diff --git a/.werft/jobs/build/installer/post-process.sh b/.werft/jobs/build/installer/post-process.sh index 9ec9125aaf87f4..345b1e034c6349 100755 --- a/.werft/jobs/build/installer/post-process.sh +++ b/.werft/jobs/build/installer/post-process.sh @@ -52,7 +52,7 @@ MATCHES="$(grep -c -- --- k8s.yaml)" # get the read number of K8s manifest docs # K8s object names and kinds are duplicated in a config map to faciliate deletion # subtract one (the config map) and then divide by 2 to get the actual # of docs we'll loop through -DOCS="$((((MATCHES - 1) / 2) + 1))" +DOCS="$(((MATCHES - 1) / 2))" documentIndex=0 while [ "$documentIndex" -le "$DOCS" ]; do diff --git a/components/ws-daemon/pkg/controller/workspace_controller.go b/components/ws-daemon/pkg/controller/workspace_controller.go index 8fd0826fc984b7..e2d676217b6292 100644 --- a/components/ws-daemon/pkg/controller/workspace_controller.go +++ b/components/ws-daemon/pkg/controller/workspace_controller.go @@ -22,7 +22,9 @@ import ( "github.com/prometheus/client_golang/prometheus" "google.golang.org/protobuf/proto" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/util/retry" ctrl "sigs.k8s.io/controller-runtime" @@ -55,9 +57,10 @@ type WorkspaceController struct { maxConcurrentReconciles int operations *WorkspaceOperations metrics *workspaceMetrics + secretNamespace string } -func NewWorkspaceController(c client.Client, nodeName string, maxConcurrentReconciles int, ops *WorkspaceOperations, reg prometheus.Registerer) (*WorkspaceController, error) { +func NewWorkspaceController(c client.Client, nodeName, secretNamespace string, maxConcurrentReconciles int, ops *WorkspaceOperations, reg prometheus.Registerer) (*WorkspaceController, error) { metrics := newWorkspaceMetrics() reg.Register(metrics) 
@@ -67,6 +70,7 @@ func NewWorkspaceController(c client.Client, nodeName string, maxConcurrentRecon
 maxConcurrentReconciles: maxConcurrentReconciles,
 operations: ops,
 metrics: metrics,
+ secretNamespace: secretNamespace,
 }, nil
 }
@@ -139,10 +143,8 @@ func (wsc *WorkspaceController) handleWorkspaceInit(ctx context.Context, ws *wor
 defer tracing.FinishSpan(span, &err)
 if c := wsk8s.GetCondition(ws.Status.Conditions, string(workspacev1.WorkspaceConditionContentReady)); c == nil {
- var init csapi.WorkspaceInitializer
- err = proto.Unmarshal(ws.Spec.Initializer, &init)
+ init, err := wsc.prepareInitializer(ctx, ws)
 if err != nil {
- err = fmt.Errorf("cannot unmarshal initializer config: %w", err)
 return ctrl.Result{}, err
 }
@@ -153,7 +155,7 @@ func (wsc *WorkspaceController) handleWorkspaceInit(ctx context.Context, ws *wor
 WorkspaceId: ws.Spec.Ownership.WorkspaceID,
 InstanceId: ws.Name,
 },
- Initializer: &init,
+ Initializer: init,
 Headless: ws.IsHeadless(),
 })
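Review bot: `init, err := wsc.prepareInitializer(ctx, ws)` declares a new `err` inside the `if c := ...` block, shadowing the `err` that `defer tracing.FinishSpan(span, &err)` captured a few lines earlier; the old code assigned with `=`, which suggests `err` is a named result. The `return ctrl.Result{}, err` still writes the named result, so the span should still record the failure, but the shadow is exactly what `go vet`'s shadow analyzer flags, and a later edit that logs or wraps before returning would silently bypass the deferred span. Keeping a single `err` is two lines: `var init *csapi.WorkspaceInitializer` followed by `init, err = wsc.prepareInitializer(ctx, ws)`. handleWorkspaceInit begins and ends outside this hunk.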
@@ -300,6 +302,27 @@ func (wsc *WorkspaceController) handleWorkspaceStop(ctx context.Context, ws *wor
 return ctrl.Result{}, err
 }
+func (wsc *WorkspaceController) prepareInitializer(ctx context.Context, ws *workspacev1.Workspace) (*csapi.WorkspaceInitializer, error) {
+ var init csapi.WorkspaceInitializer
+ err := proto.Unmarshal(ws.Spec.Initializer, &init)
+ if err != nil {
+ err = fmt.Errorf("cannot unmarshal initializer config: %w", err)
+ return nil, err
+ }
+
+ var tokenSecret corev1.Secret
+ err = wsc.Get(ctx, types.NamespacedName{Name: fmt.Sprintf("%s-tokens", ws.Name), Namespace: wsc.secretNamespace}, &tokenSecret)
+ if err != nil {
+ return nil, fmt.Errorf("could not get token secret for workspace: %w", err)
+ }
+
+ if err = csapi.InjectSecretsToInitializer(&init, tokenSecret.Data); err != nil {
+ return nil, fmt.Errorf("failed to inject secrets into initializer: %w", err)
+ }
+
+ return &init, nil
+}
+
 func toWorkspaceGitStatus(status *csapi.GitStatus) *workspacev1.GitStatus {
 if status == nil {
 return nil
diff --git a/components/ws-daemon/pkg/daemon/config.go b/components/ws-daemon/pkg/daemon/config.go
index 43e0bbcd31d4a0..ac072c476919c2 100644
--- a/components/ws-daemon/pkg/daemon/config.go
+++ b/components/ws-daemon/pkg/daemon/config.go
@@ -42,6 +42,7 @@ type RuntimeConfig struct {
 Container *container.Config `json:"containerRuntime"`
 Kubeconfig string `json:"kubeconfig"`
 KubernetesNamespace string `json:"namespace"`
+ SecretsNamespace string `json:"secretsNamespace"`
 }
 type IOLimitConfig struct {
diff --git a/components/ws-daemon/pkg/daemon/daemon.go b/components/ws-daemon/pkg/daemon/daemon.go
index b582efda900e0a..736cd1756bec6f 100644
--- a/components/ws-daemon/pkg/daemon/daemon.go
+++ b/components/ws-daemon/pkg/daemon/daemon.go
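Review bot: `wsc.Get` on the token Secret goes through the client the daemon hands in from `mgr.GetClient()` (see the daemon.go hunk below), which in controller-runtime is cache-backed by default, so — assuming `wsc.Get` is the embedded client's Get — the first lookup starts an informer that lists and watches every Secret in both cached namespaces, not just the one `<ws.Name>-tokens` object; the daemon then holds every workspace env and token secret in memory, and the RBAC it needs grows from get to list/watch on secrets. Reading this single object through an uncached reader (`mgr.GetAPIReader()`, threaded in next to the client) or restricting the cache with a selector keeps the exposure to the object actually needed. The `"%s-tokens"` name is also built by hand here and twice more in ws-manager-mk2 (`fmt.Sprintf("%s-%s", ..., "tokens")`), so a shared constant would keep producer and consumer from drifting. The new function has no doc comment; `// prepareInitializer decodes ws.Spec.Initializer and fills in the secret values held in the workspace's token Secret in secretNamespace.` would cover it.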
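Review bot: `SecretsNamespace` joins `RuntimeConfig` without a doc comment, while the sibling field added to ws-manager-api's `Configuration` in this same change gets one. Mirror it: `// SecretsNamespace is the kubernetes namespace which contains workspace secrets`. `RuntimeConfig` starts outside the hunk.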
@@ -22,6 +22,7 @@ import (
 "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd"
 ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/cache"
 "sigs.k8s.io/controller-runtime/pkg/manager"
 "sigs.k8s.io/controller-runtime/pkg/metrics"
@@ -175,6 +176,7 @@ func NewDaemon(config Config) (*Daemon, error) {
 Namespace: config.Runtime.KubernetesNamespace,
 HealthProbeBindAddress: "0",
 MetricsBindAddress: "0", // Metrics are exposed through baseserver.
+ NewCache: cache.MultiNamespacedCacheBuilder([]string{config.Runtime.KubernetesNamespace, config.Runtime.SecretsNamespace}),
 })
 if err != nil {
 return nil, err
@@ -207,7 +209,8 @@ func NewDaemon(config Config) (*Daemon, error) {
 return nil, err
 }
- wsctrl, err := controller.NewWorkspaceController(mgr.GetClient(), nodename, config.WorkspaceController.MaxConcurrentReconciles, workspaceOps, wrappedReg)
+ wsctrl, err := controller.NewWorkspaceController(
+ mgr.GetClient(), nodename, config.Runtime.SecretsNamespace, config.WorkspaceController.MaxConcurrentReconciles, workspaceOps, wrappedReg)
 if err != nil {
 return nil, err
 }
diff --git a/components/ws-manager-api/go/config/config.go b/components/ws-manager-api/go/config/config.go
index 00dff49ebeb683..506d9f8ada6da4 100644
--- a/components/ws-manager-api/go/config/config.go
+++ b/components/ws-manager-api/go/config/config.go
@@ -77,6 +77,8 @@ type ServiceConfiguration struct {
 type Configuration struct {
 // Namespace is the kubernetes namespace the workspace manager operates in
 Namespace string `json:"namespace"`
+ // SecretsNamespace is the kubernetes namespace which contains workspace secrets
+ SecretsNamespace string `json:"secretsNamespace"`
 // SchedulerName is the name of the workspace scheduler all pods are created with
 SchedulerName string `json:"schedulerName"`
 // SeccompProfile names the seccomp profile workspaces will use
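Review bot: `cache.MultiNamespacedCacheBuilder([]string{config.Runtime.KubernetesNamespace, config.Runtime.SecretsNamespace})` passes the configured value through unvalidated, and as far as I know an empty namespace in cache.Options means all namespaces, so a missing `secretsNamespace` would silently turn the daemon's cache into a cluster-wide list/watch of every cached type (Secrets included once `prepareInitializer` reads through it) instead of refusing to start. The installer golden output further down in this same change renders the ws-manager side as `"secretsNamespace": ""`, which makes that case look real rather than theoretical; two identical entries (secrets kept in the workspace namespace) would likewise register the same namespace twice. Reject the empty value before the manager is built, `if config.Runtime.SecretsNamespace == "" { return nil, fmt.Errorf("runtime.secretsNamespace must be set") }`, and de-duplicate the list. The same pattern appears in ws-manager-mk2's main.go below with `cfg.Manager.SecretsNamespace`, which is where the empty rendering shows up. NewDaemon begins before and ends after this hunk.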
diff --git a/components/ws-manager-mk2/controllers/maintenance_controller.go b/components/ws-manager-mk2/controllers/maintenance_controller.go
index d2f2f14fb93fd5..a8422e6767d0b9 100644
--- a/components/ws-manager-mk2/controllers/maintenance_controller.go
+++ b/components/ws-manager-mk2/controllers/maintenance_controller.go
@@ -50,7 +50,6 @@ func (r *MaintenanceReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 log := log.FromContext(ctx).WithValues("configMap", req.NamespacedName)
 if req.Name != configMapName {
- log.Info("ignoring unexpected ConfigMap")
 return ctrl.Result{}, nil
 }
diff --git a/components/ws-manager-mk2/controllers/suite_test.go b/components/ws-manager-mk2/controllers/suite_test.go
index 1e41ce4e84e7d5..808a248b474274 100644
--- a/components/ws-manager-mk2/controllers/suite_test.go
+++ b/components/ws-manager-mk2/controllers/suite_test.go
@@ -24,6 +24,8 @@ import (
 "github.com/gitpod-io/gitpod/ws-manager-mk2/pkg/activity"
 "github.com/gitpod-io/gitpod/ws-manager/api/config"
 workspacev1 "github.com/gitpod-io/gitpod/ws-manager/api/crd/v1"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 //+kubebuilder:scaffold:imports
 )
@@ -31,9 +33,10 @@ import (
 // http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
 const (
- timeout = time.Second * 20
- duration = time.Second * 2
- interval = time.Millisecond * 250
+ timeout = time.Second * 20
+ duration = time.Second * 2
+ interval = time.Millisecond * 250
+ secretsNamespace = "workspace-secrets"
 )
 // var cfg *rest.Config
@@ -113,6 +116,7 @@ var _ = BeforeSuite(func() {
 Expect(timeoutReconciler.SetupWithManager(k8sManager)).To(Succeed())
 ctx, cancel = context.WithCancel(context.Background())
+ _ = createNamespace(secretsNamespace)
 go func() {
 defer GinkgoRecover()
@@ -127,6 +131,7 @@ func newTestConfig() config.Configuration {
 GitpodHostURL: "gitpod.io",
 HeartbeatInterval: util.Duration(30 * time.Second),
 Namespace: "default",
+ SecretsNamespace: secretsNamespace,
 SeccompProfile: "default.json",
 Timeouts: config.WorkspaceTimeoutConfiguration{
 AfterClose: util.Duration(1 * time.Minute),
@@ -156,6 +161,19 @@ func (f *fakeMaintenance) IsEnabled() bool {
 return f.enabled
 }
+func createNamespace(name string) *corev1.Namespace {
+ GinkgoHelper()
+
+ namespace := &corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ },
+ }
+
+ Expect(k8sClient.Create(ctx, namespace)).To(Succeed())
+ return namespace
+}
+
 var _ = AfterSuite(func() {
 cancel()
 By("tearing down the test environment")
diff --git a/components/ws-manager-mk2/controllers/workspace_controller.go b/components/ws-manager-mk2/controllers/workspace_controller.go
index 1cf4afe3acbca3..9605149343bd1c 100644
--- a/components/ws-manager-mk2/controllers/workspace_controller.go
+++ b/components/ws-manager-mk2/controllers/workspace_controller.go
@@ -7,6 +7,7 @@ package controllers
 import (
 "context"
 "fmt"
+ "strings"
 "time"
 corev1 "k8s.io/api/core/v1"
@@ -14,6 +15,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/wait"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/controller"
@@ -195,7 +197,9 @@ func (r *WorkspaceReconciler) actOnStatus(ctx context.Context, workspace *worksp
 }
 }
- r.deleteWorkspaceSecrets(ctx, workspace)
+ if err := r.deleteWorkspaceSecrets(ctx, workspace); err != nil {
+ return ctrl.Result{RequeueAfter: 10 * time.Second}, err
+ }
 // Workspace might have already been in a deleting state,
 // but not guaranteed, so try deleting anyway.
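Review bot: `return ctrl.Result{RequeueAfter: 10 * time.Second}, err` in the actOnStatus hunk combines a non-zero Result with a non-nil error, and controller-runtime ignores the Result in that case (it logs a warning and requeues through the rate limiter), so the 10 s delay never takes effect. Pick one: `return ctrl.Result{}, err` to get the rate-limited requeue, or log the error and `return ctrl.Result{RequeueAfter: 10 * time.Second}, nil` if a fixed delay is the intent. actOnStatus begins and ends outside this hunk.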
@@ -257,7 +261,10 @@ func (r *WorkspaceReconciler) actOnStatus(ctx context.Context, workspace *worksp
 }
 case workspace.Status.Phase == workspacev1.WorkspacePhaseRunning:
- r.deleteWorkspaceSecrets(ctx, workspace)
+ err := r.deleteWorkspaceSecrets(ctx, workspace)
+ if err != nil {
+ log.Error(err, "could not delete workspace secrets")
+ }
 // we've disposed already - try to remove the finalizer and call it a day
 case workspace.Status.Phase == workspacev1.WorkspacePhaseStopped:
@@ -349,37 +356,64 @@ func (r *WorkspaceReconciler) deleteWorkspacePod(ctx context.Context, pod *corev
 return ctrl.Result{}, nil
 }
-func (r *WorkspaceReconciler) deleteWorkspaceSecrets(ctx context.Context, ws *workspacev1.Workspace) {
+func (r *WorkspaceReconciler) deleteWorkspaceSecrets(ctx context.Context, ws *workspacev1.Workspace) error {
 log := log.FromContext(ctx)
 // if a secret cannot be deleted we do not return early because we want to attempt
 // the deletion of the remaining secrets
+ var errs []string
 err := r.deleteSecret(ctx, fmt.Sprintf("%s-%s", ws.Name, "env"), r.Config.Namespace)
 if err != nil {
+ errs = append(errs, err.Error())
 log.Error(err, "could not delete environment secret", "workspace", ws.Name)
 }
-}
-
-func (r *WorkspaceReconciler) deleteSecret(ctx context.Context, name, namespace string) error {
- var secret corev1.Secret
- err := r.Client.Get(ctx, types.NamespacedName{Name: name, Namespace: namespace}, &secret)
- if errors.IsNotFound(err) {
- // nothing to delete
- return nil
- }
+ err = r.deleteSecret(ctx, fmt.Sprintf("%s-%s", ws.Name, "tokens"), r.Config.SecretsNamespace)
 if err != nil {
- return fmt.Errorf("could not retrieve secret %s: %w", name, err)
+ errs = append(errs, err.Error())
+ log.Error(err, "could not delete token secret", "workspace", ws.Name)
 }
- err = r.Client.Delete(ctx, &secret)
- if err != nil && !errors.IsNotFound(err) {
- return fmt.Errorf("could not delete secret %s: %w", name, err)
+ if len(errs) != 0 {
+ return fmt.Errorf(strings.Join(errs, ":"))
 }
 return nil
 }
+func (r *WorkspaceReconciler) deleteSecret(ctx context.Context, name, namespace string) error {
+ log := log.FromContext(ctx)
+
+ err := wait.ExponentialBackoffWithContext(ctx, wait.Backoff{
+ Duration: 100 * time.Millisecond,
+ Factor: 1.5,
+ Jitter: 0.2,
+ Steps: 3,
+ }, func() (bool, error) {
+ var secret corev1.Secret
+ err := r.Client.Get(ctx, types.NamespacedName{Name: name, Namespace: namespace}, &secret)
+ if errors.IsNotFound(err) {
+ // nothing to delete
+ return true, nil
+ }
+
+ if err != nil {
+ log.Error(err, "cannot retrieve secret scheduled for deletion", "secret", name)
+ return false, nil
+ }
+
+ err = r.Client.Delete(ctx, &secret)
+ if err != nil && !errors.IsNotFound(err) {
+ log.Error(err, "cannot delete secret", "secret", name)
+ return false, nil
+ }
+
+ return true, nil
+ })
+
+ return err
+}
+
 var (
 wsOwnerKey = ".metadata.controller"
 apiGVStr = workspacev1.GroupVersion.String()
diff --git a/components/ws-manager-mk2/controllers/workspace_controller_test.go b/components/ws-manager-mk2/controllers/workspace_controller_test.go
index d688dd61ec2fe0..7ab3db7f210dd3 100644
--- a/components/ws-manager-mk2/controllers/workspace_controller_test.go
+++ b/components/ws-manager-mk2/controllers/workspace_controller_test.go
@@ -33,8 +33,11 @@ var _ = Describe("WorkspaceController", func() {
 Context("with regular workspaces", func() {
 It("should handle successful workspace creation and stop request", func() {
 name := uuid.NewString()
+
+ envSecret := createSecret(fmt.Sprintf("%s-env", name), "default")
+ tokenSecret := createSecret(fmt.Sprintf("%s-tokens", name), secretsNamespace)
+
 ws := newWorkspace(name, "default")
- secret := createSecret(fmt.Sprintf("%s-env", name), "default")
 m := collectMetricCounts(wsMetrics, ws)
 pod := createWorkspaceExpectPod(ws)
@@ -73,7 +76,8 @@ var _ = Describe("WorkspaceController", func() {
 })
 expectPhaseEventually(ws, workspacev1.WorkspacePhaseRunning)
- expectSecretCleanup(secret)
+ expectSecretCleanup(envSecret)
+ expectSecretCleanup(tokenSecret)
 markContentReady(ws)
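Review bot: `return fmt.Errorf(strings.Join(errs, ":"))` in deleteWorkspaceSecrets uses the joined error messages as the format string, so any `%` inside an API error text is interpreted as a verb and go vet's printf check flags the non-constant format; `return fmt.Errorf("%s", strings.Join(errs, ": "))` avoids that, or keep `errs` as `[]error` so the caller can still inspect the cause with the standard library's errors.Is/As (note `errors` in this file is the apimachinery package, so an alias would be needed). The retry in `deleteSecret` also drops the cause: both failure branches return `false, nil`, so once the three steps are exhausted the caller receives only the generic wait timeout error and `deleteWorkspaceSecrets` records that, never the Get/Delete error that was logged. Capturing the last error in a variable declared outside the closure and wrapping it into the returned error (or returning it from the condition function when the failure is not worth retrying) keeps the real cause in what actOnStatus surfaces.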
@@ -255,7 +259,10 @@ var _ = Describe("WorkspaceController", func() {
 It("deleting workspace resource should gracefully clean up", func() {
 name := uuid.NewString()
 ws := newWorkspace(name, "default")
- secret := createSecret(fmt.Sprintf("%s-env", name), "default")
+
+ envSecret := createSecret(fmt.Sprintf("%s-env", name), "default")
+ tokenSecret := createSecret(fmt.Sprintf("%s-tokens", name), secretsNamespace)
+
 m := collectMetricCounts(wsMetrics, ws)
 pod := createWorkspaceExpectPod(ws)
@@ -269,7 +276,8 @@ var _ = Describe("WorkspaceController", func() {
 expectWorkspaceCleanup(ws, pod)
- expectSecretCleanup(secret)
+ expectSecretCleanup(envSecret)
+ expectSecretCleanup(tokenSecret)
 expectMetricsDelta(m, collectMetricCounts(wsMetrics, ws), metricCounts{
 restores: 1,
diff --git a/components/ws-manager-mk2/main.go b/components/ws-manager-mk2/main.go
index 302fc4951d8395..f802614895fe52 100644
--- a/components/ws-manager-mk2/main.go
+++ b/components/ws-manager-mk2/main.go
@@ -18,12 +18,9 @@ import (
 "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/credentials/insecure"
 _ "k8s.io/client-go/plugin/pkg/client/auth"
- "k8s.io/client-go/rest"
 grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
 "github.com/prometheus/client_golang/prometheus"
- corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -109,16 +106,7 @@ func main() {
 HealthProbeBindAddress: cfg.Health.Addr,
 LeaderElection: enableLeaderElection,
 LeaderElectionID: "ws-manager-mk2-leader.gitpod.io",
- Namespace: cfg.Manager.Namespace,
- NewCache: func(conf *rest.Config, opts cache.Options) (cache.Cache, error) {
- // Only watch the maintenance mode ConfigMap.
- opts.SelectorsByObject = cache.SelectorsByObject{
- &corev1.ConfigMap{}: cache.ObjectSelector{
- Label: labels.SelectorFromSet(labels.Set{controllers.LabelMaintenance: "true"}),
- },
- }
- return cache.New(conf, opts)
- },
+ NewCache: cache.MultiNamespacedCacheBuilder([]string{cfg.Manager.Namespace, cfg.Manager.SecretsNamespace}),
 })
 if err != nil {
 setupLog.Error(err, "unable to start manager")
diff --git a/components/ws-manager-mk2/service/manager.go b/components/ws-manager-mk2/service/manager.go
index 1a47a5a6688fef..026017ec512aac 100644
--- a/components/ws-manager-mk2/service/manager.go
+++ b/components/ws-manager-mk2/service/manager.go
@@ -33,6 +33,7 @@ import (
 "github.com/gitpod-io/gitpod/ws-manager/api/config"
 workspacev1 "github.com/gitpod-io/gitpod/ws-manager/api/crd/v1"
+ csapi "github.com/gitpod-io/gitpod/content-service/api"
 "github.com/sirupsen/logrus"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
@@ -116,11 +117,6 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 return nil, status.Errorf(codes.InvalidArgument, "unsupported workspace type: %v", req.Type)
 }
- initializer, err := proto.Marshal(req.Spec.Initializer)
- if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, "cannot serialise content initializer: %v", err)
- }
-
 var git *workspacev1.GitSpec
 if req.Spec.Git != nil {
 git = &workspacev1.GitSpec{
@@ -204,6 +200,12 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 userEnvVars, envData := extractWorkspaceUserEnv(envSecretName, req.Spec.Envvars, req.Spec.SysEnvvars)
 sysEnvVars := extractWorkspaceSysEnv(req.Spec.SysEnvvars)
+ tokenData := extractWorkspaceTokenData(req.Spec)
+ initializer, err := proto.Marshal(req.Spec.Initializer)
+ if err != nil {
+ return nil, status.Errorf(codes.InvalidArgument, "cannot serialise content initializer: %v", err)
+ }
+
 ws := workspacev1.Workspace{
 TypeMeta: metav1.TypeMeta{
 APIVersion: workspacev1.GroupVersion.String(),
@@ -256,6 +258,11 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 return nil, fmt.Errorf("cannot create env secret for workspace %s: %w", req.Id, err)
 }
+ err = wsm.createWorkspaceSecret(ctx, &ws, fmt.Sprintf("%s-%s", req.Id, "tokens"), wsm.Config.SecretsNamespace, tokenData)
+ if err != nil {
+ return nil, fmt.Errorf("cannot create token secret for workspace %s: %w", req.Id, err)
+ }
+
 wsm.metrics.recordWorkspaceStart(&ws)
 err = wsm.Client.Create(ctx, &ws)
 if err != nil {
@@ -857,6 +864,14 @@ func extractWorkspaceSysEnv(sysEnvs []*wsmanapi.EnvironmentVariable) []corev1.En
 return envs
 }
+func extractWorkspaceTokenData(spec *wsmanapi.StartWorkspaceSpec) map[string]string {
+ secrets := make(map[string]string)
+ for k, v := range csapi.ExtractAndReplaceSecretsFromInitializer(spec.Initializer) {
+ secrets[k] = v
+ }
+ return secrets
+}
+
 func extractWorkspaceStatus(ws *workspacev1.Workspace) *wsmanapi.WorkspaceStatus {
 version, _ := strconv.ParseUint(ws.ResourceVersion, 10, 64)
diff --git a/install/installer/cmd/testdata/render/agent-smith/output.golden b/install/installer/cmd/testdata/render/agent-smith/output.golden
index 42f68e85d7c379..a7748f25c21f25 100644
--- a/install/installer/cmd/testdata/render/agent-smith/output.golden
+++ b/install/installer/cmd/testdata/render/agent-smith/output.golden
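Review bot: When `wsm.createWorkspaceSecret` for the `-tokens` Secret fails, StartWorkspace returns after the `-env` Secret has already been created but before the Workspace object exists, and nothing visible here removes that env secret — the controller's `deleteWorkspaceSecrets` only runs for a Workspace it reconciles — so a failed start leaves user environment values behind in the namespace. Delete the env secret on that error path, or create both secrets first and clean up whichever succeeded when the other fails. `extractWorkspaceTokenData` copies the returned map key by key, which differs from `return csapi.ExtractAndReplaceSecretsFromInitializer(spec.Initializer)` only in turning a nil result into an empty map, and its name hides that, if the callee rewrites `spec.Initializer` in place as "ExtractAndReplace" suggests, the call mutates the request and must come before `proto.Marshal(req.Spec.Initializer)` — which is presumably why the marshal moved below it. That ordering deserves a doc comment on the helper, e.g. `// extractWorkspaceTokenData moves the secret values out of spec.Initializer (they go into the token Secret) and must run before the initializer is serialised.`. StartWorkspace begins and ends outside these hunks.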
@@ -5692,7 +5692,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5809,6 +5810,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8316,7 +8318,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10983,7 +10985,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index 3d8e89ebb70478..3c5356ce7b640d 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -5033,7 +5033,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5154,6 +5155,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -7484,7 +7486,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 573f5fc567df7be7fba63ecdc681e3aa5f059daa207992586a41bba4106d2545 + gitpod.io/checksum_config: a23a04a77f794df58d7dffe59383242db628f6da2c0e4bac7620b1d968996243 creationTimestamp: null labels: app: gitpod 
@@ -9796,7 +9798,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: b7da41879471e13b5f45ca5d34265974ed68c3c77c93f8d9b6c0d188ac9724e5 + gitpod.io/checksum_config: 9e4ebf60455939d2a4b5781c2c4e3b84c9029ee7f841dfcb5f3ccc8f7179599e creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden index 53fb91ec5fbb88..a45fb814416d2d 100644 --- a/install/installer/cmd/testdata/render/custom-pull-repository/output.golden +++ b/install/installer/cmd/testdata/render/custom-pull-repository/output.golden @@ -5509,7 +5509,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5626,6 +5627,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8133,7 +8135,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10800,7 +10802,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index c4ec44917ffd6c..bed9636dbecc54 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden 
@@ -6126,7 +6126,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -6248,6 +6249,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8886,7 +8888,7 @@ spec: metadata: annotations: gitpod.io: hello - gitpod.io/checksum_config: e72f036b19d3287feece7409ecc0991d1c4f58ad96da7b901ce565b0f5208039 + gitpod.io/checksum_config: 0f892bd4e952cbaa5d71eaaea340ba2838a5763f0caca3f2e6f1b1591c104000 hello: world creationTimestamp: null labels: @@ -11685,7 +11687,7 @@ spec: metadata: annotations: gitpod.io: hello - gitpod.io/checksum_config: 6ea687679b10a3046a6840985edd56495c512b0d5bf4b5a9f85d46f41de49036 + gitpod.io/checksum_config: 14b2091d899fef2d7a41550f7baf02deebc76d64734f5d9b812acd7f937eed88 hello: world creationTimestamp: null labels: diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index 3db0467025f40d..de57fef9bbde50 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden @@ -5289,7 +5289,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5406,6 +5407,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -7853,7 +7855,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10423,7 +10425,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index e670282ae24073..572aee8a0ce9a3 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden @@ -5060,7 +5060,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5176,6 +5177,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -7543,7 +7545,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: eb4dd48f0756c6343cc7b91acd5ec6e881b6d1f97547b217b5ce52d5e6669e91 + gitpod.io/checksum_config: c9e4e386dff69815d3f4617c1255e1fc80fdf92a2406c6511ca690df3d54e12d creationTimestamp: null labels: app: gitpod @@ -9901,7 +9903,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: e2866e24a01f026d164c591d5c649a0a5589feea38a0d90d785d1167483cd02e + gitpod.io/checksum_config: eb8ba5a842ba7a2f4e7650963e3143422148261199e4d15fbbc03016e8c3acff creationTimestamp: null labels: app: gitpod 
diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index 4cb3c454237d16..491ffc4b326b85 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -5512,7 +5512,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5629,6 +5630,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8337,7 +8339,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -12127,7 +12129,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/ide-config/output.golden b/install/installer/cmd/testdata/render/ide-config/output.golden index 77c9d8383fc79b..ce75d0e8ea51a9 100644 --- a/install/installer/cmd/testdata/render/ide-config/output.golden +++ b/install/installer/cmd/testdata/render/ide-config/output.golden @@ -5525,7 +5525,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", 
@@ -5642,6 +5643,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8153,7 +8155,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10822,7 +10824,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/kind-workspace/output.golden b/install/installer/cmd/testdata/render/kind-workspace/output.golden index 4428800fb8155e..51c8ab80a29c04 100644 --- a/install/installer/cmd/testdata/render/kind-workspace/output.golden +++ b/install/installer/cmd/testdata/render/kind-workspace/output.golden @@ -1883,7 +1883,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -2000,6 +2001,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -3389,7 +3391,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
@@ -3985,7 +3987,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 220f4f84d031d4a23cf0177b3e94a85a25707d132a8313a51602a3d8b9255414 + gitpod.io/checksum_config: 04d0c84ff10675d023182a24beb2171cdf9b88568eb96032394819e8566b3c00 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/message-bus-password/output.golden b/install/installer/cmd/testdata/render/message-bus-password/output.golden index 4b17024f994619..fe87d673c91e27 100644 --- a/install/installer/cmd/testdata/render/message-bus-password/output.golden +++ b/install/installer/cmd/testdata/render/message-bus-password/output.golden @@ -5512,7 +5512,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5629,6 +5630,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8136,7 +8138,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10803,7 +10805,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index b6d1cebbf214aa..1b559ce7936a3d 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden 
@@ -5509,7 +5509,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5626,6 +5627,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8133,7 +8135,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10800,7 +10802,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/overrides-inline/output.golden b/install/installer/cmd/testdata/render/overrides-inline/output.golden index 66f459c3479626..3cd0b421b95a2f 100644 --- a/install/installer/cmd/testdata/render/overrides-inline/output.golden +++ b/install/installer/cmd/testdata/render/overrides-inline/output.golden @@ -5507,7 +5507,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5624,6 +5625,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8143,7 +8145,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
@@ -10810,7 +10812,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/pod-config/output.golden b/install/installer/cmd/testdata/render/pod-config/output.golden index 48925d29764c79..59659d480312d3 100644 --- a/install/installer/cmd/testdata/render/pod-config/output.golden +++ b/install/installer/cmd/testdata/render/pod-config/output.golden @@ -5516,7 +5516,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5633,6 +5634,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8140,7 +8142,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10807,7 +10809,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index be01d7b7d5da37..74dfde92fb21a6 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden 
@@ -5509,7 +5509,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5626,6 +5627,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8133,7 +8135,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10800,7 +10802,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: b86c15b7ccf53d8f812d381760022c16e8bf00aa5385b5cf2acd870f0bc901db + gitpod.io/checksum_config: 7a5265597622304d09dd82531a4f224e0f16d39da5899000916b146dd370cfde creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index e11bfc5abb9c0d..18bf799ccd8b1d 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -5521,7 +5521,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5638,6 +5639,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { 
@@ -8145,7 +8147,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10812,7 +10814,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/telemetry/output.golden b/install/installer/cmd/testdata/render/telemetry/output.golden index 7287bef4d0f524..60322313503308 100644 --- a/install/installer/cmd/testdata/render/telemetry/output.golden +++ b/install/installer/cmd/testdata/render/telemetry/output.golden @@ -5512,7 +5512,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5629,6 +5630,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8136,7 +8138,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10803,7 +10805,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod 
diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index 4b553ca4234ff0..0269f2300947b4 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden @@ -5842,7 +5842,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5959,6 +5960,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8577,7 +8579,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -11244,7 +11246,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index 32b1fb904356ce..f28888954ece1d 100644 --- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden @@ -5512,7 +5512,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", 
@@ -5629,6 +5630,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8136,7 +8138,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod @@ -10791,7 +10793,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6bccb0af0666fedca427bf7e904bb6ad0760871f8272d37c095015b1917a8a3b + gitpod.io/checksum_config: 4a4578809a4c2f9cfbbd2781d720a47df569cc4e3b54be23b5c41f56c0296e77 creationTimestamp: null labels: app: gitpod diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index 201382fca12637..c7899e809e623e 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -5512,7 +5512,8 @@ data: } }, "kubeconfig": "", - "namespace": "default" + "namespace": "default", + "secretsNamespace": "workspace-secrets" }, "content": { "workingArea": "/mnt/workingarea", @@ -5629,6 +5630,7 @@ data: { "manager": { "namespace": "default", + "secretsNamespace": "", "schedulerName": "", "seccompProfile": "workspace_default_pd-ide-metrics.23.json", "timeouts": { @@ -8136,7 +8138,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c3f063b20c86e50d84ab6b62d85d5042146c1748f01c42dd37581239a888b9d8 + gitpod.io/checksum_config: 96b5a68d5c5c49ae0d0c9f68e9d28d40b15481832f04c7686a092963380f1093 creationTimestamp: null labels: app: gitpod 
@@ -10803,7 +10805,7 @@ spec:
 template:
 metadata:
 annotations:
- gitpod.io/checksum_config: 903ddd6b5567f5831d07f643a85942f7c7891ec40745b0aeb508a7c115389511
+ gitpod.io/checksum_config: 8f78e0c49b70bc845b8c69ddc215fc3d1999be738c385173ffd48a84c8303fa5
 creationTimestamp: null
 labels:
 app: gitpod
diff --git a/install/installer/pkg/common/common.go b/install/installer/pkg/common/common.go
index a8059e6b39e997..04243924f52369 100644
--- a/install/installer/pkg/common/common.go
+++ b/install/installer/pkg/common/common.go
@@ -664,7 +664,7 @@ var DeploymentStrategy = appsv1.DeploymentStrategy{
 var (
 TypeMetaNamespace = metav1.TypeMeta{
 APIVersion: "v1",
- Kind: "namespace",
+ Kind: "Namespace",
 }
 TypeMetaStatefulSet = metav1.TypeMeta{
 APIVersion: "apps/v1",
diff --git a/install/installer/pkg/common/constants.go b/install/installer/pkg/common/constants.go
index 07c2d9aee21330..6b76f69273e899 100644
--- a/install/installer/pkg/common/constants.go
+++ b/install/installer/pkg/common/constants.go
@@ -59,6 +59,7 @@ const (
 DBCaFileName = "ca.crt"
 DBCaBasePath = "/db-ssl"
 DBCaPath = DBCaBasePath + "/" + DBCaFileName
+ WorkspaceSecretsNamespace = "workspace-secrets"
 
 AnnotationConfigChecksum = "gitpod.io/checksum_config"
 
diff --git a/install/installer/pkg/components/ws-daemon/configmap.go b/install/installer/pkg/components/ws-daemon/configmap.go
index adaaef995d52a4..1b08aa15e6e940 100644
--- a/install/installer/pkg/components/ws-daemon/configmap.go
+++ b/install/installer/pkg/components/ws-daemon/configmap.go
@@ -112,6 +112,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 Daemon: daemon.Config{
 Runtime: daemon.RuntimeConfig{
 KubernetesNamespace: ctx.Namespace,
+ SecretsNamespace: common.WorkspaceSecretsNamespace,
 Container: &container.Config{
 Runtime: container.RuntimeContainerd,
 Mapping: runtimeMapping,
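Review bot: `WorkspaceSecretsNamespace` is added to the exported const block in constants.go without a doc comment, and nothing at the declaration says which component creates objects there and which one reads them; `// WorkspaceSecretsNamespace is the namespace that holds per-workspace secrets; it is created by the ws-manager-mk2 component and read by ws-daemon.` would record that contract where the value is defined. Separately, the ws-daemon configmap.go hunk sets `SecretsNamespace` unconditionally, whereas the Role and RoleBinding that let ws-daemon read that namespace are only rendered when the mk2 flag is set, so a non-mk2 install ships a config value pointing at a namespace the daemon cannot access and which, as far as this diff shows, only the mk2 component creates. If that is intentional, a comment on the `SecretsNamespace:` line saying the field is unused without mk2 would save the next reader a search.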
diff --git a/install/installer/pkg/components/ws-daemon/objects.go b/install/installer/pkg/components/ws-daemon/objects.go
index b2113e8acb3994..51fefd0e65e81b 100644
--- a/install/installer/pkg/components/ws-daemon/objects.go
+++ b/install/installer/pkg/components/ws-daemon/objects.go
@@ -9,6 +9,7 @@ import (
 )
 
 var Objects = common.CompositeRenderFunc(
+ role,
 clusterrole,
 configmap,
 common.DefaultServiceAccount(Component),
diff --git a/install/installer/pkg/components/ws-daemon/role.go b/install/installer/pkg/components/ws-daemon/role.go
new file mode 100644
index 00000000000000..9069222dc54e54
--- /dev/null
+++ b/install/installer/pkg/components/ws-daemon/role.go
@@ -0,0 +1,49 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package wsdaemon
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ "github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
+
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func role(ctx *common.RenderContext) ([]runtime.Object, error) {
+ var useMk2 bool
+ _ = ctx.WithExperimental(func(ucfg *experimental.Config) error {
+ if ucfg.Workspace != nil {
+ useMk2 = ucfg.Workspace.UseWsmanagerMk2
+ }
+ return nil
+ })
+ if !useMk2 {
+ return nil, nil
+ }
+
+ return []runtime.Object{
+ &rbacv1.Role{
+ TypeMeta: common.TypeMetaRole,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: common.WorkspaceSecretsNamespace,
+ Labels: common.DefaultLabels(Component),
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{
+ "get",
+ "list",
+ "watch",
+ },
+ },
+ },
+ },
+ }, nil
+}
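Review bot: The Role in role.go grants ws-daemon `list` and `watch` on all Secrets in the workspace-secrets namespace, so every node's daemon can enumerate the secrets of workspaces that will never run on it; if the daemon resolves a workspace's secret by name, `get` alone is the least-privilege grant, and if a cached controller-runtime client is what needs list/watch, that reason belongs in a comment on the rule. The function also lacks a doc comment; `// role renders the Role that allows ws-daemon to read workspace secrets from the shared secrets namespace; it is only rendered when ws-manager-mk2 is enabled.` would state the gate. The `_ = ctx.WithExperimental(...)` discard is fine because the callback never returns an error, but a brief comment saying so avoids a lint question later.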
diff --git a/install/installer/pkg/components/ws-daemon/rolebinding.go b/install/installer/pkg/components/ws-daemon/rolebinding.go
index 051ba5b26136c7..1d244ef8eea23e 100644
--- a/install/installer/pkg/components/ws-daemon/rolebinding.go
+++ b/install/installer/pkg/components/ws-daemon/rolebinding.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 
 "github.com/gitpod-io/gitpod/installer/pkg/common"
+ "github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -17,7 +18,7 @@ import (
 func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 labels := common.DefaultLabels(Component)
 
- return []runtime.Object{
+ bindings := []runtime.Object{
 &rbacv1.ClusterRoleBinding{
 TypeMeta: common.TypeMetaClusterRoleBinding,
 ObjectMeta: metav1.ObjectMeta{
@@ -54,5 +55,33 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 Namespace: ctx.Namespace,
 }},
 },
- }, nil
+ }
+
+ _ = ctx.WithExperimental(func(ucfg *experimental.Config) error {
+ if ucfg.Workspace != nil && ucfg.Workspace.UseWsmanagerMk2 {
+ bindings = append(bindings, &rbacv1.RoleBinding{
+ TypeMeta: common.TypeMetaRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: common.WorkspaceSecretsNamespace,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: Component,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
+ },
+ },
+ })
+ }
+
+ return nil
+ })
+
+ return bindings, nil
 }
diff --git a/install/installer/pkg/components/ws-manager-mk2/configmap.go b/install/installer/pkg/components/ws-manager-mk2/configmap.go
index ffcf7a09cef672..7f6c451ad16c5f 100644
--- a/install/installer/pkg/components/ws-manager-mk2/configmap.go
+++ b/install/installer/pkg/components/ws-manager-mk2/configmap.go
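Review bot: The RoleBinding appended inside the `WithExperimental` callback has no `Labels` in its ObjectMeta, unlike the ClusterRoleBinding above it and the Role it binds in role.go, which carries `common.DefaultLabels(Component)`; `labels` is already in scope at the top of `rolebinding`, so `Labels: labels,` after `Namespace: common.WorkspaceSecretsNamespace,` keeps the object discoverable by the same label selectors as the rest of the component. The mk2 gate is now spelled out twice, here and in role.go, so the Role and its binding can silently diverge; a tiny shared predicate would keep them in step.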
@@ -184,9 +184,10 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 
 wsmcfg := config.ServiceConfiguration{
 Manager: config.Configuration{
- Namespace: ctx.Namespace,
- SchedulerName: schedulerName,
- SeccompProfile: fmt.Sprintf("workspace_default_%s.json", ctx.VersionManifest.Version),
+ Namespace: ctx.Namespace,
+ SecretsNamespace: common.WorkspaceSecretsNamespace,
+ SchedulerName: schedulerName,
+ SeccompProfile: fmt.Sprintf("workspace_default_%s.json", ctx.VersionManifest.Version),
 WorkspaceDaemon: config.WorkspaceDaemonConfiguration{
 Port: 8080,
 TLS: struct {
diff --git a/install/installer/pkg/components/ws-manager-mk2/namespace.go b/install/installer/pkg/components/ws-manager-mk2/namespace.go
new file mode 100644
index 00000000000000..24fc01ff0326e6
--- /dev/null
+++ b/install/installer/pkg/components/ws-manager-mk2/namespace.go
@@ -0,0 +1,23 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package wsmanagermk2
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func namespace(ctx *common.RenderContext) ([]runtime.Object, error) {
+ return []runtime.Object{
+ &v1.Namespace{
+ TypeMeta: common.TypeMetaNamespace,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: common.WorkspaceSecretsNamespace,
+ },
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/ws-manager-mk2/objects.go b/install/installer/pkg/components/ws-manager-mk2/objects.go
index 6f61a2d0fdaf5a..6ea4f430633468 100644
--- a/install/installer/pkg/components/ws-manager-mk2/objects.go
+++ b/install/installer/pkg/components/ws-manager-mk2/objects.go
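Review bot: The Namespace in namespace.go carries no labels at all, unlike every other object in this change, and it is the one object whose sole purpose is to hold secrets; `Labels: common.DefaultLabels(Component)` would tie it to the component, and a Pod Security Admission label such as `pod-security.kubernetes.io/enforce: restricted` would limit what can run alongside those secrets. A doc comment is missing too, e.g. `// namespace renders the namespace shared by ws-manager-mk2 and ws-daemon for per-workspace secrets.`. Minor: this file's header says `License-AGPL.txt` while the sibling role.go added in the same change says `License.AGPL.txt`.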
@@ -23,6 +23,7 @@ var Objects common.RenderFunc = func(cfg *common.RenderContext) ([]runtime.Objec
 }
 
 return common.CompositeRenderFunc(
+ namespace,
 crd,
 configmap,
 deployment,
diff --git a/install/installer/pkg/components/ws-manager-mk2/role.go b/install/installer/pkg/components/ws-manager-mk2/role.go
index 0f31ae5c69ad7d..47ef51c07ffa78 100644
--- a/install/installer/pkg/components/ws-manager-mk2/role.go
+++ b/install/installer/pkg/components/ws-manager-mk2/role.go
@@ -12,6 +12,121 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 )
 
+var controllerRules = []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"pods"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{""},
+ Resources: []string{"pod/status"},
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"workspaces"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ Verbs: []string{"update"},
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"workspaces/finalizers"},
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"workspaces/status"},
+ Verbs: []string{
+ "get",
+ "patch",
+ "update",
+ },
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"snapshots"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "watch",
+ },
+ },
+ {
+ APIGroups: []string{"workspace.gitpod.io"},
+ Resources: []string{"snapshots/status"},
+ Verbs: []string{
+ "get",
+ },
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "watch",
+ },
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"configmaps"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+}
+
+// ConfigMap, Leases, and Events access is required for leader-election.
+var leaderElectionRules = []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{"coordination.k8s.io"},
+ Resources: []string{"leases"},
+ Verbs: []string{
+ "create",
+ "delete",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch",
+ },
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"events"},
+ Verbs: []string{
+ "create",
+ "patch",
+ },
+ },
+}
+
 func role(ctx *common.RenderContext) ([]runtime.Object, error) {
 labels := common.DefaultLabels(Component)
 
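Review bot: The comment `// ConfigMap, Leases, and Events access is required for leader-election.` was kept above `leaderElectionRules`, but the configmaps rule it mentions was moved into `controllerRules`, so the comment no longer describes the slice below it. Either the configmaps rule belongs in `leaderElectionRules` (if it is only needed for the leader-election lock) or the comment should read `// Leases and Events access is required for leader-election.`; I cannot tell from the hunk which is the case. Both slices are package-level mutable state that `role` hands straight to Role objects, so a one-line comment that they are to be treated as read-only would be worth adding.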
@@ -23,117 +138,17 @@ func role(ctx *common.RenderContext) ([]runtime.Object, error) {
 Namespace: ctx.Namespace,
 Labels: labels,
 },
- Rules: []rbacv1.PolicyRule{
- {
- APIGroups: []string{""},
- Resources: []string{"pods"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- Verbs: []string{"get"},
- APIGroups: []string{""},
- Resources: []string{"pod/status"},
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"workspaces"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- Verbs: []string{"update"},
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"workspaces/finalizers"},
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"workspaces/status"},
- Verbs: []string{
- "get",
- "patch",
- "update",
- },
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"snapshots"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "watch",
- },
- },
- {
- APIGroups: []string{"workspace.gitpod.io"},
- Resources: []string{"snapshots/status"},
- Verbs: []string{
- "get",
- },
- },
- // ConfigMap, Leases, and Events access is required for leader-election.
- {
- APIGroups: []string{""},
- Resources: []string{"configmaps"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- APIGroups: []string{"coordination.k8s.io"},
- Resources: []string{"leases"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- },
- },
- {
- APIGroups: []string{""},
- Resources: []string{"events"},
- Verbs: []string{
- "create",
- "patch",
- },
- },
- {
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{
- "create",
- "delete",
- "get",
- "list",
- "watch",
- },
- },
+ Rules: append(controllerRules, leaderElectionRules...),
+ },
+
+ &rbacv1.Role{
+ TypeMeta: common.TypeMetaRole,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: common.WorkspaceSecretsNamespace,
+ Labels: labels,
 },
+ Rules: controllerRules,
 },
 }, nil
 }
diff --git a/install/installer/pkg/components/ws-manager-mk2/rolebinding.go b/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
index 467abf56a32b5c..44408b6dfaf371 100644
--- a/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
+++ b/install/installer/pkg/components/ws-manager-mk2/rolebinding.go
@@ -51,8 +51,30 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 },
 Subjects: []rbacv1.Subject{
 {
- Kind: "ServiceAccount",
- Name: Component,
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
+ },
+ },
+ },
+
+ &rbacv1.RoleBinding{
+ TypeMeta: common.TypeMetaRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: common.WorkspaceSecretsNamespace,
+ Labels: labels,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: Component,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
 },
 },
 },
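Review bot: The second Role, created in `common.WorkspaceSecretsNamespace`, reuses `controllerRules` in full, so ws-manager-mk2 is granted create/delete/patch on pods, workspaces, snapshots and configmaps in a namespace this change introduces purely to hold secrets; only the secrets rule is needed there. Splitting that rule into its own `secretsRules` slice and using it for the second Role, while concatenating it back into the first Role's rules, keeps the existing namespace's permissions identical and shrinks the new grant to what is used. `append(controllerRules, leaderElectionRules...)` also appends to a package-level slice; it allocates today because a slice literal has no spare capacity, but building a fresh slice removes the aliasing hazard if anyone later appends to `controllerRules`. The `return []runtime.Object{` that opens this literal sits between the two hunks and is outside this one.
```go
// secretsRules is the only access needed in the workspace secrets namespace.
var secretsRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{""},
		Resources: []string{"secrets"},
		Verbs:     []string{"create", "delete", "get", "list", "watch"},
	},
}

// concatRules returns a fresh slice so the package-level rule sets are never aliased.
func concatRules(groups ...[]rbacv1.PolicyRule) []rbacv1.PolicyRule {
	var out []rbacv1.PolicyRule
	for _, g := range groups {
		out = append(out, g...)
	}
	return out
}

// … unchanged: controllerRules (with the secrets rule removed), leaderElectionRules, start of role() …

			Rules: concatRules(controllerRules, secretsRules, leaderElectionRules),
		},

		&rbacv1.Role{
			// … unchanged: TypeMeta and ObjectMeta in common.WorkspaceSecretsNamespace …
			Rules: secretsRules,
		},
	}, nil
}
```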