// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package image_builder_mk3
import (
"fmt"
"github.com/gitpod-io/gitpod/installer/pkg/cluster"
"github.com/gitpod-io/gitpod/installer/pkg/config/v1"
"github.com/gitpod-io/gitpod/installer/pkg/common"
dockerregistry "github.com/gitpod-io/gitpod/installer/pkg/components/docker-registry"
wsmanagermk2 "github.com/gitpod-io/gitpod/installer/pkg/components/ws-manager-mk2"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/utils/pointer"
)
// pullSecretName resolves the name of the Kubernetes secret that holds the
// registry credentials mounted into the image-builder-mk3 pod (its
// .dockerconfigjson key is projected as pull-secret.json by deployment).
//
// With the in-cluster registry enabled this is the built-in registry's auth
// secret; with an external registry it is that registry's certificate secret.
// An error is returned when neither variant is configured, because the pod
// could not be rendered with a valid pull secret.
func pullSecretName(ctx *common.RenderContext) (string, error) {
	registry := ctx.Config.ContainerRegistry

	switch {
	case pointer.BoolDeref(registry.InCluster, false):
		return dockerregistry.BuiltInRegistryAuth, nil
	case registry.External != nil:
		return registry.External.Certificate.Name, nil
	default:
		return "", fmt.Errorf("%s: invalid container registry config", Component)
	}
}
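// deploymentVolumes assembles the volumes and the matching mounts for the
// image-builder-mk3 container.
//
// It always provides the rendered configuration file, the ws-manager client
// TLS certificates, the registry credentials secret (only its .dockerconfigjson
// key, projected as pull-secret.json) and the cluster CA bundle. In workspace
// clusters the component's own TLS certificate secret is added as well.
//
// pullSecret is the secret name resolved by pullSecretName.
func deploymentVolumes(ctx *common.RenderContext, pullSecret string) ([]corev1.Volume, []corev1.VolumeMount) {
	volumes := []corev1.Volume{
		{
			Name: "configuration",
			VolumeSource: corev1.VolumeSource{
				ConfigMap: &corev1.ConfigMapVolumeSource{
					LocalObjectReference: corev1.LocalObjectReference{Name: fmt.Sprintf("%s-config", Component)},
				},
			},
		},
		{
			Name: "wsman-tls-certs",
			VolumeSource: corev1.VolumeSource{
				Secret: &corev1.SecretVolumeSource{
					SecretName: wsmanagermk2.TLSSecretNameClient,
				},
			},
		},
		{
			Name: "pull-secret",
			VolumeSource: corev1.VolumeSource{
				Secret: &corev1.SecretVolumeSource{
					SecretName: pullSecret,
					// Project only the credentials key so no other data from
					// the secret ends up inside the pod.
					Items: []corev1.KeyToPath{{Key: ".dockerconfigjson", Path: "pull-secret.json"}},
				},
			},
		},
		common.CAVolume(),
	}

	volumeMounts := []corev1.VolumeMount{
		{
			Name:      "configuration",
			MountPath: "/config/image-builder.json",
			SubPath:   "image-builder.json",
		},
		{
			Name:      "wsman-tls-certs",
			MountPath: "/wsman-certs",
			ReadOnly:  true,
		},
		{
			// NOTE(review): not marked ReadOnly like the other secret mounts;
			// confirm nothing writes here before tightening it.
			Name:      "pull-secret",
			MountPath: "/config/pull-secret",
		},
		common.CAVolumeMount(),
	}

	if ctx.Config.Kind == config.InstallationWorkspace {
		// Only enable TLS in workspace clusters. This check can be removed
		// once image-builder-mk3 has been removed from application clusters
		// (https://github.com/gitpod-io/gitpod/issues/7845).
		volumes = append(volumes, corev1.Volume{
			Name: VolumeTLSCerts,
			VolumeSource: corev1.VolumeSource{
				Secret: &corev1.SecretVolumeSource{SecretName: TLSSecretName},
			},
		})
		volumeMounts = append(volumeMounts, corev1.VolumeMount{
			Name:      VolumeTLSCerts,
			MountPath: "/certs",
			ReadOnly:  true,
		})
	}

	return volumes, volumeMounts
}

// deployment renders the image-builder-mk3 Deployment.
//
// The pod template carries a config-checksum annotation computed over the
// component's ConfigMap objects and the docker-registry hash inputs, so a
// change to either rolls the pods. Errors from rendering the ConfigMap,
// resolving the pull secret or hashing are returned to the caller unchanged.
func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
	labels := common.CustomizeLabel(ctx, Component, common.TypeMetaDeployment)

	// Inputs to the checksum annotation. The ConfigMap objects are collected
	// before the registry hash inputs; keep this order so the resulting hash
	// stays stable across releases.
	var hashObj []runtime.Object
	cfgObjs, err := configmap(ctx)
	if err != nil {
		return nil, err
	}
	hashObj = append(hashObj, cfgObjs...)

	secretName, err := pullSecretName(ctx)
	if err != nil {
		return nil, err
	}

	registryObjs, err := common.DockerRegistryHash(ctx)
	if err != nil {
		return nil, err
	}
	hashObj = append(hashObj, registryObjs...)

	configHash, err := common.ObjectHash(hashObj, nil)
	if err != nil {
		return nil, err
	}

	volumes, volumeMounts := deploymentVolumes(ctx, secretName)

	return []runtime.Object{&appsv1.Deployment{
		TypeMeta: common.TypeMetaDeployment,
		ObjectMeta: metav1.ObjectMeta{
			Name:        Component,
			Namespace:   ctx.Namespace,
			Labels:      labels,
			Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDeployment),
		},
		Spec: appsv1.DeploymentSpec{
			Selector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(Component)},
			Replicas: common.Replicas(ctx, Component),
			Strategy: common.DeploymentStrategy,
			Template: corev1.PodTemplateSpec{
				ObjectMeta: metav1.ObjectMeta{
					Name:      Component,
					Namespace: ctx.Namespace,
					Labels:    labels,
					// The checksum lives on the pod template (not the
					// Deployment) so that a config change alters the template
					// and triggers a rollout.
					Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDeployment, func() map[string]string {
						return map[string]string{
							common.AnnotationConfigChecksum: configHash,
						}
					}),
				},
				Spec: corev1.PodSpec{
					Affinity:                  cluster.WithNodeAffinityHostnameAntiAffinity(Component, cluster.AffinityLabelServices),
					TopologySpreadConstraints: cluster.WithHostnameTopologySpread(Component),
					ServiceAccountName:        Component,
					// Do not inject the legacy per-service environment variables.
					EnableServiceLinks:            pointer.Bool(false),
					DNSPolicy:                     corev1.DNSClusterFirst,
					RestartPolicy:                 corev1.RestartPolicyAlways,
					TerminationGracePeriodSeconds: pointer.Int64(30),
					Volumes:                       volumes,
					Containers: []corev1.Container{{
						Name:            Component,
						Image:           ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.ImageBuilderMk3.Version),
						ImagePullPolicy: corev1.PullIfNotPresent,
						Args: []string{
							"run",
							"--config",
							"/config/image-builder.json",
						},
						Env: common.CustomizeEnvvar(ctx, Component, common.MergeEnv(
							common.DefaultEnv(&ctx.Config),
							common.WorkspaceTracingEnv(ctx, Component),
						)),
						Resources: common.ResourceRequirements(ctx, Component, Component, corev1.ResourceRequirements{
							Requests: corev1.ResourceList{
								"cpu":    resource.MustParse("100m"),
								"memory": resource.MustParse("200Mi"),
							},
						}),
						Ports: []corev1.ContainerPort{{
							ContainerPort: RPCPort,
							Name:          RPCPortName,
						}},
						// Unprivileged container with a fixed non-root UID and
						// no privilege escalation.
						// NOTE(review): RunAsNonRoot and ReadOnlyRootFilesystem
						// are not set; confirm the image tolerates them before
						// tightening the context further.
						SecurityContext: &corev1.SecurityContext{
							Privileged:               pointer.Bool(false),
							AllowPrivilegeEscalation: pointer.Bool(false),
							RunAsUser:                pointer.Int64(33333),
						},
						VolumeMounts: volumeMounts,
					},
						*common.KubeRBACProxyContainer(ctx),
					},
					Tolerations: common.WithTolerationWorkspaceComponentNotReady(ctx),
				},
			},
		},
	}}, nil
}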