From ba59c1bd9448bf2b565e4260ca09f7c848ab0daa Mon Sep 17 00:00:00 2001
From: Milan Pavlik
Date: Mon, 14 Nov 2022 15:27:08 +0000
Subject: [PATCH] [usage] Deploy usage by default
---
dev/preview/workflow/preview/deploy-gitpod.sh | 1 -
.../testdata/render/aws-setup/output.golden | 401 ++++++++++++++
.../testdata/render/azure-setup/output.golden | 401 ++++++++++++++
.../render/customization/output.golden | 444 +++++++++++++++
.../render/external-registry/output.golden | 401 ++++++++++++++
.../testdata/render/gcp-setup/output.golden | 389 +++++++++++++
.../testdata/render/http-proxy/output.golden | 521 ++++++++++++++++++
.../render/insecure-s3-setup/output.golden | 401 ++++++++++++++
.../cmd/testdata/render/minimal/output.golden | 401 ++++++++++++++
.../testdata/render/shortname/output.golden | 401 ++++++++++++++
.../statefulset-customization/output.golden | 401 ++++++++++++++
.../use-pod-security-policies/output.golden | 401 ++++++++++++++
.../workspace-requests-limits/output.golden | 401 ++++++++++++++
.../pkg/components/usage/configmap.go | 25 +-
.../pkg/components/usage/configmap_test.go | 129 ++++-
.../installer/pkg/components/usage/objects.go | 7 -
.../pkg/components/usage/objects_test.go | 59 +-
.../config/v1/experimental/experimental.go | 1 -
18 files changed, 5140 insertions(+), 45 deletions(-)
diff --git a/dev/preview/workflow/preview/deploy-gitpod.sh b/dev/preview/workflow/preview/deploy-gitpod.sh
index 6845affe1d8101..10d8bf2cb0518c 100755
--- a/dev/preview/workflow/preview/deploy-gitpod.sh
+++ b/dev/preview/workflow/preview/deploy-gitpod.sh
@@ -362,7 +362,6 @@ yq w -i "${INSTALLER_CONFIG_PATH}" sshGatewayHostKey.name "host-key" # # configureUsage # -yq w -i "${INSTALLER_CONFIG_PATH}" experimental.webapp.usage.enabled "true" yq w -i "${INSTALLER_CONFIG_PATH}" experimental.webapp.usage.schedule "1m" yq w -i "${INSTALLER_CONFIG_PATH}" experimental.webapp.usage.billInstancesAfter "2022-08-11T08:05:32.499Z" yq w -i "${INSTALLER_CONFIG_PATH}" experimental.webapp.usage.defaultSpendingLimit.forUsers "500" diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index 18f16bd2965287..aafa0693895d80 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -984,6 +1014,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
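Review bot: The `usage` NetworkPolicy added in aws-setup/output.golden (hunk `@@ -360,6 +360,36 @@`) is the only access control visible in this patch for the gRPC listener the ConfigMap binds to `0.0.0.0:9001`, and with this commit it is rendered for every install rather than only when `experimental.webapp.usage.enabled` is set. Its two `from` peers select on `component: server` and `component: public-api-server` alone, while the policy's own `podSelector` also requires `app: gitpod`; adding `app: gitpod` to both peers would keep the allow-list to Gitpod's own pods. On clusters whose CNI does not enforce NetworkPolicy the port is reachable from any pod that can route to the Service, so it is worth confirming that the usage API authenticates its callers itself. This golden file is rendered output, so the change belongs in the usage component's network-policy generator, which is not shown here; the same hunk repeats in the azure-setup, customization and external-registry goldens.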
@@ -2603,6 +2645,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -4950,6 +5064,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5662,6 +5818,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6332,6 +6506,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -6869,6 +7061,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -9362,6 +9578,191 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: eu-west-2 + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: aws-database + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: aws-database + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: aws-database + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: aws-database + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: aws-database + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + 
path: /ready + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: aws-database + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: aws-database + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: aws-database + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: aws-database + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: aws-database + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/azure-setup/output.golden b/install/installer/cmd/testdata/render/azure-setup/output.golden index fc3e69190e6cf0..806a0b038a2ac0 100644 --- a/install/installer/cmd/testdata/render/azure-setup/output.golden 
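Review bot: The `usage` container in the rendered Deployment (hunk `@@ -9362,6 +9578,191 @@` of aws-setup/output.golden) sets only `securityContext: privileged: false`, so nothing in the pod spec prevents it from running as root, and the RoleBinding added earlier in this file binds the `usage` ServiceAccount to `default-ns-psp:restricted-root-user`, whose name suggests root is permitted. The `kube-rbac-proxy` sidecar in the same pod already sets `runAsNonRoot: true` and `runAsUser: 65532`; if the usage image can run unprivileged, the main container could carry `runAsNonRoot: true` and `allowPrivilegeEscalation: false` as well. The sidecar is also started with `--insecure-listen-address=[$(IP)]:9500`, which serves metrics over plain HTTP, so a bearer token presented to it crosses the pod network unencrypted; this may match how the other components are rendered, which this hunk does not show. Both settings come from the installer's Go code rather than from this golden file, and the same Deployment hunk repeats in the azure-setup and customization goldens.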
+++ b/install/installer/cmd/testdata/render/azure-setup/output.golden @@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -963,6 +993,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -2520,6 +2562,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -4813,6 +4927,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5521,6 +5677,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6173,6 +6347,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -6714,6 +6906,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -9213,6 +9429,191 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: uksouth + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: azure-database + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: azure-database + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: azure-database + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: azure-database + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: azure-database + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + 
httpGet: + path: /ready + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: azure-database + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: azure-database + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: azure-database + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: azure-database + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: azure-database + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index 11b825812493f1..bb828ceb5603a9 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden 
+++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -1090,6 +1120,23 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + gitpod.io: hello + hello: world + creationTimestamp: null + labels: + app: gitpod + component: usage + gitpod.io: hello + hello: world + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -3100,6 +3147,97 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io: hello + gitpod.io/checksum_config: 59ca8e966956adc39d92abd7bde923298e98553020a90170a48d27dd551f9608 + hello: world + creationTimestamp: null + labels: + app: gitpod + component: usage + gitpod.io: hello + hello: world + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + annotations: + gitpod.io: hello + hello: world + creationTimestamp: null + labels: + app: gitpod + component: usage + gitpod.io: hello + hello: world + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + gitpod.io: hello + hello: world + creationTimestamp: null + labels: + app: gitpod + component: usage + gitpod.io: hello + hello: world + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + annotations: + gitpod.io: hello + hello: world + creationTimestamp: null + labels: + app: gitpod + component: usage + gitpod.io: hello + hello: world + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -5799,6 +5937,53 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + annotations: + gitpod.io: hello + hello: world + creationTimestamp: null + labels: + app: gitpod + component: usage + gitpod.io: hello + hello: world + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -6565,6 +6750,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -7235,6 +7438,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7942,6 +8163,35 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + annotations: + gitpod.io: hello + hello: world + creationTimestamp: null + labels: + app: gitpod + component: usage + gitpod.io: hello + hello: world + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -10827,6 +11077,200 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io: hello + gitpod.io/checksum_config: 59ca8e966956adc39d92abd7bde923298e98553020a90170a48d27dd551f9608 + hello: world + creationTimestamp: null + labels: + app: gitpod + component: usage + gitpod.io: hello + hello: world + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + gitpod.io: hello + hello: world + creationTimestamp: null + labels: + app: gitpod + component: usage + gitpod.io: hello + hello: world + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: local + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: 
HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index e8d39297f83680..f5a7a24133b358 100644 
--- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden @@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -963,6 +993,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -2597,6 +2639,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -5000,6 +5114,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5727,6 +5883,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6379,6 +6553,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -6996,6 +7188,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -9639,6 +9855,191 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: local + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP + 
successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index f4065cb621b33f..6bf9c2f7df54ba 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden 
@@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -959,6 +989,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -2539,6 +2581,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -4774,6 +4888,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5480,6 +5636,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6150,6 +6324,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -6688,6 +6880,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -9130,6 +9346,179 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: europe-west2 + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + value: cloudsqlproxy + - name: DB_PORT + value: "3306" + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: gcp-database + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: gcp-database + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: gcp-database + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + 
resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + value: cloudsqlproxy + - name: DB_PORT + value: "3306" + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: gcp-database + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: gcp-database + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: gcp-database + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index 8c7f51f1befb4d..c77a6b6bd9d1e8 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden 
@@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -1000,6 +1030,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -2706,6 +2748,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -5223,6 +5337,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5969,6 +6125,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6639,6 +6813,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7279,6 +7471,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -11302,6 +11518,311 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: local + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: HTTP_PROXY + valueFrom: + secretKeyRef: + key: httpProxy + name: http-proxy-settings + optional: true + - name: http_proxy + valueFrom: + secretKeyRef: + key: httpProxy + name: http-proxy-settings + optional: true + - name: HTTPS_PROXY + valueFrom: + secretKeyRef: + key: httpsProxy + name: http-proxy-settings + optional: true + - name: https_proxy + valueFrom: + secretKeyRef: + key: httpsProxy + name: http-proxy-settings + optional: true + - name: CUSTOM_NO_PROXY + valueFrom: + secretKeyRef: + key: noProxy + name: http-proxy-settings + optional: true + - name: custom_no_proxy + valueFrom: + secretKeyRef: + key: noProxy + name: http-proxy-settings + optional: true + - name: NO_PROXY + value: 
ws-manager,wsdaemon,$(CUSTOM_NO_PROXY) + - name: no_proxy + value: ws-manager,wsdaemon,$(CUSTOM_NO_PROXY) + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: HTTP_PROXY + valueFrom: + secretKeyRef: + key: httpProxy + name: http-proxy-settings + optional: true + - name: http_proxy + valueFrom: + secretKeyRef: + key: httpProxy + name: http-proxy-settings + optional: true + - name: HTTPS_PROXY + valueFrom: + secretKeyRef: + key: httpsProxy + name: http-proxy-settings + optional: true + - name: https_proxy + valueFrom: + secretKeyRef: + key: httpsProxy + name: http-proxy-settings + optional: true + - name: CUSTOM_NO_PROXY + valueFrom: + secretKeyRef: + key: noProxy + name: http-proxy-settings + optional: true + - name: custom_no_proxy + valueFrom: + secretKeyRef: + key: noProxy + name: http-proxy-settings + optional: true + - name: NO_PROXY + value: ws-manager,wsdaemon,$(CUSTOM_NO_PROXY) + - 
name: no_proxy + value: ws-manager,wsdaemon,$(CUSTOM_NO_PROXY) + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + - name: HTTP_PROXY + valueFrom: + secretKeyRef: + key: httpProxy + name: http-proxy-settings + optional: true + - name: http_proxy + valueFrom: + secretKeyRef: + key: httpProxy + name: http-proxy-settings + optional: true + - name: HTTPS_PROXY + valueFrom: + secretKeyRef: + key: httpsProxy + name: http-proxy-settings + optional: true + - name: https_proxy + valueFrom: + secretKeyRef: + key: httpsProxy + name: http-proxy-settings + optional: true + - name: CUSTOM_NO_PROXY + valueFrom: + secretKeyRef: + key: noProxy + name: http-proxy-settings + optional: true + - name: custom_no_proxy + valueFrom: + secretKeyRef: + key: noProxy + name: http-proxy-settings + optional: true + - name: NO_PROXY + value: ws-manager,wsdaemon,$(CUSTOM_NO_PROXY) + - name: no_proxy + value: ws-manager,wsdaemon,$(CUSTOM_NO_PROXY) + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config 
+status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/insecure-s3-setup/output.golden b/install/installer/cmd/testdata/render/insecure-s3-setup/output.golden index 31aaab0cd65559..ffcad9977025b6 100644 --- a/install/installer/cmd/testdata/render/insecure-s3-setup/output.golden +++ b/install/installer/cmd/testdata/render/insecure-s3-setup/output.golden @@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -984,6 +1014,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -2677,6 +2719,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -5134,6 +5248,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5863,6 +6019,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6533,6 +6707,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7146,6 +7338,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -9785,6 +10001,191 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: local + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP 
+ successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index b621c2c7273bb7..17b120f437bd92 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden 
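Review bot: The `kube-rbac-proxy` sidecar in this Deployment starts with `--insecure-listen-address=[$(IP)]:9500`, so the metrics endpoint is served over plain HTTP on the pod IP. Any bearer token a scraper presents to the proxy would then cross the pod network unencrypted. Since usage is now rendered by default, consider `--secure-listen-address=[$(IP)]:9500` with `--tls-cert-file` and `--tls-private-key-file` (I believe the proxy falls back to a self-signed certificate when none is given; please confirm for v0.12.0). The arguments come from installer code outside this hunk, and the same sidecar arguments appear in the Deployment hunks of the minimal, shortname and statefulset-customization goldens.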
@@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -1000,6 +1030,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
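Review bot: The ingress peers of the added `usage` NetworkPolicy match on `component: server` and `component: public-api-server` alone, while the policy's own `podSelector` also requires `app: gitpod`. Any pod in the namespace carrying one of those component labels is therefore allowed to reach gRPC port 9001; adding `app: gitpod` to both peer `matchLabels` would make the allow-list as specific as the target selector. The rendered config binds the gRPC server to `0.0.0.0:9001` and this diff shows no authentication on that port, so the policy may be the only restriction on callers, which is worth confirming. The fix belongs in the installer's usage component, and the same policy is rendered in the shortname, statefulset-customization and use-pod-security-policies goldens.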
@@ -2703,6 +2745,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -5220,6 +5334,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5966,6 +6122,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6636,6 +6810,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7276,6 +7468,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -10014,6 +10230,191 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: local + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP 
+ successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index d2147de6b7b441..b4cf560ece9678 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden 
@@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -1000,6 +1030,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -2703,6 +2745,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -5220,6 +5334,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5966,6 +6122,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6636,6 +6810,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7276,6 +7468,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -10014,6 +10230,191 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: dev + - name: GITPOD_REGION + value: local + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP + 
successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index c4df133ea48ebe..803665edcee5f7 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden 
@@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -1000,6 +1030,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -2715,6 +2757,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -5232,6 +5346,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5978,6 +6134,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6648,6 +6822,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7288,6 +7480,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -10026,6 +10242,191 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: local + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP 
+ successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index 618bc87bc4e43c..84b3f30ab3dc02 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden 
@@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -1222,6 +1252,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -2991,6 +3033,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -5553,6 +5667,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -6382,6 +6538,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -7080,6 +7254,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7720,6 +7912,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -10458,6 +10674,191 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: local + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP 
+ successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index 43427d27911ab5..cc64d1736f976b 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden 
@@ -360,6 +360,36 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy usage +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: server + - podSelector: + matchLabels: + component: public-api-server + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: usage + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy workspace-default apiVersion: networking.k8s.io/v1 @@ -1000,6 +1030,18 @@ metadata: name: server namespace: default --- +# v1/ServiceAccount usage +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ServiceAccount workspace apiVersion: v1 automountServiceAccountToken: true 
@@ -2706,6 +2748,78 @@ data: name: public-api-server namespace: default --- + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ConfigMap + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- + apiVersion: v1 + kind: Service + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: 
@@ -5223,6 +5337,48 @@ metadata: name: server-ide-config namespace: default --- +# v1/ConfigMap usage +apiVersion: v1 +data: + config.json: |- + { + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + }, + "defaultSpendingLimit": { + "forTeams": 1000000000, + "forUsers": 1000000000, + "minForUsersOnStripe": 0 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + } + } +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +--- # v1/ConfigMap workspace-templates apiVersion: v1 kind: ConfigMap @@ -5969,6 +6125,24 @@ subjects: name: server namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-usage-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: default-usage-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: usage + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ws-daemon-rb apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -6639,6 +6813,24 @@ subjects: - kind: ServiceAccount name: server --- +# rbac.authorization.k8s.io/v1/RoleBinding usage +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-ns-psp:restricted-root-user +subjects: +- kind: ServiceAccount + name: usage +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7279,6 +7471,30 @@ spec: status: loadBalancer: {} --- +# v1/Service usage +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + kind: service + name: usage + namespace: default +spec: + ports: + - name: grpc + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: gitpod + component: usage + type: ClusterIP +status: + loadBalancer: {} +--- # v1/Service ws-daemon apiVersion: v1 kind: Service 
@@ -10017,6 +10233,191 @@ spec: secretName: twilio-secret status: {} --- +# apps/v1/Deployment usage +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + gitpod.io/checksum_config: 2e5e440024a9f86e101eefce306c4888024c495f968ee92ee01e072aad7fa13e + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: gitpod + component: usage + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: usage + name: usage + namespace: default + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gitpod.io/workload_meta + operator: Exists + containers: + - args: + - run + - --config=/config.json + env: + - name: GITPOD_DOMAIN + value: gitpod.example.com + - name: GITPOD_INSTALLATION_SHORTNAME + value: default + - name: GITPOD_REGION + value: local + - name: HOST_URL + value: https://gitpod.example.com + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_DOMAIN + value: svc.cluster.local + - name: LOG_LEVEL + value: info + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/usage:test + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 9501 + scheme: HTTP + successThreshold: 1 + timeoutSeconds: 1 + name: usage + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 9501 + scheme: HTTP 
+ successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + securityContext: + privileged: false + volumeMounts: + - mountPath: /config.json + name: config + readOnly: true + subPath: config.json + - args: + - --logtostderr + - --insecure-listen-address=[$(IP)]:9500 + - --upstream=http://127.0.0.1:9500/ + env: + - name: IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay.io/brancz/kube-rbac-proxy:v0.12.0 + name: kube-rbac-proxy + ports: + - containerPort: 9500 + name: metrics + resources: + requests: + cpu: 1m + memory: 30Mi + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + enableServiceLinks: false + initContainers: + - args: + - -v + - database + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + key: host + name: mysql + - name: DB_PORT + valueFrom: + secretKeyRef: + key: port + name: mysql + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: mysql + - name: DB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: mysql + - name: DB_ENCRYPTION_KEYS + valueFrom: + secretKeyRef: + key: encryptionKeys + name: mysql + image: eu.gcr.io/gitpod-core-dev/build/service-waiter:test + name: database-waiter + resources: {} + securityContext: + privileged: false + runAsUser: 31001 + restartPolicy: Always + serviceAccountName: usage + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: usage + name: config +status: {} +--- # apps/v1/Deployment ws-manager apiVersion: apps/v1 kind: Deployment diff --git a/install/installer/pkg/components/usage/configmap.go b/install/installer/pkg/components/usage/configmap.go index 06a67e5aab2f1a..caeec3be784827 100644 --- a/install/installer/pkg/components/usage/configmap.go +++ b/install/installer/pkg/components/usage/configmap.go 
@@ -21,7 +21,7 @@ import ( func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { cfg := server.Config{ - LedgerSchedule: "", // By default controller is disabled + LedgerSchedule: time.Duration(15 * time.Minute).String(), ResetUsageSchedule: time.Duration(15 * time.Minute).String(), Server: &baseserver.Configuration{ Services: baseserver.ServicesConfiguration{ @@ -36,6 +36,12 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { ForUsers: 1_000_000_000, MinForUsersOnStripe: 0, }, + + // This is the default configuration, used in self-hosted installs. + // For SaaS, we explicitly configure it based on workspace classes below. + CreditsPerMinuteByWorkspaceClass: map[string]float64{ + "default": 0.1666666667, + }, } expWebAppConfig := getExperimentalWebAppConfig(ctx) @@ -55,22 +61,23 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { expUsageConfig := getExperimentalUsageConfig(ctx) if expUsageConfig != nil { - if expUsageConfig.Schedule != "" { - cfg.LedgerSchedule = expUsageConfig.Schedule - } + cfg.LedgerSchedule = expUsageConfig.Schedule cfg.ResetUsageSchedule = expUsageConfig.ResetUsageSchedule + if expUsageConfig.DefaultSpendingLimit != nil { cfg.DefaultSpendingLimit = *expUsageConfig.DefaultSpendingLimit } } workspaceClassConfig := getExperimentalWorkspaceClassConfig(ctx) - - cfg.CreditsPerMinuteByWorkspaceClass = make(map[string]float64) - for _, v := range workspaceClassConfig { - if v.Credits != nil { - cfg.CreditsPerMinuteByWorkspaceClass[v.Id] = v.Credits.PerMinute + if len(workspaceClassConfig) > 0 { + creditsPerMinuteByWorkspaceClass := make(map[string]float64) + for _, v := range workspaceClassConfig { + if v.Credits != nil { + cfg.CreditsPerMinuteByWorkspaceClass[v.Id] = v.Credits.PerMinute + } } + cfg.CreditsPerMinuteByWorkspaceClass = creditsPerMinuteByWorkspaceClass } _ = ctx.WithExperimental(func(ucfg *experimental.Config) error { 
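Review bot: In the last configmap.go hunk the loop still assigns into `cfg.CreditsPerMinuteByWorkspaceClass`, and the line after the loop then replaces that map with the freshly made `creditsPerMinuteByWorkspaceClass`, which nothing has written to. As soon as any experimental workspace class is configured, the rendered config.json carries an empty credits table instead of the per-class rates. The loop body should fill the local map: `creditsPerMinuteByWorkspaceClass[v.Id] = v.Credits.PerMinute`. How the usage service treats a class with no entry is not visible in this diff, but this table feeds billing, so the empty result should not ship silently. configmap() begins and ends outside these hunks.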
diff --git a/install/installer/pkg/components/usage/configmap_test.go b/install/installer/pkg/components/usage/configmap_test.go index 2fa056756c8512..c7c21a13112484 100644 --- a/install/installer/pkg/components/usage/configmap_test.go +++ b/install/installer/pkg/components/usage/configmap_test.go @@ -5,14 +5,29 @@ package usage import ( "testing" + "time" + "github.com/gitpod-io/gitpod/installer/pkg/common" + config "github.com/gitpod-io/gitpod/installer/pkg/config/v1" "github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental" + "github.com/gitpod-io/gitpod/installer/pkg/config/versions" + "github.com/gitpod-io/gitpod/usage/pkg/db" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" ) -func TestConfigMap_ContainsSchedule(t *testing.T) { - ctx := renderContextWithUsageConfig(t, &experimental.UsageConfig{Enabled: true, Schedule: "2m", ResetUsageSchedule: "5m"}) +func TestConfigMap_WithExperimentalOptions(t *testing.T) { + billinstancesAfter := time.Date(2022, 10, 10, 10, 10, 10, 0, time.UTC) + ctx := renderContextWithUsageConfig(t, &experimental.UsageConfig{ + Schedule: "2m", + ResetUsageSchedule: "5m", + BillInstancesAfter: &billinstancesAfter, + DefaultSpendingLimit: &db.DefaultSpendingLimit{ + ForTeams: 123, + ForUsers: 456, + MinForUsersOnStripe: 7, + }, + }) objs, err := configmap(ctx) require.NoError(t, err) 
@@ -25,6 +40,116 @@ func TestConfigMap_ContainsSchedule(t *testing.T) { "controllerSchedule": "2m", "resetUsageSchedule": "5m", "stripeCredentialsFile": "stripe-secret/apikeys", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "defaultSpendingLimit": { + "forUsers": 456, + "forTeams": 123, + "minForUsersOnStripe": 7 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + } + }`, + cfgmap.Data[configJSONFilename], + ) +} + +func TestConfigMap_WithExperimentalOptions_EmptySchedule(t *testing.T) { + billinstancesAfter := time.Date(2022, 10, 10, 10, 10, 10, 0, time.UTC) + ctx := renderContextWithUsageConfig(t, &experimental.UsageConfig{ + Schedule: "", // empty specifies job is disabled + ResetUsageSchedule: "", // empty specifies job is disabled + BillInstancesAfter: &billinstancesAfter, + DefaultSpendingLimit: &db.DefaultSpendingLimit{ + ForTeams: 123, + ForUsers: 456, + MinForUsersOnStripe: 7, + }, + }) + + objs, err := configmap(ctx) + require.NoError(t, err) + + cfgmap, ok := objs[0].(*corev1.ConfigMap) + require.True(t, ok) + + require.JSONEq(t, + `{ + "stripeCredentialsFile": "stripe-secret/apikeys", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, + "defaultSpendingLimit": { + "forUsers": 456, + "forTeams": 123, + "minForUsersOnStripe": 7 + }, + "stripePrices": { + "individualUsagePriceIds": { + "eur": "", + "usd": "" + }, + "teamUsagePriceIds": { + "eur": "", + "usd": "" + } + }, + "server": { + "services": { + "grpc": { + "address": "0.0.0.0:9001" + } + } + } + }`, + cfgmap.Data[configJSONFilename], + ) +} + +func TestConfigMap_DefaultOptions(t *testing.T) { + ctx, err := common.NewRenderContext(config.Config{ + Domain: "test.domain.everything.awesome.is", + }, versions.Manifest{ + Components: versions.Components{ + Usage: versions.Versioned{ + 
Version: "commit-test-latest", + }, + ServiceWaiter: versions.Versioned{ + Version: "commit-test-latest", + }, + }, + }, "test-namespace") + require.NoError(t, err) + + objs, err := configmap(ctx) + require.NoError(t, err) + + cfgmap, ok := objs[0].(*corev1.ConfigMap) + require.True(t, ok) + + require.JSONEq(t, + `{ + "controllerSchedule": "15m0s", + "resetUsageSchedule": "15m0s", + "creditsPerMinuteByWorkspaceClass": { + "default": 0.1666666667 + }, "defaultSpendingLimit": { "forUsers": 1000000000, "forTeams": 1000000000, diff --git a/install/installer/pkg/components/usage/objects.go b/install/installer/pkg/components/usage/objects.go index c2033f9dd50dec..063ff520069f35 100644 --- a/install/installer/pkg/components/usage/objects.go +++ b/install/installer/pkg/components/usage/objects.go @@ -4,19 +4,12 @@ package usage import ( - "github.com/gitpod-io/gitpod/common-go/log" "github.com/gitpod-io/gitpod/installer/pkg/common" "github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental" "k8s.io/apimachinery/pkg/runtime" ) func Objects(ctx *common.RenderContext) ([]runtime.Object, error) { - cfg := getExperimentalUsageConfig(ctx) - if cfg == nil { - return nil, nil - } - - log.Debug("Detected experimental.WebApp.Usage configuration", cfg) return common.CompositeRenderFunc( deployment, rolebinding, diff --git a/install/installer/pkg/components/usage/objects_test.go b/install/installer/pkg/components/usage/objects_test.go index c5d09073e4457c..e4498fd8157dff 100644 --- a/install/installer/pkg/components/usage/objects_test.go +++ b/install/installer/pkg/components/usage/objects_test.go 
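Review bot: None of the tests added in configmap_test.go renders the config map with experimental workspace classes set, so the new `len(workspaceClassConfig) > 0` branch in configmap() never runs under test. A case that configures one class with `Credits.PerMinute` and asserts that `creditsPerMinuteByWorkspaceClass` in the JSON holds exactly that class would pin the path the in-code comment describes as the SaaS configuration. The experimental workspace-class type is not shown in this diff, so the fixture has to be built from its definition. Separately, both option tests set `BillInstancesAfter`, yet the expected JSON of the EmptySchedule test has no matching key, so that field appears to have no effect on what is asserted.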
@@ -14,13 +14,14 @@ import ( "github.com/gitpod-io/gitpod/installer/pkg/config/versions" ) -func TestObjects_NotRenderedByDefault(t *testing.T) { - ctx, err := common.NewRenderContext(config.Config{}, versions.Manifest{}, "test-namespace") +func TestObjects_RenderedByDefault(t *testing.T) { + cfg, version := newConfig(t) + ctx, err := common.NewRenderContext(cfg, version, "test-namespace") require.NoError(t, err) objects, err := Objects(ctx) require.NoError(t, err) - require.Empty(t, objects, "no objects should be rendered with default config") + require.NotEmpty(t, objects, "objects should be rendered with default config") } func TestObjects_RenderedWhenExperimentalConfigSet(t *testing.T) { 
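Review bot: `require.NotEmpty` in TestObjects_RenderedByDefault passes even when a single object is rendered, so it would not notice a default install that is missing, for instance, the NetworkPolicy or the RoleBinding. The sibling test asserts `require.Len(t, objects, 7, ...)`. If the default path renders the same set, which the golden files suggest but this hunk does not prove, use the same check here: `require.Len(t, objects, 7, "should render expected k8s objects")`.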
@@ -32,39 +33,47 @@ func TestObjects_RenderedWhenExperimentalConfigSet(t *testing.T) { require.Len(t, objects, 7, "should render expected k8s objects") } -func renderContextWithUsageConfig(t *testing.T, usage *experimental.UsageConfig) *common.RenderContext { - ctx, err := common.NewRenderContext(config.Config{ - Domain: "test.domain.everything.awesome.is", - Experimental: &experimental.Config{ - WebApp: &experimental.WebAppConfig{ - Usage: usage, - Server: &experimental.ServerConfig{StripeSecret: "stripe-secret-name"}, - }, - }, - Database: config.Database{ - CloudSQL: &config.DatabaseCloudSQL{ - ServiceAccount: config.ObjectRef{ - Name: "gcp-db-creds-service-account-name", +func newConfig(t *testing.T) (config.Config, versions.Manifest) { + return config.Config{ + Domain: "test.domain.everything.awesome.is", + Database: config.Database{ + CloudSQL: &config.DatabaseCloudSQL{ + ServiceAccount: config.ObjectRef{ + Name: "gcp-db-creds-service-account-name", + }, }, }, }, - }, versions.Manifest{ - Components: versions.Components{ - Usage: versions.Versioned{ - Version: "commit-test-latest", - }, - ServiceWaiter: versions.Versioned{ - Version: "commit-test-latest", + versions.Manifest{ + Components: versions.Components{ + Usage: versions.Versioned{ + Version: "commit-test-latest", + }, + ServiceWaiter: versions.Versioned{ + Version: "commit-test-latest", + }, }, + } +} + +func renderContextWithUsageConfig(t *testing.T, usage *experimental.UsageConfig) *common.RenderContext { + cfg, version := newConfig(t) + + cfg.Experimental = &experimental.Config{ + WebApp: &experimental.WebAppConfig{ + Usage: usage, + Server: &experimental.ServerConfig{StripeSecret: "stripe-secret-name"}, }, - }, "test-namespace") + } + + ctx, err := common.NewRenderContext(cfg, version, "test-namespace") require.NoError(t, err) return ctx } func renderContextWithUsageEnabled(t *testing.T) *common.RenderContext { - return renderContextWithUsageConfig(t, &experimental.UsageConfig{Enabled: true}) + 
return renderContextWithUsageConfig(t, &experimental.UsageConfig{}) } func renderContextWithStripeSecretSet(t *testing.T) *common.RenderContext { diff --git a/install/installer/pkg/config/v1/experimental/experimental.go b/install/installer/pkg/config/v1/experimental/experimental.go index 2761ec12e3bb08..f9a48df2bed4f4 100644 --- a/install/installer/pkg/config/v1/experimental/experimental.go +++ b/install/installer/pkg/config/v1/experimental/experimental.go @@ -267,7 +267,6 @@ type PublicAPIConfig struct { } type UsageConfig struct { - Enabled bool `json:"enabled"` Schedule string `json:"schedule"` ResetUsageSchedule string `json:"resetUsageSchedule"` BillInstancesAfter *time.Time `json:"billInstancesAfter"`
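Review bot: `renderContextWithUsageEnabled` now passes `&experimental.UsageConfig{}`, and with the configmap.go change in this commit a non-nil usage config copies its empty `Schedule` and `ResetUsageSchedule` into the rendered config, which the new EmptySchedule test describes as disabling both jobs. The helper name therefore says the opposite of what its fixture configures. Rename it (for example `renderContextWithEmptyUsageConfig`) or set explicit schedules in the fixture. `newConfig` accepts `t` but never uses it, so either drop the parameter or make `t.Helper()` its first statement, and add the same call to `renderContextWithUsageConfig` so failures point at the calling test.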