// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package wsdaemon
import (
"fmt"
"github.com/gitpod-io/gitpod/installer/pkg/cluster"
"github.com/gitpod-io/gitpod/installer/pkg/common"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/utils/pointer"
)
// daemonset renders the ws-daemon DaemonSet: one pod per workspace node that
// runs privileged, shares the host PID namespace and mounts the node's
// container runtime socket/dir, cgroup tree, /proc/mounts, /etc/hosts and the
// workspace working area from the host. The pod template carries a hash of the
// component ConfigMap as an annotation so that a config change rolls the
// DaemonSet.
//
// It returns an error when the ConfigMap cannot be hashed or when the storage
// mounts cannot be added to the pod spec.
func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
	cfg := ctx.Config
	labels := common.CustomizeLabel(ctx, Component, common.TypeMetaDaemonset)

	// A changed ConfigMap must yield a changed pod template (see the
	// checksum annotation below), hence the hash is computed up front.
	configHash, err := common.ObjectHash(configmap(ctx))
	if err != nil {
		return nil, err
	}

	// Helpers for the pointer-typed enum fields and the repeated shapes
	// below. privileged returns a fresh SecurityContext per call so that
	// the containers do not share one pointer.
	hostPathType := func(t corev1.HostPathType) *corev1.HostPathType { return &t }
	propagation := func(m corev1.MountPropagationMode) *corev1.MountPropagationMode { return &m }
	privileged := func() *corev1.SecurityContext {
		return &corev1.SecurityContext{Privileged: pointer.Bool(true)}
	}
	hostPath := func(name, path string, t *corev1.HostPathType) corev1.Volume {
		return corev1.Volume{
			Name: name,
			VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
				Path: path,
				Type: t,
			}},
		}
	}
	mount := func(name, mountPath string) corev1.VolumeMount {
		return corev1.VolumeMount{Name: name, MountPath: mountPath}
	}
	// httpProbe builds an HTTP probe against ReadinessPort; only the path,
	// the period and the success threshold differ between the two probes.
	httpProbe := func(path string, period, success int32) *corev1.Probe {
		return &corev1.Probe{
			ProbeHandler: corev1.ProbeHandler{
				HTTPGet: &corev1.HTTPGetAction{
					Path: path,
					Port: intstr.IntOrString{IntVal: ReadinessPort},
				},
			},
			InitialDelaySeconds: 5,
			PeriodSeconds:       period,
			TimeoutSeconds:      1,
			SuccessThreshold:    success,
			FailureThreshold:    5,
		}
	}

	// Copies the workspace seccomp profile into the kubelet's seccomp
	// directory on the node. The file name carries the manifest version so
	// profiles from different releases do not overwrite each other.
	seccompInstaller := corev1.Container{
		Name:  "seccomp-profile-installer",
		Image: ctx.ImageName(cfg.Repository, "seccomp-profile-installer", ctx.VersionManifest.Components.WSDaemon.UserNamespaces.SeccompProfileInstaller.Version),
		Command: []string{
			"/bin/sh",
			"-c",
			fmt.Sprintf("cp -f /installer/workspace_default.json /mnt/dst/workspace_default_%s.json", ctx.VersionManifest.Version),
		},
		VolumeMounts: []corev1.VolumeMount{{
			Name:      "hostseccomp",
			MountPath: "/mnt/dst",
		}},
		SecurityContext: privileged(),
	}

	// Applies node-level sysctls (connection limits, inotify watches, and
	// the hardening settings kernel.dmesg_restrict=1 and
	// vm.unprivileged_userfaultfd=0). Note that the trailing
	// `|| echo "failed!"` makes the script exit 0 whichever branch runs, so
	// a failed sysctl is only visible in the init container's log and does
	// not block the pod from starting.
	sysctls := corev1.Container{
		Name:  "sysctl",
		Image: ctx.ImageName(cfg.Repository, "ws-daemon", ctx.VersionManifest.Components.WSDaemon.Version),
		Command: []string{
			"sh",
			"-c",
			`(
	echo "running sysctls" &&
	sysctl -w net.core.somaxconn=4096 &&
	sysctl -w "net.ipv4.ip_local_port_range=5000 65000" &&
	sysctl -w "net.ipv4.tcp_tw_reuse=1" &&
	sysctl -w fs.inotify.max_user_watches=1000000 &&
	sysctl -w "kernel.dmesg_restrict=1" &&
	sysctl -w vm.unprivileged_userfaultfd=0
) && echo "done!" || echo "failed!"
`,
		},
		SecurityContext: privileged(),
	}

	initContainers := []corev1.Container{seccompInstaller, sysctls}

	// Host paths the daemon needs. "hostfs" (the node's root) is declared
	// here but not mounted in volumeMounts below; presumably it is consumed
	// by common.AddStorageMounts — confirm against that helper.
	volumes := []corev1.Volume{
		hostPath("hostfs", "/", nil),
		hostPath("working-area-mk2", HostWorkingAreaMk2, hostPathType(corev1.HostPathDirectoryOrCreate)),
		{
			Name:         "tls-certs",
			VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: TLSSecretName}},
		},
		{
			Name: "config",
			VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{
				LocalObjectReference: corev1.LocalObjectReference{Name: Component},
			}},
		},
		hostPath("containerd-socket", ctx.Config.Workspace.Runtime.ContainerDSocketDir, nil),
		hostPath("node-fs0", ctx.Config.Workspace.Runtime.ContainerDRuntimeDir, hostPathType(corev1.HostPathDirectory)),
		hostPath("node-mounts", "/proc/mounts", hostPathType(corev1.HostPathFile)),
		hostPath("node-cgroups", "/sys/fs/cgroup", hostPathType(corev1.HostPathDirectory)),
		hostPath("node-hosts", "/etc/hosts", hostPathType(corev1.HostPathFile)),
		hostPath("node-linux-src", "/usr/src", hostPathType(corev1.HostPathDirectory)),
		hostPath("hostseccomp", "/var/lib/kubelet/seccomp", nil),
		hostPath("gcloud-tmp", HostBackupPath, hostPathType(corev1.HostPathDirectoryOrCreate)),
		common.CAVolume(),
	}

	volumeMounts := []corev1.VolumeMount{
		{
			// Bidirectional propagation: mounts the daemon creates under the
			// working area must become visible on the host (and vice versa).
			Name:             "working-area-mk2",
			MountPath:        ContainerWorkingAreaMk2,
			MountPropagation: propagation(corev1.MountPropagationBidirectional),
		},
		mount("config", "/config"),
		mount("containerd-socket", "/mnt/containerd"),
		mount("node-fs0", "/mnt/node0"),
		{
			// Read-only view of the host mount table; only host->container
			// propagation is needed to observe new mounts.
			Name:             "node-mounts",
			ReadOnly:         true,
			MountPath:        "/mnt/mounts",
			MountPropagation: propagation(corev1.MountPropagationHostToContainer),
		},
		{
			Name:             "node-cgroups",
			MountPath:        "/mnt/node-cgroups",
			MountPropagation: propagation(corev1.MountPropagationHostToContainer),
		},
		mount("node-hosts", "/mnt/hosts"),
		mount("tls-certs", "/certs"),
		mount("gcloud-tmp", "/mnt/sync-tmp"),
		common.CAVolumeMount(),
	}

	// Stay scheduled on the node even under pressure taints, and tolerate
	// every other taint so the daemon lands on all workspace nodes.
	tolerations := make([]corev1.Toleration, 0, 4)
	for _, key := range []string{
		"node.kubernetes.io/disk-pressure",
		"node.kubernetes.io/memory-pressure",
		"node.kubernetes.io/out-of-disk",
	} {
		tolerations = append(tolerations, corev1.Toleration{
			Key:      key,
			Operator: corev1.TolerationOpExists,
			Effect:   corev1.TaintEffectNoExecute,
		})
	}
	tolerations = append(tolerations, corev1.Toleration{Operator: corev1.TolerationOpExists})

	wsDaemon := corev1.Container{
		Name:  Component,
		Image: ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.WSDaemon.Version),
		Args:  []string{"run", "--config", "/config/config.json"},
		Ports: []corev1.ContainerPort{{
			Name:          "rpc",
			ContainerPort: ServicePort,
		}},
		Env: common.CustomizeEnvvar(ctx, Component, common.MergeEnv(
			common.DefaultEnv(&cfg),
			common.WorkspaceTracingEnv(ctx, Component),
			common.NodeNameEnv(ctx),
		)),
		Resources: common.ResourceRequirements(ctx, Component, Component, corev1.ResourceRequirements{Requests: corev1.ResourceList{
			"cpu":    resource.MustParse("500m"),
			"memory": resource.MustParse("2Gi"),
		}}),
		VolumeMounts:    volumeMounts,
		ImagePullPolicy: corev1.PullIfNotPresent,
		// The daemon manages workspace mounts, cgroups and namespaces on the
		// node and therefore runs privileged.
		SecurityContext: privileged(),
		ReadinessProbe:  httpProbe("/ready", 5, 2),
		LivenessProbe:   httpProbe("/live", 10, 1),
	}

	podSpec := corev1.PodSpec{
		Volumes:        volumes,
		InitContainers: initContainers,
		Containers: []corev1.Container{
			wsDaemon,
			*common.KubeRBACProxyContainer(ctx),
		},
		RestartPolicy:                 corev1.RestartPolicyAlways,
		TerminationGracePeriodSeconds: pointer.Int64(30),
		DNSPolicy:                     corev1.DNSClusterFirst,
		ServiceAccountName:            Component,
		// Host PID namespace: combined with the privileged container this
		// gives the pod node-level reach, so the DaemonSet is pinned to
		// workspace nodes only via the affinity below.
		HostPID:            true,
		Affinity:           cluster.WithNodeAffinity(cluster.AffinityLabelWorkspacesRegular, cluster.AffinityLabelWorkspacesHeadless),
		Tolerations:        tolerations,
		PriorityClassName:  common.SystemNodeCritical,
		EnableServiceLinks: pointer.Bool(false),
	}

	if err = common.AddStorageMounts(ctx, &podSpec, Component); err != nil {
		return nil, err
	}

	ds := &appsv1.DaemonSet{
		TypeMeta: common.TypeMetaDaemonset,
		ObjectMeta: metav1.ObjectMeta{
			Name:        Component,
			Namespace:   ctx.Namespace,
			Labels:      labels,
			Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDaemonset),
		},
		Spec: appsv1.DaemonSetSpec{
			Selector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(Component)},
			Template: corev1.PodTemplateSpec{
				ObjectMeta: metav1.ObjectMeta{
					Labels: labels,
					// The config checksum lives on the template, not the
					// DaemonSet, so that a config change triggers a rollout.
					Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDaemonset, func() map[string]string {
						return map[string]string{
							common.AnnotationConfigChecksum: configHash,
						}
					}),
				},
				Spec: podSpec,
			},
			UpdateStrategy: common.DaemonSetRolloutStrategy(),
		},
	}

	return []runtime.Object{ds}, nil
}