diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index f6217c73ca144f..fdb89a9780c6ab 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -357,6 +357,39 @@ storage:
 {{- end -}}
 {{- end -}}
+{{/* custom ca bundle volume and volumeMount */}}
+{{- define "gitpod.caBundleVolume" -}}
+{{- if .Values.fullCABundleSecretName -}}
+- name: ca-bundle-certs
+ secret:
+ secretName: {{ .Values.fullCABundleSecretName }}
+{{- end -}}
+{{- end -}}
+
+{{- define "gitpod.caBundleVolumeMount" -}}
+{{- if .Values.fullCABundleSecretName -}}
+- name: ca-bundle-certs
+ mountPath: /etc/ssl/certs/ca-certificates.crt
+ subPath: ca-certificates.crt
+{{- end -}}
+{{- end -}}
+
+{{- define "gitpod.extraCABundleVolume" -}}
+{{- if .Values.extraCABundleSecretName -}}
+- name: extra-certs
+ secret:
+ secretName: {{ .Values.extraCABundleSecretName }}
+{{- end -}}
+{{- end -}}
+
+{{- define "gitpod.extraCABundleVolumeMount" -}}
+{{- if .Values.extraCABundleSecretName -}}
+- name: extra-certs
+ mountPath: /etc/ssl/certs/extra/ca-certificates.crt
+ subPath: ca-certificates.crt
+{{- end -}}
+{{- end -}}
+
 {{- define "gitpod.kube-rbac-proxy" -}}
 - name: kube-rbac-proxy
 image: quay.io/brancz/kube-rbac-proxy:v0.11.0
diff --git a/chart/templates/blobserve-deployment.yaml b/chart/templates/blobserve-deployment.yaml
index e60f2fa4f8482b..f74cd240fad9ce 100644
--- a/chart/templates/blobserve-deployment.yaml
+++ b/chart/templates/blobserve-deployment.yaml
@@ -65,6 +65,9 @@ spec:
 mountPath: /mnt/pull-secret.json
 subPath: .dockerconfigjson
 {{- end }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+ {{- end }}
 {{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
 volumes:
 - name: cache
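Review bot: The `gitpod.caBundleVolumeMount` and `gitpod.extraCABundleVolumeMount` helpers mount the secret with `subPath`, and a subPath mount is not refreshed by the kubelet when the secret changes, so rotating the bundle behind `fullCABundleSecretName` or `extraCABundleSecretName` leaves every running pod on the old trust store until it is restarted. The one-line helper comment also omits two things an operator must get right: the secret has to carry the key `ca-certificates.crt`, and the full bundle replaces the image's `/etc/ssl/certs/ca-certificates.crt` wholesale, so a bundle without the public roots breaks all outbound TLS in the components that mount it. I'd replace the comment with `{{/* CA bundle volume/volumeMount. Secret key must be "ca-certificates.crt". The full bundle REPLACES /etc/ssl/certs/ca-certificates.crt (include public roots); the extra bundle is only handed to workspaces. subPath mounts do not pick up secret updates - restart pods after rotating. */}}`.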
@@ -77,5 +80,8 @@ spec:
 secret:
 secretName: {{ .Values.components.workspace.pullSecret.secretName }}
 {{- end }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+ {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}
diff --git a/chart/templates/content-service-deployment.yaml b/chart/templates/content-service-deployment.yaml
index 393843e694a991..735228c0fb1d24 100644
--- a/chart/templates/content-service-deployment.yaml
+++ b/chart/templates/content-service-deployment.yaml
@@ -61,6 +61,9 @@ spec:
 - name: config
 mountPath: "/config"
 readOnly: true
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+ {{- end }}
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
 {{- end }}
@@ -68,6 +71,9 @@ spec:
 - name: config
 configMap:
 name: {{ template "gitpod.comp.configMap" $this }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+ {{- end }}
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}
diff --git a/chart/templates/image-builder-deployment.yaml b/chart/templates/image-builder-deployment.yaml
index 92a72a7ccc4c31..41b647c569a624 100644
--- a/chart/templates/image-builder-deployment.yaml
+++ b/chart/templates/image-builder-deployment.yaml
@@ -64,6 +64,9 @@ spec:
 secret:
 secretName: {{ $sec.secret }}
 {{- end }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+ {{- end }}
 enableServiceLinks: false
 containers:
 - name: dind
@@ -80,6 +83,9 @@ spec:
 - mountPath: /etc/docker/certs.d/{{- if eq $sec.name "builtin" -}}{{ template "gitpod.builtinRegistry.name" $this.root }}{{ else }}{{ $sec.name }}{{ end }}
 name: docker-tls-certs-{{ $idx }}
 {{- end }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+ {{- end }}
 {{- if $comp.dindResources }}
 resources:
 {{ toYaml $comp.dindResources | indent 10 }}
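Review bot: The `{{- if .Values.fullCABundleSecretName }}` wrapper around `include "gitpod.caBundleVolume"` in the blobserve volumes hunk repeats the guard the helper itself carries in _helpers.tpl, and the same double guard is pasted into the content-service and image-builder hunks on this line. Keep the condition in one place: either drop the inner `if` from the helpers so call sites own it, or drop these wrappers and let the helper render nothing (`indent 6` on an empty include then emits a whitespace-only line, which YAML tolerates). One source of truth is less likely to drift when the `extra` variant is wired into more components later.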
@@ -105,6 +111,9 @@ spec:
 name: pull-secret
 {{- end }}
 {{- end }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+ {{- end }}
 resources:
 requests:
 cpu: {{ $.Values.resources.default.cpu }}
diff --git a/chart/templates/image-builder-mk3-deployment.yaml b/chart/templates/image-builder-mk3-deployment.yaml
index ea6bf610548cbf..414ee03d07d543 100644
--- a/chart/templates/image-builder-mk3-deployment.yaml
+++ b/chart/templates/image-builder-mk3-deployment.yaml
@@ -60,6 +60,9 @@ spec:
 - name: wsman-tls-certs
 secret:
 secretName: {{ .Values.components.wsManager.tls.server.secretName }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+ {{- end }}
 enableServiceLinks: false
 containers:
 {{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
@@ -86,6 +89,9 @@ spec:
 name: pull-secret
 {{- end }}
 {{- end }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+ {{- end }}
 resources:
 requests:
 cpu: {{ $.Values.resources.default.cpu }}
diff --git a/chart/templates/proxy-deployment.yaml b/chart/templates/proxy-deployment.yaml
index b6c975566ef5fb..c50192cfe7a363 100644
--- a/chart/templates/proxy-deployment.yaml
+++ b/chart/templates/proxy-deployment.yaml
@@ -105,6 +105,9 @@ spec:
 {{- end }}
 - name: config-certificates
 mountPath: "/etc/caddy/certificates"
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+ {{- end }}
 {{ include "gitpod.container.defaultEnv" (dict "root" . "gp" $.Values "comp" $comp) | indent 8 }}
 - name: PROXY_DOMAIN
 value: "{{ $.Values.hostname }}"
@@ -123,5 +126,8 @@ spec:
 - name: config-certificates
 secret:
 secretName: {{ $.Values.certificatesSecret.secretName }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+ {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}
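Review bot: In the proxy-deployment.yaml volumeMounts hunk the full bundle is mounted over `/etc/ssl/certs/ca-certificates.crt` inside the Caddy container, which (Caddy being a Go binary that reads the system store from that path on Linux) decides what it trusts for upstream TLS and for its ACME client alike; a bundle containing only private CAs would presumably make certificate issuance against a public ACME endpoint fail with a verification error, and nothing in this change warns about that. A comment beside the mount would save an operator a confusing outage: `# full CA bundle replaces the system trust store for Caddy - it must include the public roots if ACME issuance is used`. The same replacement semantics apply to the dockerd registry pulls in the image-builder and image-builder-mk3 hunks on this line, so the chart documentation should say so once.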
diff --git a/chart/templates/registry-facade-daemonset.yaml b/chart/templates/registry-facade-daemonset.yaml
index 79f34b8fe9defa..88363b202ed669 100644
--- a/chart/templates/registry-facade-daemonset.yaml
+++ b/chart/templates/registry-facade-daemonset.yaml
@@ -71,6 +71,9 @@ spec:
 - name: https-certificates
 mountPath: "/mnt/certificates"
 {{- end }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+ {{- end }}
 {{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
 volumes:
 - name: cache
@@ -91,5 +94,8 @@ spec:
 secret:
 secretName: {{ .Values.certificatesSecret.secretName }}
 {{- end }}
+ {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+ {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}
diff --git a/chart/templates/server-deployment.yaml b/chart/templates/server-deployment.yaml
index efe5b9c1f9b6cd..1f49ebcad77716 100644
--- a/chart/templates/server-deployment.yaml
+++ b/chart/templates/server-deployment.yaml
@@ -105,6 +105,9 @@ spec:
 mountPath: "{{ dir $comp.githubApp.certPath }}"
 readOnly: true
 {{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+{{- end }}
 {{- if $comp.serverContainer.volumeMounts }}
 {{ toYaml $comp.serverContainer.volumeMounts | indent 8 }}
 {{- end }}
@@ -145,5 +148,8 @@ spec:
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+{{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}
\ No newline at end of file
diff --git a/chart/templates/ws-daemon-daemonset.yaml b/chart/templates/ws-daemon-daemonset.yaml
index 8a0094bbf9843b..08795432e50919 100644
--- a/chart/templates/ws-daemon-daemonset.yaml
+++ b/chart/templates/ws-daemon-daemonset.yaml
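Review bot: In the server-deployment.yaml hunks the new `{{- if .Values.fullCABundleSecretName }}` / `{{- end }}` lines sit at column 0, whereas every other template in this change indents them to the surrounding YAML (the `{{-` trim makes the rendered output identical, so this is purely a consistency point); the file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows. I'd align the guards with their siblings and add the final newline while this file is being touched.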
@@ -100,6 +100,9 @@ spec:
 {{- end }}
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
+{{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
 {{- end }}
 enableServiceLinks: false
 {{- if (or $comp.userNamespaces.shiftfsModuleLoader.enabled $comp.userNamespaces.seccompProfileInstaller.enabled) }}
@@ -267,6 +270,9 @@ spec:
 name: tls-certs
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
+{{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
 {{- end }}
 args: ["run", "--config", "/config/config.json"]
 image: {{ template "gitpod.comp.imageFull" $this }}
diff --git a/chart/templates/ws-manager-deployment.yaml b/chart/templates/ws-manager-deployment.yaml
index 007f0b207ea03e..05a78f52b5611b 100644
--- a/chart/templates/ws-manager-deployment.yaml
+++ b/chart/templates/ws-manager-deployment.yaml
@@ -56,6 +56,9 @@ spec:
 - name: workspace-template
 configMap:
 name: workspace-template
+ {{- if .Values.extraCABundleSecretName }}
+{{ include "gitpod.extraCABundleVolume" . | indent 6 }}
+ {{- end }}
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}
@@ -81,6 +84,9 @@ spec:
 - mountPath: /certs
 name: tls-certs
 readOnly: true
+ {{- if .Values.extraCABundleSecretName }}
+{{ include "gitpod.extraCABundleVolumeMount" . | indent 8 }}
+ {{- end }}
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
 {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 9ddbe2c6cc71dd..d458991ad9b4ff 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -761,3 +761,5 @@ cert-manager:
 certificate:
 selfSigned: true
 secretName: gitpod-ca-certificate
+
+# fullCABundleSecretName: full-ca-bundle
\ No newline at end of file
diff --git a/components/supervisor/pkg/supervisor/supervisor.go b/components/supervisor/pkg/supervisor/supervisor.go
index a511b07699c2b5..d7e72662e08dd5 100644
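Review bot: The values.yaml hunk documents only `fullCABundleSecretName`, yet the ws-manager hunks on this same line (and create.go) key off a second, undocumented value, `extraCABundleSecretName`; an operator reading values.yaml cannot discover it, nor that both secrets must expose the key `ca-certificates.crt`, nor that the two have very different blast radii (full replaces the system store in server, proxy, ws-daemon and the registry/builder components; extra is appended inside workspaces only). I'd replace the single commented line with `# fullCABundleSecretName: full-ca-bundle   # key "ca-certificates.crt"; REPLACES /etc/ssl/certs/ca-certificates.crt in server/proxy/ws-daemon/... - include public roots` and `# extraCABundleSecretName: extra-ca-bundle # key "ca-certificates.crt"; APPENDED to the trust store inside workspaces only`. Since the ws-manager mount is a subPath, a rotated extra bundle is only picked up after a ws-manager restart, which is worth a third comment line.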
--- a/components/supervisor/pkg/supervisor/supervisor.go
+++ b/components/supervisor/pkg/supervisor/supervisor.go
@@ -9,6 +9,7 @@ import (
 "crypto/rand"
 "crypto/rsa"
 "crypto/sha256"
+ "encoding/base64"
 "encoding/json"
 "errors"
 "fmt"
@@ -148,6 +149,7 @@ func Run(options ...RunOption) {
 return
 }
+ mergeExtraCABundle()
 err = AddGitpodUserIfNotExists()
 if err != nil {
 log.WithError(err).Fatal("cannot ensure Gitpod user exists")
@@ -352,6 +354,21 @@ func Run(options ...RunOption) {
 wg.Wait()
 }
+func mergeExtraCABundle() {
+ if c := os.Getenv("GITPOD_EXTRA_CA_BUNDLE"); c != "" {
+ crt, err := base64.RawStdEncoding.DecodeString(c)
+ if err != nil {
+ return
+ }
+ file, err := os.OpenFile("/etc/ssl/certs/ca-certificates.crt", os.O_WRONLY|os.O_APPEND, 0622)
+ if err != nil {
+ return
+ }
+ _, _ = file.Write(crt)
+ _ = file.Close()
+ }
+}
+
 func createGitpodService(cfg *Config, tknsrv api.TokenServiceServer) *gitpod.APIoverJSONRPC {
 endpoint, host, err := cfg.GitpodAPIEndpoint()
 if err != nil {
diff --git a/components/ws-manager/pkg/manager/create.go b/components/ws-manager/pkg/manager/create.go
index d872714e6be152..ee8154bbd9e246 100644
--- a/components/ws-manager/pkg/manager/create.go
+++ b/components/ws-manager/pkg/manager/create.go
@@ -10,6 +10,7 @@ import (
 "encoding/base64"
 "fmt"
 "io"
+ "os"
 "path/filepath"
 "reflect"
 "strconv"
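Review bot: `mergeExtraCABundle` appends the decoded bytes straight after whatever the image's bundle ends with, so if `/etc/ssl/certs/ca-certificates.crt` lacks a trailing newline the first appended `-----BEGIN CERTIFICATE-----` is glued onto the previous `-----END CERTIFICATE-----` line and both certificates become unparseable; and every failure path (bad base64, missing file on an image that keeps its store elsewhere, short write) returns silently, so an operator who set the extra bundle gets no hint why the workspace still does not trust it. Two smaller points: the `0622` mode is ignored without `O_CREATE` today but would make the trust store group/world-writable the day someone adds it, so use `0644`; and nothing checks that the payload is PEM, so a mis-set env var would corrupt the store for every TLS client in the workspace. The rewrite below logs with the package's existing `log`, wraps the payload in newlines, and rejects non-PEM input; it needs `encoding/pem` added to the import hunk, and if supervisor can run more than once against the same filesystem it should also skip the append when the store already contains the bundle.
```go
func mergeExtraCABundle() {
	encoded := os.Getenv("GITPOD_EXTRA_CA_BUNDLE")
	if encoded == "" {
		return
	}
	crt, err := base64.RawStdEncoding.DecodeString(encoded)
	if err != nil {
		log.WithError(err).Warn("cannot decode GITPOD_EXTRA_CA_BUNDLE; extra CAs will not be trusted")
		return
	}
	// Refuse anything that is not a PEM certificate: appending garbage to the
	// system store would break TLS verification for every client in the workspace.
	if block, _ := pem.Decode(crt); block == nil || block.Type != "CERTIFICATE" {
		log.Warn("GITPOD_EXTRA_CA_BUNDLE is not a PEM certificate bundle; ignoring it")
		return
	}
	const bundle = "/etc/ssl/certs/ca-certificates.crt"
	// 0644, not 0622: the mode is unused without O_CREATE, but a world-writable
	// trust store must never be what we ask for.
	f, err := os.OpenFile(bundle, os.O_WRONLY|os.O_APPEND, 0644)
	if err != nil {
		log.WithError(err).WithField("path", bundle).Warn("cannot open system CA bundle; extra CAs will not be trusted")
		return
	}
	defer f.Close()
	// Surround with newlines so a store lacking a trailing newline cannot glue
	// its last END marker to our first BEGIN marker.
	if _, err := fmt.Fprintf(f, "\n%s\n", crt); err != nil {
		log.WithError(err).Warn("cannot append extra CAs to system CA bundle")
	}
}
```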
@@ -568,6 +569,14 @@ func (m *Manager) createWorkspaceEnvironment(startContext *startWorkspaceContext
 result = append(result, corev1.EnvVar{Name: "THEIA_WEBVIEW_EXTERNAL_ENDPOINT", Value: "webview-{{hostname}}"})
 result = append(result, corev1.EnvVar{Name: "THEIA_MINI_BROWSER_HOST_PATTERN", Value: "browser-{{hostname}}"})
+ if _, err := os.Stat("/etc/ssl/certs/extra/ca-certificates.crt"); err == nil {
+ crt, err := os.ReadFile("/etc/ssl/certs/extra/ca-certificates.crt")
+ if err == nil {
+ base64Crt := base64.RawStdEncoding.EncodeToString(crt)
+ result = append(result, corev1.EnvVar{Name: "GITPOD_EXTRA_CA_BUNDLE", Value: base64Crt})
+ }
+ }
+
 // We don't require that Git be configured for workspaces
 if spec.Git != nil {
 result = append(result, corev1.EnvVar{Name: "GITPOD_GIT_USER_NAME", Value: spec.Git.Username})
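Review bot: The `os.Stat` followed by `os.ReadFile` on the same path is a redundant check-then-act; `ReadFile` alone reports not-found, and the present-but-unreadable case (wrong permissions on the mounted secret, a secret without the `ca-certificates.crt` key so the subPath mount is empty) is currently swallowed, which is exactly the misconfiguration an operator needs to hear about. Note also that the bundle is embedded in the pod spec as a plain env value: fine for public CA certificates, but it is visible to anyone who can read the pod and to every process in the workspace, and a large bundle inflates every workspace pod object, so the values.yaml comment should say the extra bundle is meant to be small. The enclosing `createWorkspaceEnvironment` starts and ends outside the hunk. Proposed replacement for the added block, using whatever logger this package already has:
```go
	// Propagate the extra CA bundle the chart mounts from extraCABundleSecretName
	// (a subPath mount: a rotated secret is only seen after a ws-manager restart).
	// Read directly rather than Stat-then-Read so a racing removal cannot slip in between.
	crt, err := os.ReadFile("/etc/ssl/certs/extra/ca-certificates.crt")
	switch {
	case err == nil:
		result = append(result, corev1.EnvVar{Name: "GITPOD_EXTRA_CA_BUNDLE", Value: base64.RawStdEncoding.EncodeToString(crt)})
	case !os.IsNotExist(err):
		// Present but unreadable is a misconfiguration worth surfacing, not a silent "no extra CAs".
		log.WithError(err).Warn("cannot read extra CA bundle; workspaces will not trust the extra CAs")
	}
```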