[test] Fix workspace integration tests

.github/CODEOWNERS

@@ -128,3 +128,18 @@
 /CHANGELOG.md
 /components/ide/jetbrains/backend-plugin/gradle-latest.properties
 /components/ide/jetbrains/gateway-plugin/gradle-latest.properties
+
+#
+# Add so that teams assert we're not breaking each other's integration tests
+/test/pkg/agent @gitpod-io/engineering-workspace
+/test/pkg/integration @gitpod-io/engineering-ide @gitpod-io/engineering-workspace
+/test/pkg/report @gitpod-io/engineering-workspace
+/test/tests/workspace @gitpod-io/engineering-workspace
+/test/tests/smoke-test @gitpod-io/engineering-ide @gitpod-io/engineering-workspace
+/test/tests/ide @gitpod-io/engineering-ide
+/test/tests/components/content-service @gitpod-io/engineering-workspace
+/test/tests/components/database @gitpod-io/engineering-webapp
+/test/tests/components/image-builder @gitpod-io/engineering-workspace
+/test/tests/components/server @gitpod-io/engineering-webapp
+/test/tests/components/ws-daemon @gitpod-io/engineering-workspace
+/test/tests/components/ws-manager @gitpod-io/engineering-workspace

.github/workflows/workspace-integration-tests.yml

@@ -38,21 +38,14 @@ jobs:
         steps:
             # sometimes auth fails with:
             # google-github-actions/setup-gcloud failed with: EACCES: permission denied, mkdir '/__t/gcloud'
+            - name: Set up Cloud SDK
+              uses: google-github-actions/setup-gcloud@v1
             - id: auth
               uses: google-github-actions/auth@v1
               continue-on-error: true
               with:
                   token_format: access_token
                   credentials_json: "${{ secrets.GCP_CREDENTIALS }}"
-            # so we retry on failure
-            - id: auth-retry
-              uses: google-github-actions/auth@v1
-              if: steps.auth.outcome == 'failure'
-              with:
-                  token_format: access_token
-                  credentials_json: "${{ secrets.GCP_CREDENTIALS }}"
-            - name: Set up Cloud SDK
-              uses: google-github-actions/setup-gcloud@v1
             # do this step as early as possible, so that Slack Notify failure has the secret
             - name: Get Secrets from GCP
               id: "secrets"
@@ -193,7 +186,7 @@ jobs:
                   args+=( "-kubeconfig=/home/gitpod/.kube/config" )
                   args+=( "-namespace=default" )
                   [[ "$USERNAME" != "" ]] && args+=( "-username=$USERNAME" )
-                  args+=( "-timeout=60m" )
+                  args+=( "-timeout=90m" )
 
                   BASE_TESTS_DIR="$GITHUB_WORKSPACE/test/tests"
                   CONTENT_SERVICE_TESTS="$BASE_TESTS_DIR/components/content-service"
@@ -225,7 +218,8 @@ jobs:
                       fi
 
                       set +e
-                      go test -p 2 -v ./... "${args[@]}" -run '.*[^.SerialOnly]$' 2>&1 | go-junit-report -subtest-mode=exclude-parents -set-exit-code -out "TEST-${TEST_NAME}-PARALLEL.xml" -iocopy
+                      # running tests in parallel saves time, but is flakey.
+                      go test -p 1 --parallel 1 -v ./... "${args[@]}" -run '.*[^.SerialOnly]$' 2>&1 | go-junit-report -subtest-mode=exclude-parents -set-exit-code -out "TEST-${TEST_NAME}-PARALLEL.xml" -iocopy
                       RC=${PIPESTATUS[0]}
                       set -e
 
@@ -240,6 +234,7 @@ jobs:
               uses: test-summary/action@v2
               with:
                   paths: "test/tests/**/TEST-*.xml"
+                  show: "all"
               if: always()
             - name: Slack Notification
               uses: rtCamp/action-slack-notify@v2

.werft/vm/manifests/rook-ceph/common.yaml

@@ -80,24 +80,6 @@ rules:
     resources: ["volumesnapshots/status"]
     verbs: ["update", "patch"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: 'psp:rook'
-  labels:
-    operator: rook
-    storage-backend: ceph
-    app.kubernetes.io/part-of: rook-ceph-operator
-rules:
-  - apiGroups:
-      - policy
-    resources:
-      - podsecuritypolicies
-    resourceNames:
-      - 00-rook-privileged
-    verbs:
-      - use
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -701,156 +683,6 @@ subjects:
     name: rook-ceph-system
     namespace: rook-ceph # namespace:operator
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-ceph-system-psp
-  labels:
-    operator: rook
-    storage-backend: ceph
-    app.kubernetes.io/part-of: rook-ceph-operator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-system
-    namespace: rook-ceph # namespace:operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-csi-cephfs-plugin-sa
-    namespace: rook-ceph # namespace:operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-csi-cephfs-provisioner-sa
-    namespace: rook-ceph # namespace:operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-csi-rbd-plugin-sa-psp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-csi-rbd-plugin-sa
-    namespace: rook-ceph # namespace:operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-csi-rbd-provisioner-sa
-    namespace: rook-ceph # namespace:operator
----
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: 00-rook-privileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
-  privileged: true
-  allowedCapabilities:
-    # required by CSI
-    - SYS_ADMIN
-    - MKNOD
-  fsGroup:
-    rule: RunAsAny
-  # runAsUser, supplementalGroups - Rook needs to run some pods as root
-  # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
-  runAsUser:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  # seLinux - seLinux context is unknown ahead of time; set if this is well-known
-  seLinux:
-    rule: RunAsAny
-  volumes:
-    # recommended minimum set
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - persistentVolumeClaim
-    - secret
-    - projected
-    # required for Rook
-    - hostPath
-  # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
-  # allowedHostPaths:
-  #   - pathPrefix: "/run/udev"  # for OSD prep
-  #     readOnly: false
-  #   - pathPrefix: "/dev"  # for OSD prep
-  #     readOnly: false
-  #   - pathPrefix: "/var/lib/rook"  # or whatever the dataDirHostPath value is set to
-  #     readOnly: false
-  # Ceph requires host IPC for setting up encrypted devices
-  hostIPC: true
-  # Ceph OSDs need to share the same PID namespace
-  hostPID: true
-  # hostNetwork can be set to 'false' if host networking isn't used
-  hostNetwork: true
-  hostPorts:
-    # Ceph messenger protocol v1
-    - min: 6789
-      max: 6790 # <- support old default port
-    # Ceph messenger protocol v2
-    - min: 3300
-      max: 3300
-    # Ceph RADOS ports for OSDs, MDSes
-    - min: 6800
-      max: 7300
-    # # Ceph dashboard port HTTP (not recommended)
-    # - min: 7000
-    #   max: 7000
-    # Ceph dashboard port HTTPS
-    - min: 8443
-      max: 8443
-    # Ceph mgr Prometheus Metrics
-    - min: 9283
-      max: 9283
-    # port for CSIAddons
-    - min: 9070
-      max: 9070
----
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -1147,38 +979,6 @@ subjects:
     name: rook-ceph-cmd-reporter
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-cmd-reporter-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-cmd-reporter
-    namespace: rook-ceph # namespace:cluster
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-default-psp
-  namespace: rook-ceph # namespace:cluster
-  labels:
-    operator: rook
-    storage-backend: ceph
-    app.kubernetes.io/part-of: rook-ceph-operator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: default
-    namespace: rook-ceph # namespace:cluster
----
 # Allow the ceph mgr to access resources scoped to the CephCluster namespace necessary for mgr modules
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1194,20 +994,6 @@ subjects:
     name: rook-ceph-mgr
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-mgr-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-mgr
-    namespace: rook-ceph # namespace:cluster
----
 # Allow the ceph mgr to access resources in the Rook operator namespace necessary for mgr modules
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1238,20 +1024,6 @@ subjects:
     name: rook-ceph-osd
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-osd-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-osd
-    namespace: rook-ceph # namespace:cluster
----
 # Allow the osd purge job to run in this namespace
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1267,20 +1039,6 @@ subjects:
     name: rook-ceph-purge-osd
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-purge-osd-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-purge-osd
-    namespace: rook-ceph # namespace:cluster
----
 # Allow the rgw pods in this namespace to work with configmaps
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1296,20 +1054,6 @@ subjects:
     name: rook-ceph-rgw
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-rgw-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-rgw
-    namespace: rook-ceph # namespace:cluster
----
 # Grant the operator, agent, and discovery agents access to resources in the rook-ceph-system namespace
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

components/gitpod-protocol/go/gitpod-service.go

@@ -2053,6 +2053,7 @@ type UpdateOwnAuthProviderParams struct {
 type CreateWorkspaceOptions struct {
 	StartWorkspaceOptions
 	ContextURL                         string `json:"contextUrl,omitempty"`
+	OrganizationId                     string `json:"organizationId,omitempty"`
 	IgnoreRunningWorkspaceOnSameCommit bool   `json:"ignoreRunningWorkspaceOnSameCommit,omitemopty"`
 	IgnoreRunningPrebuild              bool   `json:"ignoreRunningPrebuild,omitemopty"`
 	AllowUsingPreviousPrebuilds        bool   `json:"allowUsingPreviousPrebuilds,omitemopty"`

dev/preview/BUILD.yaml

@@ -33,7 +33,7 @@ scripts:
       export TF_VAR_preview_name="${TF_VAR_preview_name:-$(previewctl get name)}"
       export TF_VAR_vm_cpu="${TF_VAR_vm_cpu:-6}"
       export TF_VAR_vm_memory="${TF_VAR_vm_memory:-12Gi}"
-      export TF_VAR_vm_storage_class="${TF_VAR_vm_storage_class:-longhorn-gitpod-k3s-202209251218-onereplica}"
+      export TF_VAR_vm_storage_class="${TF_VAR_vm_storage_class:-longhorn-gitpod-k3s-202304191605-onereplica}"
       ./workflow/preview/deploy-harvester.sh
 
   - name: delete-preview