[installer]: general fixes for the meta components

This now installs the meta components to a cluster using an InCluster database and registry

installer/pkg/common/common.go

@@ -61,6 +61,16 @@ func DefaultEnv(cfg *config.Config) []corev1.EnvVar {
 
 	return []corev1.EnvVar{
 		{Name: "GITPOD_DOMAIN", Value: cfg.Domain},
+		{Name: "GITPOD_INSTALLATION_LONGNAME", Value: cfg.Domain},  // todo(sje): figure out these values
+		{Name: "GITPOD_INSTALLATION_SHORTNAME", Value: cfg.Domain}, // todo(sje): figure out these values
+		{Name: "GITPOD_REGION", Value: cfg.Metadata.Region},
+		{Name: "HOST_URL", Value: "https://" + cfg.Domain},
+		{Name: "KUBE_NAMESPACE", ValueFrom: &corev1.EnvVarSource{
+			FieldRef: &corev1.ObjectFieldSelector{
+				FieldPath: "metadata.namespace",
+			},
+		}},
+		{Name: "KUBE_DOMAIN", Value: "svc.cluster.local"},
 		{Name: "LOG_LEVEL", Value: strings.ToLower(logLevel)},
 	}
 }
@@ -102,7 +112,7 @@ func AnalyticsEnv(cfg *config.Config) (res []corev1.EnvVar) {
 	}}
 }
 
-func MessageBusEnv(cfg *config.Config) (res []corev1.EnvVar) {
+func MessageBusEnv(_ *config.Config) (res []corev1.EnvVar) {
 	clusterObj := corev1.LocalObjectReference{Name: InClusterMessageQueueName}
 	tlsObj := corev1.LocalObjectReference{Name: InClusterMessageQueueTLS}
 
@@ -173,14 +183,22 @@ func DatabaseEnv(cfg *config.Config) (res []corev1.EnvVar) {
 			LocalObjectReference: obj,
 			Key:                  "password",
 		}},
+	}, {
+		Name: "DB_USERNAME",
+		ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
+			LocalObjectReference: obj,
+			Key:                  "username",
+		}},
 	}, {
 		// todo(sje): conditional
 		Name:  "DB_DELETED_ENTRIES_GC_ENABLED",
 		Value: "false",
 	}, {
 		Name: "DB_ENCRYPTION_KEYS",
-		// todo(sje): either Value or ValueFrom
-		Value: "todo",
+		ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
+			LocalObjectReference: obj,
+			Key:                  "encryptionKeys",
+		}},
 		//ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
 		//	LocalObjectReference: corev1.LocalObjectReference{
 		//		Name: "",
@@ -193,7 +211,7 @@ func DatabaseEnv(cfg *config.Config) (res []corev1.EnvVar) {
 func DatabaseWaiterContainer(ctx *RenderContext) *corev1.Container {
 	return &corev1.Container{
 		Name:  "database-waiter",
-		Image: ImageName(ctx.Config.Repository, "service-waiter", "latest"),
+		Image: ImageName(ctx.Config.Repository, "service-waiter", ctx.VersionManifest.Components.ServiceWaiter.Version),
 		Args: []string{
 			"-v",
 			"database",
@@ -211,7 +229,7 @@ func DatabaseWaiterContainer(ctx *RenderContext) *corev1.Container {
 func MessageBusWaiterContainer(ctx *RenderContext) *corev1.Container {
 	return &corev1.Container{
 		Name:  "msgbus-waiter",
-		Image: ImageName(ctx.Config.Repository, "service-waiter", "latest"),
+		Image: ImageName(ctx.Config.Repository, "service-waiter", ctx.VersionManifest.Components.ServiceWaiter.Version),
 		Args: []string{
 			"-v",
 			"messagebus",
@@ -250,10 +268,10 @@ func KubeRBACProxyContainer() *corev1.Container {
 			},
 		},
 		Resources: corev1.ResourceRequirements{Requests: corev1.ResourceList{
-			corev1.ResourceName("cpu"):    resource.MustParse("1m"),
-			corev1.ResourceName("memory"): resource.MustParse("30Mi"),
+			corev1.ResourceCPU:    resource.MustParse("1m"),
+			corev1.ResourceMemory: resource.MustParse("30Mi"),
 		}},
-		TerminationMessagePolicy: corev1.TerminationMessagePolicy("FallbackToLogsOnError"),
+		TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 		SecurityContext: &corev1.SecurityContext{
 			RunAsUser:    pointer.Int64(65532),
 			RunAsGroup:   pointer.Int64(65532),

installer/pkg/common/render.go

@@ -78,8 +78,10 @@ func DependencySortingRenderFunc(f RenderFunc) RenderFunc {
 }
 
 type GeneratedValues struct {
-	StorageAccessKey string
-	StorageSecretKey string
+	StorageAccessKey         string
+	StorageSecretKey         string
+	InternalRegistryUsername string
+	InternalRegistryPassword string
 }
 
 type RenderContext struct {
@@ -104,6 +106,18 @@ func (r *RenderContext) generateValues() error {
 	}
 	r.Values.StorageSecretKey = storageSecretKey
 
+	internalRegistryUsername, err := RandomString(20)
+	if err != nil {
+		return err
+	}
+	r.Values.InternalRegistryUsername = internalRegistryUsername
+
+	internalRegistryPassword, err := RandomString(20)
+	if err != nil {
+		return err
+	}
+	r.Values.InternalRegistryPassword = internalRegistryPassword
+
 	return nil
 }
 

installer/pkg/components/content-service/configmap.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 
 	"github.com/gitpod-io/gitpod/content-service/api/config"
-	apiconfig "github.com/gitpod-io/gitpod/content-service/api/config"
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
 
 	corev1 "k8s.io/api/core/v1"
@@ -18,6 +17,11 @@ import (
 )
 
 func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
+	storageConfig, err := common.StorageConfiguration(ctx)
+	if err != nil {
+		return nil, err
+	}
+
 	cscfg := config.ServiceConfig{
 		Service: config.Service{
 			Addr: fmt.Sprintf(":%d", RPCPort),
@@ -28,8 +32,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 		PProf: config.PProf{
 			Addr: fmt.Sprintf(":%d", PProfPort),
 		},
-		// todo(sje): work out how to cater for different storages
-		Storage: apiconfig.StorageConfig{},
+		Storage: *storageConfig,
 	}
 
 	fc, err := json.MarshalIndent(cscfg, "", " ")

installer/pkg/components/docker-registry/constants.go

@@ -8,4 +8,5 @@ const (
 	BuiltInRegistryAuth  = "builtin-registry-auth"
 	BuiltInRegistryCerts = "builtin-registry-certs"
 	Component            = "docker-registry"
+	RegistryName         = "registry"
 )

installer/pkg/components/docker-registry/helm.go

@@ -21,6 +21,7 @@ var Helm = common.CompositeHelmFunc(
 			Enabled: pointer.BoolDeref(cfg.Config.ContainerRegistry.InCluster, false),
 			Values: &values.Options{
 				Values: []string{
+					helm.KeyValue("docker-registry.fullnameOverride", RegistryName),
 					helm.KeyValue("docker-registry.service.port", strconv.Itoa(proxy.ContainerHTTPSPort)),
 					helm.KeyValue("docker-registry.tlsSecretName", proxy.RegistryTLSCertSecret),
 				},

installer/pkg/components/docker-registry/secret.go

@@ -25,14 +25,14 @@ func secret(ctx *common.RenderContext) ([]runtime.Object, error) {
 		return nil, nil
 	}
 
-	user, err := common.RandomString(20)
-	if err != nil {
-		return nil, err
+	user := ctx.Values.InternalRegistryUsername
+	if user == "" {
+		return nil, fmt.Errorf("unknown value: internal registry username")
 	}
 
-	password, err := common.RandomString(20)
-	if err != nil {
-		return nil, err
+	password := ctx.Values.InternalRegistryPassword
+	if password == "" {
+		return nil, fmt.Errorf("unknown value: internal registry password")
 	}
 
 	// todo(sje): handle if bypassing registry with proxy

installer/pkg/components/image-builder-mk3/configmap.go

@@ -7,6 +7,8 @@ package image_builder_mk3
 import (
 	"encoding/json"
 	"fmt"
+	dockerregistry "github.com/gitpod-io/gitpod/installer/pkg/components/docker-registry"
+	"k8s.io/utils/pointer"
 	"time"
 
 	"github.com/gitpod-io/gitpod/common-go/util"
@@ -21,26 +23,43 @@ import (
 )
 
 func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
-	imgcfg := config.ServiceConfig{
-		Orchestrator: config.Configuration{
-			WorkspaceManager: config.WorkspaceManagerConfig{
-				Address: fmt.Sprintf("%s:%d", wsmanager.Component, wsmanager.RPCPort),
-				TLS: config.TLS{
-					Authority:   "/wsman-certs/ca.crt",
-					Certificate: "/wsman-certs/tls.crt",
-					PrivateKey:  "/wsman-certs/tls.key",
-				},
+	orchestrator := config.Configuration{
+		WorkspaceManager: config.WorkspaceManagerConfig{
+			Address: fmt.Sprintf("%s:%d", wsmanager.Component, wsmanager.RPCPort),
+			TLS: config.TLS{
+				Authority:   "/wsman-certs/ca.crt",
+				Certificate: "/wsman-certs/tls.crt",
+				PrivateKey:  "/wsman-certs/tls.key",
 			},
-			AuthFile:                 PullSecretFile, // todo(sje): make conditional
-			BaseImageRepository:      "",             // todo(sje): get conditional value
-			WorkspaceImageRepository: "",             // todo(sje): get conditional value
-			BuilderImage:             common.ImageName(ctx.Config.Repository, BuilderImage, BuilderImageVersion),
-			BuilderAuthKeyFile:       "/config/authkey",
 		},
+		BuilderImage:       common.ImageName(ctx.Config.Repository, BuilderImage, ctx.VersionManifest.Components.ImageBuilderMk3.BuilderImage.Version),
+		BuilderAuthKeyFile: "/config/authkey",
+	}
+
+	var baseImageRepo string
+	var workspaceImgRepo string
+	if pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) {
+		// todo(sje): handle external registry
+		registryName := fmt.Sprintf("%s.%s", dockerregistry.RegistryName, ctx.Config.Domain)
+
+		baseImageRepo = fmt.Sprintf("%s/base-images", registryName)
+		workspaceImgRepo = fmt.Sprintf("%s/workspace-images", registryName)
+
+		orchestrator.AuthFile = PullSecretFile
+	} else {
+		// todo(sje): handle outside cluster values for image builder mk3
+		return nil, fmt.Errorf("in cluster container currently only supported option")
+	}
+
+	orchestrator.BaseImageRepository = baseImageRepo
+	orchestrator.WorkspaceImageRepository = workspaceImgRepo
+
+	imgcfg := config.ServiceConfig{
+		Orchestrator: orchestrator,
 		RefCache: config.RefCacheConfig{
 			Interval: util.Duration(time.Hour * 6).String(),
 			Refs: []string{
-				common.ImageName(ctx.Config.Repository, workspace.DefaultWorkspaceImage, workspace.DefaultWorkspaceImageVersion),
+				fmt.Sprintf("%s:%s", workspace.DefaultWorkspaceImage, workspace.DefaultWorkspaceImageVersion),
 			},
 		},
 		Service: config.Service{

installer/pkg/components/image-builder-mk3/constants.go

@@ -5,12 +5,11 @@
 package image_builder_mk3
 
 const (
-	PullSecretFile      = "/config/pull-secret.json"
-	BuilderImage        = "image-builder-mk3/bob"
-	BuilderImageVersion = "latest"
-	Component           = "image-builder-mk3"
-	RPCPort             = 8080
-	RPCPortName         = "service"
-	PProfPort           = 6060
-	PrometheusPort      = 9500
+	PullSecretFile = "/config/pull-secret.json"
+	BuilderImage   = "image-builder-mk3/bob"
+	Component      = "image-builder-mk3"
+	RPCPort        = 8080
+	RPCPortName    = "service"
+	PProfPort      = 6060
+	PrometheusPort = 9500
 )

installer/pkg/components/mysql/secret.go

@@ -5,13 +5,21 @@
 package mysql
 
 import (
+	"encoding/json"
 	"fmt"
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
+type EncryptionKey struct {
+	Name     string `json:"name"`
+	Version  int    `json:"version"`
+	Primary  bool   `json:"primary"`
+	Material string `json:"material"`
+}
+
 func secrets(ctx *common.RenderContext) ([]runtime.Object, error) {
 	if !enabled(ctx) {
 		return nil, nil
@@ -27,6 +35,16 @@ func secrets(ctx *common.RenderContext) ([]runtime.Object, error) {
 		return nil, err
 	}
 
+	encryptionKeys, err := json.MarshalIndent([]EncryptionKey{{
+		Name:     "general",
+		Version:  1,
+		Primary:  true,
+		Material: "4uGh1q8y2DYryJwrVMHs0kWXJlqvHWWt/KJuNi04edI=",
+	}}, "", "  ")
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal mysql encryptionKeys: %w", err)
+	}
+
 	return []runtime.Object{&corev1.Secret{
 		TypeMeta: common.TypeMetaSecret,
 		ObjectMeta: metav1.ObjectMeta{
@@ -46,11 +64,12 @@ func secrets(ctx *common.RenderContext) ([]runtime.Object, error) {
 			Labels:    common.DefaultLabels(Component),
 		},
 		Data: map[string][]byte{
-			"database": []byte(Database),
-			"host":     []byte(Component),
-			"port":     []byte(fmt.Sprintf("%d", Port)),
-			"password": []byte(password),
-			"username": []byte(Username),
+			"database":       []byte(Database),
+			"encryptionKeys": encryptionKeys,
+			"host":           []byte(Component),
+			"port":           []byte(fmt.Sprintf("%d", Port)),
+			"password":       []byte(password),
+			"username":       []byte(Username),
 		},
 	}}, nil
 }

installer/pkg/components/proxy/configmap.go

@@ -90,15 +90,14 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 
 	// todo(sje) make conditional
 	// todo(sje): allow value to be set via config
-	username, err := common.RandomString(20)
-	if err != nil {
-		return nil, err
+	username := ctx.Values.InternalRegistryUsername
+	if username == "" {
+		return nil, fmt.Errorf("unknown value: internal registry username")
 	}
 
-	// todo(sje): allow value to be set via config
-	password, err := common.RandomString(20)
-	if err != nil {
-		return nil, err
+	password := ctx.Values.InternalRegistryPassword
+	if password == "" {
+		return nil, fmt.Errorf("unknown value: internal registry password")
 	}
 
 	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
@@ -108,7 +107,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 
 	dockerRegistry, err := renderTemplate(vhostDockerRegistry, dockerRegistryTpl{
 		Domain:       ctx.Config.Domain,
-		ReverseProxy: fmt.Sprintf("https://%s", common.DockerRegistryName),
+		ReverseProxy: fmt.Sprintf("https://%s.%s.%s", common.DockerRegistryName, ctx.Namespace, kubeDomain),
 		Username:     username,
 		Password:     base64.StdEncoding.EncodeToString(hashedPassword),
 	})
@@ -118,7 +117,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 
 	openVSX, err := renderTemplate(vhostOpenVSXTmpl, openVSXTpl{
 		Domain:  ctx.Config.Domain,
-		RepoURL: "open-vsx.org", // todo(sje) allow this to be configurable
+		RepoURL: fmt.Sprintf("openvsx-proxy.%s.%s:%d", ctx.Namespace, kubeDomain, 8080), // todo(sje): get port from (future) config
 	})
 	if err != nil {
 		return nil, err