Add default workspace image to org setting #18723
Conversation
mustard-mh
force-pushed
the
hw/org-img
branch
from
0fecdd4 to
5cb3118
Compare
Co-authored-by: Filip Troníček <[email protected]>
There was a problem hiding this comment.
I tested and generally it works.
/hold
there are some discussions though have we can surface issues with access to the default image to members and owners. see https://gitpod.slack.com/archives/C05H5UQBW6Q/p1695027536449729?thread_ts=1695026341.413039&cid=C05H5UQBW6Q
|
Unit tests added, try it with exec |
There was a problem hiding this comment.
Thanks for adding this, @mustard-mh. 🌮
I've added below a few comments on UX—most importantly a suggestion for adding a message for users when their workspace could break because of the custom default image set.
We can improve the UX more around this feature in later iterations:
- Better checks
- Better form UX
- Include auth for private registries
- ...
| d = []byte(`# List the start up tasks. Learn more: https://www.gitpod.io/docs/configure/workspaces/tasks | ||
| defaultImage, err := getDefaultWorkspaceImage(ctx) | ||
| if err != nil { | ||
| fmt.Printf("failed to get organization default workspace image: %v\n", err) |
There was a problem hiding this comment.
issue: Not the best line to comment on this, but org users can easily run into non-functional workspace start flow if image is inaccessible, tags are missing, etc. See relevant discussion (internal). Cc @akosyakov
| Error 1 | Error 2 | ... |
|---|---|---|
 |
 |
| @@ -2507,6 +2509,7 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable { | |||
| const user = await this.checkAndBlockUser("updateOrgSettings"); | |||
| traceAPIParams(ctx, { orgId, userId: user.id }); | |||
| await this.guardTeamOperation(orgId, "update"); | |||
| // TODO: call ImageBuilder ResolveBaseImage to dry test if we can access this image | |||
There was a problem hiding this comment.
thought: This could be out of the scope of this PR, but from the relevant discussion (internal) with @akosyakov, an idea could be to try to validate the image on load, and nudge org owners when something is wrong. This could be surfacing also in the dashboard as global alert. 💡
| Checking | Error | OK |
|---|---|---|
 |
 |
 |
Later on, we could improve UX by also moving the help text and also this status check above the text input.
| Proposed UX for help text placement, out of the scope of this PR |
|---|
 |
| <TextInputField | ||
| label="Default Image" | ||
| // TODO: Provide document links | ||
| hint="Use any official Gitpod Docker image, or Docker image reference" | ||
| value={defaultWorkspaceImage} | ||
| onChange={setDefaultWorkspaceImage} | ||
| disabled={isLoading || !org?.isOwner} | ||
| /> |
There was a problem hiding this comment.
issue(non-blocking): Minor UX issue, but could we use a placeholder for now when someone is deleting the text input_ here? Feels a bit unintuitive when you delete all text and click save that there's a default value overriding the empty text input. Could be improved later.
| orgIdEnv.setName("GITPOD_WORKSPACE_DEFAULT_IMAGE"); | ||
| orgIdEnv.setValue(await this.configProvider.getDefaultImage(workspace.organizationId)); | ||
| sysEnvvars.push(orgIdEnv); | ||
|
|
||
| const spec = new StartWorkspaceSpec(); |
There was a problem hiding this comment.
suggestion: Definitely not the best line to comment about this, but since setting a non-reachable or non-functional workspace image could break UX for many org users, we could at least inform users why their workspace is broken.
From relevant discussion (internal):
Otherwise, users would be left in blank if they don't have organization settings access. I don't think users can guess there's something wrong with the custom image, right?
What do you think of adding an error alert in the workspace start, when a custom default image, and ideally we could check if it's accessible or not? If we can't check if the image is reachable, we could tone down the error as we do with the last editor warning and warn users that there's a custom set image that could be responsible for this workspace error.
What do you think?
| Error alert | Warning alert |
|---|---|
 |
 |
☝️ Copy for the warning could be improved.
☝️ We use that area for the latest editor warning, which could be nice if we replaced. In the future, we could hide the latest editor warning all together or tone down the message.
There was a problem hiding this comment.
@mustard-mh can we do something here?
Co-authored-by: George Tsiolis <[email protected]>
|
📔 To summarize:
Going to smoke test this PR, and only push necessary changes then. |
It is not only on change of default workspace image, but whenever someone to see it as well. There can be other conditions why it fails not only when default image is changing.
Here we don't need to do anyhting. It is outside of Gitpod control. User has to docker login and so on. |
@akosyakov Could you explain this in detail?
User who has private ECR permission on workspace start don't have that permission on in workspace docker pull, it's because we don't attach related env to workspace for security issues. @akosyakov So you mean that it's ok if we just left docker pull output to them |
Someone did some external change which broke default image pull, i.e. changed auth to registry, deleted a tag or so. In #18723 (comment) is proposed to validate on page load, so owner can go to this page and see whether everything is alright with the default image. The indicator is not part of changing org settings, but decoupled check which happens always, does not prevent from update the setting. They are not coupled. Org service does not need to know about image builder.
yes |
|
@akosyakov I see, Linear updated 🙏 |
|
Do we still need to do anything of rest can be addressed with follow-up PRs? @gtsiolis @mustard-mh @loujaybee |
mustard-mh
force-pushed
the
hw/org-img
branch
2 times, most recently
from
1faf203 to
22cca8d
Compare
mustard-mh
force-pushed
the
hw/org-img
branch
from
22cca8d to
97ae60f
Compare
|
Smoke tested test cases, going to unhold ✅ |
|
Thanks for this great progress, @mustard-mh! In case we're going very back and forth on the validation aspect, let's move that to a different PR, and focus this one on adding the setting. |
|
/unhold 🎉 |
Description
Summary generated by Copilot
🤖 Generated by Copilot at f347e3b
This pull request adds support for setting a default workspace image for an organization, which affects the workspace config for projects and prebuilds that belong to that organization. It also refactors some dashboard components and adds some error handling and UI logic for the organization settings page. It modifies the data model, the database migration, the server API, the client hooks, and the prebuild integrations to implement this feature.
Related Issue(s)
Fixes EXP-614
How to test
Dashboard UX
/settingspage as a member (join mine https://hw-org-img.preview.gitpod-dev.com/orgs/join?inviteId=b42773ab-7c5c-4f40-864c-ad808aed555f)Workspace Image
.gitpod.ymlshould go with org settingsgitpod/gitpod-baseas your org image, start with https://github.com/gitpod-io/empty, there should have nonodeinstalled.gitpod.yml, it should work with that image toogitpod/workspace-goGP-CLI
gp validategp validate[doc] , it should align to section Workspace Image above tooPrivate ECR
Documentation
Preview status
Gitpod was successfully deployed to your preview environment.
Build Options
Build
Run the build with werft instead of GHA
Run Leeway with
--dont-testPublish
Installer
Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
If enabled this will build
install/previewIf enabled this will create the environment on GCE infra
Valid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh. If enabled,with-previewandwith-large-vmwill be enabled./hold