`|string|N|  ||
+|`experimental.webapp.server.disableDynamicAuthProviderLogin`|bool|N|  ||
+|`experimental.webapp.server.enableLocalApp`|bool|N|  ||
+|`experimental.webapp.server.runDbDeleter`|bool|N|  ||
+|`experimental.webapp.server.defaultBaseImageRegistryWhitelist[ ]`|[]string|N|  |  @deprecated use containerRegistry.privateBaseImageAllowList instead|
+|`experimental.webapp.server.disableWorkspaceGarbageCollection`|bool|N|  ||
+|`experimental.webapp.server.blockedRepositories[ ].urlRegExp`|string|N|  ||
+|`experimental.webapp.server.blockedRepositories[ ].blockUser`|bool|N|  ||
+|`experimental.webapp.proxy.staticIP`|string|N|  ||
+|`experimental.webapp.proxy.serviceAnnotations`||N|  ||
+|`experimental.webapp.proxy.serviceType`||N|  |  @deprecated use components.proxy.service.serviceType instead|
+|`experimental.webapp.wsManagerBridge.skipSelf`|bool|N|  ||
+|`experimental.webapp.tracing.samplerType`|string|N| `const`, `probabilistic`, `rateLimiting`, `remote` |Values taken from https://github.com/jaegertracing/jaeger-client-go/blob/967f9c36f0fa5a2617c9a0993b03f9a3279fadc8/config/config.go#L71|
+|`experimental.webapp.tracing.samplerParam`|float64|N|  ||
+|`experimental.webapp.usePodAntiAffinity`|bool|N|  ||
+|`experimental.webapp.disableMigration`|bool|N|  ||
+|`experimental.webapp.usage.enabled`|bool|N|  ||
+|`experimental.webapp.usage.schedule`|string|N|  ||
+|`experimental.webapp.usage.creditsPerMinuteByWorkspaceClass`||N|  ||
+|`experimental.webapp.configcatKey`|string|N|  ||
+|`experimental.ide.resolveLatest`|bool|N|  |  Disable resolution of latest images and use bundled latest versions instead|
+|`experimental.ide.ideProxy.serviceAnnotations`||N|  ||
+|`experimental.ide.openvsxProxy.serviceAnnotations`||N|  ||
+|`experimental.common.podConfig`||N|  ||
+|`experimental.common.staticMessagebusPassword`|string|N|  ||
+|`experimental.telemetry.data`||N|  ||
+|`experimental.agentSmith`||N|  ||

install/installer/pkg/config/v1/experimental/experimental.go

@@ -147,6 +147,7 @@ type WebAppConfig struct {
 }
 
 type WorkspaceDefaults struct {
+	// @deprecated use workspace.workspaceImage instead
 	WorkspaceImage string `json:"workspaceImage"`
 }
 
@@ -185,8 +186,10 @@ type ServerConfig struct {
 	DisableDynamicAuthProviderLogin   bool              `json:"disableDynamicAuthProviderLogin"`
 	EnableLocalApp                    *bool             `json:"enableLocalApp"`
 	RunDbDeleter                      *bool             `json:"runDbDeleter"`
-	DefaultBaseImageRegistryWhiteList []string          `json:"defaultBaseImageRegistryWhitelist"`
 	DisableWorkspaceGarbageCollection bool              `json:"disableWorkspaceGarbageCollection"`
+
+	// @deprecated use containerRegistry.privateBaseImageAllowList instead
+	DefaultBaseImageRegistryWhiteList []string `json:"defaultBaseImageRegistryWhitelist"`
 }
 
 type ProxyConfig struct {

install/kots/manifests/gitpod-installation-status.yaml

@@ -30,7 +30,7 @@ spec:
       containers:
         - name: installation-status
           # This will normally be the release tag
-          image: "eu.gcr.io/gitpod-core-dev/build/installer:sje-installer-post-process.6"
+          image: "eu.gcr.io/gitpod-core-dev/build/installer:nvn-fix-11408.15"
           command:
             - /bin/sh
             - -c

install/kots/manifests/gitpod-installer-job.yaml

@@ -28,7 +28,7 @@ spec:
       containers:
         - name: installer
           # This will normally be the release tag
-          image: "eu.gcr.io/gitpod-core-dev/build/installer:sje-installer-post-process.6"
+          image: "eu.gcr.io/gitpod-core-dev/build/installer:nvn-fix-11408.15"
           volumeMounts:
             - mountPath: /config-patch
               name: config-patch
@@ -156,7 +156,7 @@ spec:
               echo "{{repl LocalRegistryImagePullSecret }}" | base64 -d > /tmp/kotsregistry.json
 
               # Add the registries to the server allowlist
-              yq e -i ".experimental.webApp.server.defaultBaseImageRegistryWhitelist += $(cat /tmp/kotsregistry.json | jq '.auths' | jq -rc 'keys')" "${CONFIG_FILE}"
+              yq e -i ".containerRegistry.privateBaseImageAllowList += $(cat /tmp/kotsregistry.json | jq '.auths' | jq -rc 'keys')" "${CONFIG_FILE}"
 
               if [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ];
               then