[refresh-credential] rotate the AWS ECR credential by schedule #15313

Merged (14 commits) on Dec 15, 2022. Showing changes from 1 commit.
installer: update volume mount when Secret updates
According to the Kubernetes docs, a container using a Secret as a
subPath volume mount will not receive Secret updates.

Signed-off-by: JenTing Hsiao <hsiaoairplane@gmail.com>
jenting committed Dec 12, 2022
commit db80e26b09613a652048eb3dca6fb2281acd272a
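The kubelet behaviour behind the commit message, as an added example that is not part of this PR or of Gitpod's code: a Go simulation of the kubelet's atomic Secret update (a fresh timestamped generation directory plus a `..data` symlink swapped with rename) showing that a directory mount reads the rotated credential while a `subPath` mount keeps serving the file that was resolved at container start. The function names (`publishGeneration`, `mountSubPath`, `RotateScenario`), the temp directory and the two ECR-style JSON payloads are constructed for the example; the real kubelet bind-mounts the resolved file and deletes old generations, which the simulation approximates by keeping the old generation directory.

```go
package main

// Added example, not code from the Gitpod PR: simulates how the kubelet
// publishes a Secret volume and why a subPath mount never sees a rotation.
// Function names, payloads and directories are constructed for this example.

import (
	"fmt"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// secretFile is the projected file name, matching the PR's KeyToPath Path.
const secretFile = "pull-secret.json"

var genSeq uint64 // keeps generation directory names unique within a run

// publishGeneration mimics the kubelet AtomicWriter: write the payload into a
// new timestamped directory, then atomically repoint "..data" at it. The real
// kubelet deletes the old generation afterwards; a subPath bind mount pins the
// old inode anyway, which this simulation stands in for by keeping the old dir.
func publishGeneration(volDir string, payload []byte) (string, error) {
	gen := fmt.Sprintf("..%s.%09d",
		time.Now().UTC().Format("2006_01_02_15_04_05"), atomic.AddUint64(&genSeq, 1))
	genDir := filepath.Join(volDir, gen)
	if err := os.MkdirAll(genDir, 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(genDir, secretFile), payload, 0o644); err != nil {
		return "", err
	}
	// Symlink under a temporary name, then rename(2) over "..data": rename is
	// atomic, so a reader never observes a missing or half-updated link.
	tmpLink := filepath.Join(volDir, "..data_tmp")
	_ = os.Remove(tmpLink)
	if err := os.Symlink(gen, tmpLink); err != nil {
		return "", err
	}
	if err := os.Rename(tmpLink, filepath.Join(volDir, "..data")); err != nil {
		return "", err
	}
	// The file the container sees is a stable symlink routed through "..data".
	userLink := filepath.Join(volDir, secretFile)
	if _, err := os.Lstat(userLink); os.IsNotExist(err) {
		if err := os.Symlink(filepath.Join("..data", secretFile), userLink); err != nil {
			return "", err
		}
	}
	return genDir, nil
}

// mountSubPath models `subPath: .dockerconfigjson`: the kubelet resolves the
// symlink chain once, at container start, and bind-mounts that concrete file.
func mountSubPath(volDir string) (string, error) {
	return filepath.EvalSymlinks(filepath.Join(volDir, secretFile))
}

// readDirMount reads through the stable symlink, as a directory mount does,
// so it follows whatever "..data" points at right now.
func readDirMount(volDir string) (string, error) {
	b, err := os.ReadFile(filepath.Join(volDir, secretFile))
	return string(b), err
}

// readSubPathMount reads the file that was bound when the container started.
func readSubPathMount(boundPath string) (string, error) {
	b, err := os.ReadFile(boundPath)
	return string(b), err
}

// RotateScenario publishes credential v1, "starts" a container with a subPath
// mount, rotates to v2, and returns what a directory mount and the subPath
// mount each read afterwards.
func RotateScenario(volDir string) (dirMountSees, subPathSees string, err error) {
	v1 := []byte(`{"auths":{"ecr":{"auth":"token-v1"}}}`) // constructed payload
	v2 := []byte(`{"auths":{"ecr":{"auth":"token-v2"}}}`) // constructed payload
	if _, err = publishGeneration(volDir, v1); err != nil {
		return "", "", err
	}
	var bound string
	if bound, err = mountSubPath(volDir); err != nil {
		return "", "", err
	}
	if _, err = publishGeneration(volDir, v2); err != nil { // scheduled rotation
		return "", "", err
	}
	if dirMountSees, err = readDirMount(volDir); err != nil {
		return "", "", err
	}
	if subPathSees, err = readSubPathMount(bound); err != nil {
		return "", "", err
	}
	return dirMountSees, subPathSees, nil
}

func main() {
	volDir, err := os.MkdirTemp("", "secret-vol-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(volDir)
	d, s, err := RotateScenario(volDir)
	if err != nil {
		panic(err)
	}
	fmt.Println("directory mount sees:", d) // token-v2
	fmt.Println("subPath mount sees:  ", s) // token-v1
}
```

The directory mount is necessary but not sufficient: the consumer must also read `pull-secret.json` (or watch the directory for the `..data` rename) on each use, because a process that parses the file once at startup is no better off than one with a `subPath` mount.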
install/installer/pkg/components/blobserve/configmap.go (2 changes: 1 addition & 1 deletion)
@@ -101,7 +101,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
MaxSize: MaxSizeBytes,
},
},
AuthCfg: "/mnt/pull-secret.json",
AuthCfg: "/mnt/pull-secret/pull-secret.json",
Contributor commented:
I forget, but nesting the secret within a sub-directory was necessary so that we can watch it for changes, right?

Contributor Author replied:
You're right 💯

PProfAddr: common.LocalhostAddressFromPort(baseserver.BuiltinDebugPort),
PrometheusAddr: common.LocalhostPrometheusAddr(),
ReadinessProbeAddr: fmt.Sprintf(":%v", ReadinessPort),
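Review bot: `AuthCfg: "/mnt/pull-secret/pull-secret.json"` is the concatenation of the deployment's `MountPath: "/mnt/pull-secret"` and the `Items` entry `Path: "pull-secret.json"`, and nothing ties the three literals together; a shared constant for the directory and file name would prevent a silent mismatch. Separately, the directory mount only makes the rotated file visible in the container: if blobserve parses `AuthCfg` once at startup, the refreshed ECR credential is still not used until a restart, so please confirm it re-reads or watches the file, which is what the review thread assumes.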
install/installer/pkg/components/blobserve/deployment.go (4 changes: 2 additions & 2 deletions)
@@ -92,6 +92,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
Name: volumeName,
VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{
SecretName: secretName,
Items: []corev1.KeyToPath{{Key: ".dockerconfigjson", Path: "pull-secret.json"}},
}},
}},
Containers: []corev1.Container{{
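Review bot: the `SecretVolumeSource` sets `Items` but leaves `DefaultMode` unset, so the projected `pull-secret.json` gets the kubelet default of 0644 and the registry credential is readable by every user inside the container; consider a `DefaultMode` such as 0o400 (with an owner the container process can read as) now that the file is exposed through a plain directory mount.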
@@ -126,8 +127,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
MountPath: "/mnt/cache",
}, {
Name: volumeName,
MountPath: "/mnt/pull-secret.json",
SubPath: ".dockerconfigjson",
MountPath: "/mnt/pull-secret",
}},

ReadinessProbe: &corev1.Probe{
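Review bot: the mount at `MountPath: "/mnt/pull-secret"` is not marked `ReadOnly: true`; the old `SubPath` mount was not either, but a whole directory is now exposed, and a read-only mount cheaply stops a process in the container from modifying the projected credential. Note for the consumer that `/mnt/pull-secret/pull-secret.json` is a symlink into the kubelet-managed `..data` directory, so code that resolves the path once and caches the target reintroduces the stale-credential problem that removing `SubPath` fixes.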
@@ -48,7 +48,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
},
},
PullSecret: secretName,
PullSecretFile: PullSecretFile,
PullSecretFile: "/config/pull-secret/pull-secret.json",
BaseImageRepository: fmt.Sprintf("%s/base-images", registryName),
BuilderImage: ctx.ImageName(ctx.Config.Repository, BuilderImage, ctx.VersionManifest.Components.ImageBuilderMk3.BuilderImage.Version),
WorkspaceImageRepository: fmt.Sprintf("%s/workspace-images", registryName),
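Review bot: `PullSecretFile: "/config/pull-secret/pull-secret.json"` replaces the removed `PullSecretFile` constant with a literal, while the mount side of this PR uses the separate literal `"/config/pull-secret"` and the volume uses `Path: "pull-secret.json"`; these must compose to the same path and nothing enforces it. Suggest keeping a `PullSecretDir` constant and deriving the file path from it, for example `filepath.Join(PullSecretDir, "pull-secret.json")`, so the directory and file name exist in one place.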
@@ -7,9 +7,8 @@ package image_builder_mk3
import "github.com/gitpod-io/gitpod/installer/pkg/common"

const (
PullSecretFile = "/config/pull-secret.json"
BuilderImage = "image-builder-mk3/bob"
Component = common.ImageBuilderComponent
RPCPort = common.ImageBuilderRPCPort
RPCPortName = "service"
BuilderImage = "image-builder-mk3/bob"
Component = common.ImageBuilderComponent
RPCPort = common.ImageBuilderRPCPort
RPCPortName = "service"
)
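Review bot: deleting `PullSecretFile = "/config/pull-secret.json"` outright loses the only named reference to the credential path in this package; replacing it with a directory constant (and a file-name constant shared with the `KeyToPath` entry) would keep the mount, the projection and the config in sync. The rest of the hunk is only gofmt re-alignment of `BuilderImage`, `Component`, `RPCPort` and `RPCPortName` after the deletion.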
@@ -81,6 +81,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: secretName,
Items: []corev1.KeyToPath{{Key: ".dockerconfigjson", Path: "pull-secret.json"}},
Contributor commented:
nit: Is pull-secret the right name, as we would also use it for pushes here? Could be tackled with https://github.com/gitpod-io/security/issues/89

Contributor Author (@jenting, Dec 14, 2022) replied:
The name is pull-secret.json now, ref code.
I updated the https://github.com/gitpod-io/security/issues/89 to track it.

},
},
},
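Review bot: the `Items` entry pins the Secret key to `.dockerconfigjson`, the key a `kubernetes.io/dockerconfigjson` Secret carries, and `Optional` is left unset, so if the scheduled ECR refresh job ever writes the rotated credential under a different key the kubelet refuses to set up the volume and the pod does not start, rather than silently serving an empty directory. That is the right failure mode here; the refresh job and this `KeyToPath` entry just need to agree on the key, which is worth stating in the PR description. The naming question in the thread (`pull-secret` also used for pushes) is tracked separately and need not block.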
@@ -100,8 +101,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
},
{
Name: "pull-secret",
MountPath: PullSecretFile,
SubPath: ".dockerconfigjson",
MountPath: "/config/pull-secret",
},
}
if vol, mnt, _, ok := common.CustomCACertVolume(ctx); ok {
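Review bot: the mount refers to the volume by the literal `Name: "pull-secret"` and to the directory by the literal `MountPath: "/config/pull-secret"`, whereas the blobserve hunks use a `volumeName` variable for the same purpose; aligning on a named constant for both the volume name and the mount directory would make the four edits in this PR one definition. The mount is also writable; add `ReadOnly: true`, since the container only ever reads the credential.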
@@ -88,7 +88,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
IPFSCache: ipfsCache,
RedisCache: redisCache,
},
AuthCfg: "/mnt/pull-secret.json",
AuthCfg: "/mnt/pull-secret/pull-secret.json",
PProfAddr: common.LocalhostAddressFromPort(baseserver.BuiltinDebugPort),
PrometheusAddr: common.LocalhostPrometheusAddr(),
ReadinessProbeAddr: fmt.Sprintf(":%v", ReadinessPort),
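Review bot: `AuthCfg` for registry-facade composes correctly with the daemonset side of this PR (`MountPath: "/mnt/pull-secret"` plus `Path: "pull-secret.json"`), but as with blobserve the directory mount only delivers the new bytes; whether registry-facade re-reads `AuthCfg` between pulls decides whether the scheduled rotation works without a rollout, and the PR description should say which it is.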
@@ -264,8 +264,7 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
},
{
Name: name,
MountPath: "/mnt/pull-secret.json",
SubPath: ".dockerconfigjson",
MountPath: "/mnt/pull-secret",
},
},
volumeMounts...,
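Review bot: this mount is also not `ReadOnly: true`; please add it. Because registry-facade is a daemonset, a credential that goes stale here is stale for every pod on that node, so a rollout-free rotation check (update the Secret, confirm the file under `/mnt/pull-secret` changes and pulls keep succeeding without restarting the daemonset) is worth adding to the PR's test plan.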
@@ -357,6 +356,7 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: secretName,
Items: []corev1.KeyToPath{{Key: ".dockerconfigjson", Path: "pull-secret.json"}},
},
},
}, {
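Review bot: this is the third copy of `Items: []corev1.KeyToPath{{Key: ".dockerconfigjson", Path: "pull-secret.json"}}` in the PR (blobserve and image-builder-mk3 carry the same literal); since every component projects the same key to the same file name, a single helper or constant pair in `common` would keep them from drifting the next time the credential format or file name changes.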