Remove unused caCertSecret (#16793)

* Add trust.cert-manager.io for to bundle CA certificates

Signed-off-by: Manuel de Brito Fontes <[email protected]>

* Configure CA volume and volumemount in components

* Update ws-manager golden files

* Deploy trust manager in preview

* Remove duplicated volume

* Update installer golden files

* Generate a bundle only for registry-facade

* Update golden files

* Fix initcontainer volume mounts

* Update golden files

* Fix registry-facade certificate

* Update golden files

* Disable skip_verify

* Enable force conflict with apply server side

Signed-off-by: Manuel de Brito Fontes <[email protected]>

* Avoid random werft namespace errors

Signed-off-by: Manuel de Brito Fontes <[email protected]>

---------

Signed-off-by: Manuel de Brito Fontes <[email protected]>

Author: aledbf

components/image-builder-mk3/cmd/setup.go

@@ -7,7 +7,6 @@ package cmd
 import (
 	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 
@@ -43,13 +42,15 @@ var setupCmd = &cobra.Command{
 			}
 
 			// https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
+			// https://github.com/containerd/containerd/blob/main/docs/hosts.md
 			hostsToml := fmt.Sprintf(`
 server = "https://%v:%v"
 
 [host."https://%v:%v"]
     capabilities = ["pull", "resolve"]
     ca = "%v"
-    skip_verify = true
+	# skip verifications of the registry's certificate chain and host name when set to true
+    #skip_verify = true
 `, hostname, port, hostname, port, filepath.Join(regDirectory, "ca.crt"))
 
 			err = os.WriteFile(filepath.Join(fakeRegPath, "hosts.toml"), []byte(hostsToml), 0644)
@@ -68,27 +69,6 @@ server = "https://%v:%v"
 				}
 			}
 		}
-
-		{
-			log.Info("Updating CA certificates in the node...")
-			shCmd := exec.Command("update-ca-certificates", "-f")
-			shCmd.Stdin = os.Stdin
-			shCmd.Stderr = os.Stderr
-			shCmd.Stdout = os.Stdout
-
-			err := shCmd.Run()
-			if err != nil {
-				log.Fatalf("cannot update CA certificates: %v", err)
-			}
-
-			sourceCA := "/etc/ssl/certs/ca-certificates.crt"
-			targetCA := filepath.Join(hostfs, "/etc/ssl/certs/ca-certificates.crt")
-
-			err = copyFile(sourceCA, targetCA)
-			if err != nil {
-				log.Fatal(err)
-			}
-		}
 	},
 }
 
@@ -101,7 +81,6 @@ func init() {
 
 	_ = setupCmd.MarkFlagRequired("hostname")
 	_ = setupCmd.MarkFlagRequired("hostfs")
-	_ = setupCmd.MarkFlagRequired("ca-directory")
 }
 
 func hostExists(hostname, hostsPath string) bool {

components/registry-facade/cmd/setup.go

@@ -88,9 +88,6 @@ type Configuration struct {
 	Timeouts WorkspaceTimeoutConfiguration `json:"timeouts"`
 	// InitProbe configures the ready-probe of workspaces which signal when the initialization is finished
 	InitProbe InitProbeConfiguration `json:"initProbe"`
-	// WorkspaceCACertSecret optionally names a secret which is mounted in `/etc/ssl/certs/gp-custom.crt`
-	// in all workspace pods.
-	WorkspaceCACertSecret string `json:"caCertSecret,omitempty"`
 	// WorkspaceURLTemplate is a Go template which resolves to the external URL of the
 	// workspace. Available fields are:
 	// - `ID` which is the workspace ID,

components/ws-manager-api/go/config/config.go

@@ -267,16 +267,6 @@ func createDefiniteWorkspacePod(sctx *startWorkspaceContext) (*corev1.Pod, error
 		prefix = "prebuild"
 	case workspacev1.WorkspaceTypeImageBuild:
 		prefix = "imagebuild"
-		// mount self-signed gitpod CA certificate to ensure
-		// we can push images to the in-cluster registry
-		workspaceContainer.VolumeMounts = append(workspaceContainer.VolumeMounts,
-			corev1.VolumeMount{
-				Name:      "gitpod-ca-certificate",
-				MountPath: "/usr/local/share/ca-certificates/gitpod-ca.crt",
-				SubPath:   "ca.crt",
-				ReadOnly:  true,
-			},
-		)
 	default:
 		prefix = "ws"
 	}
@@ -321,51 +311,6 @@ func createDefiniteWorkspacePod(sctx *startWorkspaceContext) (*corev1.Pod, error
 			},
 		},
 	}
-	if sctx.Workspace.Spec.Type == workspacev1.WorkspaceTypeImageBuild {
-		volumes = append(volumes, corev1.Volume{
-			Name: "gitpod-ca-certificate",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: "builtin-registry-facade-cert",
-					Items: []corev1.KeyToPath{
-						{Key: "ca.crt", Path: "ca.crt"},
-					},
-				},
-			},
-		})
-	}
-
-	// This is how we support custom CA certs in Gitpod workspaces.
-	// Keep workspace templates clean.
-	if sctx.Config.WorkspaceCACertSecret != "" {
-		const volumeName = "custom-ca-certs"
-		volumes = append(volumes, corev1.Volume{
-			Name: volumeName,
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: sctx.Config.WorkspaceCACertSecret,
-					Items: []corev1.KeyToPath{
-						{
-							Key:  "ca.crt",
-							Path: "ca.crt",
-						},
-					},
-				},
-			},
-		})
-
-		const mountPath = "/etc/ssl/certs/gitpod-ca.crt"
-		workspaceContainer.VolumeMounts = append(workspaceContainer.VolumeMounts, corev1.VolumeMount{
-			Name:      volumeName,
-			ReadOnly:  true,
-			MountPath: mountPath,
-			SubPath:   "ca.crt",
-		})
-		workspaceContainer.Env = append(workspaceContainer.Env, corev1.EnvVar{
-			Name:  "NODE_EXTRA_CA_CERTS",
-			Value: mountPath,
-		})
-	}
 
 	workloadType := "regular"
 	if sctx.Headless {

components/ws-manager-mk2/controllers/create.go

@@ -443,51 +443,6 @@ func (m *Manager) createDefiniteWorkspacePod(startContext *startWorkspaceContext
 		},
 	}
 
-	// This is how we support custom CA certs in Gitpod workspaces.
-	// Keep workspace templates clean.
-	if m.Config.WorkspaceCACertSecret != "" {
-		const volumeName = "custom-ca-certs"
-		volumes = append(volumes, corev1.Volume{
-			Name: volumeName,
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: m.Config.WorkspaceCACertSecret,
-					Items: []corev1.KeyToPath{
-						{
-							Key:  "ca.crt",
-							Path: "ca.crt",
-						},
-					},
-				},
-			},
-		})
-
-		const mountPath = "/etc/ssl/certs/gitpod-ca.crt"
-		workspaceContainer.VolumeMounts = append(workspaceContainer.VolumeMounts, corev1.VolumeMount{
-			Name:      volumeName,
-			ReadOnly:  true,
-			MountPath: mountPath,
-			SubPath:   "ca.crt",
-		})
-		workspaceContainer.Env = append(workspaceContainer.Env, corev1.EnvVar{
-			Name:  "NODE_EXTRA_CA_CERTS",
-			Value: mountPath,
-		})
-	}
-
-	if req.Type == api.WorkspaceType_IMAGEBUILD {
-		// mount self-signed gitpod CA certificate to ensure
-		// we can push images to the in-cluster registry
-		workspaceContainer.VolumeMounts = append(workspaceContainer.VolumeMounts,
-			corev1.VolumeMount{
-				Name:      "gitpod-ca-certificate",
-				MountPath: "/usr/local/share/ca-certificates/gitpod-ca.crt",
-				SubPath:   "ca.crt",
-				ReadOnly:  true,
-			},
-		)
-	}
-
 	workloadType := "regular"
 	if startContext.Headless {
 		workloadType = "headless"
@@ -649,20 +604,6 @@ func (m *Manager) createDefiniteWorkspacePod(startContext *startWorkspaceContext
 		}
 	}
 
-	if req.Type == api.WorkspaceType_IMAGEBUILD {
-		pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{
-			Name: "gitpod-ca-certificate",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: "builtin-registry-facade-cert",
-					Items: []corev1.KeyToPath{
-						{Key: "ca.crt", Path: "ca.crt"},
-					},
-				},
-			},
-		})
-	}
-
 	return &pod, nil
 }
 

components/ws-manager/pkg/manager/create.go

@@ -53,11 +53,10 @@ func TestCreateDefiniteWorkspacePod(t *testing.T) {
 	type fixture struct {
 		WorkspaceClass
 
-		Spec         *json.RawMessage          `json:"spec,omitempty"`    // *api.StartWorkspaceSpec
-		Request      *json.RawMessage          `json:"request,omitempty"` // *api.StartWorkspaceRequest
-		Context      *startWorkspaceContext    `json:"context,omitempty"`
-		CACertSecret string                    `json:"caCertSecret,omitempty"`
-		Classes      map[string]WorkspaceClass `json:"classes,omitempty"`
+		Spec    *json.RawMessage          `json:"spec,omitempty"`    // *api.StartWorkspaceSpec
+		Request *json.RawMessage          `json:"request,omitempty"` // *api.StartWorkspaceRequest
+		Context *startWorkspaceContext    `json:"context,omitempty"`
+		Classes map[string]WorkspaceClass `json:"classes,omitempty"`
 
 		EnforceAffinity   bool `json:"enforceAffinity,omitempty"`
 		DebugWorkspacePod bool `json:"debugWorkspacePod,omitempty"`
@@ -74,7 +73,6 @@ func TestCreateDefiniteWorkspacePod(t *testing.T) {
 			fixture := input.(*fixture)
 
 			mgmtCfg := forTestingOnlyManagerConfig()
-			mgmtCfg.WorkspaceCACertSecret = fixture.CACertSecret
 			mgmtCfg.DebugWorkspacePod = fixture.DebugWorkspacePod
 
 			if fixture.Classes == nil {
@@ -198,11 +196,10 @@ func TestCreatePVCForWorkspacePod(t *testing.T) {
 	type fixture struct {
 		WorkspaceClass
 
-		Spec         *json.RawMessage          `json:"spec,omitempty"`    // *api.StartWorkspaceSpec
-		Request      *json.RawMessage          `json:"request,omitempty"` // *api.StartWorkspaceRequest
-		Context      *startWorkspaceContext    `json:"context,omitempty"`
-		CACertSecret string                    `json:"caCertSecret,omitempty"`
-		Classes      map[string]WorkspaceClass `json:"classes,omitempty"`
+		Spec    *json.RawMessage          `json:"spec,omitempty"`    // *api.StartWorkspaceSpec
+		Request *json.RawMessage          `json:"request,omitempty"` // *api.StartWorkspaceRequest
+		Context *startWorkspaceContext    `json:"context,omitempty"`
+		Classes map[string]WorkspaceClass `json:"classes,omitempty"`
 
 		EnforceAffinity bool `json:"enforceAffinity,omitempty"`
 	}
@@ -218,7 +215,6 @@ func TestCreatePVCForWorkspacePod(t *testing.T) {
 			fixture := input.(*fixture)
 
 			mgmtCfg := forTestingOnlyManagerConfig()
-			mgmtCfg.WorkspaceCACertSecret = fixture.CACertSecret
 
 			if fixture.Classes == nil {
 				fixture.Classes = make(map[string]WorkspaceClass)

components/ws-manager/pkg/manager/create_test.go

@@ -267,4 +267,4 @@
         },
         "status": {}
     }
-}
+}