Revert "Remove unused caCertSecret (#16793)"

This reverts commit 5b30eb5.

Author: easyCZ

components/image-builder-mk3/cmd/setup.go

@@ -0,0 +1,35 @@
+// Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+	"os"
+	"os/exec"
+
+	"github.com/spf13/cobra"
+
+	"github.com/gitpod-io/gitpod/common-go/log"
+)
+
+var setupCmd = &cobra.Command{
+	Use:   "setup",
+	Short: "Updates the CA certificates",
+	Run: func(cmd *cobra.Command, args []string) {
+		log.Info("Updating CA certificates...")
+		shCmd := exec.Command("update-ca-certificates", "-f")
+		shCmd.Stdin = os.Stdin
+		shCmd.Stderr = os.Stderr
+		shCmd.Stdout = os.Stdout
+
+		err := shCmd.Run()
+		if err != nil {
+			log.Fatalf("cannot update CA certificates: %v", err)
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(setupCmd)
+}

components/registry-facade/cmd/setup.go

@@ -7,6 +7,7 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"regexp"
 
@@ -42,15 +43,13 @@ var setupCmd = &cobra.Command{
 			}
 
 			// https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
-			// https://github.com/containerd/containerd/blob/main/docs/hosts.md
 			hostsToml := fmt.Sprintf(`
 server = "https://%v:%v"
 
 [host."https://%v:%v"]
     capabilities = ["pull", "resolve"]
     ca = "%v"
-	# skip verifications of the registry's certificate chain and host name when set to true
-    #skip_verify = true
+    skip_verify = true
 `, hostname, port, hostname, port, filepath.Join(regDirectory, "ca.crt"))
 
 			err = os.WriteFile(filepath.Join(fakeRegPath, "hosts.toml"), []byte(hostsToml), 0644)
@@ -69,6 +68,27 @@ server = "https://%v:%v"
 				}
 			}
 		}
+
+		{
+			log.Info("Updating CA certificates in the node...")
+			shCmd := exec.Command("update-ca-certificates", "-f")
+			shCmd.Stdin = os.Stdin
+			shCmd.Stderr = os.Stderr
+			shCmd.Stdout = os.Stdout
+
+			err := shCmd.Run()
+			if err != nil {
+				log.Fatalf("cannot update CA certificates: %v", err)
+			}
+
+			sourceCA := "/etc/ssl/certs/ca-certificates.crt"
+			targetCA := filepath.Join(hostfs, "/etc/ssl/certs/ca-certificates.crt")
+
+			err = copyFile(sourceCA, targetCA)
+			if err != nil {
+				log.Fatal(err)
+			}
+		}
 	},
 }
 
@@ -81,6 +101,7 @@ func init() {
 
 	_ = setupCmd.MarkFlagRequired("hostname")
 	_ = setupCmd.MarkFlagRequired("hostfs")
+	_ = setupCmd.MarkFlagRequired("ca-directory")
 }
 
 func hostExists(hostname, hostsPath string) bool {

components/ws-manager-api/go/config/config.go

@@ -88,6 +88,9 @@ type Configuration struct {
 	Timeouts WorkspaceTimeoutConfiguration `json:"timeouts"`
 	// InitProbe configures the ready-probe of workspaces which signal when the initialization is finished
 	InitProbe InitProbeConfiguration `json:"initProbe"`
+	// WorkspaceCACertSecret optionally names a secret which is mounted in `/etc/ssl/certs/gp-custom.crt`
+	// in all workspace pods.
+	WorkspaceCACertSecret string `json:"caCertSecret,omitempty"`
 	// WorkspaceURLTemplate is a Go template which resolves to the external URL of the
 	// workspace. Available fields are:
 	// - `ID` which is the workspace ID,

components/ws-manager-mk2/controllers/create.go

@@ -267,6 +267,16 @@ func createDefiniteWorkspacePod(sctx *startWorkspaceContext) (*corev1.Pod, error
 		prefix = "prebuild"
 	case workspacev1.WorkspaceTypeImageBuild:
 		prefix = "imagebuild"
+		// mount self-signed gitpod CA certificate to ensure
+		// we can push images to the in-cluster registry
+		workspaceContainer.VolumeMounts = append(workspaceContainer.VolumeMounts,
+			corev1.VolumeMount{
+				Name:      "gitpod-ca-certificate",
+				MountPath: "/usr/local/share/ca-certificates/gitpod-ca.crt",
+				SubPath:   "ca.crt",
+				ReadOnly:  true,
+			},
+		)
 	default:
 		prefix = "ws"
 	}
@@ -311,6 +321,51 @@ func createDefiniteWorkspacePod(sctx *startWorkspaceContext) (*corev1.Pod, error
 			},
 		},
 	}
+	if sctx.Workspace.Spec.Type == workspacev1.WorkspaceTypeImageBuild {
+		volumes = append(volumes, corev1.Volume{
+			Name: "gitpod-ca-certificate",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: "builtin-registry-facade-cert",
+					Items: []corev1.KeyToPath{
+						{Key: "ca.crt", Path: "ca.crt"},
+					},
+				},
+			},
+		})
+	}
+
+	// This is how we support custom CA certs in Gitpod workspaces.
+	// Keep workspace templates clean.
+	if sctx.Config.WorkspaceCACertSecret != "" {
+		const volumeName = "custom-ca-certs"
+		volumes = append(volumes, corev1.Volume{
+			Name: volumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: sctx.Config.WorkspaceCACertSecret,
+					Items: []corev1.KeyToPath{
+						{
+							Key:  "ca.crt",
+							Path: "ca.crt",
+						},
+					},
+				},
+			},
+		})
+
+		const mountPath = "/etc/ssl/certs/gitpod-ca.crt"
+		workspaceContainer.VolumeMounts = append(workspaceContainer.VolumeMounts, corev1.VolumeMount{
+			Name:      volumeName,
+			ReadOnly:  true,
+			MountPath: mountPath,
+			SubPath:   "ca.crt",
+		})
+		workspaceContainer.Env = append(workspaceContainer.Env, corev1.EnvVar{
+			Name:  "NODE_EXTRA_CA_CERTS",
+			Value: mountPath,
+		})
+	}
 
 	workloadType := "regular"
 	if sctx.Headless {

components/ws-manager/pkg/manager/create.go

@@ -443,6 +443,51 @@ func (m *Manager) createDefiniteWorkspacePod(startContext *startWorkspaceContext
 		},
 	}
 
+	// This is how we support custom CA certs in Gitpod workspaces.
+	// Keep workspace templates clean.
+	if m.Config.WorkspaceCACertSecret != "" {
+		const volumeName = "custom-ca-certs"
+		volumes = append(volumes, corev1.Volume{
+			Name: volumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: m.Config.WorkspaceCACertSecret,
+					Items: []corev1.KeyToPath{
+						{
+							Key:  "ca.crt",
+							Path: "ca.crt",
+						},
+					},
+				},
+			},
+		})
+
+		const mountPath = "/etc/ssl/certs/gitpod-ca.crt"
+		workspaceContainer.VolumeMounts = append(workspaceContainer.VolumeMounts, corev1.VolumeMount{
+			Name:      volumeName,
+			ReadOnly:  true,
+			MountPath: mountPath,
+			SubPath:   "ca.crt",
+		})
+		workspaceContainer.Env = append(workspaceContainer.Env, corev1.EnvVar{
+			Name:  "NODE_EXTRA_CA_CERTS",
+			Value: mountPath,
+		})
+	}
+
+	if req.Type == api.WorkspaceType_IMAGEBUILD {
+		// mount self-signed gitpod CA certificate to ensure
+		// we can push images to the in-cluster registry
+		workspaceContainer.VolumeMounts = append(workspaceContainer.VolumeMounts,
+			corev1.VolumeMount{
+				Name:      "gitpod-ca-certificate",
+				MountPath: "/usr/local/share/ca-certificates/gitpod-ca.crt",
+				SubPath:   "ca.crt",
+				ReadOnly:  true,
+			},
+		)
+	}
+
 	workloadType := "regular"
 	if startContext.Headless {
 		workloadType = "headless"
@@ -604,6 +649,20 @@ func (m *Manager) createDefiniteWorkspacePod(startContext *startWorkspaceContext
 		}
 	}
 
+	if req.Type == api.WorkspaceType_IMAGEBUILD {
+		pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{
+			Name: "gitpod-ca-certificate",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: "builtin-registry-facade-cert",
+					Items: []corev1.KeyToPath{
+						{Key: "ca.crt", Path: "ca.crt"},
+					},
+				},
+			},
+		})
+	}
+
 	return &pod, nil
 }
 

components/ws-manager/pkg/manager/create_test.go

@@ -53,10 +53,11 @@ func TestCreateDefiniteWorkspacePod(t *testing.T) {
 	type fixture struct {
 		WorkspaceClass
 
-		Spec    *json.RawMessage          `json:"spec,omitempty"`    // *api.StartWorkspaceSpec
-		Request *json.RawMessage          `json:"request,omitempty"` // *api.StartWorkspaceRequest
-		Context *startWorkspaceContext    `json:"context,omitempty"`
-		Classes map[string]WorkspaceClass `json:"classes,omitempty"`
+		Spec         *json.RawMessage          `json:"spec,omitempty"`    // *api.StartWorkspaceSpec
+		Request      *json.RawMessage          `json:"request,omitempty"` // *api.StartWorkspaceRequest
+		Context      *startWorkspaceContext    `json:"context,omitempty"`
+		CACertSecret string                    `json:"caCertSecret,omitempty"`
+		Classes      map[string]WorkspaceClass `json:"classes,omitempty"`
 
 		EnforceAffinity   bool `json:"enforceAffinity,omitempty"`
 		DebugWorkspacePod bool `json:"debugWorkspacePod,omitempty"`
@@ -73,6 +74,7 @@ func TestCreateDefiniteWorkspacePod(t *testing.T) {
 			fixture := input.(*fixture)
 
 			mgmtCfg := forTestingOnlyManagerConfig()
+			mgmtCfg.WorkspaceCACertSecret = fixture.CACertSecret
 			mgmtCfg.DebugWorkspacePod = fixture.DebugWorkspacePod
 
 			if fixture.Classes == nil {
@@ -196,10 +198,11 @@ func TestCreatePVCForWorkspacePod(t *testing.T) {
 	type fixture struct {
 		WorkspaceClass
 
-		Spec    *json.RawMessage          `json:"spec,omitempty"`    // *api.StartWorkspaceSpec
-		Request *json.RawMessage          `json:"request,omitempty"` // *api.StartWorkspaceRequest
-		Context *startWorkspaceContext    `json:"context,omitempty"`
-		Classes map[string]WorkspaceClass `json:"classes,omitempty"`
+		Spec         *json.RawMessage          `json:"spec,omitempty"`    // *api.StartWorkspaceSpec
+		Request      *json.RawMessage          `json:"request,omitempty"` // *api.StartWorkspaceRequest
+		Context      *startWorkspaceContext    `json:"context,omitempty"`
+		CACertSecret string                    `json:"caCertSecret,omitempty"`
+		Classes      map[string]WorkspaceClass `json:"classes,omitempty"`
 
 		EnforceAffinity bool `json:"enforceAffinity,omitempty"`
 	}
@@ -215,6 +218,7 @@ func TestCreatePVCForWorkspacePod(t *testing.T) {
 			fixture := input.(*fixture)
 
 			mgmtCfg := forTestingOnlyManagerConfig()
+			mgmtCfg.WorkspaceCACertSecret = fixture.CACertSecret
 
 			if fixture.Classes == nil {
 				fixture.Classes = make(map[string]WorkspaceClass)

components/ws-manager/pkg/manager/testdata/cdwp_affinity.golden

@@ -267,4 +267,4 @@
         },
         "status": {}
     }
-}
+}