GitHub Repository: gitpod-io/gitpod
Path: blob/main/install/installer/pkg/components/ide-service/deployment.go
// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package ide_service
import (
"fmt"
"github.com/gitpod-io/gitpod/common-go/baseserver"
"github.com/gitpod-io/gitpod/installer/pkg/cluster"
"github.com/gitpod-io/gitpod/installer/pkg/common"
dockerregistry "github.com/gitpod-io/gitpod/installer/pkg/components/docker-registry"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/utils/pointer"
)
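// deployment renders the ide-service Deployment for the installer.
//
// It returns a single-element slice holding the Deployment. An error is
// returned when the container registry configuration selects neither the
// in-cluster registry nor an external one, or when common.ObjectHash fails on
// the output of configmap(ctx).
//
// The main container mounts three volumes: the component ConfigMap at /config,
// the "ide-config" ConfigMap at /ide-config, and the registry pull secret at
// /mnt/pull-secret. All three mounts are declared read-only.
func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
	labels := common.CustomizeLabel(ctx, Component, common.TypeMetaDeployment)

	// Pick the Secret that is mounted as the registry pull secret.
	// NOTE(review): when an external registry is configured without a
	// Certificate, secretName stays empty and the Secret volume below is
	// rendered with an empty SecretName; confirm that config validation rules
	// this combination out before render.
	volumeName := "pull-secret"
	var secretName string
	if pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) {
		secretName = dockerregistry.BuiltInRegistryAuth
	} else if ctx.Config.ContainerRegistry.External != nil {
		if ctx.Config.ContainerRegistry.External.Certificate != nil {
			secretName = ctx.Config.ContainerRegistry.External.Certificate.Name
		}
	} else {
		return nil, fmt.Errorf("%s: invalid container registry config", Component)
	}

	// The hash is stamped onto the pod template below, so a change in the
	// hashed object changes the template and the Deployment rolls its pods.
	configHash, err := common.ObjectHash(configmap(ctx))
	if err != nil {
		return nil, err
	}

	return []runtime.Object{
		&appsv1.Deployment{
			TypeMeta: common.TypeMetaDeployment,
			ObjectMeta: metav1.ObjectMeta{
				Name:        Component,
				Namespace:   ctx.Namespace,
				Labels:      labels,
				Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDeployment),
			},
			Spec: appsv1.DeploymentSpec{
				Selector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(Component)},
				Replicas: common.Replicas(ctx, Component),
				Strategy: common.DeploymentStrategy,
				Template: corev1.PodTemplateSpec{
					ObjectMeta: metav1.ObjectMeta{
						Name:      Component,
						Namespace: ctx.Namespace,
						Labels:    labels,
						Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDeployment, func() map[string]string {
							return map[string]string{
								common.AnnotationConfigChecksum: configHash,
							}
						}),
					},
					Spec: corev1.PodSpec{
						Affinity:                      cluster.WithNodeAffinityHostnameAntiAffinity(Component, cluster.AffinityLabelMeta),
						TopologySpreadConstraints:     cluster.WithHostnameTopologySpread(Component),
						ServiceAccountName:            Component,
						EnableServiceLinks:            pointer.Bool(false),
						DNSPolicy:                     corev1.DNSClusterFirst,
						RestartPolicy:                 corev1.RestartPolicyAlways,
						TerminationGracePeriodSeconds: pointer.Int64(30),
						Containers: []corev1.Container{{
							Args:            []string{"run", "--config", "/config/config.json"},
							Name:            Component,
							Image:           ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.IDEService.Version),
							ImagePullPolicy: corev1.PullIfNotPresent,
							Resources: common.ResourceRequirements(ctx, Component, Component, corev1.ResourceRequirements{
								Requests: corev1.ResourceList{
									"cpu":    resource.MustParse("100m"),
									"memory": resource.MustParse("128Mi"),
								},
							}),
							Ports: []corev1.ContainerPort{{
								ContainerPort: GRPCServicePort,
								Name:          GRPCPortName,
							}},
							// Privileged mode and privilege escalation are both switched off.
							// NOTE(review): RunAsNonRoot, ReadOnlyRootFilesystem, a capability
							// drop and a seccomp profile are not set here; confirm whether they
							// are applied elsewhere or can be added for this image.
							SecurityContext: &corev1.SecurityContext{
								Privileged:               pointer.Bool(false),
								AllowPrivilegeEscalation: pointer.Bool(false),
							},
							Env: common.CustomizeEnvvar(ctx, Component, common.MergeEnv(
								common.DefaultEnv(&ctx.Config),
								common.ConfigcatEnv(ctx),
							)),
							VolumeMounts: []corev1.VolumeMount{
								{
									Name:      VolumeConfig,
									MountPath: "/config",
									ReadOnly:  true,
								},
								{
									Name:      "ide-config",
									MountPath: "/ide-config",
									ReadOnly:  true,
								},
								{
									// The pull secret holds registry credentials. Kubernetes
									// already mounts Secret volumes read-only; declaring it
									// keeps this mount consistent with the two above and
									// visible to manifest review.
									Name:      volumeName,
									MountPath: "/mnt/pull-secret",
									ReadOnly:  true,
								},
							},
							ReadinessProbe: &corev1.Probe{
								ProbeHandler: corev1.ProbeHandler{
									HTTPGet: &corev1.HTTPGetAction{
										Path: "/ready",
										Port: intstr.IntOrString{IntVal: baseserver.BuiltinHealthPort},
									},
								},
								FailureThreshold: 3,
								SuccessThreshold: 1,
								TimeoutSeconds:   1,
							},
						},
							// Second container, supplied by the shared helper.
							*common.KubeRBACProxyContainerWithConfig(ctx),
						},
						Volumes: []corev1.Volume{
							{
								Name: VolumeConfig,
								VolumeSource: corev1.VolumeSource{
									ConfigMap: &corev1.ConfigMapVolumeSource{
										LocalObjectReference: corev1.LocalObjectReference{Name: Component},
									},
								},
							},
							{
								Name: "ide-config",
								VolumeSource: corev1.VolumeSource{
									ConfigMap: &corev1.ConfigMapVolumeSource{
										LocalObjectReference: corev1.LocalObjectReference{Name: "ide-config"},
									},
								},
							},
							{
								// Only the ".dockerconfigjson" key is projected, as
								// pull-secret.json under the mount path.
								// NOTE(review): DefaultMode is unset, so the Kubernetes
								// default file mode applies; a tighter mode may be possible
								// depending on the user the container runs as — confirm.
								Name: volumeName,
								VolumeSource: corev1.VolumeSource{
									Secret: &corev1.SecretVolumeSource{
										SecretName: secretName,
										Items:      []corev1.KeyToPath{{Key: ".dockerconfigjson", Path: "pull-secret.json"}},
									},
								},
							},
						},
						Tolerations: common.WithTolerationWorkspaceComponentNotReady(ctx),
					},
				},
			},
		},
	}, nil
}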