diff --git a/.werft/jobs/build/installer/post-process.sh b/.werft/jobs/build/installer/post-process.sh
index 9ec9125aaf87f4..345b1e034c6349 100755
--- a/.werft/jobs/build/installer/post-process.sh
+++ b/.werft/jobs/build/installer/post-process.sh
@@ -52,7 +52,7 @@ MATCHES="$(grep -c -- --- k8s.yaml)" # get the read number of K8s manifest docs # K8s object names and kinds are duplicated in a config map to faciliate deletion # subtract one (the config map) and then divide by 2 to get the actual # of docs we'll loop through -DOCS="$((((MATCHES - 1) / 2) + 1))" +DOCS="$(((MATCHES - 1) / 2))" documentIndex=0 while [ "$documentIndex" -le "$DOCS" ]; do
diff --git a/components/ws-daemon/pkg/controller/workspace_controller.go b/components/ws-daemon/pkg/controller/workspace_controller.go
index 8fd0826fc984b7..e2d676217b6292 100644
--- a/components/ws-daemon/pkg/controller/workspace_controller.go
+++ b/components/ws-daemon/pkg/controller/workspace_controller.go
@@ -22,7 +22,9 @@ import (
 "github.com/prometheus/client_golang/prometheus"
 "google.golang.org/protobuf/proto"
 
+ corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/client-go/util/retry"
 ctrl "sigs.k8s.io/controller-runtime"
@@ -55,9 +57,10 @@ type WorkspaceController struct {
 maxConcurrentReconciles int
 operations *WorkspaceOperations
 metrics *workspaceMetrics
+ secretNamespace string
 }
 
-func NewWorkspaceController(c client.Client, nodeName string, maxConcurrentReconciles int, ops *WorkspaceOperations, reg prometheus.Registerer) (*WorkspaceController, error) {
+func NewWorkspaceController(c client.Client, nodeName, secretNamespace string, maxConcurrentReconciles int, ops *WorkspaceOperations, reg prometheus.Registerer) (*WorkspaceController, error) {
 metrics := newWorkspaceMetrics()
 reg.Register(metrics)
 
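Review bot: The new `secretNamespace` field on WorkspaceController and the matching constructor parameter carry no doc comment, and the name is singular while the config field it is populated from (`RuntimeConfig.SecretsNamespace` in ws-daemon, `Configuration.SecretsNamespace` in ws-manager) is plural. Renaming it `secretsNamespace` and adding `// secretsNamespace is the namespace holding the per-workspace token Secrets the controller reads during content init.` keeps the three spellings aligned and tells the reader why a daemon needs a second namespace at all. The body of NewWorkspaceController continues outside the hunk.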
@@ -67,6 +70,7 @@ func NewWorkspaceController(c client.Client, nodeName string, maxConcurrentRecon
 maxConcurrentReconciles: maxConcurrentReconciles,
 operations: ops,
 metrics: metrics,
+ secretNamespace: secretNamespace,
 }, nil
 }
 
@@ -139,10 +143,8 @@ func (wsc *WorkspaceController) handleWorkspaceInit(ctx context.Context, ws *wor
 defer tracing.FinishSpan(span, &err)
 
 if c := wsk8s.GetCondition(ws.Status.Conditions, string(workspacev1.WorkspaceConditionContentReady)); c == nil {
- var init csapi.WorkspaceInitializer
- err = proto.Unmarshal(ws.Spec.Initializer, &init)
+ init, err := wsc.prepareInitializer(ctx, ws)
 if err != nil {
- err = fmt.Errorf("cannot unmarshal initializer config: %w", err)
 return ctrl.Result{}, err
 }
 
@@ -153,7 +155,7 @@ func (wsc *WorkspaceController) handleWorkspaceInit(ctx context.Context, ws *wor
 WorkspaceId: ws.Spec.Ownership.WorkspaceID,
 InstanceId: ws.Name,
 },
- Initializer: &init,
+ Initializer: init,
 Headless: ws.IsHeadless(),
 })
 
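Review bot: In handleWorkspaceInit, `init, err := wsc.prepareInitializer(ctx, ws)` declares a fresh `err` inside the `if` block and shadows the outer `err` that `defer tracing.FinishSpan(span, &err)` captures; the early `return ctrl.Result{}, err` still assigns the result the span reads, so behaviour is correct today, but the shadow analyzer flags it and a later edit that drops the explicit return would silently stop recording the error on the span. Declaring `var init *csapi.WorkspaceInitializer` before the block and assigning with `init, err = wsc.prepareInitializer(ctx, ws)` (or naming the local `initErr`) removes the shadow. The function's signature, and therefore whether `err` is a named result, is outside the hunk.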
@@ -300,6 +302,27 @@ func (wsc *WorkspaceController) handleWorkspaceStop(ctx context.Context, ws *wor
 return ctrl.Result{}, err
 }
 
+func (wsc *WorkspaceController) prepareInitializer(ctx context.Context, ws *workspacev1.Workspace) (*csapi.WorkspaceInitializer, error) {
+ var init csapi.WorkspaceInitializer
+ err := proto.Unmarshal(ws.Spec.Initializer, &init)
+ if err != nil {
+ err = fmt.Errorf("cannot unmarshal initializer config: %w", err)
+ return nil, err
+ }
+
+ var tokenSecret corev1.Secret
+ err = wsc.Get(ctx, types.NamespacedName{Name: fmt.Sprintf("%s-tokens", ws.Name), Namespace: wsc.secretNamespace}, &tokenSecret)
+ if err != nil {
+ return nil, fmt.Errorf("could not get token secret for workspace: %w", err)
+ }
+
+ if err = csapi.InjectSecretsToInitializer(&init, tokenSecret.Data); err != nil {
+ return nil, fmt.Errorf("failed to inject secrets into initializer: %w", err)
+ }
+
+ return &init, nil
+}
+
 func toWorkspaceGitStatus(status *csapi.GitStatus) *workspacev1.GitStatus {
 if status == nil {
 return nil
diff --git a/components/ws-daemon/pkg/daemon/config.go b/components/ws-daemon/pkg/daemon/config.go
index 43e0bbcd31d4a0..ac072c476919c2 100644
--- a/components/ws-daemon/pkg/daemon/config.go
+++ b/components/ws-daemon/pkg/daemon/config.go
@@ -42,6 +42,7 @@ type RuntimeConfig struct {
 Container *container.Config `json:"containerRuntime"`
 Kubeconfig string `json:"kubeconfig"`
 KubernetesNamespace string `json:"namespace"`
+ SecretsNamespace string `json:"secretsNamespace"`
 }
 
 type IOLimitConfig struct {
diff --git a/components/ws-daemon/pkg/daemon/daemon.go b/components/ws-daemon/pkg/daemon/daemon.go
index b582efda900e0a..736cd1756bec6f 100644
--- a/components/ws-daemon/pkg/daemon/daemon.go
+++ b/components/ws-daemon/pkg/daemon/daemon.go
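Review bot: `fmt.Sprintf("%s-tokens", ws.Name)` in prepareInitializer hard-codes the token-Secret name that ws-manager spells independently as `fmt.Sprintf("%s-%s", req.Id, "tokens")` in manager.go and again in deleteWorkspaceSecrets on this page; if any of the three drifts, content init fails with "could not get token secret" for every workspace while the Secret quietly leaks on the other side. A single exported helper in a package both components already import, e.g. `func TokenSecretName(workspaceID string) string { return workspaceID + "-tokens" }`, pins the contract and gives the tests one name to assert. prepareInitializer also has no doc comment; `// prepareInitializer decodes ws.Spec.Initializer and re-injects the secret values that ws-manager moved into the <workspace>-tokens Secret in secretNamespace, so the initializer passed to content-service is complete.` states the three steps and why the Get is there.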
@@ -22,6 +22,7 @@ import (
 "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd"
 ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/cache"
 "sigs.k8s.io/controller-runtime/pkg/manager"
 "sigs.k8s.io/controller-runtime/pkg/metrics"
 
@@ -175,6 +176,7 @@ func NewDaemon(config Config) (*Daemon, error) {
 Namespace: config.Runtime.KubernetesNamespace,
 HealthProbeBindAddress: "0",
 MetricsBindAddress: "0", // Metrics are exposed through baseserver.
+ NewCache: cache.MultiNamespacedCacheBuilder([]string{config.Runtime.KubernetesNamespace, config.Runtime.SecretsNamespace}),
 })
 if err != nil {
 return nil, err
@@ -207,7 +209,8 @@ func NewDaemon(config Config) (*Daemon, error) {
 return nil, err
 }
 
- wsctrl, err := controller.NewWorkspaceController(mgr.GetClient(), nodename, config.WorkspaceController.MaxConcurrentReconciles, workspaceOps, wrappedReg)
+ wsctrl, err := controller.NewWorkspaceController(
+ mgr.GetClient(), nodename, config.Runtime.SecretsNamespace, config.WorkspaceController.MaxConcurrentReconciles, workspaceOps, wrappedReg)
 if err != nil {
 return nil, err
 }
diff --git a/components/ws-manager-api/go/config/config.go b/components/ws-manager-api/go/config/config.go
index 00dff49ebeb683..506d9f8ada6da4 100644
--- a/components/ws-manager-api/go/config/config.go
+++ b/components/ws-manager-api/go/config/config.go
@@ -77,6 +77,8 @@ type ServiceConfiguration struct {
 type Configuration struct {
 // Namespace is the kubernetes namespace the workspace manager operates in
 Namespace string `json:"namespace"`
+ // SecretsNamespace is the kubernetes namespace which contains workspace secrets
+ SecretsNamespace string `json:"secretsNamespace"`
 // SchedulerName is the name of the workspace scheduler all pods are created with
 SchedulerName string `json:"schedulerName"`
 // SeccompProfile names the seccomp profile workspaces will use
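Review bot: `cache.MultiNamespacedCacheBuilder([]string{config.Runtime.KubernetesNamespace, config.Runtime.SecretsNamespace})` is built without checking that SecretsNamespace is non-empty; in controller-runtime an empty namespace string selects all namespaces, so a config that omits the new `secretsNamespace` key would have ws-daemon start cluster-wide informers for every cached type instead of failing fast (the rendered ws-daemon configs on this page do set it to `workspace-secrets`, so only a hand-written config is exposed). Rejecting the empty value where RuntimeConfig is validated, e.g. `if config.Runtime.SecretsNamespace == "" { return nil, fmt.Errorf("runtime.secretsNamespace must be set") }` before the manager is created, keeps the daemon's watch scope at the two namespaces its Role and RoleBinding in the rendered manifests actually grant. The body of NewDaemon continues outside the hunks.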
diff --git a/components/ws-manager-mk2/controllers/maintenance_controller.go b/components/ws-manager-mk2/controllers/maintenance_controller.go
index d2f2f14fb93fd5..a8422e6767d0b9 100644
--- a/components/ws-manager-mk2/controllers/maintenance_controller.go
+++ b/components/ws-manager-mk2/controllers/maintenance_controller.go
@@ -50,7 +50,6 @@ func (r *MaintenanceReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 log := log.FromContext(ctx).WithValues("configMap", req.NamespacedName)
 
 if req.Name != configMapName {
- log.Info("ignoring unexpected ConfigMap")
 return ctrl.Result{}, nil
 }
 
diff --git a/components/ws-manager-mk2/controllers/suite_test.go b/components/ws-manager-mk2/controllers/suite_test.go
index 1e41ce4e84e7d5..808a248b474274 100644
--- a/components/ws-manager-mk2/controllers/suite_test.go
+++ b/components/ws-manager-mk2/controllers/suite_test.go
@@ -24,6 +24,8 @@ import (
 "github.com/gitpod-io/gitpod/ws-manager-mk2/pkg/activity"
 "github.com/gitpod-io/gitpod/ws-manager/api/config"
 workspacev1 "github.com/gitpod-io/gitpod/ws-manager/api/crd/v1"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 //+kubebuilder:scaffold:imports
 )
 
@@ -31,9 +33,10 @@ import (
 // http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
 
 const (
- timeout = time.Second * 20
- duration = time.Second * 2
- interval = time.Millisecond * 250
+ timeout = time.Second * 20
+ duration = time.Second * 2
+ interval = time.Millisecond * 250
+ secretsNamespace = "workspace-secrets"
 )
 
 // var cfg *rest.Config
@@ -113,6 +116,7 @@ var _ = BeforeSuite(func() {
 Expect(timeoutReconciler.SetupWithManager(k8sManager)).To(Succeed())
 
 ctx, cancel = context.WithCancel(context.Background())
+ _ = createNamespace(secretsNamespace)
 
 go func() {
 defer GinkgoRecover()
@@ -127,6 +131,7 @@ func newTestConfig() config.Configuration {
 GitpodHostURL: "gitpod.io",
 HeartbeatInterval: util.Duration(30 * time.Second),
 Namespace: "default",
+ SecretsNamespace: secretsNamespace,
 SeccompProfile: "default.json",
 Timeouts: config.WorkspaceTimeoutConfiguration{
 AfterClose: util.Duration(1 * time.Minute),
@@ -156,6 +161,19 @@ func (f *fakeMaintenance) IsEnabled() bool {
 return f.enabled
 }
 
+func createNamespace(name string) *corev1.Namespace {
+ GinkgoHelper()
+
+ namespace := &corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ },
+ }
+
+ Expect(k8sClient.Create(ctx, namespace)).To(Succeed())
+ return namespace
+}
+
 var _ = AfterSuite(func() {
 cancel()
 By("tearing down the test environment")
diff --git a/components/ws-manager-mk2/controllers/workspace_controller.go b/components/ws-manager-mk2/controllers/workspace_controller.go
index 1cf4afe3acbca3..4d358469b79083 100644
--- a/components/ws-manager-mk2/controllers/workspace_controller.go
+++ b/components/ws-manager-mk2/controllers/workspace_controller.go
@@ -358,6 +358,11 @@ func (r *WorkspaceReconciler) deleteWorkspaceSecrets(ctx context.Context, ws *wo
 if err != nil {
 log.Error(err, "could not delete environment secret", "workspace", ws.Name)
 }
+
+ err = r.deleteSecret(ctx, fmt.Sprintf("%s-%s", ws.Name, "tokens"), r.Config.SecretsNamespace)
+ if err != nil {
+ log.Error(err, "could not delete token secret", "workspace", ws.Name)
+ }
 }
 
 func (r *WorkspaceReconciler) deleteSecret(ctx context.Context, name, namespace string) error {
diff --git a/components/ws-manager-mk2/controllers/workspace_controller_test.go b/components/ws-manager-mk2/controllers/workspace_controller_test.go
index d688dd61ec2fe0..7ab3db7f210dd3 100644
--- a/components/ws-manager-mk2/controllers/workspace_controller_test.go
+++ b/components/ws-manager-mk2/controllers/workspace_controller_test.go
@@ -33,8 +33,11 @@ var _ = Describe("WorkspaceController", func() {
 Context("with regular workspaces", func() {
 It("should handle successful workspace creation and stop request", func() {
 name := uuid.NewString()
+
+ envSecret := createSecret(fmt.Sprintf("%s-env", name), "default")
+ tokenSecret := createSecret(fmt.Sprintf("%s-tokens", name), secretsNamespace)
+
 ws := newWorkspace(name, "default")
- secret := createSecret(fmt.Sprintf("%s-env", name), "default")
 m := collectMetricCounts(wsMetrics, ws)
 pod := createWorkspaceExpectPod(ws)
 
@@ -73,7 +76,8 @@ var _ = Describe("WorkspaceController", func() {
 })
 expectPhaseEventually(ws, workspacev1.WorkspacePhaseRunning)
 
- expectSecretCleanup(secret)
+ expectSecretCleanup(envSecret)
+ expectSecretCleanup(tokenSecret)
 
 markContentReady(ws)
 
@@ -255,7 +259,10 @@ var _ = Describe("WorkspaceController", func() {
 It("deleting workspace resource should gracefully clean up", func() {
 name := uuid.NewString()
 ws := newWorkspace(name, "default")
- secret := createSecret(fmt.Sprintf("%s-env", name), "default")
+
+ envSecret := createSecret(fmt.Sprintf("%s-env", name), "default")
+ tokenSecret := createSecret(fmt.Sprintf("%s-tokens", name), secretsNamespace)
+
 m := collectMetricCounts(wsMetrics, ws)
 pod := createWorkspaceExpectPod(ws)
 
@@ -269,7 +276,8 @@ var _ = Describe("WorkspaceController", func() {
 
 expectWorkspaceCleanup(ws, pod)
 
- expectSecretCleanup(secret)
+ expectSecretCleanup(envSecret)
+ expectSecretCleanup(tokenSecret)
 
 expectMetricsDelta(m, collectMetricCounts(wsMetrics, ws), metricCounts{
 restores: 1,
diff --git a/components/ws-manager-mk2/main.go b/components/ws-manager-mk2/main.go
index 302fc4951d8395..f802614895fe52 100644
--- a/components/ws-manager-mk2/main.go
+++ b/components/ws-manager-mk2/main.go
@@ -18,12 +18,9 @@ import (
 "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/credentials/insecure"
 _ "k8s.io/client-go/plugin/pkg/client/auth"
- "k8s.io/client-go/rest"
 
 grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
 "github.com/prometheus/client_golang/prometheus"
- corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -109,16 +106,7 @@ func main() {
 HealthProbeBindAddress: cfg.Health.Addr,
 LeaderElection: enableLeaderElection,
 LeaderElectionID: "ws-manager-mk2-leader.gitpod.io",
- Namespace: cfg.Manager.Namespace,
- NewCache: func(conf *rest.Config, opts cache.Options) (cache.Cache, error) {
- // Only watch the maintenance mode ConfigMap.
- opts.SelectorsByObject = cache.SelectorsByObject{
- &corev1.ConfigMap{}: cache.ObjectSelector{
- Label: labels.SelectorFromSet(labels.Set{controllers.LabelMaintenance: "true"}),
- },
- }
- return cache.New(conf, opts)
- },
+ NewCache: cache.MultiNamespacedCacheBuilder([]string{cfg.Manager.Namespace, cfg.Manager.SecretsNamespace}),
 })
 if err != nil {
 setupLog.Error(err, "unable to start manager")
diff --git a/components/ws-manager-mk2/service/manager.go b/components/ws-manager-mk2/service/manager.go
index 1a47a5a6688fef..026017ec512aac 100644
--- a/components/ws-manager-mk2/service/manager.go
+++ b/components/ws-manager-mk2/service/manager.go
@@ -33,6 +33,7 @@ import (
 "github.com/gitpod-io/gitpod/ws-manager/api/config"
 workspacev1 "github.com/gitpod-io/gitpod/ws-manager/api/crd/v1"
 
+ csapi "github.com/gitpod-io/gitpod/content-service/api"
 "github.com/sirupsen/logrus"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
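Review bot: The replacement `NewCache: cache.MultiNamespacedCacheBuilder([]string{cfg.Manager.Namespace, cfg.Manager.SecretsNamespace})` drops the `SelectorsByObject` that limited the ConfigMap informer to objects labelled `controllers.LabelMaintenance: "true"`, so the manager now caches every ConfigMap in both namespaces (and every Secret once one is read through the cached client); the removal of the "ignoring unexpected ConfigMap" log in maintenance_controller.go on this page looks like a symptom of that wider watch rather than an independent cleanup. The selector and the multi-namespace builder compose: keep a NewCache func literal that sets `opts.SelectorsByObject` and forwards to the builder, which also keeps the `rest`, `corev1` and `labels` imports this hunk removes. An empty `cfg.Manager.SecretsNamespace` selects all namespaces in controller-runtime, and the rendered ws-manager-mk2 configs on this page carry `"secretsNamespace": ""`, so the same non-empty check proposed for ws-daemon belongs here before the manager is created.

```go
		NewCache: func(conf *rest.Config, opts cache.Options) (cache.Cache, error) {
			// Keep the maintenance-ConfigMap label selector; only the namespace set widens.
			opts.SelectorsByObject = cache.SelectorsByObject{
				&corev1.ConfigMap{}: cache.ObjectSelector{
					Label: labels.SelectorFromSet(labels.Set{controllers.LabelMaintenance: "true"}),
				},
			}
			return cache.MultiNamespacedCacheBuilder([]string{cfg.Manager.Namespace, cfg.Manager.SecretsNamespace})(conf, opts)
		},
		// … unchanged: remaining manager options …
```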
@@ -116,11 +117,6 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 return nil, status.Errorf(codes.InvalidArgument, "unsupported workspace type: %v", req.Type)
 }
 
- initializer, err := proto.Marshal(req.Spec.Initializer)
- if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, "cannot serialise content initializer: %v", err)
- }
-
 var git *workspacev1.GitSpec
 if req.Spec.Git != nil {
 git = &workspacev1.GitSpec{
@@ -204,6 +200,12 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 userEnvVars, envData := extractWorkspaceUserEnv(envSecretName, req.Spec.Envvars, req.Spec.SysEnvvars)
 sysEnvVars := extractWorkspaceSysEnv(req.Spec.SysEnvvars)
 
+ tokenData := extractWorkspaceTokenData(req.Spec)
+ initializer, err := proto.Marshal(req.Spec.Initializer)
+ if err != nil {
+ return nil, status.Errorf(codes.InvalidArgument, "cannot serialise content initializer: %v", err)
+ }
+
 ws := workspacev1.Workspace{
 TypeMeta: metav1.TypeMeta{
 APIVersion: workspacev1.GroupVersion.String(),
@@ -256,6 +258,11 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 return nil, fmt.Errorf("cannot create env secret for workspace %s: %w", req.Id, err)
 }
 
+ err = wsm.createWorkspaceSecret(ctx, &ws, fmt.Sprintf("%s-%s", req.Id, "tokens"), wsm.Config.SecretsNamespace, tokenData)
+ if err != nil {
+ return nil, fmt.Errorf("cannot create token secret for workspace %s: %w", req.Id, err)
+ }
+
 wsm.metrics.recordWorkspaceStart(&ws)
 err = wsm.Client.Create(ctx, &ws)
 if err != nil {
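Review bot: `wsm.createWorkspaceSecret(ctx, &ws, fmt.Sprintf("%s-%s", req.Id, "tokens"), wsm.Config.SecretsNamespace, tokenData)` hands the Workspace to the same helper used for the env Secret in the workspace namespace; if that helper sets an ownerReference to `ws` (its body is not on this page), the reference is cross-namespace for the token Secret, which Kubernetes does not support — the garbage collector treats such an owner as absent and may delete the Secret out from under the daemon — so the helper should skip the ownerReference when the target namespace differs from `ws.Namespace` and rely on deleteWorkspaceSecrets for cleanup. The rendered ws-manager configs on this page carry `"secretsNamespace": ""`, and a Create into an empty namespace is rejected by the API server, so with that config every StartWorkspace would fail at this line; validating `wsm.Config.SecretsNamespace` once at startup surfaces the misconfiguration instead of failing per request. The move of `proto.Marshal` to after `extractWorkspaceTokenData(req.Spec)` is load-bearing and deserves a comment, e.g. `// extractWorkspaceTokenData strips secret values out of req.Spec.Initializer; marshal only afterwards so the Workspace resource never carries them.`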
@@ -857,6 +864,14 @@ func extractWorkspaceSysEnv(sysEnvs []*wsmanapi.EnvironmentVariable) []corev1.En
 return envs
 }
 
+func extractWorkspaceTokenData(spec *wsmanapi.StartWorkspaceSpec) map[string]string {
+ secrets := make(map[string]string)
+ for k, v := range csapi.ExtractAndReplaceSecretsFromInitializer(spec.Initializer) {
+ secrets[k] = v
+ }
+ return secrets
+}
+
 func extractWorkspaceStatus(ws *workspacev1.Workspace) *wsmanapi.WorkspaceStatus {
 version, _ := strconv.ParseUint(ws.ResourceVersion, 10, 64)
 
diff --git a/install/installer/cmd/testdata/render/agent-smith/output.golden b/install/installer/cmd/testdata/render/agent-smith/output.golden
index 42f68e85d7c379..0f2e1fd16c1619 100644
--- a/install/installer/cmd/testdata/render/agent-smith/output.golden
+++ b/install/installer/cmd/testdata/render/agent-smith/output.golden
@@ -3146,6 +3146,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3202,6 +3212,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5692,7 +5709,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5809,6 +5827,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": {
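Review bot: extractWorkspaceTokenData copies the map returned by `csapi.ExtractAndReplaceSecretsFromInitializer` entry by entry without transforming it; unless the copy is there to turn a nil result into an empty non-nil map for the Secret's data, `return csapi.ExtractAndReplaceSecretsFromInitializer(spec.Initializer)` is equivalent and shorter, and if the nil-normalisation is the intent a one-line comment should say so. More importantly, nothing in the function's name or signature reveals that the call mutates `spec.Initializer` in place (the "Replace" in the callee's name suggests it strips the secret values), which is exactly why StartWorkspace on this page now marshals the initializer only after calling it; a doc comment such as `// extractWorkspaceTokenData pulls secret values out of spec.Initializer and returns them as Secret data. It modifies spec.Initializer in place, so callers must marshal the initializer only after this call.` makes the ordering constraint explicit for the next caller.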
@@ -6756,6 +6775,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7226,6 +7265,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8316,7 +8371,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10983,7 +11038,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index 3d8e89ebb70478..973b712ae23deb 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden 
@@ -2759,6 +2759,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -2815,6 +2825,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5033,7 +5050,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5154,6 +5172,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6067,6 +6086,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -6519,6 +6558,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7484,7 +7539,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 573f5fc567df7be7fba63ecdc681e3aa5f059daa207992586a41bba4106d2545 + gitpod.io/checksum_config: a23a04a77f794df58d7dffe59383242db628f6da2c0e4bac7620b1d968996243 creationTimestamp: null labels: app: gitpod @@ -9796,7 +9851,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: b7da41879471e13b5f45ca5d34265974ed68c3c77c93f8d9b6c0d188ac9724e5 + gitpod.io/checksum_config: 9e4ebf60455939d2a4b5781c2c4e3b84c9029ee7f841dfcb5f3ccc8f7179599e creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden index 53fb91ec5fbb88..c72480df822dd8 100644 --- a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden +++ b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden @@ -2963,6 +2963,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null 
@@ -3019,6 +3029,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5509,7 +5526,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5626,6 +5644,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6573,6 +6592,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7043,6 +7082,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8133,7 +8188,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
@@ -10800,7 +10855,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index c4ec44917ffd6c..1d831a72d6f9f4 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -3427,6 +3427,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3498,6 +3508,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -6126,7 +6143,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -6248,6 +6266,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -7210,6 +7229,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7680,6 +7719,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8886,7 +8941,7 @@ spec: metadata: annotations: gitpod.io: hello - gitpod.io/checksum_config: e72f036b19d3287feece7409ecc0991d1c4f58ad96da7b901ce565b0f5208039 + gitpod.io/checksum_config: 0f892bd4e952cbaa5d71eaaea340ba2838a5763f0caca3f2e6f1b1591c104000 hello: world creationTimestamp: null labels: @@ -11685,7 +11740,7 @@ spec: metadata: annotations: gitpod.io: hello - gitpod.io/checksum_config: 6ea687679b10a3046a6840985edd56495c512b0d5bf4b5a9f85d46f41de49036 + gitpod.io/checksum_config: 14b2091d899fef2d7a41550f7baf02deebc76d64734f5d9b812acd7f937eed88 hello: world creationTimestamp: null labels: diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index 3db0467025f40d..5a10a9703ac342 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden 
@@ -2857,6 +2857,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -2913,6 +2923,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5289,7 +5306,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5406,6 +5424,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6334,6 +6353,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -6786,6 +6825,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7853,7 +7908,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10423,7 +10478,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index e670282ae24073..1d2b707828c6e0 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden @@ -2796,6 +2796,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null 
@@ -2852,6 +2862,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5060,7 +5077,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5176,6 +5194,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6084,6 +6103,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6554,6 +6593,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7543,7 +7598,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: eb4dd48f0756c6343cc7b91acd5ec6e881b6d1f97547b217b5ce52d5e6669e91 + gitpod.io/checksum_config: c9e4e386dff69815d3f4617c1255e1fc80fdf92a2406c6511ca690df3d54e12d creationTimestamp: null labels: app: gitpod 
@@ -9901,7 +9956,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: e2866e24a01f026d164c591d5c649a0a5589feea38a0d90d785d1167483cd02e + gitpod.io/checksum_config: eb8ba5a842ba7a2f4e7650963e3143422148261199e4d15fbbc03016e8c3acff creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index 4cb3c454237d16..8fcc29b25d8400 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5512,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5629,6 +5647,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -6576,6 +6595,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7046,6 +7085,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8337,7 +8392,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -12127,7 +12182,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/ide-config/output.golden b/install/installer/cmd/testdata/render/ide-config/output.golden index 77c9d8383fc79b..6861e1f4478967 100644 --- a/install/installer/cmd/testdata/render/ide-config/output.golden +++ b/install/installer/cmd/testdata/render/ide-config/output.golden 
@@ -2979,6 +2979,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3035,6 +3045,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5525,7 +5542,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5642,6 +5660,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6589,6 +6608,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7059,6 +7098,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8153,7 +8208,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10822,7 +10877,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/kind-workspace/output.golden b/install/installer/cmd/testdata/render/kind-workspace/output.golden index 4428800fb8155e..ac07abbb6370de 100644 --- a/install/installer/cmd/testdata/render/kind-workspace/output.golden +++ b/install/installer/cmd/testdata/render/kind-workspace/output.golden @@ -1189,6 +1189,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null 
@@ -1245,6 +1255,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -1883,7 +1900,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -2000,6 +2018,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -2625,6 +2644,26 @@ rules: - get - update --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -2805,6 +2844,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -3389,7 +3444,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
@@ -3985,7 +4040,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 220f4f84d031d4a23cf0177b3e94a85a25707d132a8313a51602a3d8b9255414 + gitpod.io/checksum_config: 04d0c84ff10675d023182a24beb2171cdf9b88568eb96032394819e8566b3c00 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/message-bus-password/output.golden b/install/installer/cmd/testdata/render/message-bus-password/output.golden index 4b17024f994619..59781ef5e5a9dc 100644 --- a/install/installer/cmd/testdata/render/message-bus-password/output.golden +++ b/install/installer/cmd/testdata/render/message-bus-password/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5512,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5629,6 +5647,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -6576,6 +6595,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7046,6 +7085,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8136,7 +8191,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10803,7 +10858,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index b6d1cebbf214aa..af9a92e3702676 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden 
@@ -2963,6 +2963,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3019,6 +3029,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5509,7 +5526,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5626,6 +5644,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6573,6 +6592,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7043,6 +7082,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8133,7 +8188,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10800,7 +10855,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/overrides-inline/output.golden b/install/installer/cmd/testdata/render/overrides-inline/output.golden index 66f459c3479626..f56c9722195d43 100644 --- a/install/installer/cmd/testdata/render/overrides-inline/output.golden +++ b/install/installer/cmd/testdata/render/overrides-inline/output.golden @@ -2961,6 +2961,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null 
@@ -3017,6 +3027,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5507,7 +5524,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5624,6 +5642,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6571,6 +6590,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7041,6 +7080,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8143,7 +8198,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
@@ -10810,7 +10865,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/pod-config/output.golden b/install/installer/cmd/testdata/render/pod-config/output.golden index 48925d29764c79..793276f90399a0 100644 --- a/install/installer/cmd/testdata/render/pod-config/output.golden +++ b/install/installer/cmd/testdata/render/pod-config/output.golden @@ -2970,6 +2970,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3026,6 +3036,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5516,7 +5533,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5633,6 +5651,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -6580,6 +6599,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7050,6 +7089,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8140,7 +8195,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10807,7 +10862,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index be01d7b7d5da37..ae2db633e1f242 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden 
@@ -2963,6 +2963,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3019,6 +3029,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5509,7 +5526,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5626,6 +5644,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6573,6 +6592,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7043,6 +7082,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8133,7 +8188,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10800,7 +10855,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: b86c15b7ccf53d8f812d381760022c16e8bf00aa5385b5cf2acd870f0bc901db + gitpod.io/checksum_config: 7a5265597622304d09dd82531a4f224e0f16d39da5899000916b146dd370cfde creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index e11bfc5abb9c0d..06180fa4226b22 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -2975,6 +2975,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null 
@@ -3031,6 +3041,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5521,7 +5538,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5638,6 +5656,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6585,6 +6604,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7055,6 +7094,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8145,7 +8200,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
@@ -10812,7 +10867,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/telemetry/output.golden b/install/installer/cmd/testdata/render/telemetry/output.golden index 7287bef4d0f524..477bfe33c35480 100644 --- a/install/installer/cmd/testdata/render/telemetry/output.golden +++ b/install/installer/cmd/testdata/render/telemetry/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5512,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5629,6 +5647,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -6576,6 +6595,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7046,6 +7085,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8136,7 +8191,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10803,7 +10858,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index 4b553ca4234ff0..42dc9238663efe 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden 
@@ -3287,6 +3287,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3343,6 +3353,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5842,7 +5859,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5959,6 +5977,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -7017,6 +7036,26 @@ rules: verbs: - use --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7487,6 +7526,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8577,7 +8632,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -11244,7 +11299,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index 32b1fb904356ce..5dd2fe753e654d 100644 --- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null 
@@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5512,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5629,6 +5647,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -6576,6 +6595,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7046,6 +7085,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8136,7 +8191,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
@@ -10791,7 +10846,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index 201382fca12637..42e6d58789e9f4 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -2966,6 +2966,16 @@ data: namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null @@ -3022,6 +3032,13 @@ data: component: ws-daemon name: default-ws-daemon-rb --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets + --- apiVersion: v1 kind: Service metadata: @@ -5512,7 +5529,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5629,6 +5647,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -6576,6 +6595,26 @@ rules: - patch - watch --- +# rbac.authorization.k8s.io/v1/Role ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: ws-daemon + name: ws-daemon + namespace: workspace-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7046,6 +7085,22 @@ subjects: - kind: ServiceAccount name: workspace --- +# rbac.authorization.k8s.io/v1/RoleBinding ws-daemon +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: ws-daemon + namespace: workspace-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ws-daemon +subjects: +- kind: ServiceAccount + name: ws-daemon + namespace: default +--- # rbac.authorization.k8s.io/v1/RoleBinding ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8136,7 +8191,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10803,7 +10858,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 903ddd6b5567f5831d07f643a85942f7c7891ec40745b0aeb508a7c115389511 + gitpod.io/checksum_config: 8f78e0c49b70bc845b8c69ddc215fc3d1999be738c385173ffd48a84c8303fa5 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/pkg/common/common.go b/install/installer/pkg/common/common.go index a8059e6b39e997..04243924f52369 100644 --- a/install/installer/pkg/common/common.go +++ b/install/installer/pkg/common/common.go 
@@ -664,7 +664,7 @@ var DeploymentStrategy = appsv1.DeploymentStrategy{
 var (
 TypeMetaNamespace = metav1.TypeMeta{
 APIVersion: "v1",
- Kind: "namespace",
+ Kind: "Namespace",
 }
 TypeMetaStatefulSet = metav1.TypeMeta{
 APIVersion: "apps/v1",
diff --git a/install/installer/pkg/common/constants.go b/install/installer/pkg/common/constants.go
index 07c2d9aee21330..6b76f69273e899 100644
--- a/install/installer/pkg/common/constants.go
+++ b/install/installer/pkg/common/constants.go
@@ -59,6 +59,7 @@ const (
 DBCaFileName = "ca.crt"
 DBCaBasePath = "/db-ssl"
 DBCaPath = DBCaBasePath + "/" + DBCaFileName
+ WorkspaceSecretsNamespace = "workspace-secrets"
 AnnotationConfigChecksum = "gitpod.io/checksum_config"
diff --git a/install/installer/pkg/components/ws-daemon/configmap.go b/install/installer/pkg/components/ws-daemon/configmap.go
index adaaef995d52a4..1b08aa15e6e940 100644
--- a/install/installer/pkg/components/ws-daemon/configmap.go
+++ b/install/installer/pkg/components/ws-daemon/configmap.go
@@ -112,6 +112,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 Daemon: daemon.Config{
 Runtime: daemon.RuntimeConfig{
 KubernetesNamespace: ctx.Namespace,
+ SecretsNamespace: common.WorkspaceSecretsNamespace,
 Container: &container.Config{
 Runtime: container.RuntimeContainerd,
 Mapping: runtimeMapping,
diff --git a/install/installer/pkg/components/ws-daemon/objects.go b/install/installer/pkg/components/ws-daemon/objects.go
index b2113e8acb3994..51fefd0e65e81b 100644
--- a/install/installer/pkg/components/ws-daemon/objects.go
+++ b/install/installer/pkg/components/ws-daemon/objects.go
@@ -9,6 +9,7 @@ import (
 )
 var Objects = common.CompositeRenderFunc(
+ role,
 clusterrole,
 configmap,
 common.DefaultServiceAccount(Component),
diff --git a/install/installer/pkg/components/ws-daemon/role.go b/install/installer/pkg/components/ws-daemon/role.go
new file mode 100644
index 00000000000000..592a55db44cf06
--- /dev/null
+++ b/install/installer/pkg/components/ws-daemon/role.go
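Review bot: `WorkspaceSecretsNamespace` is a fixed, installation-independent name, and the objects this diff puts into it (the ws-daemon Role and RoleBinding, and the ws-manager-mk2 pair) are named bare `Component`, whereas the existing cluster-scoped objects carry the install namespace as a prefix (the goldens show `default-ws-daemon-rb`). If two installations can share a cluster, their Roles and RoleBindings in `workspace-secrets` would overwrite each other and one install's ws-daemon would lose its grant; prefixing those names with `ctx.Namespace`, or stating on the constant that a cluster hosts a single installation, closes that. The exported constant also lacks a doc comment; `// WorkspaceSecretsNamespace is the namespace holding per-workspace Secrets, created by ws-manager-mk2 and read by ws-daemon.` would do.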
@@ -0,0 +1,37 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package wsdaemon
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func role(ctx *common.RenderContext) ([]runtime.Object, error) {
+ return []runtime.Object{
+ &rbacv1.Role{
+ TypeMeta: common.TypeMetaRole,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: common.WorkspaceSecretsNamespace,
+ Labels: common.DefaultLabels(Component),
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{
+ "get",
+ "list",
+ "watch",
+ },
+ },
+ },
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/ws-daemon/rolebinding.go b/install/installer/pkg/components/ws-daemon/rolebinding.go
index 051ba5b26136c7..286cf85b5834b6 100644
--- a/install/installer/pkg/components/ws-daemon/rolebinding.go
+++ b/install/installer/pkg/components/ws-daemon/rolebinding.go
@@ -54,5 +54,25 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 Namespace: ctx.Namespace,
 }},
 },
+
+ &rbacv1.RoleBinding{
+ TypeMeta: common.TypeMetaRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: common.WorkspaceSecretsNamespace,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: Component,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
+ },
+ },
+ },
 }, nil
 }
diff --git a/install/installer/pkg/components/ws-manager-mk2/configmap.go b/install/installer/pkg/components/ws-manager-mk2/configmap.go
index ffcf7a09cef672..7f6c451ad16c5f 100644
--- a/install/installer/pkg/components/ws-manager-mk2/configmap.go
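Review bot: role() renders ws-daemon's Role into `common.WorkspaceSecretsNamespace` unconditionally (objects.go adds it to ws-daemon's `Objects`), but the only renderer of the `workspace-secrets` Namespace object is ws-manager-mk2's namespace.go, and that component's `Objects` appears to return early on a condition outside this diff; when mk2 is not rendered, applying the manifest fails on this Role and on the RoleBinding in rolebinding.go because their namespace does not exist, so either the Namespace should be rendered by the component that always needs it or `role` should be gated on the same condition. On the verbs: a namespaced Role with `list`/`watch` on `secrets` only satisfies a controller-runtime cached client if the manager's cache is confined to this namespace — otherwise the informer lists cluster-wide and is denied — and it also hands every node's ws-daemon a live copy of every workspace secret in the namespace; if the controller only needs a named Secret, reading it through the manager's uncached `APIReader` lets the rule drop to `Verbs: []string{"get"}`. Whichever client is used, a one-line comment above `Rules` naming it would let the verb set be reviewed against the code.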
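Review bot: The new RoleBinding in `common.WorkspaceSecretsNamespace` carries no `Labels`, unlike the Role it binds (role.go sets `common.DefaultLabels(Component)`) and the ws-manager-mk2 counterpart in rolebinding.go (`Labels: labels`), so any label selector used to list or delete the component's objects will miss it. Add `Labels: common.DefaultLabels(Component),` to its ObjectMeta. The enclosing rolebinding() starts outside the hunk.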
+++ b/install/installer/pkg/components/ws-manager-mk2/configmap.go
@@ -184,9 +184,10 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 wsmcfg := config.ServiceConfiguration{
 Manager: config.Configuration{
- Namespace: ctx.Namespace,
- SchedulerName: schedulerName,
- SeccompProfile: fmt.Sprintf("workspace_default_%s.json", ctx.VersionManifest.Version),
+ Namespace: ctx.Namespace,
+ SecretsNamespace: common.WorkspaceSecretsNamespace,
+ SchedulerName: schedulerName,
+ SeccompProfile: fmt.Sprintf("workspace_default_%s.json", ctx.VersionManifest.Version),
 WorkspaceDaemon: config.WorkspaceDaemonConfiguration{
 Port: 8080,
 TLS: struct {
diff --git a/install/installer/pkg/components/ws-manager-mk2/namespace.go b/install/installer/pkg/components/ws-manager-mk2/namespace.go
new file mode 100644
index 00000000000000..24fc01ff0326e6
--- /dev/null
+++ b/install/installer/pkg/components/ws-manager-mk2/namespace.go
@@ -0,0 +1,23 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package wsmanagermk2
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func namespace(ctx *common.RenderContext) ([]runtime.Object, error) {
+ return []runtime.Object{
+ &v1.Namespace{
+ TypeMeta: common.TypeMetaNamespace,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: common.WorkspaceSecretsNamespace,
+ },
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/ws-manager-mk2/objects.go b/install/installer/pkg/components/ws-manager-mk2/objects.go
index 6f61a2d0fdaf5a..6ea4f430633468 100644
--- a/install/installer/pkg/components/ws-manager-mk2/objects.go
+++ b/install/installer/pkg/components/ws-manager-mk2/objects.go
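Review bot: `SecretsNamespace` is set here for ws-manager-mk2, yet the goldens in this diff render `"secretsNamespace": ""` under `manager`, which suggests the same `config.Configuration` is serialized by another renderer that does not set the field (or that mk2 is not rendered in those fixtures). Worth confirming that whatever reads `SecretsNamespace` treats the empty string as "unset" rather than as a namespace name, and stating that on the field's doc comment; the enclosing configmap() starts outside the hunk.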
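Review bot: The Namespace rendered by namespace() has no labels, so it cannot be selected together with the rest of the component's objects; add `Labels: common.DefaultLabels(Component),` to its ObjectMeta, as the Role in ws-daemon/role.go does. A doc comment on the function explaining why a controller component creates a Namespace would help — e.g. `// namespace renders the shared namespace that holds per-workspace Secrets, written by ws-manager-mk2 and read by ws-daemon.` (the two Roles in this diff suggest that split). The license line reads `License-AGPL.txt` here and `License.AGPL.txt` in ws-daemon/role.go; pick one.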
@@ -23,6 +23,7 @@ var Objects common.RenderFunc = func(cfg *common.RenderContext) ([]runtime.Objec
 }
 return common.CompositeRenderFunc(
+ namespace,
 crd,
 configmap,
 deployment,
diff --git a/install/installer/pkg/components/ws-manager-mk2/role.go b/install/installer/pkg/components/ws-manager-mk2/role.go
index 0f31ae5c69ad7d..47ef51c07ffa78 100644
--- a/install/installer/pkg/components/ws-manager-mk2/role.go
+++ b/install/installer/pkg/components/ws-manager-mk2/role.go
@@ -12,6 +12,121 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 )
+var controllerRules = []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"pods"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{""},
+ Resources: []string{"pod/status"},
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"workspaces"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ Verbs: []string{"update"},
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"workspaces/finalizers"},
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"workspaces/status"},
+ Verbs: []string{
+ "get",
+ "patch",
+ "update",
+ },
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"snapshots"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "watch",
+ },
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"snapshots/status"},
+ Verbs: []string{
+ "get",
+ },
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "watch",
+ },
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"configmaps"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+}
+
+// ConfigMap, Leases, and Events access is required for leader-election.
+var leaderElectionRules = []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{"coordination.k8s.io"},
+ Resources: []string{"leases"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"events"},
+ Verbs: []string{
+ "create",
+ "patch",
+ },
+ },
+}
+
 func role(ctx *common.RenderContext) ([]runtime.Object, error) {
 labels := common.DefaultLabels(Component)
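Review bot: The comment `// ConfigMap, Leases, and Events access is required for leader-election.` now introduces leaderElectionRules, which holds only leases and events; the configmaps rule it describes was moved into controllerRules. Either reword it to `// Leases and Events access is required for leader-election.` or, if configmaps access really exists only for leader election, move that rule into leaderElectionRules so it stays out of the workspace-secrets Role built in the next hunk. Separately, `Resources: []string{"pod/status"}` (carried over from the old list) does not name a Kubernetes resource — the status subresource is `pods/status` — so that rule grants nothing; correct it if pod status reads are needed, otherwise drop it. A doc comment on each var stating which namespace(s) it is bound in would keep the two lists reviewable.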
@@ -23,117 +138,17 @@ func role(ctx *common.RenderContext) ([]runtime.Object, error) {
 Namespace: ctx.Namespace,
 Labels: labels,
 },
- Rules: []rbacv1.PolicyRule{
- {
- APIGroups: []string{""},
- Resources: []string{"pods"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- Verbs: []string{"get"},
- APIGroups: []string{""},
- Resources: []string{"pod/status"},
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"workspaces"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- Verbs: []string{"update"},
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"workspaces/finalizers"},
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"workspaces/status"},
- Verbs: []string{
- "get",
- "patch",
- "update",
- },
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"snapshots"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "watch",
- },
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"snapshots/status"},
- Verbs: []string{
- "get",
- },
- },
- // ConfigMap, Leases, and Events access is required for leader-election.
- {
- APIGroups: []string{""},
- Resources: []string{"configmaps"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- APIGroups: []string{"coordination.k8s.io"},
- Resources: []string{"leases"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- APIGroups: []string{""},
- Resources: []string{"events"},
- Verbs: []string{
- "create",
- "patch",
- },
- },
- {
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "watch",
- },
- },
+ Rules: append(controllerRules, leaderElectionRules...),
+ },
+
+ &rbacv1.Role{
+ TypeMeta: common.TypeMetaRole,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: common.WorkspaceSecretsNamespace,
+ Labels: labels,
 },
+ Rules: controllerRules,
 },
 }, nil
 }
diff --git a/install/installer/pkg/components/ws-manager-mk2/rolebinding.go b/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
index 467abf56a32b5c..44408b6dfaf371 100644
--- a/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
+++ b/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
@@ -51,8 +51,30 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 },
 Subjects: []rbacv1.Subject{
 {
- Kind: "ServiceAccount",
- Name: Component,
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
+ },
+ },
+ },
+
+ &rbacv1.RoleBinding{
+ TypeMeta: common.TypeMetaRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: common.WorkspaceSecretsNamespace,
+ Labels: labels,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: Component,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
 },
 },
 },
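Review bot: The second Role, in `common.WorkspaceSecretsNamespace`, is given the whole of controllerRules, so ws-manager-mk2 receives create/delete on pods, configmaps, workspaces and snapshots in a namespace that the rest of this diff treats as a secrets store (ws-daemon's Role there is limited to secrets get/list/watch). Unless the controller also manages those kinds in that namespace, split the secrets rule into its own var and bind only that one there, leaving the original Role's grants unchanged. `append(controllerRules, leaderElectionRules...)` also appends to a package-level slice; it is safe today only because a composite literal has no spare capacity, so a later change to how controllerRules is built would make both Roles share a backing array — build the combined list into a fresh slice (`slices.Concat` on Go 1.22+, otherwise an explicit copy). The fence shows the shape.
```go
// secretsRules is the only access the controller needs in the workspace-secrets namespace.
var secretsRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{""},
		Resources: []string{"secrets"},
		Verbs:     []string{"create", "delete", "get", "list", "watch"},
	},
}

// … unchanged: controllerRules (with the secrets rule removed) and leaderElectionRules …

// … unchanged: role() header and the ctx.Namespace Role's ObjectMeta …
			Rules: slices.Concat(controllerRules, secretsRules, leaderElectionRules),
// … unchanged: the workspace-secrets Role's ObjectMeta …
			Rules: secretsRules,
```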