GitHub Repository: gitpod-io/gitpod
Path: blob/main/install/installer/pkg/components/ws-proxy/deployment.go
// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package wsproxy
import (
"github.com/gitpod-io/gitpod/common-go/baseserver"
"github.com/gitpod-io/gitpod/installer/pkg/cluster"
"github.com/gitpod-io/gitpod/installer/pkg/common"
wsmanagermk2 "github.com/gitpod-io/gitpod/installer/pkg/components/ws-manager-mk2"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/utils/pointer"
)
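// deployment renders the ws-proxy Deployment object for the installer.
//
// The pod mounts the component ConfigMap, the ws-manager client TLS secret,
// the CA volume from common.CAVolume, the certificate secret named in
// ctx.Config.Certificate, and, when configured, the SSH gateway host key
// and SSH gateway CA key secrets. All of these mounts are declared
// read-only. It returns the Deployment as a single-element slice, or the
// error from hashing the ConfigMap.
func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
	labels := common.CustomizeLabel(ctx, Component, common.TypeMetaDeployment)

	// The hash of the rendered ConfigMap is attached to the pod template as
	// an annotation below; presumably so that a config change alters the
	// template and rolls the pods.
	configHash, err := common.ObjectHash(configmap(ctx))
	if err != nil {
		return nil, err
	}

	volumes := []corev1.Volume{
		{
			Name: "config-certificates",
			VolumeSource: corev1.VolumeSource{
				Secret: &corev1.SecretVolumeSource{
					SecretName: ctx.Config.Certificate.Name,
				},
			},
		},
	}

	volumeMounts := []corev1.VolumeMount{
		{
			Name:      "config-certificates",
			MountPath: "/mnt/certificates",
			// Declared read-only for consistency with the other secret
			// mounts of this pod ("ca-key", "ws-manager-client-tls-certs").
			// Kubernetes is expected to project Secret volumes read-only
			// anyway, so this should only make the intent explicit;
			// regenerate any rendered golden files.
			ReadOnly: true,
		},
	}

	if ctx.Config.SSHGatewayHostKey != nil {
		volumes = append(volumes, corev1.Volume{
			Name: "host-key",
			VolumeSource: corev1.VolumeSource{
				Secret: &corev1.SecretVolumeSource{
					SecretName: ctx.Config.SSHGatewayHostKey.Name,
				},
			},
		})

		volumeMounts = append(volumeMounts, corev1.VolumeMount{
			Name:      "host-key",
			MountPath: "/mnt/host-key",
			// Key material: declared read-only like the "ca-key" mount.
			ReadOnly: true,
		})
	}

	if ctx.Config.SSHGatewayCAKey != nil {
		volumes = append(volumes, corev1.Volume{
			Name: "ca-key",
			VolumeSource: corev1.VolumeSource{
				Secret: &corev1.SecretVolumeSource{
					SecretName: ctx.Config.SSHGatewayCAKey.Name,
					// The pod is allowed to start when this secret is absent.
					Optional: pointer.Bool(true),
				},
			},
		})

		// Only the "ca.key" entry of the secret is exposed, as a single file.
		volumeMounts = append(volumeMounts, corev1.VolumeMount{
			Name:      "ca-key",
			MountPath: "/mnt/ca-key/ca.key",
			SubPath:   "ca.key",
			ReadOnly:  true,
		})
	}

	podSpec := corev1.PodSpec{
		PriorityClassName:         common.SystemNodeCritical,
		Affinity:                  cluster.WithNodeAffinityHostnameAntiAffinity(Component, cluster.AffinityLabelServices),
		TopologySpreadConstraints: cluster.WithHostnameTopologySpread(Component),
		EnableServiceLinks:        pointer.Bool(false),
		ServiceAccountName:        Component,
		// NOTE(review): the UID is pinned to a non-zero value, but
		// RunAsNonRoot is not set, so nothing here makes the kubelet
		// refuse an image that would run as root if this field were
		// overridden.
		SecurityContext: &corev1.PodSecurityContext{
			RunAsUser: pointer.Int64(31002),
		},
		TerminationGracePeriodSeconds: pointer.Int64(360),
		// Fixed volumes first, then the certificate and optional SSH key
		// volumes collected above.
		Volumes: append([]corev1.Volume{
			{
				Name: "config",
				VolumeSource: corev1.VolumeSource{
					ConfigMap: &corev1.ConfigMapVolumeSource{
						LocalObjectReference: corev1.LocalObjectReference{Name: Component},
					},
				},
			},
			{
				Name: "ws-manager-client-tls-certs",
				VolumeSource: corev1.VolumeSource{
					Secret: &corev1.SecretVolumeSource{
						SecretName: wsmanagermk2.TLSSecretNameClient,
					},
				},
			},
			common.CAVolume(),
		}, volumes...),
		Containers: []corev1.Container{{
			Name:            Component,
			Args:            []string{"run", "/config/config.json"},
			Image:           ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.WSProxy.Version),
			ImagePullPolicy: corev1.PullIfNotPresent,
			// Only requests are set here; no limits are declared in this
			// block (common.ResourceRequirements may apply overrides).
			Resources: common.ResourceRequirements(ctx, Component, Component, corev1.ResourceRequirements{
				Requests: corev1.ResourceList{
					"cpu":    resource.MustParse("100m"),
					"memory": resource.MustParse("32Mi"),
				},
			}),
			Ports: []corev1.ContainerPort{{
				Name:          HTTPProxyPortName,
				ContainerPort: HTTPProxyPort,
			}, {
				Name:          HTTPSProxyPortName,
				ContainerPort: HTTPSProxyPort,
			}, {
				Name:          baseserver.BuiltinMetricsPortName,
				ContainerPort: baseserver.BuiltinMetricsPort,
			}, {
				Name:          SSHPortName,
				ContainerPort: SSHServicePort,
			}},
			// The container is explicitly unprivileged and may not gain
			// additional privileges.
			SecurityContext: &corev1.SecurityContext{
				Privileged:               pointer.Bool(false),
				AllowPrivilegeEscalation: pointer.Bool(false),
			},
			Env: common.CustomizeEnvvar(ctx, Component, common.MergeEnv(
				common.DefaultEnv(&ctx.Config),
				common.WorkspaceTracingEnv(ctx, Component),
				common.AnalyticsEnv(&ctx.Config),
				// ws-proxy and proxy may not be in the same cluster
				common.ConfigcatEnvOutOfCluster(ctx),
			)),
			ReadinessProbe: &corev1.Probe{
				InitialDelaySeconds: int32(2),
				PeriodSeconds:       int32(5),
				FailureThreshold:    int32(10),
				ProbeHandler: corev1.ProbeHandler{
					HTTPGet: &corev1.HTTPGetAction{
						Path: "/readyz",
						Port: intstr.IntOrString{IntVal: ReadinessPort},
					},
				},
			},
			// The liveness probe targets the same port as the readiness
			// probe (ReadinessPort), on a different path.
			LivenessProbe: &corev1.Probe{
				InitialDelaySeconds: int32(2),
				PeriodSeconds:       int32(5),
				FailureThreshold:    int32(10),
				SuccessThreshold:    int32(1),
				TimeoutSeconds:      int32(2),
				ProbeHandler: corev1.ProbeHandler{
					HTTPGet: &corev1.HTTPGetAction{
						Path: "/healthz",
						Port: intstr.IntOrString{IntVal: ReadinessPort},
					},
				},
			},
			VolumeMounts: append([]corev1.VolumeMount{
				{
					Name:      "config",
					MountPath: "/config",
					ReadOnly:  true,
				},
				{
					Name:      "ws-manager-client-tls-certs",
					MountPath: "/ws-manager-client-tls-certs",
					ReadOnly:  true,
				},
				common.CAVolumeMount(),
			}, volumeMounts...),
		},
			// Second container of the pod, as built by
			// common.KubeRBACProxyContainer.
			*common.KubeRBACProxyContainer(ctx),
		},
		Tolerations: common.WithTolerationWorkspaceComponentNotReady(ctx),
	}

	return []runtime.Object{
		&appsv1.Deployment{
			TypeMeta: common.TypeMetaDeployment,
			ObjectMeta: metav1.ObjectMeta{
				Name:        Component,
				Namespace:   ctx.Namespace,
				Labels:      labels,
				Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDeployment),
			},
			Spec: appsv1.DeploymentSpec{
				Selector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(Component)},
				Replicas: common.Replicas(ctx, Component),
				Strategy: common.DeploymentStrategy,
				Template: corev1.PodTemplateSpec{
					ObjectMeta: metav1.ObjectMeta{
						Name:      Component,
						Namespace: ctx.Namespace,
						Labels:    labels,
						// The pod template additionally carries the
						// ConfigMap checksum computed at the top.
						Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDeployment, func() map[string]string {
							return map[string]string{
								common.AnnotationConfigChecksum: configHash,
							}
						}),
					},
					Spec: podSpec,
				},
			},
		},
	}, nil
}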