
[installer] Add custom CA secret support #9082

Merged (1 commit) Apr 11, 2022

Conversation

@csweichel csweichel (Contributor) commented Apr 1, 2022

Description

Adds custom CA cert support to the installer. When specified, the CA certs are mounted into server, image-builder and ws-daemon.

Related Issue(s)

Fixes #9077

How to test

(proper test is to install Gitpod on a cluster trying to talk to a Docker registry and SCM which use custom certs).

# namespace the secret lives in; the installer needs it passed explicitly with -n
NAMESPACE=gitpod   # adjust to the namespace you are validating against

# produce new config
installer init > config.yaml

# set required values (yq v3 "write" syntax; yq v4 spells this: yq -i '.domain = "foobar.com"' config.yaml)
yq write -i config.yaml domain foobar.com
yq write -i config.yaml customCACert.kind secret
yq write -i config.yaml customCACert.name custom-ca-cert

# validate cluster (should fail)
installer validate cluster -n "$NAMESPACE" --config config.yaml # reports missing secret

# produce a self-signed CA certificate (genrsa alone would only write a private key, not a certificate)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=test-ca" -keyout ca.key -out ca.crt
# the secret name must match customCACert.name; the CA bundle goes under the data key ca.crt
kubectl create secret generic custom-ca-cert -n "$NAMESPACE" --from-file=ca.crt=ca.crt

# validate cluster (should succeed)
installer validate cluster -n "$NAMESPACE" --config config.yaml

# render
installer render --config config.yaml > objs.yaml

# make sure we got the certs rendered in (grep takes the pattern before the file name)
grep -B 5 custom-ca-cert objs.yaml

Release Notes

Add custom CA cert support to Gitpod services
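The cluster validation step in the test plan only needs to find the secret named in customCACert.name (the installer output quoted further down the thread reports "secret custom-ca-cert not found"). What ends up inside that secret matters just as much: a trust bundle that accidentally carries a private key (easy to do by running openssl genrsa instead of producing a certificate), a leaf certificate, or an expired root will either leak material into server, image-builder and ws-daemon or silently fail to establish trust. The following is an added example written for this page, not code from the installer or from this PR, of what a stricter "present and valid" check over the secret's data can do. It assumes the PEM bundle lives under the data key ca.crt (the key the kubectl step creates); the function and helper names (ValidateCustomCASecret, selfSignedPEM, privateKeyPEM, must) are this example's own, and the certificates it feeds itself are generated in-process as constructed sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed layout (an assumption for this example, not taken from the installer): the
// Secret named by customCACert.name holds a PEM bundle under the data key "ca.crt".
const caCertKey = "ca.crt"

// Sentinel errors so callers (and tests) can tell the failure modes apart.
var (
	ErrMissingKey  = errors.New("secret is missing the ca.crt key")
	ErrNotCert     = errors.New("PEM block is not a CERTIFICATE")
	ErrNotCA       = errors.New("certificate is not a CA")
	ErrNotValidNow = errors.New("certificate is outside its validity period")
	ErrNoCerts     = errors.New("no PEM certificate blocks found")
)

// ValidateCustomCASecret checks what a "present and valid" step should verify beyond
// existence: the data key is there, every PEM block is a certificate (a private key in a
// trust bundle is a leaked secret, not a trust anchor), every certificate is a CA with
// basicConstraints, and each is valid at time now. Scanning stops at the first non-PEM
// bytes. It returns how many CA certificates were accepted.
func ValidateCustomCASecret(data map[string][]byte, now time.Time) (int, error) {
	raw, ok := data[caCertKey]
	if !ok || len(raw) == 0 {
		return 0, ErrMissingKey
	}
	count := 0
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return count, fmt.Errorf("block %d has type %q: %w", count, block.Type, ErrNotCert)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return count, fmt.Errorf("block %d: %w", count, err)
		}
		if !cert.BasicConstraintsValid || !cert.IsCA {
			return count, fmt.Errorf("%q: %w", cert.Subject.CommonName, ErrNotCA)
		}
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return count, fmt.Errorf("%q (not after %s): %w", cert.Subject.CommonName, cert.NotAfter.Format(time.RFC3339), ErrNotValidNow)
		}
		count++
	}
	if count == 0 {
		return 0, ErrNoCerts
	}
	return count, nil
}

// must keeps the sample-input helpers short; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedPEM builds a self-signed certificate as constructed sample input (not real
// trust material); isCA selects the basicConstraints CA flag the validator looks for.
func selfSignedPEM(cn string, isCA bool, notBefore, notAfter time.Time) []byte {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// privateKeyPEM reproduces the classic slip: "openssl genrsa -out ca.crt" writes a
// private key, not a certificate, so a bundle built from it must be rejected.
func privateKeyPEM() []byte {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

func main() {
	now := time.Now()
	valid := selfSignedPEM("corp-root-ca", true, now.Add(-time.Hour), now.Add(24*time.Hour))
	cases := map[string]map[string][]byte{
		"valid CA":       {caCertKey: valid},
		"private key":    {caCertKey: privateKeyPEM()},
		"leaf, not a CA": {caCertKey: selfSignedPEM("registry.internal", false, now.Add(-time.Hour), now.Add(time.Hour))},
		"expired CA":     {caCertKey: selfSignedPEM("old-ca", true, now.Add(-48*time.Hour), now.Add(-time.Hour))},
	}
	for name, data := range cases {
		n, err := ValidateCustomCASecret(data, now)
		fmt.Printf("%-15s accepted=%d err=%v\n", name, n, err)
	}
}
```

Run it with `go run .`; each case prints its verdict. Wiring this into a cluster validation would mean fetching the Secret through the Kubernetes client and handing its `.Data` map to ValidateCustomCASecret; that part is left out so the example stays free of non-standard-library dependencies.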

@csweichel csweichel marked this pull request as ready for review April 4, 2022 08:52
@csweichel csweichel requested review from a team April 4, 2022 08:52
@github-actions github-actions bot added labels team: delivery (self-hosted team), team: webapp, team: workspace on Apr 4, 2022
@@ -64,3 +64,41 @@ func InternalCAContainer(ctx *RenderContext, mod ...func(*corev1.Container)) *co

return res
}

// CustomCACertVolume produces the objects required to mount custom CA certificates
func CustomCACertVolume(ctx *RenderContext) (vol *corev1.Volume, mnt *corev1.VolumeMount, env *corev1.EnvVar, ok bool) {
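Review bot: the four loose return values on CustomCACertVolume make correctness depend on every caller remembering to check `ok`; a call site that wires `vol`, `mnt` and `env` into a pod spec without that check gets nil pointers that only surface at render time, and a single bool cannot distinguish "no custom CA configured" (carry on) from "configured but unusable" (abort the render). Returning a small struct plus an error, e.g. `func CustomCACertVolume(ctx *RenderContext) (*customCAMount, error)` with a nil result meaning "not configured" (hypothetical name), makes both cases explicit and would also address the wrapper-struct nit. The doc comment should additionally say which environment variable `env` sets and what path it points at, since neither is visible from the signature.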
Contributor
nit: Would it make sense to have the return values in a wrapper struct

@princerachit
Contributor

@csweichel I think something is missing in the test description around yq. Are you using the default shipped version of yq with workspace full?

I believe cfg.yaml and config.yaml are the same files. And is the write keyword in yq write -i config.yaml domain foobar.com command supposed to be there? It is failing for me.

@csweichel
Contributor Author

@csweichel I think something is missing in the test description around yq. Are you using the default shipped version of yq with workspace full?

Yes. I just used yq as it was available in my workspace on this branch.

I believe cfg.yaml and config.yaml are the same files.

Yep, fixed it in the description.

And is the write keyword in yq write -i config.yaml domain foobar.com command supposed to be there? It is failing for me.

AFAIK there are two incompatible versions of yq going 'round. I just used the yq as I found it in the workspace on this branch.

@corneliusludmann corneliusludmann (Contributor) left a comment

looks good 👍 🛹

@easyCZ
Member

easyCZ commented Apr 7, 2022

When running through the test steps, it fails for me on:

./installer validate cluster --config config.yaml
{
  "status": "ERROR",
  "items": [
    ...,
    {
      "name": "custom-ca-cert is present and valid",
      "description": "ensures the custom-ca-cert secret is present and contains the required data",
      "status": "ERROR",
      "errors": [
        {
          "message": "secret custom-ca-cert not found",
          "type": "ERROR"
        }
      ]
    }
  ]
}

My setup:

  • Compiled installer on this branch
  • Ran the steps
  • kubectl secret create failed because the secret already existed in the default configured kubens, but I could retrieve it

@csweichel
Contributor Author

csweichel commented Apr 7, 2022

@easyCZ that's a UX bug in the installer. The installer requires users to pass the namespace explicitly, i.e. ./installer validate cluster -n staging-cw-fix-9077 --config config.yaml works.

@corneliusludmann @lucasvaltl do we have an issue for this already?

@iamulya

iamulya commented Apr 8, 2022

(proper test is to install Gitpod on a cluster trying to talk to a Docker registry and SCM which use custom certs).

@csweichel Doesn't the workspace pod configuration have to be changed/updated as well so that git inside workspace can talk to an SCM with custom CA?

@csweichel
Contributor Author

(proper test is to install Gitpod on a cluster trying to talk to a Docker registry and SCM which use custom certs).

@csweichel Doesn't the workspace pod configuration have to be changed/updated as well so that git inside workspace can talk to an SCM with custom CA?

Yes. That will be a follow up PR. We already have the corresponding support in ws-manager. All that's missing is a config change.

@roboquat roboquat merged commit f273856 into main Apr 11, 2022
@roboquat roboquat deleted the cw/fix-9077 branch April 11, 2022 17:09
@roboquat roboquat added labels deployed: webapp (change is running in production), deployed: workspace (change is running in production) on Apr 12, 2022
Labels: deployed: webapp, deployed: workspace, release-note, size/L, team: delivery, team: webapp, team: workspace

Linked issue closed by this pull request: Add CA cert secret to the installer

6 participants