From 8035ac47ca602edbdfa22fca0d30ba2272fbccc5 Mon Sep 17 00:00:00 2001
From: Thomas Schubart
Date: Fri, 21 Oct 2022 10:44:38 +0000
Subject: [PATCH 1/3] [ws-manager] Make protected secrets the default

---
 components/ws-manager/pkg/manager/create.go | 46 +++++++++++---------
 components/ws-manager/pkg/manager/manager.go | 43 ++++++++----------
 2 files changed, 42 insertions(+), 47 deletions(-)

diff --git a/components/ws-manager/pkg/manager/create.go b/components/ws-manager/pkg/manager/create.go
index 9df292831e332d..cb6c083b402628 100644
--- a/components/ws-manager/pkg/manager/create.go
+++ b/components/ws-manager/pkg/manager/create.go
@@ -555,6 +555,8 @@ func (m *Manager) createDefiniteWorkspacePod(startContext *startWorkspaceContext
 		pod.Finalizers = append(pod.Finalizers, "gitpod.io/debugfinalizer")
 	}
 
+	setProtectedSecrets(&pod, req)
+
 	ffidx := make(map[api.WorkspaceFeatureFlag]struct{})
 	for _, feature := range startContext.Request.Spec.FeatureFlags {
 		if _, seen := ffidx[feature]; seen {
@@ -590,27 +592,6 @@ func (m *Manager) createDefiniteWorkspacePod(startContext *startWorkspaceContext
 			gitpodGUID := int64(133332)
 			pod.Spec.SecurityContext.FSGroup = &gitpodGUID
 
-		case api.WorkspaceFeatureFlag_PROTECTED_SECRETS:
-			for _, c := range pod.Spec.Containers {
-				if c.Name != "workspace" {
-					continue
-				}
-
-				for i, env := range c.Env {
-					if !isProtectedEnvVar(env.Name, req.Spec.SysEnvvars) {
-						continue
-					}
-
-					env.Value = ""
-					env.ValueFrom = &corev1.EnvVarSource{
-						SecretKeyRef: &corev1.SecretKeySelector{
-							LocalObjectReference: corev1.LocalObjectReference{Name: pod.Name},
-							Key:                  fmt.Sprintf("%x", sha256.Sum256([]byte(env.Name))),
-						},
-					}
-					c.Env[i] = env
-				}
-			}
 		case api.WorkspaceFeatureFlag_WORKSPACE_CLASS_LIMITING:
 			limits := startContext.Class.Container.Limits
 			if limits != nil && limits.CPU != nil {
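Review bot: `setProtectedSecrets(&pod, req)` is called before the feature-flag switch in createDefiniteWorkspacePod, so any env var that a remaining arm of that switch, or later code in the function, appends to the workspace container stays on the pod as a plain value; I cannot see from this hunk whether any arm does that, but calling it just before `return &pod, nil` would make the protection independent of that ordering. The second hunk leaves api.WorkspaceFeatureFlag_PROTECTED_SECRETS without a handling arm, so unless the switch has a default that tolerates unknown flags, callers still sending it need a deprecation note on the enum value. createDefiniteWorkspacePod begins and ends outside these hunks.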
@@ -651,6 +632,29 @@ func (m *Manager) createDefiniteWorkspacePod(startContext *startWorkspaceContext
 	return &pod, nil
 }
 
+func setProtectedSecrets(pod *corev1.Pod, req *api.StartWorkspaceRequest) {
+	for _, c := range pod.Spec.Containers {
+		if c.Name != "workspace" {
+			continue
+		}
+
+		for i, env := range c.Env {
+			if !isProtectedEnvVar(env.Name, req.Spec.SysEnvvars) {
+				continue
+			}
+
+			env.Value = ""
+			env.ValueFrom = &corev1.EnvVarSource{
+				SecretKeyRef: &corev1.SecretKeySelector{
+					LocalObjectReference: corev1.LocalObjectReference{Name: pod.Name},
+					Key:                  fmt.Sprintf("%x", sha256.Sum256([]byte(env.Name))),
+				},
+			}
+			c.Env[i] = env
+		}
+	}
+}
+
 func removeVolume(pod *corev1.Pod, name string) {
 	var vols []corev1.Volume
 	for _, v := range pod.Spec.Volumes {
diff --git a/components/ws-manager/pkg/manager/manager.go b/components/ws-manager/pkg/manager/manager.go
index 5b45619211dc42..ec0e4b783bbd69 100644
--- a/components/ws-manager/pkg/manager/manager.go
+++ b/components/ws-manager/pkg/manager/manager.go
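Review bot: setProtectedSecrets has no doc comment and its write-back works only through slice aliasing: `c` is a copy of each corev1.Container, so `c.Env[i] = env` reaches the pod solely because the copied `c.Env` header shares the pod's backing array. Iterating by index states that intent and avoids copying the struct per iteration, e.g. `for i := range pod.Spec.Containers {` / `c := &pod.Spec.Containers[i]`. The doc comment should also spell out the contract the rewrite relies on: every env var that isProtectedEnvVar accepts must have a matching sha256-named key in the Secret named after the pod (created in StartWorkspace), otherwise the kubelet refuses to start the container; I cannot confirm from this hunk that buildWorkspaceSecrets selects vars with the same predicate.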
@@ -311,34 +311,25 @@ func (m *Manager) StartWorkspace(ctx context.Context, req *api.StartWorkspaceReq
 		}
 	}
 
-	var createSecret bool
-	for _, feature := range startContext.Request.Spec.FeatureFlags {
-		if feature == api.WorkspaceFeatureFlag_PROTECTED_SECRETS {
-			createSecret = true
-			break
-		}
-	}
-	if createSecret {
-		secrets, _ := buildWorkspaceSecrets(startContext.Request.Spec)
+	secrets, _ := buildWorkspaceSecrets(startContext.Request.Spec)
 
-		// This call actually modifies the initializer and removes the secrets.
-		// Prior to the `InitWorkspace` call, we inject the secrets back into the initializer.
-		// We do this so that no Git token is stored as annotation on the pod, but solely
-		// remains within the Kubernetes secret.
-		_ = csapi.ExtractAndReplaceSecretsFromInitializer(startContext.Request.Spec.Initializer)
+	// This call actually modifies the initializer and removes the secrets.
+	// Prior to the `InitWorkspace` call, we inject the secrets back into the initializer.
+	// We do this so that no Git token is stored as annotation on the pod, but solely
+	// remains within the Kubernetes secret.
+	_ = csapi.ExtractAndReplaceSecretsFromInitializer(startContext.Request.Spec.Initializer)
 
-		secret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      podName(startContext.Request),
-				Namespace: m.Config.Namespace,
-				Labels:    startContext.Labels,
-			},
-			StringData: secrets,
-		}
-		err = m.Clientset.Create(ctx, secret)
-		if err != nil && !k8serr.IsAlreadyExists(err) {
-			return nil, xerrors.Errorf("cannot create secret for workspace pod: %w", err)
-		}
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      podName(startContext.Request),
+			Namespace: m.Config.Namespace,
+			Labels:    startContext.Labels,
+		},
+		StringData: secrets,
+	}
+	err = m.Clientset.Create(ctx, secret)
+	if err != nil && !k8serr.IsAlreadyExists(err) {
+		return nil, xerrors.Errorf("cannot create secret for workspace pod: %w", err)
 	}
 
 	err = m.Clientset.Create(ctx, pod)
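Review bot: `secrets, _ := buildWorkspaceSecrets(startContext.Request.Spec)` discards the error, and with the feature-flag gate removed this now runs for every workspace start rather than for opted-in ones. If it fails, the Secret is presumably still created without the keys the pod's secretKeyRefs point at, so the failure only shows up later as a container start error on the pod and never on ws-manager's own error path; handle it here with `secrets, err := buildWorkspaceSecrets(startContext.Request.Spec)` followed by `if err != nil { return nil, xerrors.Errorf("cannot build secrets for workspace pod: %w", err) }` (`err` already exists in this function, so use `=` with a separate `var secrets` if it was declared in an outer scope). The discarded result of `csapi.ExtractAndReplaceSecretsFromInitializer` deserves the same treatment, since that call is what keeps Git tokens out of the pod annotations. Tolerating `IsAlreadyExists` means a leftover Secret under the same pod name is reused as-is, so its content may not match this request; that behaviour predates the change but now applies to every start. StartWorkspace continues outside the hunk.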
From 085a6821487030751ad39f235849993cad1ede11 Mon Sep 17 00:00:00 2001
From: Thomas Schubart
Date: Fri, 21 Oct 2022 11:26:38 +0000
Subject: [PATCH 2/3] [ws-manager] Update test files

---
 .../pkg/manager/testdata/cdwp_admission.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_class.golden | 9 +++++++--
 .../manager/testdata/cdwp_empty_resource_req.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_envvars.golden | 13 +++++++++----
 .../testdata/cdwp_fullworkspacebackup.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_imagebuild.golden | 9 +++++++--
 .../testdata/cdwp_imagebuild_template.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_no_ideimage.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_prebuild.golden | 9 +++++++--
 .../manager/testdata/cdwp_prebuild_template.golden | 9 +++++++--
 ...cdwp_prebuild_template_override_resources.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_readinessprobe.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_sshkeys.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_sys_envvars.golden | 13 +++++++++----
 .../pkg/manager/testdata/cdwp_tasks.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_template.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_timeout.golden | 9 +++++++--
 .../pkg/manager/testdata/cdwp_userns.golden | 9 +++++++--
 .../testdata/cdwp_with_ephemeral_storage.golden | 9 +++++++--
 .../testdata/cdwp_withaffinity_regular.golden | 9 +++++++--
 .../testdata/cdwp_withaffinityheadless.golden | 9 +++++++--
 21 files changed, 151 insertions(+), 46 deletions(-)

diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_admission.golden b/components/ws-manager/pkg/manager/testdata/cdwp_admission.golden
index f7d7808a22b4bb..070205a9dfd301 100644
--- a/components/ws-manager/pkg/manager/testdata/cdwp_admission.golden
+++ b/components/ws-manager/pkg/manager/testdata/cdwp_admission.golden
@@ -136,7 +136,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -270,4 +275,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_class.golden b/components/ws-manager/pkg/manager/testdata/cdwp_class.golden index fb26aef8ac3163..9fb3c2aeb6600b 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_class.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_class.golden @@ -136,7 +136,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -290,4 +295,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_empty_resource_req.golden b/components/ws-manager/pkg/manager/testdata/cdwp_empty_resource_req.golden index fa29bcf33cfe84..ec52aeea6e1209 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_empty_resource_req.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_empty_resource_req.golden @@ -132,7 +132,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -263,4 +268,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_envvars.golden b/components/ws-manager/pkg/manager/testdata/cdwp_envvars.golden index d7a78576a04add..55dedeb25078e9 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_envvars.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_envvars.golden 
@@ -160,14 +160,19 @@ }, { "name": "something_without_gitpod", - "value": "will make it" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "c1cf1305c2eb1eb4b0ce3f327b383751e785615720db2bcafc5227788067761c" + } + } }, { "name": "one_from_a_secret", "valueFrom": { "secretKeyRef": { - "name": "some-secret", - "key": "some-key" + "name": "ws-test", + "key": "31ba5230e08a8d69893703c936aaf570c76246cac7a2f7d4cfd28b8ab180631b" } } }, @@ -303,4 +308,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_fullworkspacebackup.golden b/components/ws-manager/pkg/manager/testdata/cdwp_fullworkspacebackup.golden index dc8bffedb94e54..8bedfebbb33ce7 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_fullworkspacebackup.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_fullworkspacebackup.golden @@ -126,7 +126,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -255,4 +260,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_imagebuild.golden b/components/ws-manager/pkg/manager/testdata/cdwp_imagebuild.golden index 9585523ee4691d..7940789da8887e 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_imagebuild.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_imagebuild.golden @@ -144,7 +144,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "imagebuild-foobar", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -288,4 +293,4 @@ }, "status": {} } -} \ No newline at end of file +} 
diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_imagebuild_template.golden b/components/ws-manager/pkg/manager/testdata/cdwp_imagebuild_template.golden index 9585523ee4691d..7940789da8887e 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_imagebuild_template.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_imagebuild_template.golden @@ -144,7 +144,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "imagebuild-foobar", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -288,4 +293,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_no_ideimage.golden b/components/ws-manager/pkg/manager/testdata/cdwp_no_ideimage.golden index 6e63c6e552351a..98e9b37a40dc4b 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_no_ideimage.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_no_ideimage.golden @@ -132,7 +132,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -260,4 +265,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_prebuild.golden b/components/ws-manager/pkg/manager/testdata/cdwp_prebuild.golden index 95ec5aea78e262..ea7969574daaba 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_prebuild.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_prebuild.golden @@ -132,7 +132,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "prebuild-foobar", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -270,4 +275,4 @@ }, "status": {} } -} \ No newline at end of file +} 
diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_prebuild_template.golden b/components/ws-manager/pkg/manager/testdata/cdwp_prebuild_template.golden index 95ec5aea78e262..ea7969574daaba 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_prebuild_template.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_prebuild_template.golden @@ -132,7 +132,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "prebuild-foobar", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -270,4 +275,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_prebuild_template_override_resources.golden b/components/ws-manager/pkg/manager/testdata/cdwp_prebuild_template_override_resources.golden index 369e0a44a4c77e..696db20896b6a6 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_prebuild_template_override_resources.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_prebuild_template_override_resources.golden @@ -132,7 +132,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "prebuild-foobar", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -270,4 +275,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_readinessprobe.golden b/components/ws-manager/pkg/manager/testdata/cdwp_readinessprobe.golden index 1a20730db04a29..56d52af9fe5eb3 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_readinessprobe.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_readinessprobe.golden 
@@ -132,7 +132,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -266,4 +271,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_sshkeys.golden b/components/ws-manager/pkg/manager/testdata/cdwp_sshkeys.golden index 42569e5002ad99..50be2b6b7181e6 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_sshkeys.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_sshkeys.golden @@ -133,7 +133,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -267,4 +272,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_sys_envvars.golden b/components/ws-manager/pkg/manager/testdata/cdwp_sys_envvars.golden index 8d328547d29d23..d33ec049b3bf79 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_sys_envvars.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_sys_envvars.golden @@ -164,14 +164,19 @@ }, { "name": "something_without_gitpod", - "value": "will make it" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "c1cf1305c2eb1eb4b0ce3f327b383751e785615720db2bcafc5227788067761c" + } + } }, { "name": "one_from_a_secret", "valueFrom": { "secretKeyRef": { - "name": "some-secret", - "key": "some-key" + "name": "ws-test", + "key": "31ba5230e08a8d69893703c936aaf570c76246cac7a2f7d4cfd28b8ab180631b" } } }, @@ -307,4 +312,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_tasks.golden b/components/ws-manager/pkg/manager/testdata/cdwp_tasks.golden index 355d3d62da448e..226701fcb9057a 100644 
--- a/components/ws-manager/pkg/manager/testdata/cdwp_tasks.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_tasks.golden @@ -136,7 +136,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -270,4 +275,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_template.golden b/components/ws-manager/pkg/manager/testdata/cdwp_template.golden index 14e68e5b192555..39eeffd1ceb827 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_template.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_template.golden @@ -132,7 +132,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -266,4 +271,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_timeout.golden b/components/ws-manager/pkg/manager/testdata/cdwp_timeout.golden index 423cdd71c4b1eb..b8f1035bfa4bfd 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_timeout.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_timeout.golden @@ -137,7 +137,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -271,4 +276,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_userns.golden b/components/ws-manager/pkg/manager/testdata/cdwp_userns.golden index 041c28f2bde3cc..04ab00872c395a 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_userns.golden 
+++ b/components/ws-manager/pkg/manager/testdata/cdwp_userns.golden @@ -132,7 +132,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -266,4 +271,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_with_ephemeral_storage.golden b/components/ws-manager/pkg/manager/testdata/cdwp_with_ephemeral_storage.golden index 78f24f59a41696..dcc33e10217be7 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_with_ephemeral_storage.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_with_ephemeral_storage.golden @@ -144,7 +144,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "imagebuild-foobar", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -285,4 +290,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_withaffinity_regular.golden b/components/ws-manager/pkg/manager/testdata/cdwp_withaffinity_regular.golden index 14e68e5b192555..39eeffd1ceb827 100644 --- a/components/ws-manager/pkg/manager/testdata/cdwp_withaffinity_regular.golden +++ b/components/ws-manager/pkg/manager/testdata/cdwp_withaffinity_regular.golden @@ -132,7 +132,12 @@ }, { "name": "foo", - "value": "bar" + "valueFrom": { + "secretKeyRef": { + "name": "ws-test", + "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + } + } }, { "name": "GITPOD_INTERVAL", @@ -266,4 +271,4 @@ }, "status": {} } -} \ No newline at end of file +} diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_withaffinityheadless.golden b/components/ws-manager/pkg/manager/testdata/cdwp_withaffinityheadless.golden index 9585523ee4691d..7940789da8887e 100644 
--- a/components/ws-manager/pkg/manager/testdata/cdwp_withaffinityheadless.golden
+++ b/components/ws-manager/pkg/manager/testdata/cdwp_withaffinityheadless.golden
@@ -144,7 +144,12 @@
         },
         {
           "name": "foo",
-          "value": "bar"
+          "valueFrom": {
+            "secretKeyRef": {
+              "name": "imagebuild-foobar",
+              "key": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"
+            }
+          }
         },
         {
           "name": "GITPOD_INTERVAL",
@@ -288,4 +293,4 @@
   },
   "status": {}
 }
-}
\ No newline at end of file
+}

From f457b672e94feb07dbfc2c66e049fb2e9272cbc3 Mon Sep 17 00:00:00 2001
From: Thomas Schubart
Date: Mon, 24 Oct 2022 09:14:31 +0000
Subject: [PATCH 3/3] [ws-manager] Ensure values are not overwritten

If a variable is already sourced from a reference do not overwrite it.
---
 components/ws-manager/pkg/manager/create.go | 5 +++++
 .../ws-manager/pkg/manager/testdata/cdwp_envvars.golden | 4 ++--
 .../ws-manager/pkg/manager/testdata/cdwp_sys_envvars.golden | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/components/ws-manager/pkg/manager/create.go b/components/ws-manager/pkg/manager/create.go
index cb6c083b402628..87804190581ab3 100644
--- a/components/ws-manager/pkg/manager/create.go
+++ b/components/ws-manager/pkg/manager/create.go
@@ -643,6 +643,11 @@ func setProtectedSecrets(pod *corev1.Pod, req *api.StartWorkspaceRequest) {
 				continue
 			}
 
+			// already sourced from somewhere else
+			if env.ValueFrom != nil {
+				continue
+			}
+
 			env.Value = ""
 			env.ValueFrom = &corev1.EnvVarSource{
 				SecretKeyRef: &corev1.SecretKeySelector{
diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_envvars.golden b/components/ws-manager/pkg/manager/testdata/cdwp_envvars.golden
index 55dedeb25078e9..d776b973b6c5e8 100644
--- a/components/ws-manager/pkg/manager/testdata/cdwp_envvars.golden
+++ b/components/ws-manager/pkg/manager/testdata/cdwp_envvars.golden
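Review bot: The added guard `if env.ValueFrom != nil { continue }` in setProtectedSecrets fixes the overwrite seen in the patch-2 golden files, but its comment `// already sourced from somewhere else` does not say what the caller may rely on; suggest `// keep caller-supplied references intact: only literal values are moved into the per-workspace Secret; a var that already points at another Secret or field is left as provided and is not covered by the Secret created in StartWorkspace`. Because the skip happens after isProtectedEnvVar has accepted the name, the Secret built for the workspace may still carry a sha256-named key for this var that nothing references; I cannot tell from this hunk whether buildWorkspaceSecrets filters such entries. setProtectedSecrets begins and ends outside the hunk.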
@@ -171,8 +171,8 @@
           "name": "one_from_a_secret",
           "valueFrom": {
             "secretKeyRef": {
-              "name": "ws-test",
-              "key": "31ba5230e08a8d69893703c936aaf570c76246cac7a2f7d4cfd28b8ab180631b"
+              "name": "some-secret",
+              "key": "some-key"
             }
           }
         },
diff --git a/components/ws-manager/pkg/manager/testdata/cdwp_sys_envvars.golden b/components/ws-manager/pkg/manager/testdata/cdwp_sys_envvars.golden
index d33ec049b3bf79..161347cc07842d 100644
--- a/components/ws-manager/pkg/manager/testdata/cdwp_sys_envvars.golden
+++ b/components/ws-manager/pkg/manager/testdata/cdwp_sys_envvars.golden
@@ -175,8 +175,8 @@
           "name": "one_from_a_secret",
           "valueFrom": {
             "secretKeyRef": {
-              "name": "ws-test",
-              "key": "31ba5230e08a8d69893703c936aaf570c76246cac7a2f7d4cfd28b8ab180631b"
+              "name": "some-secret",
+              "key": "some-key"
             }
           }
         },