[installer] make dashboard to wait server and papi

Author: mustard-mh

install/installer/pkg/common/common.go

@@ -14,6 +14,8 @@ import (
 	"strings"
 
 	"github.com/gitpod-io/gitpod/common-go/baseserver"
+	public_api_server "github.com/gitpod-io/gitpod/installer/pkg/components/public-api-server"
+	"github.com/gitpod-io/gitpod/installer/pkg/components/server"
 	config "github.com/gitpod-io/gitpod/installer/pkg/config/v1"
 	"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 
@@ -493,6 +495,48 @@ func RedisWaiterContainer(ctx *RenderContext) *corev1.Container {
 	}
 }
 
+// ServerDeploymentWaiterContainer is the container used to wait for the deployment/server to be ready
+// it requires deployment get access to the cluster
+func ServerDeploymentWaiterContainer(ctx *RenderContext) *corev1.Container {
+	image := ctx.ImageName(ctx.Config.Repository, server.Component, ctx.VersionManifest.Components.Server.Version)
+	return &corev1.Container{
+		Name:  "server-waiter",
+		Image: ctx.ImageName(ctx.Config.Repository, "service-waiter", ctx.VersionManifest.Components.ServiceWaiter.Version),
+		Args: []string{
+			"-v",
+			"server",
+			"--image",
+			image,
+		},
+		SecurityContext: &corev1.SecurityContext{
+			Privileged:               pointer.Bool(false),
+			AllowPrivilegeEscalation: pointer.Bool(false),
+			RunAsUser:                pointer.Int64(31001),
+		},
+	}
+}
+
+// PublicAPIServerDeploymentWaiterContainer is the container used to wait for the deployment/public-api-server to be ready
+// it requires deployment get access to the cluster
+func PublicAPIServerDeploymentWaiterContainer(ctx *RenderContext) *corev1.Container {
+	image := ctx.ImageName(ctx.Config.Repository, public_api_server.Component, ctx.VersionManifest.Components.Server.Version)
+	return &corev1.Container{
+		Name:  "papi-server-waiter",
+		Image: ctx.ImageName(ctx.Config.Repository, "service-waiter", ctx.VersionManifest.Components.ServiceWaiter.Version),
+		Args: []string{
+			"-v",
+			"public-api-server",
+			"--image",
+			image,
+		},
+		SecurityContext: &corev1.SecurityContext{
+			Privileged:               pointer.Bool(false),
+			AllowPrivilegeEscalation: pointer.Bool(false),
+			RunAsUser:                pointer.Int64(31001),
+		},
+	}
+}
+
 func KubeRBACProxyContainer(ctx *RenderContext) *corev1.Container {
 	return KubeRBACProxyContainerWithConfig(ctx)
 }

install/installer/pkg/components/dashboard/deployment.go

@@ -48,6 +48,10 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 						DNSPolicy:                     corev1.DNSClusterFirst,
 						RestartPolicy:                 corev1.RestartPolicyAlways,
 						TerminationGracePeriodSeconds: pointer.Int64(30),
+						InitContainers: []corev1.Container{
+							*common.PublicAPIServerDeploymentWaiterContainer(ctx),
+							*common.ServerDeploymentWaiterContainer(ctx),
+						},
 						Containers: []corev1.Container{{
 							Name:            Component,
 							Image:           ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.Dashboard.Version),

install/installer/pkg/components/dashboard/objects.go

@@ -4,13 +4,19 @@
 
 package dashboard
 
-import "github.com/gitpod-io/gitpod/installer/pkg/common"
+import (
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	"k8s.io/apimachinery/pkg/runtime"
+)
 
 var Objects = common.CompositeRenderFunc(
 	deployment,
 	networkpolicy,
 	rolebinding,
 	pdb,
+	func(ctx *common.RenderContext) ([]runtime.Object, error) {
+		return Role(ctx)
+	},
 	common.GenerateService(Component, []common.ServicePort{
 		{
 			Name:          PortName,

install/installer/pkg/components/dashboard/role.go

@@ -0,0 +1,33 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package dashboard
+
+import (
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func Role(ctx *common.RenderContext) ([]runtime.Object, error) {
+	return []runtime.Object{&rbacv1.Role{
+		TypeMeta: common.TypeMetaRole,
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      Component,
+			Namespace: ctx.Namespace,
+			Labels:    common.DefaultLabels(Component),
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"deployment"},
+				Verbs: []string{
+					"get",
+				},
+			},
+		},
+	}}, nil
+}

install/installer/pkg/components/dashboard/rolebinding.go

@@ -5,8 +5,6 @@
 package dashboard
 
 import (
-	"fmt"
-
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
 
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -23,8 +21,8 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 			Labels:    common.DefaultLabels(Component),
 		},
 		RoleRef: rbacv1.RoleRef{
-			Kind:     "ClusterRole",
-			Name:     fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+			Kind:     "Role",
+			Name:     Component,
 			APIGroup: "rbac.authorization.k8s.io",
 		},
 		Subjects: []rbacv1.Subject{{