From db80e26b09613a652048eb3dca6fb2281acd272a Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Tue, 6 Dec 2022 05:59:40 +0000 Subject: [PATCH 01/14] installer: update volume mount when Secret updates According to Kubernetes doc, a container using a Secret as a subPath volume mount will not receive Secret updates. Signed-off-by: JenTing Hsiao --- install/installer/pkg/components/blobserve/configmap.go | 2 +- install/installer/pkg/components/blobserve/deployment.go | 4 ++-- .../pkg/components/image-builder-mk3/configmap.go | 2 +- .../pkg/components/image-builder-mk3/constants.go | 9 ++++----- .../pkg/components/image-builder-mk3/deployment.go | 4 ++-- .../pkg/components/registry-facade/configmap.go | 2 +- .../pkg/components/registry-facade/daemonset.go | 4 ++-- 7 files changed, 13 insertions(+), 14 deletions(-) diff --git a/install/installer/pkg/components/blobserve/configmap.go b/install/installer/pkg/components/blobserve/configmap.go index 64882295ffcebb..7d3db32ce6372a 100644 --- a/install/installer/pkg/components/blobserve/configmap.go +++ b/install/installer/pkg/components/blobserve/configmap.go @@ -101,7 +101,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { MaxSize: MaxSizeBytes, }, }, - AuthCfg: "/mnt/pull-secret.json", + AuthCfg: "/mnt/pull-secret/pull-secret.json", PProfAddr: common.LocalhostAddressFromPort(baseserver.BuiltinDebugPort), PrometheusAddr: common.LocalhostPrometheusAddr(), ReadinessProbeAddr: fmt.Sprintf(":%v", ReadinessPort), diff --git a/install/installer/pkg/components/blobserve/deployment.go b/install/installer/pkg/components/blobserve/deployment.go index c772e9cbd786be..55729a9d63b7ce 100644 --- a/install/installer/pkg/components/blobserve/deployment.go +++ b/install/installer/pkg/components/blobserve/deployment.go 
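Review bot: The new `AuthCfg` literal in blobserve/configmap.go is only correct while it equals the `MountPath` plus the `Items` `Path` that deployment.go sets in its own hunks, and nothing ties the three strings together. If they drift, blobserve is pointed at a credentials file that does not exist, which would presumably surface only at runtime as failed registry authentication. I would define `pullSecretMountPath = "/mnt/pull-secret"` and `pullSecretFileName = "pull-secret.json"` once in the package and write `AuthCfg: path.Join(pullSecretMountPath, pullSecretFileName),`. registry-facade/configmap.go has the same pairing with daemonset.go. The body of configmap continues outside the hunk.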
@@ -92,6 +92,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) { Name: volumeName, VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{ SecretName: secretName, + Items: []corev1.KeyToPath{{Key: ".dockerconfigjson", Path: "pull-secret.json"}}, }}, }}, Containers: []corev1.Container{{ @@ -126,8 +127,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) { MountPath: "/mnt/cache", }, { Name: volumeName, - MountPath: "/mnt/pull-secret.json", - SubPath: ".dockerconfigjson", + MountPath: "/mnt/pull-secret", }}, ReadinessProbe: &corev1.Probe{ diff --git a/install/installer/pkg/components/image-builder-mk3/configmap.go b/install/installer/pkg/components/image-builder-mk3/configmap.go index 34232583118815..637653cd758276 100644 --- a/install/installer/pkg/components/image-builder-mk3/configmap.go +++ b/install/installer/pkg/components/image-builder-mk3/configmap.go @@ -48,7 +48,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { }, }, PullSecret: secretName, - PullSecretFile: PullSecretFile, + PullSecretFile: "/config/pull-secret/pull-secret.json", BaseImageRepository: fmt.Sprintf("%s/base-images", registryName), BuilderImage: ctx.ImageName(ctx.Config.Repository, BuilderImage, ctx.VersionManifest.Components.ImageBuilderMk3.BuilderImage.Version), WorkspaceImageRepository: fmt.Sprintf("%s/workspace-images", registryName), diff --git a/install/installer/pkg/components/image-builder-mk3/constants.go b/install/installer/pkg/components/image-builder-mk3/constants.go index afb61f9c6a4e13..ebb249dffd09bc 100644 --- a/install/installer/pkg/components/image-builder-mk3/constants.go +++ b/install/installer/pkg/components/image-builder-mk3/constants.go 
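Review bot: In the `@@ -92,6 +92,7 @@` hunk of blobserve/deployment.go the key is spelled as the raw string `".dockerconfigjson"`, although the `corev1` package used on the same line exports it as `corev1.DockerConfigJsonKey`. The identical `Items` line is added in image-builder-mk3/deployment.go and registry-facade/daemonset.go, so a small helper in `common` returning the `[]corev1.KeyToPath` would keep the three in step. With `Items` set, volume setup fails when the referenced Secret has no such key, and the golden output shows `secretName` varying by setup, so the requirement deserves a comment: `// Secret must carry a .dockerconfigjson key; a missing key blocks pod start.` The enclosing function starts and ends outside the hunk.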
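Review bot: The rewritten `VolumeMount` in the `@@ -126,8 +127,7 @@` hunk of blobserve/deployment.go mounts registry credentials without `ReadOnly: true`, unlike neighbouring mounts in the rendered output that carry `readOnly: true`; adding `ReadOnly: true,` after `MountPath: "/mnt/pull-secret",` states the intent explicitly. Separately, dropping `SubPath` only makes the kubelet refresh the file on disk. Whether blobserve re-reads `AuthCfg` after start-up is not visible in this patch, so a rotated credential may still need a restart. A comment such as `// directory mount (no SubPath) so Secret updates reach the file; the consumer must re-open it` would record that. The same applies to the mount hunks in image-builder-mk3/deployment.go and registry-facade/daemonset.go.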
@@ -7,9 +7,8 @@ package image_builder_mk3 import "github.com/gitpod-io/gitpod/installer/pkg/common" const ( - PullSecretFile = "/config/pull-secret.json" - BuilderImage = "image-builder-mk3/bob" - Component = common.ImageBuilderComponent - RPCPort = common.ImageBuilderRPCPort - RPCPortName = "service" + BuilderImage = "image-builder-mk3/bob" + Component = common.ImageBuilderComponent + RPCPort = common.ImageBuilderRPCPort + RPCPortName = "service" ) diff --git a/install/installer/pkg/components/image-builder-mk3/deployment.go b/install/installer/pkg/components/image-builder-mk3/deployment.go index cf5773985e9758..b29160ed9c2353 100644 --- a/install/installer/pkg/components/image-builder-mk3/deployment.go +++ b/install/installer/pkg/components/image-builder-mk3/deployment.go @@ -81,6 +81,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) { VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ SecretName: secretName, + Items: []corev1.KeyToPath{{Key: ".dockerconfigjson", Path: "pull-secret.json"}}, }, }, }, @@ -100,8 +101,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) { }, { Name: "pull-secret", - MountPath: PullSecretFile, - SubPath: ".dockerconfigjson", + MountPath: "/config/pull-secret", }, } if vol, mnt, _, ok := common.CustomCACertVolume(ctx); ok { diff --git a/install/installer/pkg/components/registry-facade/configmap.go b/install/installer/pkg/components/registry-facade/configmap.go index c4d951980f733f..01b039bb0e4f42 100644 --- a/install/installer/pkg/components/registry-facade/configmap.go +++ b/install/installer/pkg/components/registry-facade/configmap.go 
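Review bot: Deleting the exported `PullSecretFile` constant in image-builder-mk3/constants.go and inlining `"/config/pull-secret/pull-secret.json"` in configmap.go leaves that path and the `MountPath: "/config/pull-secret"` in deployment.go as two unrelated literals that must be edited together. I would keep the constant with the new value, `PullSecretFile = "/config/pull-secret/pull-secret.json"`, and derive the mount point from it with `MountPath: path.Dir(PullSecretFile),`. That also avoids breaking any other package that imports the constant, which cannot be ruled out from this patch.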
@@ -88,7 +88,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { IPFSCache: ipfsCache, RedisCache: redisCache, }, - AuthCfg: "/mnt/pull-secret.json", + AuthCfg: "/mnt/pull-secret/pull-secret.json", PProfAddr: common.LocalhostAddressFromPort(baseserver.BuiltinDebugPort), PrometheusAddr: common.LocalhostPrometheusAddr(), ReadinessProbeAddr: fmt.Sprintf(":%v", ReadinessPort), diff --git a/install/installer/pkg/components/registry-facade/daemonset.go b/install/installer/pkg/components/registry-facade/daemonset.go index af7dbd38717219..964907fab46ac1 100644 --- a/install/installer/pkg/components/registry-facade/daemonset.go +++ b/install/installer/pkg/components/registry-facade/daemonset.go @@ -264,8 +264,7 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) { }, { Name: name, - MountPath: "/mnt/pull-secret.json", - SubPath: ".dockerconfigjson", + MountPath: "/mnt/pull-secret", }, }, volumeMounts..., @@ -357,6 +356,7 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) { VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ SecretName: secretName, + Items: []corev1.KeyToPath{{Key: ".dockerconfigjson", Path: "pull-secret.json"}}, }, }, }, { From 4762c6549794d81b17aa78a26af71e20f0dc4d54 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Tue, 6 Dec 2022 07:19:50 +0000 Subject: [PATCH 02/14] installer: add registry-credential component 
Signed-off-by: JenTing Hsiao --- .../testdata/render/aws-setup/output.golden | 260 ++++++++++++++++- .../testdata/render/azure-setup/output.golden | 260 ++++++++++++++++- .../render/customization/output.golden | 270 +++++++++++++++++- .../render/external-registry/output.golden | 260 ++++++++++++++++- .../testdata/render/gcp-setup/output.golden | 260 ++++++++++++++++- .../testdata/render/http-proxy/output.golden | 260 ++++++++++++++++- .../testdata/render/kind-ide/output.golden | 10 +- .../testdata/render/kind-meta/output.golden | 10 +- .../render/kind-workspace/output.golden | 250 +++++++++++++++- .../cmd/testdata/render/minimal/output.golden | 260 ++++++++++++++++- .../testdata/render/shortname/output.golden | 260 ++++++++++++++++- .../statefulset-customization/output.golden | 260 ++++++++++++++++- .../use-pod-security-policies/output.golden | 260 ++++++++++++++++- .../render/vsxproxy-pvc/output.golden | 260 ++++++++++++++++- .../workspace-requests-limits/output.golden | 260 ++++++++++++++++- .../components-workspace/components.go | 2 + .../registry-credential/constants.go | 13 + .../components/registry-credential/cronjob.go | 40 +++ .../pkg/components/registry-credential/job.go | 55 ++++ .../components/registry-credential/objects.go | 16 ++ .../components/registry-credential/role.go | 38 +++ .../registry-credential/rolebinding.go | 35 +++ .../components/registry-credential/secret.go | 74 +++++ 23 files changed, 3513 insertions(+), 160 deletions(-) create mode 100644 install/installer/pkg/components/registry-credential/constants.go create mode 100644 install/installer/pkg/components/registry-credential/cronjob.go create mode 100644 install/installer/pkg/components/registry-credential/job.go create mode 100644 install/installer/pkg/components/registry-credential/objects.go create mode 100644 install/installer/pkg/components/registry-credential/role.go create mode 100644 install/installer/pkg/components/registry-credential/rolebinding.go create mode 100644 
install/installer/pkg/components/registry-credential/secret.go diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index a66bea8b112d33..b4a7cb2d590ab4 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -975,6 +975,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1059,6 +1071,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: @@ -1294,7 +1338,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3273,6 +3317,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -4714,7 +4822,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -4958,7 +5066,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6183,6 +6291,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6652,6 +6781,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7468,7 +7615,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 1568539df3f78cad79c3dd7b7e3ae3f5cf4fa74ad7263936762f004a8a6af77c + gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d creationTimestamp: null labels: app: gitpod @@ -7556,9 +7703,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -7647,6 +7793,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -8329,7 +8478,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -8404,9 +8553,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -8441,6 +8589,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- @@ -9195,7 +9346,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6b82d310231a10f059f0a9efebcf1422f6b2e72eacb55b1ac68f283695b1a167 + gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 creationTimestamp: null labels: app: gitpod @@ -9255,9 +9406,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9312,6 +9462,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -10822,6 +10975,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -10912,3 +11100,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/azure-setup/output.golden b/install/installer/cmd/testdata/render/azure-setup/output.golden index 60150b27abdc5d..17714ad25a0f72 100644 --- a/install/installer/cmd/testdata/render/azure-setup/output.golden +++ b/install/installer/cmd/testdata/render/azure-setup/output.golden @@ -954,6 +954,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1038,6 +1050,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret load-definition # Source: rabbitmq/charts/rabbitmq/templates/secrets.yaml apiVersion: v1 @@ -1258,7 +1302,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3188,6 +3232,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: ServiceAccount metadata: @@ -4629,7 +4737,7 @@ data: } }, "pullSecret": "azure-registry", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "azure.registry.com/base-images", "workspaceImageRepository": "azure.registry.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -4819,7 +4927,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6036,6 +6144,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6487,6 +6616,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7307,7 +7454,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 08acb7a558503fa536bf6d5b21aaf37ba799fb4334edb308400f03753d646264 + gitpod.io/checksum_config: 627e2d5a5d50e8eb2531bd494ceb9cd26315e43008248fb6825dfc2b5189a3d3 creationTimestamp: null labels: app: gitpod @@ -7395,9 +7542,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -7486,6 +7632,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: azure-registry - hostPath: path: / @@ -8162,7 +8311,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 15d99333e20408bb28398cdfffeb658e161608de2b3f3d9fd983a85a796254d5 + gitpod.io/checksum_config: a46080fdf584e8531ec566bcd7761b7ceca365777f0859476a0a9c68beb99737 creationTimestamp: null labels: app: gitpod @@ -8237,9 +8386,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -8274,6 +8422,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: azure-registry status: {} --- @@ -9022,7 +9173,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 24e3c0a34ed37f9a09a1c770f5b1d59ff57211f99f0f8682e455e38c36bbeac7 + gitpod.io/checksum_config: 0da1a85b0ab27e086e341eef6d308b5585a6d369c322354bb2f73e26fffe3f78 creationTimestamp: null labels: app: gitpod @@ -9082,9 +9233,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9139,6 +9289,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: azure-registry - emptyDir: {} name: gitpod-ca-certificate 
@@ -10661,6 +10814,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -10751,3 +10939,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index f6aba9384be4b5..5d395660683db2 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -1076,6 +1076,23 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + gitpod.io: hello + hello: world + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + gitpod.io: hello + hello: world + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1195,6 +1212,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: @@ -1485,7 +1534,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3911,6 +3960,75 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + gitpod.io: hello + hello: world + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + gitpod.io: hello + hello: world + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -5509,7 +5627,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -5819,7 +5937,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -7109,6 +7227,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7578,6 +7717,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8599,7 +8756,7 @@ spec: metadata: annotations: gitpod.io: hello - gitpod.io/checksum_config: 9e5f1a3b0ad0175c34b4be5f0d0a1f0b8c2727eab17bd9548976255a54916e64 + gitpod.io/checksum_config: fd416b9d91d5650b8ddab533d0b39983c0169716448f74ad056ed5dbc5227aa7 hello: world creationTimestamp: null labels: @@ -8690,9 +8847,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -8781,6 +8937,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -9640,7 +9799,7 @@ spec: metadata: annotations: gitpod.io: hello - gitpod.io/checksum_config: 83fa4918a8a3e509e417c17dfe176f340594b9e93560245fcf94fea159f23617 + gitpod.io/checksum_config: f53bfe17888be51da5fce1993c73c75420a1ea22a48ae12c1a1b1ba218ca416c hello: world creationTimestamp: null labels: @@ -9718,9 +9877,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9755,6 +9913,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- @@ -10565,7 +10726,7 @@ spec: metadata: annotations: gitpod.io: hello - gitpod.io/checksum_config: bd4f1ac3b1b2e11f92bb14a55bf98ffb4eb011356e6330fde5b37d2f2de95d28 + gitpod.io/checksum_config: 3bbe78a00b2f3aebbeb9914eeb8c5e4fed6f3f71646fe10d5c5d6eb61063c719 hello: world creationTimestamp: null labels: @@ -10628,9 +10789,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -10685,6 +10845,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -12240,6 +12403,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -12330,3 +12528,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
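Review bot: `image: jenting/aws-iam-credential-rotate` in the `registry-credential` Job has no tag or digest and is pulled from a personal registry namespace, yet the container runs under a service account that may update Secrets and, judging by the `aws-ecr-updater/secret` annotation, reads the IAM user key pair. With `imagePullPolicy: IfNotPresent`, whichever build a node has cached is what runs, so the content is neither reproducible nor reviewable. Resolve the image through the version manifest like the other components and pin it, e.g. `image: <REGISTRY>/aws-iam-credential-rotate@sha256:<DIGEST>`. The securityContext sets only `allowPrivilegeEscalation: false`; consider adding `runAsNonRoot: true` and `readOnlyRootFilesystem: true` if the image supports them. The CronJob hunk on this line and the Job/CronJob hunks in the other golden files carry the same image line.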
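Review bot: `schedule: '* */6 * * *'` in the `registry-credential` CronJob (hunk `@@ -12330,3 +12528,51 @@`) matches every minute of hours 0, 6, 12 and 18, not once every six hours. Combined with `concurrencyPolicy: Replace`, each minute's run can terminate the previous one part-way through a Secret update. If a six-hourly refresh is intended, the line should read `schedule: '0 */6 * * *'`. The same schedule is rendered in the external-registry, gcp-setup and http-proxy golden files.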
diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index 8f9ebb72bc9748..4ae8f6ef5dda75 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden @@ -954,6 +954,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1038,6 +1050,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret db-password apiVersion: v1 data: @@ -1289,7 +1333,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
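Review bot: The `aws-iam-user-credentials` Secret in the `@@ -1038,6 +1050,38 @@` hunk is rendered with `access_key_id` and `secret_access_key` as literal `stringData`, and the same two values recur in every golden file in this patch. If they come from the test's seeded generator that is fine for a fixture, but confirm they are not a constant default in the component, because a fixed default would give every install the same key pair. Either way, a long-lived IAM user key ends up in the rendered YAML, where it is readable by anyone who handles the installer output. A safer shape is to take the name of a user-supplied Secret from the config and reference it, failing the render when it is absent, instead of emitting key material.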
@@ -3265,6 +3309,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: @@ -4770,7 +4878,7 @@ data: } }, "pullSecret": "my-registry-credentials", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "my-registry.example.com/base-images", "workspaceImageRepository": "my-registry.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -5006,7 +5114,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6242,6 +6350,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6693,6 +6822,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7589,7 +7736,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 08acb7a558503fa536bf6d5b21aaf37ba799fb4334edb308400f03753d646264 + gitpod.io/checksum_config: 627e2d5a5d50e8eb2531bd494ceb9cd26315e43008248fb6825dfc2b5189a3d3 creationTimestamp: null labels: app: gitpod @@ -7677,9 +7824,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -7768,6 +7914,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: my-registry-credentials - hostPath: path: / @@ -8603,7 +8752,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 15d99333e20408bb28398cdfffeb658e161608de2b3f3d9fd983a85a796254d5 + gitpod.io/checksum_config: a46080fdf584e8531ec566bcd7761b7ceca365777f0859476a0a9c68beb99737 creationTimestamp: null labels: app: gitpod @@ -8678,9 +8827,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -8715,6 +8863,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: my-registry-credentials status: {} --- @@ -9463,7 +9614,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 2b5bc4558a8b47f881af721619dcf4893415ab3914e56abb9f009d093f00f9e9 + gitpod.io/checksum_config: d21a309ff74da6d1c59c56ab227fbdb81058c31d03d27171d97fb975032589b7 creationTimestamp: null labels: app: gitpod @@ -9523,9 +9674,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9580,6 +9730,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: my-registry-credentials - emptyDir: {} name: gitpod-ca-certificate 
@@ -10972,6 +11125,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -11062,3 +11250,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index 622620ef44bf4d..d16ba387ca0482 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden @@ -950,6 +950,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1034,6 +1046,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret load-definition # Source: rabbitmq/charts/rabbitmq/templates/secrets.yaml apiVersion: v1 @@ -1235,7 +1279,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
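Review bot: The gcp-setup render, whose registry is `gcp.registry.com` with pull secret `gcp-registry`, now also receives `aws-ecr-credentials`, `aws-iam-user-credentials` and the `registry-credential` ServiceAccount (first hunks of this file section) with `aws-ecr-updater/region: us-west-1`. This suggests the component is emitted unconditionally and the region is hard-coded. An install that does not use ECR then carries a Secret-writing job and an IAM key Secret it has no use for; the kind-workspace golden file shows the same objects. Gate the component on an explicit ECR setting in the installer config and take the region from that setting; the generator source is not part of this hunk, so the exact condition has to be chosen there.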
@@ -3207,6 +3251,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -4600,7 +4708,7 @@ data: } }, "pullSecret": "gcp-registry", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "gcp.registry.com/base-images", "workspaceImageRepository": "gcp.registry.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -4780,7 +4888,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -5995,6 +6103,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6464,6 +6593,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7281,7 +7428,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 08acb7a558503fa536bf6d5b21aaf37ba799fb4334edb308400f03753d646264 + gitpod.io/checksum_config: 627e2d5a5d50e8eb2531bd494ceb9cd26315e43008248fb6825dfc2b5189a3d3 creationTimestamp: null labels: app: gitpod @@ -7369,9 +7516,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -7460,6 +7606,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: gcp-registry - hostPath: path: / @@ -8142,7 +8291,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 15d99333e20408bb28398cdfffeb658e161608de2b3f3d9fd983a85a796254d5 + gitpod.io/checksum_config: a46080fdf584e8531ec566bcd7761b7ceca365777f0859476a0a9c68beb99737 creationTimestamp: null labels: app: gitpod @@ -8217,9 +8366,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -8254,6 +8402,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: gcp-registry status: {} --- @@ -9066,7 +9217,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 99cc1fee844c39bd5073fe15bcf0636ee345fd13dbce15a6708ae656d6de7a9f + gitpod.io/checksum_config: 3ad6de41446efd5916e703ecf3f67a0227cf158984b3a42f22f4638f8fa4f384 creationTimestamp: null labels: app: gitpod @@ -9126,9 +9277,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9183,6 +9333,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: gcp-registry - emptyDir: {} name: gitpod-ca-certificate 
@@ -10525,6 +10678,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -10609,3 +10797,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index be500068446207..d08b7b97b0ff75 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -991,6 +991,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1075,6 +1087,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: @@ -1360,7 +1404,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3374,6 +3418,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -4939,7 +5047,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -5229,7 +5337,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6484,6 +6592,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6953,6 +7082,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7952,7 +8099,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 1568539df3f78cad79c3dd7b7e3ae3f5cf4fa74ad7263936762f004a8a6af77c + gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d creationTimestamp: null labels: app: gitpod @@ -8080,9 +8227,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -8292,6 +8438,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -9368,7 +9517,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -9483,9 +9632,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9560,6 +9708,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- @@ -10748,7 +10899,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6b82d310231a10f059f0a9efebcf1422f6b2e72eacb55b1ac68f283695b1a167 + gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 creationTimestamp: null labels: app: gitpod @@ -10848,9 +10999,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -10986,6 +11136,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -13195,6 +13348,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -13325,3 +13513,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/kind-ide/output.golden b/install/installer/cmd/testdata/render/kind-ide/output.golden index 3b692271cd948b..8718a9892abc90 100644 --- a/install/installer/cmd/testdata/render/kind-ide/output.golden +++ b/install/installer/cmd/testdata/render/kind-ide/output.golden @@ -417,7 +417,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -3270,7 +3270,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -3345,9 +3345,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -3382,6 +3381,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- diff --git a/install/installer/cmd/testdata/render/kind-meta/output.golden b/install/installer/cmd/testdata/render/kind-meta/output.golden index 881ab9276bc943..6f162186a18054 100644 --- a/install/installer/cmd/testdata/render/kind-meta/output.golden +++ b/install/installer/cmd/testdata/render/kind-meta/output.golden @@ -908,7 +908,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -6207,7 +6207,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -6282,9 +6282,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -6319,6 +6318,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- diff --git a/install/installer/cmd/testdata/render/kind-workspace/output.golden b/install/installer/cmd/testdata/render/kind-workspace/output.golden index 65be9cbf8c662d..eae2bd856adff5 100644 --- a/install/installer/cmd/testdata/render/kind-workspace/output.golden +++ b/install/installer/cmd/testdata/render/kind-workspace/output.golden @@ -501,6 +501,18 @@ metadata: name: nobody namespace: default --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -561,6 +573,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
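Review bot: The rendered `aws-iam-user-credentials` Secret carries `access_key_id` and `secret_access_key` in `stringData`, so a long-lived IAM user key ends up in plaintext in every stored copy of the installer output. The values here look like fixture data and their origin is outside this chunk. Even so, the component would be safer referencing a pre-existing Secret by name, or using a pod-bound IAM role, than rendering the key itself. Separately, `aws-ecr-credentials` is rendered with `.dockerconfigjson: '{}'`, so re-applying the manifest appears to reset an already-rotated token to empty until the next job run; this is worth confirming. Both Secrets recur in the minimal, shortname and statefulset-customization golden files.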
@@ -1572,6 +1616,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -1666,7 +1774,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -1769,7 +1877,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -2426,6 +2534,27 @@ rules: - get - update --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -2588,6 +2717,24 @@ subjects: - kind: ServiceAccount name: image-builder-mk3 --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -2966,7 +3113,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 1568539df3f78cad79c3dd7b7e3ae3f5cf4fa74ad7263936762f004a8a6af77c + gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d creationTimestamp: null labels: app: gitpod @@ -3054,9 +3201,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
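Review bot: The `registry-credential` Role added in the second hunk on this line grants `get`, `list`, `watch` and `update` on `secrets` with no `resourceNames`. The rotation job's service account can therefore read and overwrite every Secret in the namespace, including `builtin-registry-auth` and the TLS secrets other components mount. The job only manages two Secrets, so the `get`/`update` rule should carry `resourceNames: [aws-ecr-credentials, aws-iam-user-credentials]`. `list`/`watch` could be dropped if the updater can be given the names rather than discovering them by the `aws-ecr-updater` label; that discovery is inferred from the labels and not shown here. The same Role appears in the minimal, shortname and statefulset-customization golden files.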
@@ -3145,6 +3291,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -3476,7 +3625,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6b82d310231a10f059f0a9efebcf1422f6b2e72eacb55b1ac68f283695b1a167 + gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 creationTimestamp: null labels: app: gitpod @@ -3536,9 +3685,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -3593,6 +3741,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -3972,3 +4123,86 @@ spec: secret: secretName: https-certificates status: {} +--- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index 1739e985a15ca3..42d5c9686d78c1 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden @@ -991,6 +991,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1075,6 +1087,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: @@ -1360,7 +1404,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3371,6 +3415,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -4936,7 +5044,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -5226,7 +5334,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6481,6 +6589,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6950,6 +7079,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7869,7 +8016,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 1568539df3f78cad79c3dd7b7e3ae3f5cf4fa74ad7263936762f004a8a6af77c + gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d creationTimestamp: null labels: app: gitpod @@ -7957,9 +8104,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -8048,6 +8194,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -8883,7 +9032,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -8958,9 +9107,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -8995,6 +9143,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- @@ -9743,7 +9894,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6b82d310231a10f059f0a9efebcf1422f6b2e72eacb55b1ac68f283695b1a167 + gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 creationTimestamp: null labels: app: gitpod @@ -9803,9 +9954,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9860,6 +10010,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -11347,6 +11500,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -11437,3 +11625,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index faba81f57e5169..245803c4d96bbb 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden @@ -991,6 +991,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1075,6 +1087,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: @@ -1360,7 +1404,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3371,6 +3415,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -4936,7 +5044,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -5226,7 +5334,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6481,6 +6589,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6950,6 +7079,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7869,7 +8016,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 1568539df3f78cad79c3dd7b7e3ae3f5cf4fa74ad7263936762f004a8a6af77c + gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d creationTimestamp: null labels: app: gitpod @@ -7957,9 +8104,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -8048,6 +8194,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -8883,7 +9032,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -8958,9 +9107,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -8995,6 +9143,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- @@ -9743,7 +9894,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6b82d310231a10f059f0a9efebcf1422f6b2e72eacb55b1ac68f283695b1a167 + gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 creationTimestamp: null labels: app: gitpod @@ -9803,9 +9954,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9860,6 +10010,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -11347,6 +11500,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -11437,3 +11625,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index ca16bd9b0dc43c..f53d35ee79acf4 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -991,6 +991,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1075,6 +1087,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: @@ -1360,7 +1404,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3383,6 +3427,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -4948,7 +5056,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -5238,7 +5346,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6493,6 +6601,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6962,6 +7091,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7881,7 +8028,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 1568539df3f78cad79c3dd7b7e3ae3f5cf4fa74ad7263936762f004a8a6af77c + gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d creationTimestamp: null labels: app: gitpod @@ -7969,9 +8116,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -8060,6 +8206,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -8895,7 +9044,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -8970,9 +9119,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9007,6 +9155,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- @@ -9755,7 +9906,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6b82d310231a10f059f0a9efebcf1422f6b2e72eacb55b1ac68f283695b1a167 + gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 creationTimestamp: null labels: app: gitpod @@ -9815,9 +9966,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9872,6 +10022,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -11359,6 +11512,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -11449,3 +11637,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
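Review bot: `image: jenting/aws-iam-credential-rotate` in the Job and CronJob pod specs has no tag or digest and appears to live in a personal Docker Hub namespace, so it resolves to `latest`, and with `imagePullPolicy: IfNotPresent` nodes can end up running different builds. This container runs under a ServiceAccount that can read and update Secrets and, judging by its command, handles AWS IAM credentials. It should be pinned like the other components (compare `eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test` earlier in this file), ideally by digest, e.g. `image: <registry>/<repo>@sha256:<digest>`. The container `securityContext` only sets `allowPrivilegeEscalation: false`; `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` would be reasonable additions if the binary tolerates them. The golden output is generated, so the fix belongs in the Go that renders these objects.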
diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index a6b3c694ac90f2..92de28ad7b8708 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden @@ -1213,6 +1213,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1297,6 +1309,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: @@ -1582,7 +1626,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3704,6 +3748,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -5269,7 +5377,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -5559,7 +5667,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6905,6 +7013,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7394,6 +7523,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -8313,7 +8460,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 1568539df3f78cad79c3dd7b7e3ae3f5cf4fa74ad7263936762f004a8a6af77c + gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d creationTimestamp: null labels: app: gitpod @@ -8401,9 +8548,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -8492,6 +8638,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -9327,7 +9476,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -9402,9 +9551,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9439,6 +9587,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- @@ -10187,7 +10338,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6b82d310231a10f059f0a9efebcf1422f6b2e72eacb55b1ac68f283695b1a167 + gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 creationTimestamp: null labels: app: gitpod @@ -10247,9 +10398,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -10304,6 +10454,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -11791,6 +11944,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -11881,3 +12069,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index a20c452c1fd8db..949845861658ac 100644 --- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden @@ -991,6 +991,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1075,6 +1087,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: @@ -1360,7 +1404,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3373,6 +3417,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -4938,7 +5046,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -5228,7 +5336,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6483,6 +6591,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6952,6 +7081,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7871,7 +8018,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 1568539df3f78cad79c3dd7b7e3ae3f5cf4fa74ad7263936762f004a8a6af77c + gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d creationTimestamp: null labels: app: gitpod @@ -7959,9 +8106,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -8050,6 +8196,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -8873,7 +9022,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -8948,9 +9097,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -8985,6 +9133,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- @@ -9733,7 +9884,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6b82d310231a10f059f0a9efebcf1422f6b2e72eacb55b1ac68f283695b1a167 + gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 creationTimestamp: null labels: app: gitpod @@ -9793,9 +9944,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9850,6 +10000,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -11337,6 +11490,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -11427,3 +11615,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index b9762b6d3cde94..74da6e318f6840 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -991,6 +991,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1075,6 +1087,38 @@ metadata: name: ws-proxy namespace: default --- +# v1/Secret aws-ecr-credentials +apiVersion: v1 +kind: Secret +metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default +stringData: + .dockerconfigjson: '{}' +type: kubernetes.io/dockerconfigjson +--- +# v1/Secret aws-iam-user-credentials +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default +stringData: + access_key_id: 8-WGqw2oTnsPfUDNSk0Y + secret_access_key: DpC.aSAxkWBPu2_bJ_AE +--- # v1/Secret builtin-registry-auth apiVersion: v1 data: @@ -1360,7 +1404,7 @@ data: "maxSizeBytes": 1073741824 } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" 
@@ -3374,6 +3418,70 @@ data: name: image-builder-mk3 namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: aws-iam-user-credentials + namespace: default + --- + apiVersion: v1 + kind: Secret + metadata: + annotations: + aws-ecr-updater/region: us-west-1 + aws-ecr-updater/secret: aws-iam-user-credentials + creationTimestamp: null + labels: + app: gitpod + aws-ecr-updater: "true" + component: registry-credential + name: aws-ecr-credentials + namespace: default + --- + apiVersion: batch/v1 + kind: CronJob + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- apiVersion: v1 kind: Secret metadata: @@ -4939,7 +5047,7 @@ data: } }, "pullSecret": "builtin-registry-auth", - "pullSecretFile": "/config/pull-secret.json", + "pullSecretFile": "/config/pull-secret/pull-secret.json", "baseImageRepository": "registry.gitpod.example.com/base-images", "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" 
@@ -5229,7 +5337,7 @@ data: "key": "/mnt/certificates/tls.key" } }, - "dockerAuth": "/mnt/pull-secret.json", + "dockerAuth": "/mnt/pull-secret/pull-secret.json", "pprofAddr": "127.0.0.1:6060", "prometheusAddr": "127.0.0.1:9500", "readinessProbeAddr": ":8086" @@ -6484,6 +6592,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6953,6 +7082,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7872,7 +8019,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 1568539df3f78cad79c3dd7b7e3ae3f5cf4fa74ad7263936762f004a8a6af77c + gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d creationTimestamp: null labels: app: gitpod @@ -7960,9 +8107,8 @@ spec: - mountPath: /ws-manager-client-tls-certs name: ws-manager-client-tls-certs readOnly: true - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - mountPath: /mnt/certificates name: config-certificates - args: 
@@ -8051,6 +8197,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - hostPath: path: / @@ -8886,7 +9035,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: a93d22be9b0695e0bd3211bfd5e023b09c08a8cea026a41f080346023887bd74 + gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 creationTimestamp: null labels: app: gitpod @@ -8961,9 +9110,8 @@ spec: readOnly: true - mountPath: /mnt/cache name: cache - - mountPath: /mnt/pull-secret.json + - mountPath: /mnt/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -8998,6 +9146,9 @@ spec: name: config - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth status: {} --- @@ -9746,7 +9897,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 6b82d310231a10f059f0a9efebcf1422f6b2e72eacb55b1ac68f283695b1a167 + gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 creationTimestamp: null labels: app: gitpod @@ -9806,9 +9957,8 @@ spec: - mountPath: /wsman-certs name: wsman-tls-certs readOnly: true - - mountPath: /config/pull-secret.json + - mountPath: /config/pull-secret name: pull-secret - subPath: .dockerconfigjson - args: - --logtostderr - --insecure-listen-address=[$(IP)]:9500 @@ -9863,6 +10013,9 @@ spec: secretName: ws-manager-client-tls - name: pull-secret secret: + items: + - key: .dockerconfigjson + path: pull-secret.json secretName: builtin-registry-auth - emptyDir: {} name: gitpod-ca-certificate 
@@ -11350,6 +11503,41 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- +# batch/v1/Job registry-credential +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential +status: {} +--- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -11440,3 +11628,51 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - command: + - /aws-iam-credential-rotate + - ecr-update + image: jenting/aws-iam-credential-rotate + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + restartPolicy: OnFailure + serviceAccountName: registry-credential + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} 
diff --git a/install/installer/pkg/components/components-workspace/components.go b/install/installer/pkg/components/components-workspace/components.go index 1f477670a37f7d..9a6f1b8ea24c04 100644 --- a/install/installer/pkg/components/components-workspace/components.go +++ b/install/installer/pkg/components/components-workspace/components.go @@ -8,6 +8,7 @@ import ( "github.com/gitpod-io/gitpod/installer/pkg/common" agentsmith "github.com/gitpod-io/gitpod/installer/pkg/components/agent-smith" imagebuildermk3 "github.com/gitpod-io/gitpod/installer/pkg/components/image-builder-mk3" + registrycredential "github.com/gitpod-io/gitpod/installer/pkg/components/registry-credential" registryfacade "github.com/gitpod-io/gitpod/installer/pkg/components/registry-facade" "github.com/gitpod-io/gitpod/installer/pkg/components/workspace" wsdaemon "github.com/gitpod-io/gitpod/installer/pkg/components/ws-daemon" @@ -23,6 +24,7 @@ var Objects = common.CompositeRenderFunc( wsmanager.Objects, wsproxy.Objects, imagebuildermk3.Objects, + registrycredential.Objects, ) var Helm = common.CompositeHelmFunc() diff --git a/install/installer/pkg/components/registry-credential/constants.go b/install/installer/pkg/components/registry-credential/constants.go new file mode 100644 index 00000000000000..80501e3c89ca7e --- /dev/null +++ b/install/installer/pkg/components/registry-credential/constants.go @@ -0,0 +1,13 @@ +// Copyright (c) 2022 Gitpod GmbH. All rights reserved. +// Licensed under the GNU Affero General Public License (AGPL). +// See License-AGPL.txt in the project root for license information. + +package registry_credential + +const ( + Component = "registry-credential" + + SecretNameAWSIAMUserCredentials = "aws-iam-user-credentials" + + CronSchedule = "* */6 * * *" +) diff --git a/install/installer/pkg/components/registry-credential/cronjob.go b/install/installer/pkg/components/registry-credential/cronjob.go new file mode 100644 index 00000000000000..1a90c033c2022a --- /dev/null 
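Review bot: `CronSchedule = "* */6 * * *"` in constants.go leaves the minute field as a wildcard, so the job fires every minute during hours 0, 6, 12 and 18 instead of once every six hours. Combined with `ConcurrencyPolicy: batchv1.ReplaceConcurrent` in cronjob.go, a run that takes longer than a minute can be replaced before it finishes, and each run calls AWS with the long-lived IAM keys. Use `CronSchedule = "0 */6 * * *"`. A one-line comment stating the intended rotation interval relative to the 12-hour ECR token lifetime would also help the next reader.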
+++ b/install/installer/pkg/components/registry-credential/cronjob.go
@@ -0,0 +1,40 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package registry_credential
+
+import (
+ batchv1 "k8s.io/api/batch/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/utils/pointer"
+
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+)
+
+func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) {
+ objectMeta := metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: common.DefaultLabels(Component),
+ }
+
+ return []runtime.Object{
+ &batchv1.CronJob{
+ TypeMeta: common.TypeMetaBatchCronJob,
+ ObjectMeta: objectMeta,
+ Spec: batchv1.CronJobSpec{
+
+ Schedule: CronSchedule,
+ SuccessfulJobsHistoryLimit: pointer.Int32(1),
+ FailedJobsHistoryLimit: pointer.Int32(10),
+ ConcurrencyPolicy: batchv1.ReplaceConcurrent,
+ JobTemplate: batchv1.JobTemplateSpec{
+ ObjectMeta: objectMeta,
+ Spec: jobSpec(objectMeta),
+ },
+ },
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/registry-credential/job.go b/install/installer/pkg/components/registry-credential/job.go
new file mode 100644
index 00000000000000..08ccfeae12c054
--- /dev/null
+++ b/install/installer/pkg/components/registry-credential/job.go
@@ -0,0 +1,55 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package registry_credential
+
+import (
+ batchv1 "k8s.io/api/batch/v1"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/utils/pointer"
+
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+)
+
+func jobSpec(objectMeta metav1.ObjectMeta) batchv1.JobSpec {
+ return batchv1.JobSpec{
+ BackoffLimit: pointer.Int32(10),
+ Template: v1.PodTemplateSpec{
+ ObjectMeta: objectMeta,
+ Spec: v1.PodSpec{
+ RestartPolicy: v1.RestartPolicyOnFailure,
+ ServiceAccountName: Component,
+ Containers: []v1.Container{
+ {
+ Name: Component,
+ Image: "jenting/aws-iam-credential-rotate",
+ ImagePullPolicy: v1.PullIfNotPresent,
+ Command: []string{"/aws-iam-credential-rotate", "ecr-update"},
+ SecurityContext: &v1.SecurityContext{
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ },
+ },
+ },
+ },
+ },
+ }
+}
+
+func job(ctx *common.RenderContext) ([]runtime.Object, error) {
+ objectMeta := metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: common.DefaultLabels(Component),
+ }
+
+ return []runtime.Object{
+ &batchv1.Job{
+ TypeMeta: common.TypeMetaBatchJob,
+ ObjectMeta: objectMeta,
+ Spec: jobSpec(objectMeta),
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/registry-credential/objects.go b/install/installer/pkg/components/registry-credential/objects.go
new file mode 100644
index 00000000000000..eda34614826e77
--- /dev/null
+++ b/install/installer/pkg/components/registry-credential/objects.go
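Review bot: `Image: "jenting/aws-iam-credential-rotate"` in jobSpec is an untagged reference to a personal registry namespace, pulled with `v1.PullIfNotPresent`, so each node runs whatever that name resolved to when it was first pulled. This pod runs under the `registry-credential` service account, which the role in this PR allows to read and update Secrets, so the image should be as controlled as the project's own components. Render it through `ctx.ImageName(...)` with a version from the version manifest, as other components do, or at least pin it by digest; either way `jobSpec` would need the render context passed in. If the image supports it, adding `RunAsNonRoot: pointer.Bool(true)` next to `AllowPrivilegeEscalation` would tighten the container further.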
@@ -0,0 +1,16 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package registry_credential
+
+import "github.com/gitpod-io/gitpod/installer/pkg/common"
+
+var Objects = common.CompositeRenderFunc(
+ role,
+ rolebinding,
+ secret,
+ job,
+ cronjob,
+ common.DefaultServiceAccount(Component),
+)
diff --git a/install/installer/pkg/components/registry-credential/role.go b/install/installer/pkg/components/registry-credential/role.go
new file mode 100644
index 00000000000000..75278d208238a4
--- /dev/null
+++ b/install/installer/pkg/components/registry-credential/role.go
@@ -0,0 +1,38 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package registry_credential
+
+import (
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+)
+
+func role(ctx *common.RenderContext) ([]runtime.Object, error) {
+ return []runtime.Object{
+ &rbacv1.Role{
+ TypeMeta: common.TypeMetaRole,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: common.DefaultLabels(Component),
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{
+ "get",
+ "list",
+ "watch",
+ "update",
+ },
+ },
+ },
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/registry-credential/rolebinding.go b/install/installer/pkg/components/registry-credential/rolebinding.go
new file mode 100644
index 00000000000000..273358281bee7e
--- /dev/null
+++ b/install/installer/pkg/components/registry-credential/rolebinding.go
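Review bot: The single rule in role() grants `get`, `list`, `watch` and `update` on every Secret in the namespace, although secret.go in this PR suggests the job only works with `aws-iam-user-credentials` and `aws-ecr-credentials`. A compromised or misbehaving rotation pod could therefore read and overwrite unrelated Secrets such as TLS keys and other pull secrets. Scope the `get`/`update` rule with `ResourceNames: []string{SecretNameAWSIAMUserCredentials, "aws-ecr-credentials"}`. Keep `list`/`watch` only if the updater really discovers its targets by the `aws-ecr-updater` label, which is inferred here and should be confirmed; those verbs are not usefully narrowed by name, so a comment explaining why they remain would help.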
@@ -0,0 +1,35 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package registry_credential
+
+import (
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+ return []runtime.Object{
+ &rbacv1.RoleBinding{
+ TypeMeta: common.TypeMetaRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: common.DefaultLabels(Component),
+ },
+ RoleRef: rbacv1.RoleRef{
+ Kind: "Role",
+ Name: Component,
+ APIGroup: "rbac.authorization.k8s.io",
+ },
+ Subjects: []rbacv1.Subject{{
+ Kind: "ServiceAccount",
+ Name: Component,
+ }},
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/registry-credential/secret.go b/install/installer/pkg/components/registry-credential/secret.go
new file mode 100644
index 00000000000000..7979e225ccc42a
--- /dev/null
+++ b/install/installer/pkg/components/registry-credential/secret.go
@@ -0,0 +1,74 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package registry_credential
+
+import (
+ "fmt"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+)
+
+func secret(ctx *common.RenderContext) ([]runtime.Object, error) {
+ accessKey := ctx.Values.StorageAccessKey
+ if accessKey == "" {
+ return nil, fmt.Errorf("unknown value: access key")
+ }
+
+ secretKey := ctx.Values.StorageSecretKey
+ if secretKey == "" {
+ return nil, fmt.Errorf("unknown value: secret key")
+ }
+
+ region := ctx.Values.Region
+ if region == "" {
+ return nil, fmt.Errorf("unknown value: region")
+ }
+
+ commonLabels := common.DefaultLabels(Component)
+
+ // copy a map
+ ecrLabels := make(map[string]string)
+ for k, v := range commonLabels {
+ ecrLabels[k] = v
+ }
+ ecrLabels["aws-ecr-updater"] = "true"
+
+ return []runtime.Object{
+ // IAM user credentials
+ &corev1.Secret{
+ TypeMeta: common.TypeMetaSecret,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: SecretNameAWSIAMUserCredentials,
+ Namespace: ctx.Namespace,
+ Labels: commonLabels,
+ },
+ StringData: map[string]string{
+ "access_key_id": accessKey,
+ "secret_access_key": secretKey,
+ },
+ },
+ // ECR credentials
+ &corev1.Secret{
+ TypeMeta: common.TypeMetaSecret,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "aws-ecr-credentials",
+ Namespace: ctx.Namespace,
+ Labels: ecrLabels,
+ Annotations: map[string]string{
+ "aws-ecr-updater/secret": SecretNameAWSIAMUserCredentials,
+ "aws-ecr-updater/region": region,
+ },
+ },
+ Type: corev1.SecretTypeDockerConfigJson,
+ StringData: map[string]string{
+ ".dockerconfigjson": "{}",
+ },
+ },
+ }, nil
+}
From 101469b667cd0da36907de58991229df2c766cc1 Mon Sep 17 00:00:00 2001
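Review bot: secret() returns an error whenever `ctx.Values.StorageAccessKey`, `ctx.Values.StorageSecretKey` or `ctx.Values.Region` is empty, while `registrycredential.Objects` is added to the workspace components unconditionally in components.go. Unless a later patch gates the component, rendering would then fail for any installation that does not supply AWS values; returning `nil, nil` when ECR is not configured would avoid that. The keys reused here are named as storage credentials, so the same long-lived IAM user apparently needs both storage and ECR permissions, and a dedicated identity limited to ECR token retrieval would reduce what a leak of the `aws-iam-user-credentials` Secret exposes. The errors would also be easier to act on if they named the missing setting, e.g. `fmt.Errorf("registry-credential: storage access key is not set")`.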
From: JenTing Hsiao Date: Mon, 12 Dec 2022 04:34:20 +0000 Subject: [PATCH 03/14] A new component: registry-credential Signed-off-by: JenTing Hsiao --- components/BUILD.yaml | 2 + components/registry-credential/BUILD.yaml | 28 + components/registry-credential/cmd/root.go | 51 ++ components/registry-credential/go.mod | 93 ++ components/registry-credential/go.sum | 804 ++++++++++++++++++ .../registry-credential/leeway.Dockerfile | 17 + components/registry-credential/main.go | 11 + .../registry-credential/pkg/ecr/ecr_update.go | 168 ++++ gitpod-ws.code-workspace | 1 + 9 files changed, 1175 insertions(+) create mode 100644 components/registry-credential/BUILD.yaml create mode 100644 components/registry-credential/cmd/root.go create mode 100644 components/registry-credential/go.mod create mode 100644 components/registry-credential/go.sum create mode 100644 components/registry-credential/leeway.Dockerfile create mode 100644 components/registry-credential/main.go create mode 100644 components/registry-credential/pkg/ecr/ecr_update.go diff --git a/components/BUILD.yaml b/components/BUILD.yaml index 6247c18b82221e..d05acf9f36baea 100644 --- a/components/BUILD.yaml +++ b/components/BUILD.yaml @@ -68,6 +68,7 @@ packages: - components/proxy:docker - components/registry-facade:docker - components/registry-facade/ca-updater:docker + - components/registry-credential:docker - components/server:docker - components/service-waiter:docker - components/supervisor:docker @@ -122,6 +123,7 @@ packages: - components/openvsx-proxy:app - components/public-api-server:app - components/registry-facade:app + - components/registry-credential:app - components/server:app - components/service-waiter:app - components/supervisor:app diff --git a/components/registry-credential/BUILD.yaml b/components/registry-credential/BUILD.yaml new file mode 100644 index 00000000000000..b148167be6ddf4 --- /dev/null +++ b/components/registry-credential/BUILD.yaml 
@@ -0,0 +1,28 @@
+packages:
+ - name: app
+ type: go
+ srcs:
+ - "**/*.go"
+ - "go.mod"
+ - "go.sum"
+ deps:
+ - components/common-go:lib
+ env:
+ - CGO_ENABLED=0
+ - GOOS=linux
+ config:
+ packaging: app
+ buildCommand: ["go", "build", "-trimpath", "-ldflags", "-buildid= -w -s -X 'github.com/gitpod-io/gitpod/registry-credential/cmd.Version=commit-${__git_commit}'"]
+ - name: docker
+ type: docker
+ deps:
+ - :app
+ argdeps:
+ - imageRepoBase
+ config:
+ dockerfile: leeway.Dockerfile
+ metadata:
+ helm-component: registryCredential
+ image:
+ - ${imageRepoBase}/registry-credential:${version}
+ - ${imageRepoBase}/registry-credential:commit-${__git_commit}
diff --git a/components/registry-credential/cmd/root.go b/components/registry-credential/cmd/root.go
new file mode 100644
index 00000000000000..ab442520e7320d
--- /dev/null
+++ b/components/registry-credential/cmd/root.go
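Review bot: The `-X 'github.com/gitpod-io/gitpod/registry-credential/cmd.Version=commit-${__git_commit}'` flag in `buildCommand` targets a `Version` variable that cmd/root.go does not declare, and the diffstat lists no other file in `cmd`. The Go linker silently ignores `-X` for a symbol that does not exist, so the binary would carry no version stamp and nothing would report the mismatch. Either add `var Version = ""` to the `cmd` package and surface it (for example via the cobra command's `Version` field), or drop the flag.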
@@ -0,0 +1,51 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+ "fmt"
+ "os"
+
+ "k8s.io/client-go/kubernetes"
+ ctrl "sigs.k8s.io/controller-runtime"
+
+ "github.com/spf13/cobra"
+
+ "github.com/gitpod-io/gitpod/common-go/log"
+ "github.com/gitpod-io/gitpod/registry-credential/pkg/ecr"
+)
+
+var rootCmd = &cobra.Command{
+ Use: "ecr-update",
+ Short: "Update ECR Secret with a new ecr login.",
+ Long: `Update ECR Secret with a new ecr login`,
+ Run: func(cmd *cobra.Command, args []string) {
+ kubeConfig, err := ctrl.GetConfig()
+ if err != nil {
+ log.WithError(err).Fatal("unable to getting Kubernetes client config")
+ }
+
+ client, err := kubernetes.NewForConfig(kubeConfig)
+ if err != nil {
+ log.WithError(err).Fatal("constructing Kubernetes client")
+ }
+ namespace, _ := os.LookupEnv("NAMESPACE")
+
+ ecr.UpdateCredential(client, namespace)
+ },
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the rootCmd.
+func Execute() {
+ if err := rootCmd.Execute(); err != nil {
+ fmt.Println(err)
+ os.Exit(1)
+ }
+}
+
+func init() {
+ rootCmd.AddCommand(rootCmd)
+}
diff --git a/components/registry-credential/go.mod b/components/registry-credential/go.mod
new file mode 100644
index 00000000000000..d1f05c3b551098
--- /dev/null
+++ b/components/registry-credential/go.mod
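Review bot: `rootCmd.AddCommand(rootCmd)` in init() registers the root command as its own child, which cobra rejects with a panic, so as written the binary would fail at startup before `Run` is reached. The init() can simply be removed, since `Use: "ecr-update"` already sits on the root command. Separately, `namespace, _ := os.LookupEnv("NAMESPACE")` discards the presence flag, so an unset variable passes an empty namespace to `ecr.UpdateCredential`, and with a namespaced Role that would presumably surface as a confusing authorization error. Read it as `namespace, ok := os.LookupEnv("NAMESPACE")` and exit with a clear message when `!ok || namespace == ""`. The message `unable to getting Kubernetes client config` should read `unable to get Kubernetes client config`.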
@@ -0,0 +1,93 @@ +module github.com/gitpod-io/gitpod/registry-credential + +go 1.19 + +require ( + github.com/aws/aws-sdk-go-v2 v1.17.2 + github.com/aws/aws-sdk-go-v2/config v1.18.4 + github.com/aws/aws-sdk-go-v2/credentials v1.13.4 + github.com/aws/aws-sdk-go-v2/service/ecr v1.17.24 + github.com/docker/cli v20.10.21+incompatible + github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000 + github.com/spf13/cobra v1.4.0 + k8s.io/api v0.25.0 + k8s.io/apimachinery v0.25.0 + k8s.io/client-go v0.25.0 + sigs.k8s.io/controller-runtime v0.11.2 +) + +require ( + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 // indirect + github.com/aws/smithy-go v1.13.5 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.1.2 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/docker/docker-credential-helpers v0.7.0 // indirect + github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/evanphx/json-patch v4.12.0+incompatible // indirect + github.com/fsnotify/fsnotify v1.5.4 // indirect + github.com/go-logr/logr v1.2.3 // indirect + github.com/go-openapi/jsonpointer v0.19.5 // indirect + github.com/go-openapi/jsonreference v0.20.0 // indirect + github.com/go-openapi/swag v0.19.14 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.2 // indirect + github.com/google/gnostic v0.5.7-v3refs // indirect + 
github.com/google/go-cmp v0.5.9 // indirect + github.com/google/gofuzz v1.1.0 // indirect + github.com/google/uuid v1.1.2 // indirect + github.com/imdario/mergo v0.3.12 // indirect + github.com/inconshreveable/mousetrap v1.0.0 // indirect + github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/mailru/easyjson v0.7.6 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/prometheus/client_golang v1.13.0 // indirect + github.com/prometheus/client_model v0.2.0 // indirect + github.com/prometheus/common v0.37.0 // indirect + github.com/prometheus/procfs v0.8.0 // indirect + github.com/sirupsen/logrus v1.8.1 // indirect + github.com/spf13/pflag v1.0.5 // indirect + golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect + golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect + golang.org/x/sys v0.3.0 // indirect + golang.org/x/term v0.3.0 // indirect + golang.org/x/text v0.5.0 // indirect + golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect + gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.28.1 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + gotest.tools/v3 v3.4.0 // indirect + k8s.io/apiextensions-apiserver v0.25.0 // indirect + k8s.io/component-base v0.25.0 // indirect + k8s.io/klog/v2 v2.80.1 // indirect + k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect + k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect + sigs.k8s.io/json 
v0.0.0-20220713155537-f223a00ba0e2 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect +) + +replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway + +replace k8s.io/api => k8s.io/api v0.24.4 // leeway indirect from components/common-go:lib + +replace k8s.io/apimachinery => k8s.io/apimachinery v0.24.4 // leeway indirect from components/common-go:lib + +replace k8s.io/client-go => k8s.io/client-go v0.24.4 // leeway indirect from components/common-go:lib diff --git a/components/registry-credential/go.sum b/components/registry-credential/go.sum new file mode 100644 index 00000000000000..cdc3ec6afdd2db --- /dev/null +++ b/components/registry-credential/go.sum 
@@ -0,0 +1,804 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 
+cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= +cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= +github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/logger v0.2.1/go.mod 
h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/aws/aws-sdk-go-v2 v1.17.2 h1:r0yRZInwiPBNpQ4aDy/Ssh3ROWsGtKDwar2JS8Lm+N8= +github.com/aws/aws-sdk-go-v2 v1.17.2/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= +github.com/aws/aws-sdk-go-v2/config v1.18.4 h1:VZKhr3uAADXHStS/Gf9xSYVmmaluTUfkc0dcbPiDsKE= +github.com/aws/aws-sdk-go-v2/config v1.18.4/go.mod h1:EZxMPLSdGAZ3eAmkqXfYbRppZJTzFTkv8VyEzJhKko4= +github.com/aws/aws-sdk-go-v2/credentials v1.13.4 
h1:nEbHIyJy7mCvQ/kzGG7VWHSBpRB4H6sJy3bWierWUtg= +github.com/aws/aws-sdk-go-v2/credentials v1.13.4/go.mod h1:/Cj5w9LRsNTLSwexsohwDME32OzJ6U81Zs33zr2ZWOM= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 h1:tpNOglTZ8kg9T38NpcGBxudqfUAwUzyUnLQ4XSd0CHE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20/go.mod h1:d9xFpWd3qYwdIXM0fvu7deD08vvdRXyc/ueV+0SqaWE= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 h1:5WU31cY7m0tG+AiaXuXGoMzo2GBQ1IixtWa8Yywsgco= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26/go.mod h1:2E0LdbJW6lbeU4uxjum99GZzI0ZjDpAb0CoSCM0oeEY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 h1:WW0qSzDWoiWU2FS5DbKpxGilFVlCEJPwx4YtjdfI0Jw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20/go.mod h1:/+6lSiby8TBFpTVXZgKiN/rCfkYXEGvhlM4zCgPpt7w= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 h1:N2eKFw2S+JWRCtTt0IhIX7uoGGQciD4p6ba+SJv4WEU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27/go.mod h1:RdwFVc7PBYWY33fa2+8T1mSqQ7ZEK4ILpM0wfioDC3w= +github.com/aws/aws-sdk-go-v2/service/ecr v1.17.24 h1:Ax6tsTbbkkVFewkarjAuV50m3T9SdVNyngnQgrumYnE= +github.com/aws/aws-sdk-go-v2/service/ecr v1.17.24/go.mod h1:p0ME1/7PG+Gn6fUcBaXGyeuI+gL6JCD7aM1/EfwxmWo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 h1:jlgyHbkZQAgAc7VIxJDmtouH8eNjOk2REVAQfVhdaiQ= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20/go.mod h1:Xs52xaLBqDEKRcAfX/hgjmD3YQ7c/W+BEyfamlO/W2E= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 h1:ActQgdTNQej/RuUJjB9uxYVLDOvRGtUreXF8L3c8wyg= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.26/go.mod h1:uB9tV79ULEZUXc6Ob18A46KSQ0JDlrplPni9XW6Ot60= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 h1:wihKuqYUlA2T/Rx+yu2s6NDAns8B9DgnRooB1PVhY+Q= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9/go.mod h1:2E/3D/mB8/r2J7nK42daoKP/ooCwbf0q1PznNc+DZTU= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 h1:VQFOLQVL3BrKM/NLO/7FiS4vcp5bqK0mGMyk09xLoAY= 
+github.com/aws/aws-sdk-go-v2/service/sts v1.17.6/go.mod h1:Az3OXXYGyfNwQNsK/31L4R75qFYnO641RZGAoV3uH1c= +github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= +github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= +github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew 
v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/docker/cli v20.10.21+incompatible h1:qVkgyYUnOLQ98LtXBrwd/duVqPT2X4SHndOuGsfwyhU= +github.com/docker/cli v20.10.21+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= +github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch 
v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= +github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= +github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= +github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= +github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= 
+github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= +github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= +github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= +github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= +github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod 
h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf 
v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= +github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
+github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.12 
h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= +github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/kisielk/errcheck 
v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= +github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= +github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/modern-go/concurrent 
v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod 
h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo/v2 v2.1.4 h1:GNapqRSid3zijZ9H77KrgVG4/8KqiyRsxcSxe+7ApXY= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= +github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= +github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU= +github.com/prometheus/client_golang 
v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= +github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= +github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= +github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= +github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= +github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= +github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= +github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/russross/blackfriday/v2 v2.1.0/go.mod 
h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= +github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cobra v1.4.0 h1:y+wJpx64xcgO1V+RcnwW0LEHxTKRi2ZDPSBjWnrg88Q= +github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= +go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= +go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= +go.uber.org/zap v1.19.1 h1:ue41HOKd1vGURxrmeKIgELGb3jPW9DMUDGtsinblHwI= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod 
h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net 
v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 h1:Frnccbp+ok2GkUS2tC84yAq/U9Vg+0sIO7aRL3T4Xnc= +golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= 
+golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b h1:clP8eMhB30EHdc0bd2Twtq6kgU7yl5ub2cQLSdrv1Dg= +golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys 
v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
+golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= +golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= +golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20220922220347-f3bd1da661af h1:Yx9k8YCG3dvF87UAn2tu2HQLf2dt/eR1bXxpLMWeH+Y= +golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools 
v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools 
v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools 
v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= +gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod 
h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod 
h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto 
v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
+google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc 
v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= 
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= +google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 
v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= +gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +k8s.io/api v0.24.4 h1:I5Y645gJ8zWKawyr78lVfDQkZrAViSbeRXsPZWTxmXk= +k8s.io/api v0.24.4/go.mod h1:42pVfA0NRxrtJhZQOvRSyZcJihzAdU59WBtTjYcB0/M= +k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= +k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= +k8s.io/apimachinery v0.24.4 h1:S0Ur3J/PbivTcL43EdSdPhqCqKla2NIuneNwZcTDeGQ= +k8s.io/apimachinery v0.24.4/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= +k8s.io/client-go v0.24.4 h1:hIAIJZIPyaw46AkxwyR0FRfM/pRxpUNTd3ysYu9vyRg= +k8s.io/client-go v0.24.4/go.mod 
h1:+AxlPWw/H6f+EJhRSjIeALaJT4tbeB/8g9BNvXGPd0Y= +k8s.io/component-base v0.25.0 h1:haVKlLkPCFZhkcqB6WCvpVxftrg6+FK5x1ZuaIDaQ5Y= +k8s.io/component-base v0.25.0/go.mod h1:F2Sumv9CnbBlqrpdf7rKZTmmd2meJq0HizeyY/yAFxk= +k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= +k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/controller-runtime v0.11.2 h1:H5GTxQl0Mc9UjRJhORusqfJCIjBO8UtUxGggCwL1rLA= +sigs.k8s.io/controller-runtime v0.11.2/go.mod h1:P6QCzrEjLaZGqHsfd+os7JQ+WFZhvB8MRFsn4dWF7O4= +sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= +sigs.k8s.io/json 
v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= +sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
diff --git a/components/registry-credential/leeway.Dockerfile b/components/registry-credential/leeway.Dockerfile
new file mode 100644
index 00000000000000..a3a728dc69faf9
--- /dev/null
+++ b/components/registry-credential/leeway.Dockerfile
@@ -0,0 +1,17 @@
+# Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+# Licensed under the GNU Affero General Public License (AGPL).
+# See License-AGPL.txt in the project root for license information.
+
+FROM alpine:3.16
+
+# Ensure latest packages are present, like security updates.
+RUN apk upgrade --no-cache \
+ && apk add --no-cache ca-certificates
+
+RUN adduser -S -D -H -h /app -u 31001 appuser
+COPY components-registry-credential--app/registry-credential /app/registry-credential
+RUN chown -R appuser /app
+
+USER appuser
+ENTRYPOINT [ "/app/registry-credential" ]
+CMD [ "-v", "help" ]
diff --git a/components/registry-credential/main.go b/components/registry-credential/main.go
new file mode 100644
index 00000000000000..37b011bc5b5e5f
--- /dev/null
+++ b/components/registry-credential/main.go
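Review bot: In leeway.Dockerfile, `RUN chown -R appuser /app` hands ownership of the entrypoint binary to the same unprivileged account the container runs as, so the running process can rewrite `/app/registry-credential` unless the pod mounts its root filesystem read-only. Since this component manages registry credentials (ecr_update.go in the same patch), I would keep the binary root-owned and drop that line, provided nothing writes under /app; the hunk does not show whether anything does. Separately, `FROM alpine:3.16` is a mutable tag; pinning it as `FROM alpine:3.16@sha256:<digest>` (placeholder, take the digest from the registry you pull from) makes the base image reproducible and auditable.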
@@ -0,0 +1,11 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package main
+
+import "github.com/gitpod-io/gitpod/registry-credential/cmd"
+
+func main() {
+ cmd.Execute()
+}
diff --git a/components/registry-credential/pkg/ecr/ecr_update.go b/components/registry-credential/pkg/ecr/ecr_update.go
new file mode 100644
index 00000000000000..0d86628b9e2287
--- /dev/null
+++ b/components/registry-credential/pkg/ecr/ecr_update.go
@@ -0,0 +1,168 @@ +// Copyright (c) 2022 Gitpod GmbH. All rights reserved. +// Licensed under the GNU Affero General Public License (AGPL). +// See License-AGPL.txt in the project root for license information. + +package ecr + +import ( + "context" + "encoding/base64" + "encoding/json" + "fmt" + + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes" + + aws "github.com/aws/aws-sdk-go-v2/aws" + awsconfig "github.com/aws/aws-sdk-go-v2/config" + awscred "github.com/aws/aws-sdk-go-v2/credentials" + ecr "github.com/aws/aws-sdk-go-v2/service/ecr" + ecrType "github.com/aws/aws-sdk-go-v2/service/ecr/types" + "github.com/docker/cli/cli/config/credentials" + + "github.com/gitpod-io/gitpod/common-go/log" +) + +const ( + accessKeyIdPropName = "access_key_id" + secretAccessKeyPropName = "secret_access_key" +) + +const ( + awsECRUpdater = "aws-ecr-updater" + awsECRUpdaterSecret = "aws-ecr-updater/secret" + awsECRUpdaterRegion = "aws-ecr-updater/region" + awsECRUpdaterExpiresAt = "aws-ecr-updater/expires-at" +) + +// Dont want to have full dependencies on k8s so copy/paste just +// to marshall dockerconfigJson +// https://github.com/kubernetes/kubernetes/blob/master/pkg/credentialprovider/config.go +type DockerConfigJson struct { + Auths DockerConfig `json:"auths"` +} + +// DockerConfig represents the config file used by the docker CLI. +// This config that represents the credentials that should be used +// when pulling images from specific image repositories. 
+type DockerConfig map[string]DockerConfigEntry + +type DockerConfigEntry struct { + Auth string `json:"auth"` +} + +func UpdateCredential(client *kubernetes.Clientset, namespace string) { + secrets, err := getSecretsToUpdate(client, namespace) + if err != nil { + log.Fatal(err) + } + + for _, secret := range secrets.Items { + log.Infof("Found ECR secret: %s", secret.Name) + + accessKeySecretName := secret.Annotations[awsECRUpdaterSecret] + region := secret.Annotations[awsECRUpdaterRegion] + + log.Infof("For region: %s", region) + + secret, err := client.CoreV1().Secrets(namespace).Get(context.TODO(), accessKeySecretName, metav1.GetOptions{}) + if err != nil { + log.Errorf("Unable to get the secret to build AccessKey") + log.Fatal(err) + } + + awsConfig, err := newAWSConfig(region, string(secret.Data[accessKeyIdPropName]), string(secret.Data[secretAccessKeyPropName]), "") + if err != nil { + log.Fatal(err) + } + + // Get an authorization Token from ECR + svc := ecr.NewFromConfig(awsConfig) + + input := &ecr.GetAuthorizationTokenInput{} + result, err := svc.GetAuthorizationToken(context.TODO(), input) + if err != nil { + log.Errorf("Unable to get an Authorization token from ECR") + log.Fatal(err) + } + + log.Infof("Found %d authorizationData", len(result.AuthorizationData)) + + err = updateSecretFromToken(client, namespace, secret, result.AuthorizationData[0]) + if err != nil { + log.Errorf("Unable to update secret with Token") + log.Fatal(err) + } + log.Infof("Secret %q updated with new ECR credentials", secret.Name) + } +} + +func newAWSConfig(region, accessKeyId, secretAccessKey, session string) (aws.Config, error) { + return awsconfig.LoadDefaultConfig( + context.TODO(), + awsconfig.WithRegion(region), + awsconfig.WithCredentialsProvider( + awscred.NewStaticCredentialsProvider( + accessKeyId, + secretAccessKey, + session, + ), + ), + ) +} + +// getSecretsToUpdate returns the list of secret that we want to rotate. 
+func getSecretsToUpdate(client *kubernetes.Clientset, namespace string) (*corev1.SecretList, error) { + return client.CoreV1().Secrets(namespace).List(context.TODO(), metav1.ListOptions{LabelSelector: fmt.Sprintf("%s=true", awsECRUpdater)}) +} + +// updateSecretFromToken updates a k8s secret with the given AWS ECR AuthorizationData. +func updateSecretFromToken(client *kubernetes.Clientset, namespace string, secret *corev1.Secret, authorizationData ecrType.AuthorizationData) error { + if secret.Data == nil { + secret.Data = make(map[string][]byte) + } + if secret.Annotations == nil { + secret.Annotations = make(map[string]string) + } + + dockerConfigJson := DockerConfigJson{} + if err := json.Unmarshal(secret.Data[".dockerconfigjson"], &dockerConfigJson); err != nil { + log.Errorf("Unable to unmarshal .dockerconfigjson") + return err + } + + json, err := buildDockerJsonConfig(dockerConfigJson, authorizationData) + if err != nil { + log.Errorf("Unable to build dockerJsonConfig from AuthorizationData") + return err + } + + secret.Annotations[awsECRUpdaterExpiresAt] = aws.ToTime(authorizationData.ExpiresAt).String() + secret.Data[".dockerconfigjson"] = json + _, err = client.CoreV1().Secrets(namespace).Update(context.TODO(), secret, metav1.UpdateOptions{}) + return err +} + +func buildDockerJsonConfig(dockerConfigJson DockerConfigJson, authorizationData ecrType.AuthorizationData) ([]byte, error) { + user := "AWS" + token := aws.ToString(authorizationData.AuthorizationToken) + password := decodePassword(token) + password = password[4:] + + endpoint := credentials.ConvertToHostname(aws.ToString(authorizationData.ProxyEndpoint)) + dockerConfigJson.Auths[endpoint] = DockerConfigEntry{ + Auth: encodeDockerConfigFieldAuth(user, password), + } + return json.Marshal(dockerConfigJson) +} + +func decodePassword(pass string) string { + bytes, _ := base64.StdEncoding.DecodeString(pass) + return string(bytes) +} + +func encodeDockerConfigFieldAuth(username, password string) string 
{ + fieldValue := username + ":" + password + return base64.StdEncoding.EncodeToString([]byte(fieldValue)) +} diff --git a/gitpod-ws.code-workspace b/gitpod-ws.code-workspace index 1df4484578e36a..085159c0d41110 100644 --- a/gitpod-ws.code-workspace +++ b/gitpod-ws.code-workspace @@ -16,6 +16,7 @@ { "path": "components/licensor" }, { "path": "components/local-app" }, { "path": "components/registry-facade" }, + { "path": "components/registry-credential" }, { "path": "components/service-waiter" }, { "path": "components/supervisor" }, { "path": "components/usage" }, From 42c5372a9c26940ec82b49616d39f40597f9c9c6 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Mon, 12 Dec 2022 06:37:14 +0000 Subject: [PATCH 04/14] installer: use container image from leeway built 
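Review bot: Inside the loop in `UpdateCredential`, `secret, err := client.CoreV1().Secrets(namespace).Get(...)` shadows the labelled pull secret with the access-key secret, so `updateSecretFromToken` then reads and writes `.dockerconfigjson` on the secret that holds the AWS keys rather than on the one selected by `aws-ecr-updater=true`. Giving the fetched secret its own name and passing the loop's secret to the update restores the intended target. `result.AuthorizationData[0]` is also indexed without a length check. In `buildDockerJsonConfig`, the `password[4:]` slice follows a `decodePassword` that discards the base64 error, and `dockerConfigJson.Auths` can be a nil map when the existing JSON has no `auths` key; each of these panics instead of returning an error. The loop changes are sketched below.

```go
	for _, secret := range secrets.Items {
		// … unchanged: logging and annotation lookups …
		keySecret, err := client.CoreV1().Secrets(namespace).Get(context.TODO(), accessKeySecretName, metav1.GetOptions{})
		// … unchanged: error check on Get …

		awsConfig, err := newAWSConfig(region, string(keySecret.Data[accessKeyIdPropName]), string(keySecret.Data[secretAccessKeyPropName]), "")
		// … unchanged: config error check, ECR client, GetAuthorizationToken call …

		if len(result.AuthorizationData) == 0 {
			log.Fatal("ECR returned no authorization data")
		}

		// Copy so the pointer handed to the update does not alias the loop variable.
		pullSecret := secret
		err = updateSecretFromToken(client, namespace, &pullSecret, result.AuthorizationData[0])
		// … unchanged: error check and success log …
	}
```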
Signed-off-by: JenTing Hsiao --- .../cmd/testdata/render/aws-setup/output.golden | 13 +++++++------ .../cmd/testdata/render/azure-setup/output.golden | 13 +++++++------ .../cmd/testdata/render/customization/output.golden | 13 +++++++------ .../testdata/render/external-registry/output.golden | 13 +++++++------ .../cmd/testdata/render/gcp-setup/output.golden | 13 +++++++------ .../cmd/testdata/render/http-proxy/output.golden | 13 +++++++------ .../cmd/testdata/render/kind-ide/output.golden | 3 +++ .../cmd/testdata/render/kind-meta/output.golden | 3 +++ .../cmd/testdata/render/kind-webapp/output.golden | 3 +++ .../testdata/render/kind-workspace/output.golden | 13 +++++++------ .../cmd/testdata/render/minimal/output.golden | 13 +++++++------ .../cmd/testdata/render/shortname/output.golden | 13 +++++++------ .../render/statefulset-customization/output.golden | 13 +++++++------ .../render/use-pod-security-policies/output.golden | 13 +++++++------ install/installer/cmd/testdata/render/versions.yaml | 2 ++ .../cmd/testdata/render/vsxproxy-pvc/output.golden | 13 +++++++------ .../render/workspace-requests-limits/output.golden | 13 +++++++------ .../pkg/components/registry-credential/cronjob.go | 2 +- .../pkg/components/registry-credential/job.go | 8 ++++---- install/installer/pkg/config/versions/versions.go | 1 + 20 files changed, 108 insertions(+), 83 deletions(-) diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index b4a7cb2d590ab4..dc86ee05431d57 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -1558,6 +1558,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, 
@@ -10997,10 +11000,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -11134,10 +11136,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/azure-setup/output.golden b/install/installer/cmd/testdata/render/azure-setup/output.golden index 17714ad25a0f72..3e5d24b8c9f944 100644 --- a/install/installer/cmd/testdata/render/azure-setup/output.golden +++ b/install/installer/cmd/testdata/render/azure-setup/output.golden @@ -1513,6 +1513,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -10836,10 +10839,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -10973,10 +10975,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index 5d395660683db2..352a3e5bd619fa 100644 
--- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -1785,6 +1785,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -12425,10 +12428,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -12562,10 +12564,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index 4ae8f6ef5dda75..0baa14dbd3e4d7 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden @@ -1560,6 +1560,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -11147,10 +11150,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} 
@@ -11284,10 +11286,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index d16ba387ca0482..8258c8256e2b3d 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden @@ -1491,6 +1491,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -10700,10 +10703,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -10831,10 +10833,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index d08b7b97b0ff75..8e741026e3e25d 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -1629,6 +1629,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, 
@@ -13370,10 +13373,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -13547,10 +13549,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/kind-ide/output.golden b/install/installer/cmd/testdata/render/kind-ide/output.golden index 8718a9892abc90..bccd7deba85b2e 100644 --- a/install/installer/cmd/testdata/render/kind-ide/output.golden +++ b/install/installer/cmd/testdata/render/kind-ide/output.golden @@ -547,6 +547,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, diff --git a/install/installer/cmd/testdata/render/kind-meta/output.golden b/install/installer/cmd/testdata/render/kind-meta/output.golden index 6f162186a18054..43067836ac6f85 100644 --- a/install/installer/cmd/testdata/render/kind-meta/output.golden +++ b/install/installer/cmd/testdata/render/kind-meta/output.golden @@ -1130,6 +1130,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, diff --git a/install/installer/cmd/testdata/render/kind-webapp/output.golden b/install/installer/cmd/testdata/render/kind-webapp/output.golden index 317b823427afb6..336d5818083417 100644 --- a/install/installer/cmd/testdata/render/kind-webapp/output.golden +++ b/install/installer/cmd/testdata/render/kind-webapp/output.golden 
@@ -868,6 +868,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, diff --git a/install/installer/cmd/testdata/render/kind-workspace/output.golden b/install/installer/cmd/testdata/render/kind-workspace/output.golden index eae2bd856adff5..e6131a6460b7df 100644 --- a/install/installer/cmd/testdata/render/kind-workspace/output.golden +++ b/install/installer/cmd/testdata/render/kind-workspace/output.golden @@ -781,6 +781,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -4146,10 +4149,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -4192,10 +4194,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index 42d5c9686d78c1..204eb53930cd0e 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden @@ -1626,6 +1626,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, 
@@ -11522,10 +11525,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -11659,10 +11661,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index 245803c4d96bbb..bf1d01b367e0ba 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden @@ -1626,6 +1626,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -11522,10 +11525,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -11659,10 +11661,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index f53d35ee79acf4..771a4a46873753 100644 
--- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -1638,6 +1638,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -11534,10 +11537,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -11671,10 +11673,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index 92de28ad7b8708..dde0446af102da 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden @@ -1848,6 +1848,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -11966,10 +11969,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} 
@@ -12103,10 +12105,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/cmd/testdata/render/versions.yaml b/install/installer/cmd/testdata/render/versions.yaml index 50e1f223d9b881..9b50fafc00d6e7 100644 --- a/install/installer/cmd/testdata/render/versions.yaml +++ b/install/installer/cmd/testdata/render/versions.yaml @@ -51,6 +51,8 @@ components: version: test public-api-server: version: test + registryCredential: + version: test registryFacade: version: test server: diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index 949845861658ac..075b0eff86adf4 100644 --- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden @@ -1628,6 +1628,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -11512,10 +11515,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -11649,10 +11651,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} 
diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index 74da6e318f6840..e42ca7a7226deb 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -1629,6 +1629,9 @@ data: "public-api-server": { "version": "test" }, + "registryCredential": { + "version": "test" + }, "registryFacade": { "version": "test" }, @@ -11525,10 +11528,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} @@ -11662,10 +11664,9 @@ spec: namespace: default spec: containers: - - command: - - /aws-iam-credential-rotate + - args: - ecr-update - image: jenting/aws-iam-credential-rotate + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test imagePullPolicy: IfNotPresent name: registry-credential resources: {} diff --git a/install/installer/pkg/components/registry-credential/cronjob.go b/install/installer/pkg/components/registry-credential/cronjob.go index 1a90c033c2022a..3903b2a2fbc672 100644 --- a/install/installer/pkg/components/registry-credential/cronjob.go +++ b/install/installer/pkg/components/registry-credential/cronjob.go @@ -32,7 +32,7 @@ func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) { ConcurrencyPolicy: batchv1.ReplaceConcurrent, JobTemplate: batchv1.JobTemplateSpec{ ObjectMeta: objectMeta, - Spec: jobSpec(objectMeta), + Spec: jobSpec(ctx, objectMeta), }, }, }, diff --git a/install/installer/pkg/components/registry-credential/job.go b/install/installer/pkg/components/registry-credential/job.go index 08ccfeae12c054..1d2858d33641da 100644 
--- a/install/installer/pkg/components/registry-credential/job.go +++ b/install/installer/pkg/components/registry-credential/job.go @@ -14,7 +14,7 @@ import ( "github.com/gitpod-io/gitpod/installer/pkg/common" ) -func jobSpec(objectMeta metav1.ObjectMeta) batchv1.JobSpec { +func jobSpec(ctx *common.RenderContext, objectMeta metav1.ObjectMeta) batchv1.JobSpec { return batchv1.JobSpec{ BackoffLimit: pointer.Int32(10), Template: v1.PodTemplateSpec{ @@ -25,9 +25,9 @@ func jobSpec(objectMeta metav1.ObjectMeta) batchv1.JobSpec { Containers: []v1.Container{ { Name: Component, - Image: "jenting/aws-iam-credential-rotate", + Args: []string{"ecr-update"}, + Image: ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.RegistryCredential.Version), ImagePullPolicy: v1.PullIfNotPresent, - Command: []string{"/aws-iam-credential-rotate", "ecr-update"}, SecurityContext: &v1.SecurityContext{ AllowPrivilegeEscalation: pointer.Bool(false), }, @@ -49,7 +49,7 @@ func job(ctx *common.RenderContext) ([]runtime.Object, error) { &batchv1.Job{ TypeMeta: common.TypeMetaBatchJob, ObjectMeta: objectMeta, - Spec: jobSpec(objectMeta), + Spec: jobSpec(ctx, objectMeta), }, }, nil } diff --git a/install/installer/pkg/config/versions/versions.go b/install/installer/pkg/config/versions/versions.go index 6cba2dd1af6458..b9427c533421ff 100644 --- a/install/installer/pkg/config/versions/versions.go +++ b/install/installer/pkg/config/versions/versions.go @@ -36,6 +36,7 @@ type Components struct { PaymentEndpoint Versioned `json:"paymentEndpoint"` Proxy Versioned `json:"proxy"` PublicAPIServer Versioned `json:"public-api-server"` + RegistryCredential Versioned `json:"registryCredential"` RegistryFacade Versioned `json:"registryFacade"` Server Versioned `json:"server"` ServiceWaiter Versioned `json:"serviceWaiter"` From 8c1509376ea5f56e48e02805b9fb0d1ccf9ec5a9 Mon Sep 17 00:00:00 2001 
From: JenTing Hsiao Date: Mon, 12 Dec 2022 09:42:13 +0000 Subject: [PATCH 05/14] registry-credential: load from config file Signed-off-by: JenTing Hsiao --- components/registry-credential/.gitignore | 1 + components/registry-credential/cmd/root.go | 18 +- .../registry-credential/example-config.json | 5 + .../registry-credential/pkg/config/config.go | 43 ++++ .../registry-credential/pkg/ecr/ecr_update.go | 168 ---------------- .../registry-credential/pkg/ecr/updater.go | 187 ++++++++++++++++++ 6 files changed, 245 insertions(+), 177 deletions(-) create mode 100644 components/registry-credential/.gitignore create mode 100644 components/registry-credential/example-config.json create mode 100644 components/registry-credential/pkg/config/config.go delete mode 100644 components/registry-credential/pkg/ecr/ecr_update.go create mode 100644 components/registry-credential/pkg/ecr/updater.go diff --git a/components/registry-credential/.gitignore b/components/registry-credential/.gitignore new file mode 100644 index 00000000000000..958b1c8af96991 --- /dev/null +++ b/components/registry-credential/.gitignore @@ -0,0 +1 @@ +registry-credential diff --git a/components/registry-credential/cmd/root.go b/components/registry-credential/cmd/root.go index ab442520e7320d..2a629f8df2bf47 100644 --- a/components/registry-credential/cmd/root.go +++ b/components/registry-credential/cmd/root.go 
@@ -14,14 +14,19 @@ import ( "github.com/spf13/cobra" "github.com/gitpod-io/gitpod/common-go/log" + "github.com/gitpod-io/gitpod/registry-credential/pkg/config" "github.com/gitpod-io/gitpod/registry-credential/pkg/ecr" ) var rootCmd = &cobra.Command{ - Use: "ecr-update", - Short: "Update ECR Secret with a new ecr login.", - Long: `Update ECR Secret with a new ecr login`, + Use: "ecr-update ", + Short: "Update the AWS ECR credential", + Args: cobra.ExactArgs(2), Run: func(cmd *cobra.Command, args []string) { + cfgFile := args[1] + cfg := config.Get(cfgFile) + log.WithField("config", cfg).Info("Starting registry-credential") + kubeConfig, err := ctrl.GetConfig() if err != nil { log.WithError(err).Fatal("unable to getting Kubernetes client config") @@ -31,9 +36,8 @@ var rootCmd = &cobra.Command{ if err != nil { log.WithError(err).Fatal("constructing Kubernetes client") } - namespace, _ := os.LookupEnv("NAMESPACE") - ecr.UpdateCredential(client, namespace) + ecr.UpdateCredential(client, cfg) }, } @@ -45,7 +49,3 @@ func Execute() { os.Exit(1) } } - -func init() { - rootCmd.AddCommand(rootCmd) -} diff --git a/components/registry-credential/example-config.json b/components/registry-credential/example-config.json new file mode 100644 index 00000000000000..d29a699468ee2d --- /dev/null +++ b/components/registry-credential/example-config.json @@ -0,0 +1,5 @@ +{ + "namespace": "default", + "credentialSecret": "", + "secretToUpdate": "" +} diff --git a/components/registry-credential/pkg/config/config.go b/components/registry-credential/pkg/config/config.go new file mode 100644 index 00000000000000..82d4100302b935 --- /dev/null +++ b/components/registry-credential/pkg/config/config.go 
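Review bot: `Args: cobra.ExactArgs(2)` in root.go requires two positional arguments, but only `args[1]` is read as the config path, so `args[0]` is accepted whatever it contains. This appears to rely on the Job passing the literal `ecr-update` as the first word. Either check it explicitly, e.g. `if args[0] != "ecr-update" { log.WithField("command", args[0]).Fatal("unknown command") }`, or make `ecr-update` a real subcommand that takes `cobra.ExactArgs(1)`. The body of the `Run` closure continues across the next hunk of this file.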
@@ -0,0 +1,43 @@ +// Copyright (c) 2022 Gitpod GmbH. All rights reserved. +// Licensed under the GNU Affero General Public License (AGPL). +// See License-AGPL.txt in the project root for license information. + +package config + +import ( + "bytes" + "encoding/json" + "os" + + "github.com/gitpod-io/gitpod/common-go/log" +) + +type Configuration struct { + // Namespace describes which namespace the below secrets locates. + Namespace string `json:"namespace"` + + // CredentialSecret points to a Kubernetes secret which contains the credential to rotate + // the container registry credential . + CredentialSecret string `json:"credentialSecret"` + + // Region describes which public cloud region the container registry locates. + Region string `json:"region"` + + // SecretToUpdate names a Kubernetes secret which contains a `.dockerconfigjson` entry + // carrying the Docker authentication credentials. + SecretToUpdate string `json:"secretToUpdate"` +} + +func Get(cfgFile string) *Configuration { + ctnt, err := os.ReadFile(cfgFile) + if err != nil { + log.WithError(err).Fatal("cannot read configuration. Maybe missing --config?") + } + + var cfg Configuration + err = json.NewDecoder(bytes.NewReader(ctnt)).Decode(&cfg) + if err != nil { + log.WithError(err).Fatal("cannot decode configuration. Maybe missing --config?") + } + return &cfg +} diff --git a/components/registry-credential/pkg/ecr/ecr_update.go b/components/registry-credential/pkg/ecr/ecr_update.go deleted file mode 100644 index 0d86628b9e2287..00000000000000 --- a/components/registry-credential/pkg/ecr/ecr_update.go +++ /dev/null 
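Review bot: `Get` in config.go returns the decoded `Configuration` without checking that any field is set, so an empty `credentialSecret`, `region` or `secretToUpdate` only surfaces later as a failed Kubernetes or AWS call; the `example-config.json` added in this patch leaves two of them empty and omits `region`. Validate right after decoding, e.g. `if cfg.Namespace == "" || cfg.CredentialSecret == "" || cfg.Region == "" || cfg.SecretToUpdate == "" { log.Fatal("configuration is missing a required field") }`. Both error messages hint at a missing `--config` flag, while `cmd/root.go` takes the path as a positional argument, so the hint should say that instead. `Get` is exported and would benefit from a doc comment such as `// Get reads and decodes the JSON configuration at cfgFile and exits the process on failure.`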
@@ -1,168 +0,0 @@
-// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
-// Licensed under the GNU Affero General Public License (AGPL).
-// See License-AGPL.txt in the project root for license information.
-
-package ecr
-
-import (
- "context"
- "encoding/base64"
- "encoding/json"
- "fmt"
-
- corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/client-go/kubernetes"
-
- aws "github.com/aws/aws-sdk-go-v2/aws"
- awsconfig "github.com/aws/aws-sdk-go-v2/config"
- awscred "github.com/aws/aws-sdk-go-v2/credentials"
- ecr "github.com/aws/aws-sdk-go-v2/service/ecr"
- ecrType "github.com/aws/aws-sdk-go-v2/service/ecr/types"
- "github.com/docker/cli/cli/config/credentials"
-
- "github.com/gitpod-io/gitpod/common-go/log"
-)
-
-const (
- accessKeyIdPropName = "access_key_id"
- secretAccessKeyPropName = "secret_access_key"
-)
-
-const (
- awsECRUpdater = "aws-ecr-updater"
- awsECRUpdaterSecret = "aws-ecr-updater/secret"
- awsECRUpdaterRegion = "aws-ecr-updater/region"
- awsECRUpdaterExpiresAt = "aws-ecr-updater/expires-at"
-)
-
-// Dont want to have full dependencies on k8s so copy/paste just
-// to marshall dockerconfigJson
-// https://github.com/kubernetes/kubernetes/blob/master/pkg/credentialprovider/config.go
-type DockerConfigJson struct {
- Auths DockerConfig `json:"auths"`
-}
-
-// DockerConfig represents the config file used by the docker CLI.
-// This config that represents the credentials that should be used
-// when pulling images from specific image repositories.
-type DockerConfig map[string]DockerConfigEntry
-
-type DockerConfigEntry struct {
- Auth string `json:"auth"`
-}
-
-func UpdateCredential(client *kubernetes.Clientset, namespace string) {
- secrets, err := getSecretsToUpdate(client, namespace)
- if err != nil {
- log.Fatal(err)
- }
-
- for _, secret := range secrets.Items {
- log.Infof("Found ECR secret: %s", secret.Name)
-
- accessKeySecretName := secret.Annotations[awsECRUpdaterSecret]
- region := secret.Annotations[awsECRUpdaterRegion]
-
- log.Infof("For region: %s", region)
-
- secret, err := client.CoreV1().Secrets(namespace).Get(context.TODO(), accessKeySecretName, metav1.GetOptions{})
- if err != nil {
- log.Errorf("Unable to get the secret to build AccessKey")
- log.Fatal(err)
- }
-
- awsConfig, err := newAWSConfig(region, string(secret.Data[accessKeyIdPropName]), string(secret.Data[secretAccessKeyPropName]), "")
- if err != nil {
- log.Fatal(err)
- }
-
- // Get an authorization Token from ECR
- svc := ecr.NewFromConfig(awsConfig)
-
- input := &ecr.GetAuthorizationTokenInput{}
- result, err := svc.GetAuthorizationToken(context.TODO(), input)
- if err != nil {
- log.Errorf("Unable to get an Authorization token from ECR")
- log.Fatal(err)
- }
-
- log.Infof("Found %d authorizationData", len(result.AuthorizationData))
-
- err = updateSecretFromToken(client, namespace, secret, result.AuthorizationData[0])
- if err != nil {
- log.Errorf("Unable to update secret with Token")
- log.Fatal(err)
- }
- log.Infof("Secret %q updated with new ECR credentials", secret.Name)
- }
-}
-
-func newAWSConfig(region, accessKeyId, secretAccessKey, session string) (aws.Config, error) {
- return awsconfig.LoadDefaultConfig(
- context.TODO(),
- awsconfig.WithRegion(region),
- awsconfig.WithCredentialsProvider(
- awscred.NewStaticCredentialsProvider(
- accessKeyId,
- secretAccessKey,
- session,
- ),
- ),
- )
-}
-
-// getSecretsToUpdate returns the list of secret that we want to rotate.
-func getSecretsToUpdate(client *kubernetes.Clientset, namespace string) (*corev1.SecretList, error) {
- return client.CoreV1().Secrets(namespace).List(context.TODO(), metav1.ListOptions{LabelSelector: fmt.Sprintf("%s=true", awsECRUpdater)})
-}
-
-// updateSecretFromToken updates a k8s secret with the given AWS ECR AuthorizationData.
-func updateSecretFromToken(client *kubernetes.Clientset, namespace string, secret *corev1.Secret, authorizationData ecrType.AuthorizationData) error {
- if secret.Data == nil {
- secret.Data = make(map[string][]byte)
- }
- if secret.Annotations == nil {
- secret.Annotations = make(map[string]string)
- }
-
- dockerConfigJson := DockerConfigJson{}
- if err := json.Unmarshal(secret.Data[".dockerconfigjson"], &dockerConfigJson); err != nil {
- log.Errorf("Unable to unmarshal .dockerconfigjson")
- return err
- }
-
- json, err := buildDockerJsonConfig(dockerConfigJson, authorizationData)
- if err != nil {
- log.Errorf("Unable to build dockerJsonConfig from AuthorizationData")
- return err
- }
-
- secret.Annotations[awsECRUpdaterExpiresAt] = aws.ToTime(authorizationData.ExpiresAt).String()
- secret.Data[".dockerconfigjson"] = json
- _, err = client.CoreV1().Secrets(namespace).Update(context.TODO(), secret, metav1.UpdateOptions{})
- return err
-}
-
-func buildDockerJsonConfig(dockerConfigJson DockerConfigJson, authorizationData ecrType.AuthorizationData) ([]byte, error) {
- user := "AWS"
- token := aws.ToString(authorizationData.AuthorizationToken)
- password := decodePassword(token)
- password = password[4:]
-
- endpoint := credentials.ConvertToHostname(aws.ToString(authorizationData.ProxyEndpoint))
- dockerConfigJson.Auths[endpoint] = DockerConfigEntry{
- Auth: encodeDockerConfigFieldAuth(user, password),
- }
- return json.Marshal(dockerConfigJson)
-}
-
-func decodePassword(pass string) string {
- bytes, _ := base64.StdEncoding.DecodeString(pass)
- return string(bytes)
-}
-
-func encodeDockerConfigFieldAuth(username, password string) string {
- fieldValue := username + ":" + password
- return base64.StdEncoding.EncodeToString([]byte(fieldValue))
-}
diff --git a/components/registry-credential/pkg/ecr/updater.go b/components/registry-credential/pkg/ecr/updater.go
new file mode 100644
index 00000000000000..2dc8d49c218c0a
--- /dev/null
+++ b/components/registry-credential/pkg/ecr/updater.go
@@ -0,0 +1,187 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package ecr
+
+import (
+ "context"
+ "encoding/base64"
+ "encoding/json"
+
+ corev1 "k8s.io/api/core/v1"
+ k8serr "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes"
+
+ aws "github.com/aws/aws-sdk-go-v2/aws"
+ awsconfig "github.com/aws/aws-sdk-go-v2/config"
+ awscred "github.com/aws/aws-sdk-go-v2/credentials"
+ ecr "github.com/aws/aws-sdk-go-v2/service/ecr"
+ ecrType "github.com/aws/aws-sdk-go-v2/service/ecr/types"
+ "github.com/docker/cli/cli/config/credentials"
+
+ "github.com/gitpod-io/gitpod/common-go/log"
+ "github.com/gitpod-io/gitpod/registry-credential/pkg/config"
+)
+
+const (
+ accessKeyIdPropName = "access_key_id"
+ secretAccessKeyPropName = "secret_access_key"
+)
+
+const (
+ ecrUpdaterExpiresAt = "ecr-updater/expires-at"
+)
+
+// DockerConfigJSON represents ~/.docker/config.json file info
+// see https://github.com/docker/docker/pull/12009
+type DockerConfigJSON struct {
+ Auths DockerConfig `json:"auths"`
+}
+
+// DockerConfig represents the config file used by the docker CLI.
+// This config that represents the credentials that should be used
+// when pulling images from specific image repositories.
+type DockerConfig map[string]DockerConfigEntry
+
+type DockerConfigEntry struct {
+ Auth string `json:"auth"`
+}
+
+func UpdateCredential(client *kubernetes.Clientset, cfg *config.Configuration) {
+ credSecret, err := getSecret(client, cfg.Namespace, cfg.CredentialSecret)
+ if err != nil {
+ log.WithError(err).Fatalf("cannot find the credential secret %s/%s", cfg.CredentialSecret, cfg.Namespace)
+ }
+
+ accessKey := string(credSecret.Data[accessKeyIdPropName])
+ secretKey := string(credSecret.Data[secretAccessKeyPropName])
+ region := cfg.Region
+
+ log.Infof("Prepare to rotate AWS ECR secret %s/%s for region %s", cfg.SecretToUpdate, cfg.Namespace, region)
+
+ awsConfig, err := newAWSConfig(region, accessKey, secretKey, "")
+ if err != nil {
+ log.WithError(err).Fatal("unable to new aws config")
+ }
+
+ // Get an authorization token from ECR
+ ecrClient := ecr.NewFromConfig(awsConfig)
+ result, err := ecrClient.GetAuthorizationToken(context.TODO(), &ecr.GetAuthorizationTokenInput{})
+ if err != nil {
+ log.WithError(err).Fatal("unable to get an Authorization token from ECR")
+ }
+ log.Infof("Found %d authorizationData", len(result.AuthorizationData))
+
+ secretToUpdate, err := getSecret(client, cfg.Namespace, cfg.SecretToUpdate)
+ if err != nil {
+ if !k8serr.IsNotFound(err) {
+ log.WithError(err).Fatalf("cannot find the secret to update %s/%s", cfg.SecretToUpdate, cfg.Namespace)
+ }
+
+ secretToCreate := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: cfg.SecretToUpdate,
+ Namespace: cfg.Namespace,
+ Labels: map[string]string{
+ "app": "gitpod",
+ "component": "registry-credential",
+ },
+ },
+ Type: corev1.SecretTypeDockerConfigJson,
+ StringData: map[string]string{
+ ".dockerconfigjson": "{}",
+ },
+ }
+
+ secretToUpdate, err = createSecret(client, cfg.Namespace, secretToCreate)
+ if err != nil {
+ log.WithError(err).Fatalf("cannot create the secret %s/%s", cfg.SecretToUpdate, cfg.Namespace)
+ }
+ }
+
+ err = updateSecretFromToken(client, cfg.Namespace, secretToUpdate, result.AuthorizationData[0])
+ if err != nil {
+ log.WithError(err).Fatalf("Unable to update secret")
+ }
+
+ log.Infof("Secret %s/%s for region %s updated with new ECR credentials", cfg.SecretToUpdate, cfg.Namespace, region)
+}
+
+func newAWSConfig(region, accessKeyId, secretAccessKey, session string) (aws.Config, error) {
+ return awsconfig.LoadDefaultConfig(
+ context.TODO(),
+ awsconfig.WithRegion(region),
+ awsconfig.WithCredentialsProvider(
+ awscred.NewStaticCredentialsProvider(
+ accessKeyId,
+ secretAccessKey,
+ session,
+ ),
+ ),
+ )
+}
+
+// getSecret returns the Kubernetes secret.
+func getSecret(client *kubernetes.Clientset, namespace, secretName string) (*corev1.Secret, error) {
+ return client.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+}
+
+// createSecret creates the Kubernetes secret.
+func createSecret(client *kubernetes.Clientset, namespace string, secret *corev1.Secret) (*corev1.Secret, error) {
+ return client.CoreV1().Secrets(namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+}
+
+// updateSecretFromToken updates a Kubernetes secret with the given AWS ECR AuthorizationData.
+func updateSecretFromToken(client *kubernetes.Clientset, namespace string, secret *corev1.Secret, authorizationData ecrType.AuthorizationData) error {
+ if secret.Data == nil {
+ secret.Data = make(map[string][]byte)
+ }
+ if secret.Annotations == nil {
+ secret.Annotations = make(map[string]string)
+ }
+
+ dockerConfigJson := DockerConfigJSON{}
+ if err := json.Unmarshal(secret.Data[".dockerconfigjson"], &dockerConfigJson); err != nil {
+ log.Errorf("Unable to unmarshal .dockerconfigjson")
+ return err
+ }
+
+ json, err := buildDockerJSONConfig(dockerConfigJson, authorizationData)
+ if err != nil {
+ log.Errorf("Unable to build dockerJsonConfig from AuthorizationData")
+ return err
+ }
+
+ secret.Annotations[ecrUpdaterExpiresAt] = aws.ToTime(authorizationData.ExpiresAt).String()
+ secret.Data[".dockerconfigjson"] = json
+ _, err = client.CoreV1().Secrets(namespace).Update(context.TODO(), secret, metav1.UpdateOptions{})
+ return err
+}
+
+func buildDockerJSONConfig(dockerConfigJson DockerConfigJSON, authorizationData ecrType.AuthorizationData) ([]byte, error) {
+ user := "AWS"
+ token := aws.ToString(authorizationData.AuthorizationToken)
+ password := decodePassword(token)
+ password = password[4:]
+
+ if dockerConfigJson.Auths == nil {
+ dockerConfigJson.Auths = make(DockerConfig)
+ }
+ endpoint := credentials.ConvertToHostname(aws.ToString(authorizationData.ProxyEndpoint))
+ dockerConfigJson.Auths[endpoint] = DockerConfigEntry{
+ Auth: encodeDockerConfigFieldAuth(user, password),
+ }
+ return json.Marshal(dockerConfigJson)
+}
+
+func decodePassword(pass string) string {
+ bytes, _ := base64.StdEncoding.DecodeString(pass)
+ return string(bytes)
+}
+
+func encodeDockerConfigFieldAuth(username, password string) string {
+ fieldValue := username + ":" + password
+ return base64.StdEncoding.EncodeToString([]byte(fieldValue))
+}
From 2f7ebf93f0e330ac6bb98b28a7fc324a35b1c123 Mon Sep 17 00:00:00 2001
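Review bot: `UpdateCredential` in pkg/ecr/updater.go indexes `result.AuthorizationData[0]` after only logging the slice length, and `buildDockerJSONConfig` slices `password[4:]` on the output of `decodePassword`, which discards the base64 error; an empty response or a malformed token therefore panics the job instead of producing a logged failure. The 4-byte skip also assumes the decoded token starts with `AWS:` without checking it, so an unexpected format would write a wrong credential into `.dockerconfigjson`. I would guard the length before use and decode and validate the token inside `buildDockerJSONConfig`, returning an error that `updateSecretFromToken` already propagates. The excerpt below needs `fmt` and `strings` imported and leaves `decodePassword` without a caller.

```go
// … unchanged: credential lookup, AWS config, GetAuthorizationToken call …
	if len(result.AuthorizationData) == 0 {
		log.Fatal("ECR returned no authorization data")
	}
// … unchanged: secret lookup or creation, updateSecretFromToken call …

func buildDockerJSONConfig(dockerConfigJson DockerConfigJSON, authorizationData ecrType.AuthorizationData) ([]byte, error) {
	const user, prefix = "AWS", "AWS:"
	decoded, err := base64.StdEncoding.DecodeString(aws.ToString(authorizationData.AuthorizationToken))
	if err != nil {
		return nil, fmt.Errorf("decoding ECR authorization token: %w", err)
	}
	if !strings.HasPrefix(string(decoded), prefix) {
		return nil, fmt.Errorf("unexpected ECR authorization token format")
	}
	password := strings.TrimPrefix(string(decoded), prefix)
	// … unchanged: Auths nil check, endpoint lookup, entry assignment, json.Marshal …
```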
From: JenTing Hsiao Date: Mon, 12 Dec 2022 07:14:26 +0000 Subject: [PATCH 06/14] installer: update according to load from config Signed-off-by: JenTing Hsiao --- .../testdata/render/aws-setup/output.golden | 228 ----------------- .../testdata/render/azure-setup/output.golden | 228 ----------------- .../render/customization/output.golden | 238 ------------------ .../render/external-registry/output.golden | 228 ----------------- .../testdata/render/gcp-setup/output.golden | 228 ----------------- .../testdata/render/http-proxy/output.golden | 228 ----------------- .../render/kind-workspace/output.golden | 228 ----------------- .../cmd/testdata/render/minimal/output.golden | 228 ----------------- .../testdata/render/shortname/output.golden | 228 ----------------- .../statefulset-customization/output.golden | 228 ----------------- .../use-pod-security-policies/output.golden | 228 ----------------- .../render/vsxproxy-pvc/output.golden | 228 ----------------- .../workspace-requests-limits/output.golden | 228 ----------------- install/installer/go.mod | 51 ++-- install/installer/go.sum | 65 ++--- .../components/registry-credential/common.go | 28 +++ .../registry-credential/configmap.go | 79 ++++++ .../registry-credential/constants.go | 2 - .../components/registry-credential/cronjob.go | 5 +- .../pkg/components/registry-credential/job.go | 37 ++- .../components/registry-credential/objects.go | 16 +- .../components/registry-credential/role.go | 4 + .../registry-credential/rolebinding.go | 4 + .../components/registry-credential/secret.go | 74 ------ install/installer/pkg/config/v1/config.go | 5 +- 25 files changed, 226 insertions(+), 3118 deletions(-) create mode 100644 install/installer/pkg/components/registry-credential/common.go create mode 100644 install/installer/pkg/components/registry-credential/configmap.go delete mode 100644 install/installer/pkg/components/registry-credential/secret.go 
diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index dc86ee05431d57..0f212ea11a013d 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -975,18 +975,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1071,38 +1059,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -3320,70 +3276,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: @@ -6294,27 +6186,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -6784,24 +6655,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10978,40 +10831,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -11102,50 +10921,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/azure-setup/output.golden b/install/installer/cmd/testdata/render/azure-setup/output.golden index 3e5d24b8c9f944..349c5e76054b59 100644 --- a/install/installer/cmd/testdata/render/azure-setup/output.golden +++ b/install/installer/cmd/testdata/render/azure-setup/output.golden @@ -954,18 +954,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -1050,38 +1038,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret load-definition # Source: rabbitmq/charts/rabbitmq/templates/secrets.yaml apiVersion: v1 
@@ -3235,70 +3191,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: ServiceAccount metadata: @@ -6147,27 +6039,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -6619,24 +6490,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10817,40 +10670,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -10941,50 +10760,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index 352a3e5bd619fa..055d173a920e1d 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -1076,23 +1076,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - annotations: - gitpod.io: hello - hello: world - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - gitpod.io: hello - hello: world - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -1212,38 +1195,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -3963,75 +3914,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - annotations: - gitpod.io: hello - hello: world - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - gitpod.io: hello - hello: world - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: 
@@ -7230,27 +7112,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -7720,24 +7581,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -12406,40 +12249,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob @@ -12530,50 +12339,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} 
diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index 0baa14dbd3e4d7..736cc983cfaf9f 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden @@ -954,18 +954,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1050,38 +1038,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret db-password apiVersion: v1 data: 
@@ -3312,70 +3268,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: ConfigMap metadata: @@ -6353,27 +6245,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -6825,24 +6696,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -11128,40 +10981,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -11252,50 +11071,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index 8258c8256e2b3d..6d39ec2967a3ab 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden @@ -950,18 +950,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -1046,38 +1034,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret load-definition # Source: rabbitmq/charts/rabbitmq/templates/secrets.yaml apiVersion: v1 
@@ -3254,70 +3210,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -6106,27 +5998,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -6596,24 +6467,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -10681,40 +10534,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -10799,50 +10618,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index 8e741026e3e25d..3a4f3b131e0deb 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -991,18 +991,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -1087,38 +1075,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -3421,70 +3377,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: @@ -6595,27 +6487,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7085,24 +6956,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -13351,40 +13204,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -13515,50 +13334,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/kind-workspace/output.golden b/install/installer/cmd/testdata/render/kind-workspace/output.golden index e6131a6460b7df..a2c6dc323e0ca1 100644 --- a/install/installer/cmd/testdata/render/kind-workspace/output.golden +++ b/install/installer/cmd/testdata/render/kind-workspace/output.golden @@ -501,18 +501,6 @@ metadata: name: nobody namespace: default --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -573,38 +561,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -1619,70 +1575,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: @@ -2537,27 +2429,6 @@ rules: - get - update --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role ws-manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -2720,24 +2591,6 @@ subjects: - kind: ServiceAccount name: image-builder-mk3 --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding workspace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -4126,84 +3979,3 @@ spec: secret: secretName: https-certificates status: {} ---- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index 204eb53930cd0e..211c0d535f9583 100644 
--- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden @@ -991,18 +991,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1087,38 +1075,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -3418,70 +3374,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: @@ -6592,27 +6484,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7082,24 +6953,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -11503,40 +11356,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -11627,50 +11446,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index bf1d01b367e0ba..9ca790481ed4ca 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden @@ -991,18 +991,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -1087,38 +1075,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -3418,70 +3374,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: @@ -6592,27 +6484,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7082,24 +6953,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -11503,40 +11356,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -11627,50 +11446,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index 771a4a46873753..d0df31d248a9e7 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -991,18 +991,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -1087,38 +1075,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -3430,70 +3386,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: @@ -6604,27 +6496,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7094,24 +6965,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -11515,40 +11368,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -11639,50 +11458,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index dde0446af102da..2d49633cfcbcb9 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden @@ -1213,18 +1213,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -1309,38 +1297,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -3751,70 +3707,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: @@ -7016,27 +6908,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7526,24 +7397,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -11947,40 +11800,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -12071,50 +11890,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index 075b0eff86adf4..37860c219d3abf 100644 --- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden @@ -991,18 +991,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -1087,38 +1075,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -3420,70 +3376,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: @@ -6594,27 +6486,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7084,24 +6955,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -11493,40 +11346,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -11617,50 +11436,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index e42ca7a7226deb..de4bad3dd9b078 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -991,18 +991,6 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default ---- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true 
@@ -1087,38 +1075,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret aws-ecr-credentials -apiVersion: v1 -kind: Secret -metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default -stringData: - .dockerconfigjson: '{}' -type: kubernetes.io/dockerconfigjson ---- -# v1/Secret aws-iam-user-credentials -apiVersion: v1 -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default -stringData: - access_key_id: 8-WGqw2oTnsPfUDNSk0Y - secret_access_key: DpC.aSAxkWBPu2_bJ_AE ---- # v1/Secret builtin-registry-auth apiVersion: v1 data: 
@@ -3421,70 +3377,6 @@ data: name: image-builder-mk3 namespace: default --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: aws-iam-user-credentials - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - annotations: - aws-ecr-updater/region: us-west-1 - aws-ecr-updater/secret: aws-iam-user-credentials - creationTimestamp: null - labels: - app: gitpod - aws-ecr-updater: "true" - component: registry-credential - name: aws-ecr-credentials - namespace: default - --- - apiVersion: batch/v1 - kind: CronJob - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - --- apiVersion: v1 kind: Secret metadata: @@ -6595,27 +6487,6 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -7085,24 +6956,6 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: registry-credential -subjects: -- kind: ServiceAccount - name: registry-credential ---- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -11506,40 +11359,6 @@ spec: ttlSecondsAfterFinished: 60 status: {} --- -# batch/v1/Job registry-credential -apiVersion: batch/v1 -kind: Job -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential -status: {} ---- # batch/v1/CronJob gitpod-telemetry apiVersion: batch/v1 kind: CronJob 
@@ -11630,50 +11449,3 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} ---- -# batch/v1/CronJob registry-credential -apiVersion: batch/v1 -kind: CronJob -metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default -spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 - jobTemplate: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - backoffLimit: 10 - template: - metadata: - creationTimestamp: null - labels: - app: gitpod - component: registry-credential - name: registry-credential - namespace: default - spec: - containers: - - args: - - ecr-update - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test - imagePullPolicy: IfNotPresent - name: registry-credential - resources: {} - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: registry-credential - schedule: '* */6 * * *' - successfulJobsHistoryLimit: 1 -status: {} diff --git a/install/installer/go.mod b/install/installer/go.mod index 551d8f05512e37..f67dccdc0dcfc7 100644 --- a/install/installer/go.mod +++ b/install/installer/go.mod @@ -17,6 +17,7 @@ require ( github.com/gitpod-io/gitpod/ide-service-api v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/image-builder/api v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/openvsx-proxy v0.0.0-00010101000000-000000000000 + github.com/gitpod-io/gitpod/registry-credential v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/registry-facade/api v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/usage v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/ws-daemon v0.0.0-00010101000000-000000000000 
@@ -25,7 +26,7 @@ require ( github.com/gitpod-io/gitpod/ws-proxy v0.0.0-00010101000000-000000000000 github.com/go-playground/validator/v10 v10.9.0 github.com/go-test/deep v1.0.7 - github.com/google/go-cmp v0.5.8 + github.com/google/go-cmp v0.5.9 github.com/jetstack/cert-manager v1.5.0 github.com/mikefarah/yq/v4 v4.25.3 github.com/prometheus/client_golang v1.13.0 @@ -36,11 +37,11 @@ require ( golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473 helm.sh/helm/v3 v3.9.3 - k8s.io/api v0.24.4 - k8s.io/apimachinery v0.24.4 - k8s.io/client-go v0.24.4 + k8s.io/api v0.25.0 + k8s.io/apimachinery v0.25.0 + k8s.io/client-go v0.25.0 k8s.io/kubectl v0.24.4 - k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 + k8s.io/utils v0.0.0-20221107191617-1a15be271d1d sigs.k8s.io/yaml v1.3.0 ) @@ -64,8 +65,6 @@ require ( github.com/Masterminds/squirrel v1.5.3 // indirect github.com/Microsoft/go-winio v0.5.2 // indirect github.com/Microsoft/hcsshim v0.9.4 // indirect - github.com/PuerkitoBio/purell v1.1.1 // indirect - github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/a8m/envsubst v1.3.0 // indirect github.com/allegro/bigcache v1.2.1 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect 
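Review bot: `k8s.io/kubectl` stays at `v0.24.4` in the `@@ -36,11 +37,11 @@` hunk, while `k8s.io/api`, `k8s.io/apimachinery` and `k8s.io/client-go` on the neighbouring lines move to `v0.25.0`. These modules are released in lockstep, so mixing minor versions in one build can leave kubectl compiled against API types it was not released with. Unless a `replace` block outside this hunk already pins the effective versions, I would bump it in the same change: `k8s.io/kubectl v0.25.0`. If the skew is deliberate, a short `// pinned: <reason>` comment on that line would record why. The `require (` block opens before this hunk, so anything pinned above it is not visible here.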
@@ -110,9 +109,9 @@ require ( github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect - github.com/docker/cli v20.10.17+incompatible // indirect + github.com/docker/cli v20.10.21+incompatible // indirect github.com/docker/docker v20.10.17+incompatible // indirect - github.com/docker/docker-credential-helpers v0.6.4 // indirect + github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect github.com/docker/go-metrics v0.0.1 // indirect @@ -120,14 +119,14 @@ require ( github.com/dustin/go-humanize v1.0.0 // indirect github.com/eko/gocache v1.1.1 // indirect github.com/elliotchance/orderedmap v1.4.0 // indirect - github.com/emicklei/go-restful/v3 v3.8.0 // indirect + github.com/emicklei/go-restful/v3 v3.9.0 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect github.com/fatih/camelcase v1.0.0 // indirect github.com/fatih/color v1.13.0 // indirect github.com/fatih/gomodifytags v1.14.0 // indirect github.com/felixge/httpsnoop v1.0.2 // indirect - github.com/fsnotify/fsnotify v1.5.1 // indirect + github.com/fsnotify/fsnotify v1.5.4 // indirect github.com/fvbommel/sortorder v1.0.1 // indirect github.com/gitpod-io/gitpod/content-service v0.0.0-00010101000000-000000000000 // indirect github.com/gitpod-io/gitpod/registry-facade v0.0.0-00010101000000-000000000000 // indirect 
@@ -138,7 +137,7 @@ require ( github.com/go-logr/logr v1.2.3 // indirect github.com/go-ole/go-ole v1.2.6 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.19.5 // indirect + github.com/go-openapi/jsonreference v0.20.0 // indirect github.com/go-openapi/swag v0.19.14 // indirect github.com/go-ozzo/ozzo-validation v3.6.0+incompatible // indirect github.com/go-playground/locales v0.14.0 // indirect @@ -304,15 +303,15 @@ require ( go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.7.0 // indirect go.uber.org/zap v1.19.1 // indirect - golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect - golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect + golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect + golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect - golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect - golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect - golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect - golang.org/x/text v0.3.7 // indirect + golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect + golang.org/x/sys v0.3.0 // indirect + golang.org/x/term v0.3.0 // indirect + golang.org/x/text v0.5.0 // indirect golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect - golang.org/x/tools v0.1.10 // indirect + golang.org/x/tools v0.1.12 // indirect golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect google.golang.org/api v0.97.0 // indirect 
@@ -328,19 +327,19 @@ require ( gorm.io/driver/mysql v1.4.4 // indirect gorm.io/gorm v1.24.1 // indirect honnef.co/go/tools v0.2.2 // indirect - k8s.io/apiextensions-apiserver v0.24.2 // indirect + k8s.io/apiextensions-apiserver v0.25.0 // indirect k8s.io/apiserver v0.24.4 // indirect k8s.io/cli-runtime v0.24.4 // indirect - k8s.io/component-base v0.24.4 // indirect - k8s.io/klog/v2 v2.60.1 // indirect - k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8 // indirect + k8s.io/component-base v0.25.0 // indirect + k8s.io/klog/v2 v2.80.1 // indirect + k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect lukechampine.com/blake3 v1.1.6 // indirect oras.land/oras-go v1.2.0 // indirect sigs.k8s.io/controller-runtime v0.11.2 // indirect - sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect + sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/kustomize/api v0.11.4 // indirect sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect ) replace github.com/gitpod-io/gitpod/image-builder => ../components/image-builder-mk3 // leeway @@ -371,6 +370,8 @@ replace github.com/gitpod-io/gitpod/openvsx-proxy => ../../components/openvsx-pr replace github.com/gitpod-io/gitpod/components/public-api/go => ../../components/public-api/go // leeway +replace github.com/gitpod-io/gitpod/registry-credential => ../../components/registry-credential // leeway + replace github.com/gitpod-io/gitpod/registry-facade => ../../components/registry-facade // leeway replace github.com/gitpod-io/gitpod/registry-facade/api => ../../components/registry-facade-api/go // leeway diff --git a/install/installer/go.sum b/install/installer/go.sum index cc5ef81950f62c..7f64f5536e352c 100644 --- a/install/installer/go.sum +++ b/install/installer/go.sum 
@@ -157,9 +157,7 @@ github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:m github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= @@ -492,7 +490,6 @@ github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1S github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8= github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I= -github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg= github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
@@ -527,8 +524,8 @@ github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyG github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v20.10.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v20.10.17+incompatible h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32PaqRpvoEkKBy5M= -github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v20.10.21+incompatible h1:qVkgyYUnOLQ98LtXBrwd/duVqPT2X4SHndOuGsfwyhU= +github.com/docker/cli v20.10.21+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= github.com/docker/distribution v0.0.0-20191216044856-a8371794149d/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= 
@@ -541,8 +538,8 @@ github.com/docker/docker v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompati github.com/docker/docker v20.10.17+incompatible h1:JYCuMrWaVNophQTOrMMoSwudOVEfcegoZZrleKc1xwE= github.com/docker/docker v20.10.17+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= -github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o= -github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c= +github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= +github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= 
@@ -571,8 +568,8 @@ github.com/elliotchance/orderedmap v1.4.0 h1:wZtfeEONCbx6in1CZyE6bELEt/vFayMvsxq github.com/elliotchance/orderedmap v1.4.0/go.mod h1:wsDwEaX5jEoyhbs7x93zk2H/qv0zwuhg4inXhDkYqys= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful/v3 v3.8.0 h1:eCZ8ulSerjdAiaNpF7GxXIE7ZCMo1moN1qX+S609eVw= -github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -622,8 +619,8 @@ github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebP github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI= -github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= +github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= +github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fsouza/fake-gcs-server v1.37.11 h1:Of18n+AunBntGLiv7O96wzOuT8PBEt8CYXcJkc/ehsI= github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= github.com/fvbommel/sortorder v1.0.1 h1:dSnXLt4mJYH25uDDGa3biZNQsozaUWDSWeKJ0qqFfzE= 
@@ -673,8 +670,9 @@ github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34 github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= +github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= 
@@ -821,8 +819,9 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= -github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0= github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= github.com/google/go-intervals v0.0.2/go.mod h1:MkaR3LNRfeKLPmqgJYs4E66z5InYjmCjbbr4TQlcT6Y= 
@@ -2362,8 +2361,9 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -2448,8 +2448,9 @@ golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI= golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 h1:Frnccbp+ok2GkUS2tC84yAq/U9Vg+0sIO7aRL3T4Xnc= +golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -2488,8 +2489,9 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -2639,13 +2641,15 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= +golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -2654,8 +2658,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= +golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -2745,8 +2750,8 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= -golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20= -golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= +golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -3043,8 +3048,8 @@ gorm.io/gorm v1.24.1/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= -gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o= helm.sh/helm/v3 v3.6.3/go.mod h1:mIIus8EOqj+obtycw3sidsR4ORr2aFDmXMSI3k+oeVY= helm.sh/helm/v3 v3.9.3 h1:etd4Qc45/bnIkBofZIRwrAzYuG3bNWR1EdMN4fsfzoE= 
@@ -3087,14 +3092,15 @@ k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= -k8s.io/klog/v2 v2.60.1 h1:VW25q3bZx9uE3vvdL6M8ezOX79vA2Aq1nEWLqNQclHc= k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-aggregator v0.24.4/go.mod h1:5h/GX6F1Tk1YZf6N8l3TElwR+nB+lT8dKRUlxeMaMBs= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= k8s.io/kube-openapi v0.0.0-20210527164424-3c818078ee3d/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk= -k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8 h1:yEQKdMCjzAOvGeiTwG4hO/hNVNtDOuUFvMUZ0OlaIzs= -k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8/go.mod h1:mbJ+NSUoAhuR14N0S63bPkh8MGVSo3VYSGZtH/mfMe0= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/kubectl v0.24.4 h1:fPEBkAV3/cu3BQVIUCXNngCCY62AlZ+2rkRVHcmJPn0= k8s.io/kubectl v0.24.4/go.mod h1:AVyJzxUwA5UMGTDyKGL6nd6RRW36FbmAdtIDMhrZtW0= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= 
@@ -3104,8 +3110,9 @@ k8s.io/utils v0.0.0-20210111153108-fddb29f9d009/go.mod h1:jPW/WVKK9YHAvNhRxK0md/ k8s.io/utils v0.0.0-20210305010621-2afb4311ab10/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210527160623-6fdb442a123b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc= k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= lukechampine.com/blake3 v1.1.6 h1:H3cROdztr7RCfoaTpGZFQsrqvweFLrqS73j7L7cmR5c= lukechampine.com/blake3 v1.1.6/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA= oras.land/oras-go v1.2.0 h1:yoKosVIbsPoFMqAIFHTnrmOuafHal+J/r+I5bdbVWu4= 
@@ -3122,8 +3129,9 @@ sigs.k8s.io/controller-runtime v0.11.2/go.mod h1:P6QCzrEjLaZGqHsfd+os7JQ+WFZhvB8 sigs.k8s.io/controller-tools v0.5.0/go.mod h1:JTsstrMpxs+9BUj6eGuAaEb6SDSPTeVtUyp0jmnAM/I= sigs.k8s.io/controller-tools v0.6.0/go.mod h1:baRMVPrctU77F+rfAuH2uPqW93k6yQnZA2dhUOr7ihc= sigs.k8s.io/gateway-api v0.3.0/go.mod h1:Wb8bx7QhGVZxOSEU3i9vw/JqTB5Nlai9MLMYVZeDmRQ= -sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= +sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= +sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.11.4 h1:/0Mr3kfBBNcNPOW5Qwk/3eb8zkswCwnqQxxKtmrTkRo= sigs.k8s.io/kustomize/api v0.11.4/go.mod h1:k+8RsqYbgpkIrJ4p9jcdPqe8DprLxFUUO0yNOq8C+xI= sigs.k8s.io/kustomize/cmd/config v0.10.6/go.mod h1:/S4A4nUANUa4bZJ/Edt7ZQTyKOY9WCER0uBS1SW2Rco= 
@@ -3131,8 +3139,9 @@ sigs.k8s.io/kustomize/kustomize/v4 v4.5.4/go.mod h1:Zo/Xc5FKD6sHl0lilbrieeGeZHVY sigs.k8s.io/kustomize/kyaml v0.13.6 h1:eF+wsn4J7GOAXlvajv6OknSunxpcOBQQqsnPxObtkGs= sigs.k8s.io/kustomize/kyaml v0.13.6/go.mod h1:yHP031rn1QX1lr/Xd934Ri/xdVNG8BE2ECa78Ht/kEg= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y= sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= diff --git a/install/installer/pkg/components/registry-credential/common.go b/install/installer/pkg/components/registry-credential/common.go new file mode 100644 index 00000000000000..904e9b74a6d129 --- /dev/null +++ b/install/installer/pkg/components/registry-credential/common.go 
@@ -0,0 +1,28 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package registry_credential
+
+import (
+ "regexp"
+
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ "k8s.io/utils/pointer"
+)
+
+// isAWSRegistry checks the external container registry URL is a private AWS ECR container registry.
+func isAWSRegistry(ctx *common.RenderContext) bool {
+ if pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) &&
+ ctx.Config.ContainerRegistry.External != nil {
+ // We support private AWS ECR container registry now.
+ re := regexp.MustCompile(`^\d{12}\.dkr\.ecr\.[a-z]{2}-[a-z]+-\d\.amazonaws\.com$`)
+ return re.MatchString(ctx.Config.ContainerRegistry.External.URL)
+ }
+ return false
+}
+
+// TODO(jenting): parse the AWS region from the container registry URL
+func getAWSRegion(url string) string {
+ return "us-west-1"
+}
diff --git a/install/installer/pkg/components/registry-credential/configmap.go b/install/installer/pkg/components/registry-credential/configmap.go
new file mode 100644
index 00000000000000..558e79af978944
--- /dev/null
+++ b/install/installer/pkg/components/registry-credential/configmap.go
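Review bot: The guard in `isAWSRegistry` looks inverted: it requires `InCluster` to be true together with a non-nil `External`, yet an external ECR registry would normally be configured with the in-cluster registry switched off, so the ConfigMap, RBAC and jobs gated on this function may never render. If that reading is right, `if !pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) &&` expresses the intent. `getAWSRegion` ignores its argument and always returns `us-west-1`, so a registry in any other region gets a configuration pointing at the wrong region; the region is already matched by the pattern and could be taken from a capture group such as `\.ecr\.([a-z]{2}-[a-z]+-\d)\.`. The pattern is also recompiled on every call and would be better as a package-level `var`.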
@@ -0,0 +1,79 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+package registry_credential
+
+import (
+ "fmt"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ "github.com/gitpod-io/gitpod/registry-credential/pkg/config"
+)
+
+func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
+ if !isAWSRegistry(ctx) {
+ return []runtime.Object{}, nil
+ }
+
+ credentialSecretName, err := credentialSecretName(ctx)
+ if err != nil {
+ return nil, err
+ }
+
+ region := getAWSRegion(ctx.Config.ContainerRegistry.External.URL)
+
+ secretToUpdateName, err := secretToUpdateName(ctx)
+ if err != nil {
+ return nil, err
+ }
+
+ registryCredentialCfg := config.Configuration{
+ Namespace: ctx.Namespace,
+ CredentialSecret: credentialSecretName,
+ Region: region,
+ SecretToUpdate: secretToUpdateName,
+ }
+
+ json, err := common.ToJSONString(registryCredentialCfg)
+ if err != nil {
+ return nil, fmt.Errorf("failed to marshal %s config: %w", Component, err)
+ }
+
+ return []runtime.Object{
+ &corev1.ConfigMap{
+ TypeMeta: common.TypeMetaConfigmap,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: common.DefaultLabels(Component),
+ },
+ Data: map[string]string{
+ "registry-credential.json": string(json),
+ },
+ },
+ }, nil
+}
+
+func secretToUpdateName(ctx *common.RenderContext) (string, error) {
+ var secretName string
+ if ctx.Config.ContainerRegistry.External != nil {
+ secretName = ctx.Config.ContainerRegistry.External.Certificate.Name
+ } else {
+ return "", fmt.Errorf("%s: invalid container registry config", Component)
+ }
+ return secretName, nil
+}
+
+func credentialSecretName(ctx *common.RenderContext) (string, error) {
+ var secretName string
+ if ctx.Config.ContainerRegistry.External != nil {
+ secretName = ctx.Config.ContainerRegistry.External.Credential.Name + } else { + return "", fmt.Errorf("%s: invalid container registry config", Component) + } + return secretName, nil +} diff --git a/install/installer/pkg/components/registry-credential/constants.go b/install/installer/pkg/components/registry-credential/constants.go index 80501e3c89ca7e..0aba81deec58f8 100644 --- a/install/installer/pkg/components/registry-credential/constants.go +++ b/install/installer/pkg/components/registry-credential/constants.go @@ -7,7 +7,5 @@ package registry_credential const ( Component = "registry-credential" - SecretNameAWSIAMUserCredentials = "aws-iam-user-credentials" - CronSchedule = "* */6 * * *" ) diff --git a/install/installer/pkg/components/registry-credential/cronjob.go b/install/installer/pkg/components/registry-credential/cronjob.go index 3903b2a2fbc672..f26c5ffd30d749 100644 --- a/install/installer/pkg/components/registry-credential/cronjob.go +++ b/install/installer/pkg/components/registry-credential/cronjob.go @@ -14,6 +14,10 @@ import ( ) func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) { + if !isAWSRegistry(ctx) { + return []runtime.Object{}, nil + } + objectMeta := metav1.ObjectMeta{ Name: Component, Namespace: ctx.Namespace, @@ -25,7 +29,6 @@ func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) { TypeMeta: common.TypeMetaBatchCronJob, ObjectMeta: objectMeta, Spec: batchv1.CronJobSpec{ - Schedule: CronSchedule, SuccessfulJobsHistoryLimit: pointer.Int32(1), FailedJobsHistoryLimit: pointer.Int32(10), diff --git a/install/installer/pkg/components/registry-credential/job.go b/install/installer/pkg/components/registry-credential/job.go index 1d2858d33641da..64c42d67950251 100644 --- a/install/installer/pkg/components/registry-credential/job.go +++ b/install/installer/pkg/components/registry-credential/job.go 
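Review bot: `secretToUpdateName` and `credentialSecretName` in configmap.go return whatever `Name` holds, including an empty string, so a missing secret reference is written into `registry-credential.json` and only surfaces when the job runs. Because `configmap` has already passed `isAWSRegistry`, the `External == nil` branches cannot be reached from it, and the useful check is on the name itself: `if secretName == "" { return "", fmt.Errorf("%s: credential secret name is required", Component) }`. The types of `Certificate` and `Credential` are not visible in this hunk; if either is a pointer it needs a nil check before `.Name`. Separately, this file carries the MIT header while common.go in the same package carries the AGPL one.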
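Review bot: Removing `Schedule: CronSchedule,` in the second cronjob.go hunk leaves the `batchv1.CronJobSpec` literal without a schedule, and the `CronSchedule` constant is deleted in constants.go, so unless the field is assigned outside the hunk the rendered CronJob has an empty `spec.schedule`, which Kubernetes does not accept. The credential refresh would then never run on a timer, and the pull secret would stay only as fresh as the one-off job left it. Keep the field, for example `Schedule: "0 */6 * * *",` — the removed value `* */6 * * *` fires every minute of every sixth hour, which is probably not what was intended. The `CronJobSpec` literal continues past the end of the hunk.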
@@ -6,7 +6,7 @@ package registry_credential import ( batchv1 "k8s.io/api/batch/v1" - v1 "k8s.io/api/core/v1" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/utils/pointer" @@ -17,20 +17,37 @@ import ( func jobSpec(ctx *common.RenderContext, objectMeta metav1.ObjectMeta) batchv1.JobSpec { return batchv1.JobSpec{ BackoffLimit: pointer.Int32(10), - Template: v1.PodTemplateSpec{ + Template: corev1.PodTemplateSpec{ ObjectMeta: objectMeta, - Spec: v1.PodSpec{ - RestartPolicy: v1.RestartPolicyOnFailure, + Spec: corev1.PodSpec{ + RestartPolicy: corev1.RestartPolicyOnFailure, ServiceAccountName: Component, - Containers: []v1.Container{ + Containers: []corev1.Container{ { Name: Component, - Args: []string{"ecr-update"}, + Args: []string{"ecr-update", "/config/config.json"}, Image: ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.RegistryCredential.Version), - ImagePullPolicy: v1.PullIfNotPresent, - SecurityContext: &v1.SecurityContext{ + ImagePullPolicy: corev1.PullIfNotPresent, + SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: pointer.Bool(false), }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "config", + MountPath: "/config", + ReadOnly: true, + }, + }, + }, + }, + Volumes: []corev1.Volume{ + { + Name: "config", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{Name: Component}, + }, + }, }, }, }, @@ -39,6 +56,10 @@ func jobSpec(ctx *common.RenderContext, objectMeta metav1.ObjectMeta) batchv1.Jo } func job(ctx *common.RenderContext) ([]runtime.Object, error) { + if !isAWSRegistry(ctx) { + return []runtime.Object{}, nil + } + objectMeta := metav1.ObjectMeta{ Name: Component, Namespace: ctx.Namespace, 
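Review bot: In jobSpec the container is started with `/config/config.json`, but the ConfigMap rendered by configmap.go in this patch stores the configuration under the key `registry-credential.json`, and the volume mounts that ConfigMap at `/config` without an `Items` mapping, so the file would appear as `/config/registry-credential.json` and the job would not find its config. Align the two, either by renaming the ConfigMap key to `"config.json"` or by passing `"/config/registry-credential.json"` in `Args`. A short comment on the `Args` line naming the ConfigMap key it depends on would keep the two from drifting apart.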
diff --git a/install/installer/pkg/components/registry-credential/objects.go b/install/installer/pkg/components/registry-credential/objects.go index eda34614826e77..abc7e97cd97d28 100644 --- a/install/installer/pkg/components/registry-credential/objects.go +++ b/install/installer/pkg/components/registry-credential/objects.go @@ -4,13 +4,21 @@ package registry_credential -import "github.com/gitpod-io/gitpod/installer/pkg/common" +import ( + "github.com/gitpod-io/gitpod/installer/pkg/common" + "k8s.io/apimachinery/pkg/runtime" +) var Objects = common.CompositeRenderFunc( + configmap, role, rolebinding, - secret, - job, cronjob, - common.DefaultServiceAccount(Component), + job, + func(ctx *common.RenderContext) ([]runtime.Object, error) { + if !isAWSRegistry(ctx) { + return nil, nil + } + return common.DefaultServiceAccount(Component)(ctx) + }, ) diff --git a/install/installer/pkg/components/registry-credential/role.go b/install/installer/pkg/components/registry-credential/role.go index 75278d208238a4..516a5ad23d5273 100644 --- a/install/installer/pkg/components/registry-credential/role.go +++ b/install/installer/pkg/components/registry-credential/role.go @@ -13,6 +13,10 @@ import ( ) func role(ctx *common.RenderContext) ([]runtime.Object, error) { + if !isAWSRegistry(ctx) { + return []runtime.Object{}, nil + } + return []runtime.Object{ &rbacv1.Role{ TypeMeta: common.TypeMetaRole, diff --git a/install/installer/pkg/components/registry-credential/rolebinding.go b/install/installer/pkg/components/registry-credential/rolebinding.go index 273358281bee7e..c14534c1664168 100644 --- a/install/installer/pkg/components/registry-credential/rolebinding.go +++ b/install/installer/pkg/components/registry-credential/rolebinding.go @@ -13,6 +13,10 @@ import ( ) func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) { + if !isAWSRegistry(ctx) { + return []runtime.Object{}, nil + } + return []runtime.Object{ &rbacv1.RoleBinding{ TypeMeta: common.TypeMetaRoleBinding, 
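Review bot: The `isAWSRegistry` guard is now repeated in configmap, role, rolebinding, cronjob, job and in the inline closure around `common.DefaultServiceAccount(Component)` in objects.go, and the closure returns `nil, nil` where the others return `[]runtime.Object{}, nil`. Keeping the condition in one place would make it harder to add a render function later that forgets it. A small wrapper such as `func onlyForAWS(f common.RenderFunc) common.RenderFunc`, applied to each entry of `Objects`, would do, assuming `common.RenderFunc` is the type CompositeRenderFunc accepts (not visible here).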
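Review bot: role.go now gates the Role on isAWSRegistry, but the rules themselves lie outside this hunk; the rendered Role in the aws-setup golden output further down this page grants `get`, `list`, `watch` and `update` on every Secret in the namespace. The updater is configured with exactly two secret names (`credentialSecret` and `secretToUpdate`), so if it only reads and updates those, the rule could carry `ResourceNames` with the two names and drop `list` and `watch`, which limits what the job's service account token can read if the pod is compromised. Confirm against the calls updater.go really makes before narrowing.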
diff --git a/install/installer/pkg/components/registry-credential/secret.go b/install/installer/pkg/components/registry-credential/secret.go
deleted file mode 100644
index 7979e225ccc42a..00000000000000
--- a/install/installer/pkg/components/registry-credential/secret.go
+++ /dev/null
@@ -1,74 +0,0 @@
-// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
-// Licensed under the GNU Affero General Public License (AGPL).
-// See License-AGPL.txt in the project root for license information.
-
-package registry_credential
-
-import (
- "fmt"
-
- corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
-
- "github.com/gitpod-io/gitpod/installer/pkg/common"
-)
-
-func secret(ctx *common.RenderContext) ([]runtime.Object, error) {
- accessKey := ctx.Values.StorageAccessKey
- if accessKey == "" {
- return nil, fmt.Errorf("unknown value: access key")
- }
-
- secretKey := ctx.Values.StorageSecretKey
- if secretKey == "" {
- return nil, fmt.Errorf("unknown value: secret key")
- }
-
- region := ctx.Values.Region
- if region == "" {
- return nil, fmt.Errorf("unknown value: region")
- }
-
- commonLabels := common.DefaultLabels(Component)
-
- // copy a map
- ecrLabels := make(map[string]string)
- for k, v := range commonLabels {
- ecrLabels[k] = v
- }
- ecrLabels["aws-ecr-updater"] = "true"
-
- return []runtime.Object{
- // IAM user credentials
- &corev1.Secret{
- TypeMeta: common.TypeMetaSecret,
- ObjectMeta: metav1.ObjectMeta{
- Name: SecretNameAWSIAMUserCredentials,
- Namespace: ctx.Namespace,
- Labels: commonLabels,
- },
- StringData: map[string]string{
- "access_key_id": accessKey,
- "secret_access_key": secretKey,
- },
- },
- // ECR credentials
- &corev1.Secret{
- TypeMeta: common.TypeMetaSecret,
- ObjectMeta: metav1.ObjectMeta{
- Name: "aws-ecr-credentials",
- Namespace: ctx.Namespace,
- Labels: ecrLabels,
- Annotations: map[string]string{
- "aws-ecr-updater/secret": SecretNameAWSIAMUserCredentials,
- "aws-ecr-updater/region": region,
- },
- },
- Type: corev1.SecretTypeDockerConfigJson,
- StringData: map[string]string{
- ".dockerconfigjson": "{}",
- },
- },
- }, nil
-}
diff --git a/install/installer/pkg/config/v1/config.go b/install/installer/pkg/config/v1/config.go index e73a365ec264a6..3d3758c3bd23d4 100644 --- a/install/installer/pkg/config/v1/config.go +++ b/install/installer/pkg/config/v1/config.go @@ -301,8 +301,9 @@ type ContainerRegistry struct { } type ContainerRegistryExternal struct { - URL string `json:"url" validate:"required"` - Certificate ObjectRef `json:"certificate" validate:"required"` + URL string `json:"url" validate:"required"` + Certificate ObjectRef `json:"certificate" validate:"required"` + Credential *ObjectRef `json:"credential,omitempty"` } type S3Storage struct { From 3ebe4f945760a6efe1c0e9da52eb0295c2b797be Mon Sep 17 00:00:00 2001 From: Simon Emms Date: Mon, 12 Dec 2022 14:14:18 +0000 Subject: [PATCH 07/14] [installer]: add registry-credential as leeway dependency (#15306) --- components/registry-credential/BUILD.yaml | 10 ++++++++++ install/installer/BUILD.yaml | 1 + 2 files changed, 11 insertions(+) diff --git a/components/registry-credential/BUILD.yaml b/components/registry-credential/BUILD.yaml index b148167be6ddf4..4b99d438a557e4 100644 --- a/components/registry-credential/BUILD.yaml +++ b/components/registry-credential/BUILD.yaml @@ -26,3 +26,13 @@ packages: image: - ${imageRepoBase}/registry-credential:${version} - ${imageRepoBase}/registry-credential:commit-${__git_commit} + - name: lib + type: go + srcs: + - "**/*.go" + - "go.mod" + - "go.sum" + config: + packaging: library + deps: + - components/common-go:lib diff --git a/install/installer/BUILD.yaml b/install/installer/BUILD.yaml index af5dc03e94b5c7..5fc682ab17fe64 100644 --- a/install/installer/BUILD.yaml +++ b/install/installer/BUILD.yaml @@ -29,6 +29,7 @@ packages: - components/image-builder-api/go:lib - components/openvsx-proxy:lib - components/public-api/go:lib + - components/registry-credential:lib - components/registry-facade-api/go:lib - components/registry-facade:lib - components/ws-daemon-api/go:lib 
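Review bot: The new `Credential` field in ContainerRegistryExternal (config.go) has no doc comment, and nothing in the struct says which keys the referenced Secret must hold or when the field is needed. Suggested comment: `// Credential references the Secret with the AWS IAM user keys (access_key_id, secret_access_key) used to refresh the ECR pull secret; only read for AWS ECR registries.` The key names are the ones updater.go reads from the credential secret elsewhere in this series; the "only for ECR" part is inferred from the isAWSRegistry guards and should be confirmed.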
From 329f6319ff169d277e88f99e97a179189cff2997 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Mon, 12 Dec 2022 15:47:26 +0000 Subject: [PATCH 08/14] registry-credential: support public AWS ECR credential rotation Signed-off-by: JenTing Hsiao --- .../registry-credential/example-config.json | 2 + components/registry-credential/go.mod | 1 + components/registry-credential/go.sum | 2 + .../registry-credential/pkg/config/config.go | 3 + .../registry-credential/pkg/ecr/updater.go | 88 ++- .../cmd/testdata/render/aws-setup/config.yaml | 10 +- .../testdata/render/aws-setup/output.golden | 517 ++++++------------ install/installer/go.mod | 24 +- install/installer/go.sum | 36 +- .../components/registry-credential/common.go | 80 ++- .../registry-credential/common_test.go | 113 ++++ .../registry-credential/configmap.go | 26 +- .../components/registry-credential/cronjob.go | 44 +- .../pkg/components/registry-credential/job.go | 76 --- .../components/registry-credential/objects.go | 6 +- .../components/registry-credential/role.go | 4 +- .../registry-credential/rolebinding.go | 4 +- 17 files changed, 530 insertions(+), 506 deletions(-) create mode 100644 install/installer/pkg/components/registry-credential/common_test.go delete mode 100644 install/installer/pkg/components/registry-credential/job.go diff --git a/components/registry-credential/example-config.json b/components/registry-credential/example-config.json index d29a699468ee2d..0152ecf70dc573 100644 --- a/components/registry-credential/example-config.json +++ b/components/registry-credential/example-config.json @@ -1,5 +1,7 @@ { "namespace": "default", "credentialSecret": "", + "region": "", + "publicRegistry": false, "secretToUpdate": "" } diff --git a/components/registry-credential/go.mod b/components/registry-credential/go.mod index d1f05c3b551098..265e8c90cc24ed 100644 --- a/components/registry-credential/go.mod +++ b/components/registry-credential/go.mod 
@@ -7,6 +7,7 @@ require ( github.com/aws/aws-sdk-go-v2/config v1.18.4 github.com/aws/aws-sdk-go-v2/credentials v1.13.4 github.com/aws/aws-sdk-go-v2/service/ecr v1.17.24 + github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.21 github.com/docker/cli v20.10.21+incompatible github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000 github.com/spf13/cobra v1.4.0 diff --git a/components/registry-credential/go.sum b/components/registry-credential/go.sum index cdc3ec6afdd2db..ff7cd6154b34d9 100644 --- a/components/registry-credential/go.sum +++ b/components/registry-credential/go.sum @@ -71,6 +71,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 h1:N2eKFw2S+JWRCtTt0IhIX7uoGGQ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27/go.mod h1:RdwFVc7PBYWY33fa2+8T1mSqQ7ZEK4ILpM0wfioDC3w= github.com/aws/aws-sdk-go-v2/service/ecr v1.17.24 h1:Ax6tsTbbkkVFewkarjAuV50m3T9SdVNyngnQgrumYnE= github.com/aws/aws-sdk-go-v2/service/ecr v1.17.24/go.mod h1:p0ME1/7PG+Gn6fUcBaXGyeuI+gL6JCD7aM1/EfwxmWo= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.21 h1:MDdhSMk2TImYUtVmgjgdNHnMEUXHlQrKJV7wfxSupjg= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.21/go.mod h1:q9zznamieyKrNWiI4gaPMmjni3r2MDyb+509ukpOrJk= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 h1:jlgyHbkZQAgAc7VIxJDmtouH8eNjOk2REVAQfVhdaiQ= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20/go.mod h1:Xs52xaLBqDEKRcAfX/hgjmD3YQ7c/W+BEyfamlO/W2E= github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 h1:ActQgdTNQej/RuUJjB9uxYVLDOvRGtUreXF8L3c8wyg= diff --git a/components/registry-credential/pkg/config/config.go b/components/registry-credential/pkg/config/config.go index 82d4100302b935..676efa3f446b58 100644 --- a/components/registry-credential/pkg/config/config.go +++ b/components/registry-credential/pkg/config/config.go 
@@ -23,6 +23,9 @@ type Configuration struct { // Region describes which public cloud region the container registry locates. Region string `json:"region"` + // PublicRegistry indicates it's a private or public container registry. + PublicRegistry bool `json:"publicRegistry"` + // SecretToUpdate names a Kubernetes secret which contains a `.dockerconfigjson` entry // carrying the Docker authentication credentials. SecretToUpdate string `json:"secretToUpdate"` diff --git a/components/registry-credential/pkg/ecr/updater.go b/components/registry-credential/pkg/ecr/updater.go index 2dc8d49c218c0a..ec3380ffc7524e 100644 --- a/components/registry-credential/pkg/ecr/updater.go +++ b/components/registry-credential/pkg/ecr/updater.go @@ -8,6 +8,7 @@ import ( "context" "encoding/base64" "encoding/json" + "time" corev1 "k8s.io/api/core/v1" k8serr "k8s.io/apimachinery/pkg/api/errors" @@ -18,7 +19,7 @@ import ( awsconfig "github.com/aws/aws-sdk-go-v2/config" awscred "github.com/aws/aws-sdk-go-v2/credentials" ecr "github.com/aws/aws-sdk-go-v2/service/ecr" - ecrType "github.com/aws/aws-sdk-go-v2/service/ecr/types" + ecrPublic "github.com/aws/aws-sdk-go-v2/service/ecrpublic" "github.com/docker/cli/cli/config/credentials" "github.com/gitpod-io/gitpod/common-go/log" @@ -26,12 +27,12 @@ import ( ) const ( - accessKeyIdPropName = "access_key_id" - secretAccessKeyPropName = "secret_access_key" + accessKeyIdName = "access_key_id" + secretAccessKeyName = "secret_access_key" ) const ( - ecrUpdaterExpiresAt = "ecr-updater/expires-at" + ecrExpiresAtAnnotation = "registry-credential-updater/ecr-expires-at" ) // DockerConfigJSON represents ~/.docker/config.json file info 
@@ -50,16 +51,20 @@ type DockerConfigEntry struct { } func UpdateCredential(client *kubernetes.Clientset, cfg *config.Configuration) { + private := !cfg.PublicRegistry + region := cfg.Region + + log := log.WithField("private", private).WithField("region", region) + credSecret, err := getSecret(client, cfg.Namespace, cfg.CredentialSecret) if err != nil { log.WithError(err).Fatalf("cannot find the credential secret %s/%s", cfg.CredentialSecret, cfg.Namespace) } - accessKey := string(credSecret.Data[accessKeyIdPropName]) - secretKey := string(credSecret.Data[secretAccessKeyPropName]) - region := cfg.Region + accessKey := string(credSecret.Data[accessKeyIdName]) + secretKey := string(credSecret.Data[secretAccessKeyName]) - log.Infof("Prepare to rotate AWS ECR secret %s/%s for region %s", cfg.SecretToUpdate, cfg.Namespace, region) + log.Infof("Prepare to rotate AWS ECR secret %s/%s", cfg.SecretToUpdate, cfg.Namespace) awsConfig, err := newAWSConfig(region, accessKey, secretKey, "") if err != nil { 
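Review bot: `accessKey` and `secretKey` are read from `credSecret.Data` without checking that either key is present, so a Secret that lacks `access_key_id` or `secret_access_key` hands empty strings to newAWSConfig and the failure surfaces only later, presumably as an AWS authentication error. Fail early instead: `if accessKey == "" || secretKey == "" { log.Fatalf("secret %s/%s must contain %s and %s", cfg.Namespace, cfg.CredentialSecret, accessKeyIdName, secretAccessKeyName) }`. The existing `Fatalf` and `Infof` messages in this hunk also pass the secret name before the namespace under a `%s/%s` that reads like namespace/name. UpdateCredential continues past the end of the hunk.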
@@ -67,12 +72,50 @@ func UpdateCredential(client *kubernetes.Clientset, cfg *config.Configuration) { } // Get an authorization token from ECR - ecrClient := ecr.NewFromConfig(awsConfig) - result, err := ecrClient.GetAuthorizationToken(context.TODO(), &ecr.GetAuthorizationTokenInput{}) - if err != nil { - log.WithError(err).Fatal("unable to get an Authorization token from ECR") + var ( + authorizationToken string + expiresAt time.Time + endpoint string + ) + if private { + ecrClient := ecr.NewFromConfig(awsConfig) + result, err := ecrClient.GetAuthorizationToken(context.TODO(), &ecr.GetAuthorizationTokenInput{}) + if err != nil { + log.WithError(err).Fatal("unable to get an authorization token with private ECR") + } + if len(result.AuthorizationData) == 0 { + log.Fatal("cannot get the authorization data") + } + + authorizationToken = aws.ToString(result.AuthorizationData[0].AuthorizationToken) + if authorizationToken == "" { + log.Fatal("cannot get the authorization token") + } + + endpoint = aws.ToString(result.AuthorizationData[0].ProxyEndpoint) + if endpoint == "" { + log.Fatal("cannot get proxy endpoint") + } + + expiresAt = aws.ToTime(result.AuthorizationData[0].ExpiresAt) + } else { + ecrClient := ecrPublic.NewFromConfig(awsConfig) + result, err := ecrClient.GetAuthorizationToken(context.TODO(), &ecrPublic.GetAuthorizationTokenInput{}) + if err != nil { + log.WithError(err).Fatal("unable to get an authorization token from public ECR") + } + if result.AuthorizationData == nil { + log.Fatal("cannot get the authorization data") + } + + authorizationToken = aws.ToString(result.AuthorizationData.AuthorizationToken) + if authorizationToken == "" { + log.Fatal("cannot get the authorization token") + } + + expiresAt = aws.ToTime(result.AuthorizationData.ExpiresAt) + endpoint = "public.ecr.aws" } - log.Infof("Found %d authorizationData", len(result.AuthorizationData)) secretToUpdate, err := getSecret(client, cfg.Namespace, cfg.SecretToUpdate) if err != nil { 
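Review bot: The public branch builds `ecrPublic.NewFromConfig(awsConfig)` from the same `cfg.Region` as the private branch, but to my knowledge ECR Public serves its API from only a few regions and its authentication is documented against us-east-1, so a token request made in the registry's own region may fail. Confirm this against the AWS endpoint list and against what the installer writes into `region` for public registries. If it holds, pin the client's region, e.g. `ecrPublic.NewFromConfig(awsConfig, func(o *ecrPublic.Options) { o.Region = "us-east-1" })`. Both `GetAuthorizationToken` calls also run on `context.TODO()`, so a stalled endpoint blocks the job with no deadline; a `context.WithTimeout` would bound it.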
@@ -101,12 +144,12 @@ func UpdateCredential(client *kubernetes.Clientset, cfg *config.Configuration) { } } - err = updateSecretFromToken(client, cfg.Namespace, secretToUpdate, result.AuthorizationData[0]) + err = updateSecretFromToken(client, cfg.Namespace, secretToUpdate, authorizationToken, expiresAt, endpoint) if err != nil { log.WithError(err).Fatalf("Unable to update secret") } - log.Infof("Secret %s/%s for region %s updated with new ECR credentials", cfg.SecretToUpdate, cfg.Namespace, region) + log.Infof("Secret %s/%s updated with new ECR credentials", cfg.SecretToUpdate, cfg.Namespace) } func newAWSConfig(region, accessKeyId, secretAccessKey, session string) (aws.Config, error) { @@ -134,7 +177,7 @@ func createSecret(client *kubernetes.Clientset, namespace string, secret *corev1 } // updateSecretFromToken updates a Kubernetes secret with the given AWS ECR AuthorizationData. -func updateSecretFromToken(client *kubernetes.Clientset, namespace string, secret *corev1.Secret, authorizationData ecrType.AuthorizationData) error { +func updateSecretFromToken(client *kubernetes.Clientset, namespace string, secret *corev1.Secret, authorizationToken string, expiresAt time.Time, endpoint string) error { if secret.Data == nil { secret.Data = make(map[string][]byte) } 
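Review bot: The doc comment on updateSecretFromToken still says it works from "the given AWS ECR AuthorizationData", which the new signature no longer takes. Suggested replacement: `// updateSecretFromToken stores the ECR authorization token for endpoint in the secret's .dockerconfigjson and records expiresAt in an annotation.` The function body continues outside this hunk.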
@@ -148,29 +191,28 @@ func updateSecretFromToken(client *kubernetes.Clientset, namespace string, secre return err } - json, err := buildDockerJSONConfig(dockerConfigJson, authorizationData) + json, err := buildDockerJSONConfig(dockerConfigJson, authorizationToken, expiresAt, endpoint) if err != nil { log.Errorf("Unable to build dockerJsonConfig from AuthorizationData") return err } - secret.Annotations[ecrUpdaterExpiresAt] = aws.ToTime(authorizationData.ExpiresAt).String() + secret.Annotations[ecrExpiresAtAnnotation] = expiresAt.String() secret.Data[".dockerconfigjson"] = json _, err = client.CoreV1().Secrets(namespace).Update(context.TODO(), secret, metav1.UpdateOptions{}) return err } -func buildDockerJSONConfig(dockerConfigJson DockerConfigJSON, authorizationData ecrType.AuthorizationData) ([]byte, error) { +func buildDockerJSONConfig(dockerConfigJson DockerConfigJSON, authorizationToken string, expiresAt time.Time, endpoint string) ([]byte, error) { user := "AWS" - token := aws.ToString(authorizationData.AuthorizationToken) - password := decodePassword(token) + password := decodePassword(authorizationToken) password = password[4:] if dockerConfigJson.Auths == nil { dockerConfigJson.Auths = make(DockerConfig) } - endpoint := credentials.ConvertToHostname(aws.ToString(authorizationData.ProxyEndpoint)) - dockerConfigJson.Auths[endpoint] = DockerConfigEntry{ + hostname := credentials.ConvertToHostname(endpoint) + dockerConfigJson.Auths[hostname] = DockerConfigEntry{ Auth: encodeDockerConfigFieldAuth(user, password), } return json.Marshal(dockerConfigJson) diff --git a/install/installer/cmd/testdata/render/aws-setup/config.yaml b/install/installer/cmd/testdata/render/aws-setup/config.yaml index 0b47b128150036..a2ed74d9b6bfd7 100644 --- a/install/installer/cmd/testdata/render/aws-setup/config.yaml +++ b/install/installer/cmd/testdata/render/aws-setup/config.yaml 
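Review bot: buildDockerJSONConfig still does `password = password[4:]` on whatever decodePassword returns, and now that the token arrives as a plain string from two different APIs, a value that fails to decode or is shorter than four bytes panics the job with a slice-bounds error instead of returning an error. Check the prefix being stripped (presumably `AWS:`) before cutting: `if !strings.HasPrefix(password, user+":") { return nil, fmt.Errorf("unexpected ECR token format") }` followed by `password = strings.TrimPrefix(password, user+":")`; this needs `strings` and `fmt` in the import block. decodePassword is defined outside the hunk, so what it returns on failure is an assumption.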
@@ -5,7 +5,15 @@ apiVersion: v1 domain: gitpod.example.com containerRegistry: - inCluster: true + inCluster: false + external: + url: 012345678969.dkr.ecr.eu-west-2.amazonaws.com + certificate: + kind: secret + name: aws-ecr-credential + credential: + kind: secret + name: aws-iam-user-credential s3storage: region: eu-west-2 endpoint: registry.amazonaws.com # Invalid endpoint - use to differentiate from objectStorage diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index 0f212ea11a013d..cfa0179051d02b 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -573,31 +573,6 @@ spec: selfSigned: {} status: {} --- -# cert-manager.io/v1/Certificate builtin-registry-certs -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - creationTimestamp: null - labels: - app: gitpod - component: docker-registry - name: builtin-registry-certs - namespace: default -spec: - dnsNames: - - registry.default.svc.cluster.local - duration: 2160h0m0s - issuerRef: - group: cert-manager.io - kind: Issuer - name: ca-issuer - secretName: builtin-registry-certs - secretTemplate: - labels: - app: gitpod - component: docker-registry -status: {} ---- # cert-manager.io/v1/Certificate builtin-registry-facade-cert apiVersion: cert-manager.io/v1 kind: Certificate @@ -815,18 +790,6 @@ metadata: name: dbinit namespace: default --- -# v1/ServiceAccount docker-registry -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app: gitpod - component: docker-registry - name: docker-registry - namespace: default ---- # v1/ServiceAccount gitpod apiVersion: v1 automountServiceAccountToken: true 
@@ -975,6 +938,18 @@ automountServiceAccountToken: true secrets: - name: messagebus --- +# v1/ServiceAccount registry-credential +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +--- # v1/ServiceAccount registry-facade apiVersion: v1 automountServiceAccountToken: true @@ -1059,22 +1034,6 @@ metadata: name: ws-proxy namespace: default --- -# v1/Secret builtin-registry-auth -apiVersion: v1 -data: - .dockerconfigjson: eyJhdXRocyI6eyJyZWdpc3RyeS5naXRwb2QuZXhhbXBsZS5jb20iOnsiYXV0aCI6ImVGTmxaRXBwUkdkS1VWRm5ORUpyVnpWNFMzVTZRMWMwUTFKQ2FtazJVakJpUjBjNE1XZDVSWGs9In19fQ== - password: Q1c0Q1JCamk2UjBiR0c4MWd5RXk= - user: eFNlZEppRGdKUVFnNEJrVzV4S3U= -kind: Secret -metadata: - creationTimestamp: null - labels: - app: gitpod - component: docker-registry - name: builtin-registry-auth - namespace: default -type: kubernetes.io/dockerconfigjson ---- # v1/Secret load-definition # Source: rabbitmq/charts/rabbitmq/templates/secrets.yaml apiVersion: v1 @@ -1169,24 +1128,6 @@ stringData: password: uq4KxOLtrA-QsDTfuwQ- username: gitpod --- -# v1/Secret registry-secret -# Source: docker-registry/charts/docker-registry/templates/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: registry-secret - namespace: default - labels: - app: docker-registry - chart: docker-registry-1.16.0 - heritage: Helm - release: docker-registry -type: Opaque -data: - haSharedSecret: "ZTI1UHRYNk1MOGdDVzMxbWl3MFQ=" - proxyUsername: "" - proxyPassword: "" ---- # v1/ConfigMap agent-smith apiVersion: v1 data: 
@@ -1393,7 +1334,15 @@ data: kind: secret name: https-certificates containerRegistry: - inCluster: true + external: + certificate: + kind: secret + name: aws-ecr-credential + credential: + kind: secret + name: aws-iam-user-credential + url: 012345678969.dkr.ecr.eu-west-2.amazonaws.com + inCluster: false privateBaseImageAllowList: [] s3storage: bucket: s3-container-registry @@ -1644,46 +1593,6 @@ metadata: apiVersion: v1 data: app.yaml: | - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - creationTimestamp: null - labels: - app: gitpod - component: docker-registry - name: builtin-registry-certs - namespace: default - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - creationTimestamp: null - labels: - app: gitpod - component: docker-registry - name: docker-registry - namespace: default - --- - apiVersion: v1 - kind: Secret - metadata: - creationTimestamp: null - labels: - app: gitpod - component: docker-registry - name: builtin-registry-auth - namespace: default - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - creationTimestamp: null - labels: - app: gitpod - component: docker-registry - name: docker-registry - namespace: default - --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: 
@@ -3277,51 +3186,53 @@ data: namespace: default --- apiVersion: v1 - kind: Secret + kind: ConfigMap metadata: creationTimestamp: null labels: - app: docker-registry - chart: docker-registry-1.16.0 - heritage: Helm - release: docker-registry - name: registry-secret + app: gitpod + component: registry-credential + name: registry-credential namespace: default --- - apiVersion: v1 - kind: ConfigMap + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role metadata: creationTimestamp: null labels: - app: docker-registry - chart: docker-registry-1.16.0 - heritage: Helm - release: docker-registry - name: registry-config + app: gitpod + component: registry-credential + name: registry-credential namespace: default --- - apiVersion: v1 - kind: Service + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding metadata: creationTimestamp: null labels: - app: docker-registry - chart: docker-registry-1.16.0 - heritage: Helm - release: docker-registry - name: registry + app: gitpod + component: registry-credential + name: registry-credential namespace: default --- - apiVersion: apps/v1 - kind: Deployment + apiVersion: batch/v1 + kind: CronJob metadata: creationTimestamp: null labels: - app: docker-registry - chart: docker-registry-1.16.0 - heritage: Helm - release: docker-registry - name: registry + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential namespace: default --- apiVersion: networking.k8s.io/v1 
@@ -4716,10 +4627,10 @@ data: "key": "/wsman-certs/tls.key" } }, - "pullSecret": "builtin-registry-auth", + "pullSecret": "aws-ecr-credential", "pullSecretFile": "/config/pull-secret/pull-secret.json", - "baseImageRepository": "registry.gitpod.example.com/base-images", - "workspaceImageRepository": "registry.gitpod.example.com/workspace-images", + "baseImageRepository": "012345678969.dkr.ecr.eu-west-2.amazonaws.com/base-images", + "workspaceImageRepository": "012345678969.dkr.ecr.eu-west-2.amazonaws.com/workspace-images", "builderImage": "eu.gcr.io/gitpod-core-dev/build/image-builder-mk3/bob:test" }, "refCache": { @@ -4776,23 +4687,6 @@ metadata: # v1/ConfigMap proxy-config apiVersion: v1 data: - vhost.docker-registry: |- - https://registry.gitpod.example.com { - import enable_log - import remove_server_header - import ssl_configuration - - basicauth bcrypt "Docker Registry" { - xSedJiDgJQQg4BkW5xKu JDJhJDEwJFFTRGRRMHZZY2pIS2JqUC9aMDNnVC5HbEg2Z1dOQm5TL0pySnpYSm5iNy9DeVh0ZUw2cFM2 - } - - reverse_proxy https://registry.default.svc.cluster.local { - flush_interval -1 - transport http { - tls_trusted_ca_certs /etc/caddy/registry-certs/ca.crt - } - } - } vhost.empty: '# Placeholder to avoid errors loading files using a glob pattern' vhost.ide-proxy: | https://ide.gitpod.example.com { 
@@ -4886,42 +4780,25 @@ metadata: name: public-api-server namespace: default --- -# v1/ConfigMap registry-config -# Source: docker-registry/charts/docker-registry/templates/configmap.yaml +# v1/ConfigMap registry-credential apiVersion: v1 +data: + config.json: |- + { + "namespace": "default", + "credentialSecret": "aws-iam-user-credential", + "region": "eu-west-2", + "publicRegistry": false, + "secretToUpdate": "aws-ecr-credential" + } kind: ConfigMap metadata: - name: registry-config - namespace: default + creationTimestamp: null labels: - app: docker-registry - chart: docker-registry-1.16.0 - heritage: Helm - release: docker-registry -data: - config.yml: |- - health: - storagedriver: - enabled: true - interval: 10s - threshold: 3 - http: - addr: :5000 - debug: - addr: :5001 - prometheus: - enabled: false - path: /metrics - headers: - X-Content-Type-Options: - - nosniff - log: - fields: - service: registry - storage: - cache: - blobdescriptor: inmemory - version: 0.1 + app: gitpod + component: registry-credential + name: registry-credential + namespace: default --- # v1/ConfigMap registry-facade apiVersion: v1 @@ -6186,6 +6063,27 @@ rules: resources: ["events"] verbs: ["create"] --- +# rbac.authorization.k8s.io/v1/Role registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +--- # rbac.authorization.k8s.io/v1/Role server apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -6401,24 +6299,6 @@ subjects: name: nobody namespace: default --- -# rbac.authorization.k8s.io/v1/RoleBinding docker-registry -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - app: gitpod - component: docker-registry - name: docker-registry - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: default-ns-psp:restricted-root-user -subjects: -- kind: ServiceAccount - name: docker-registry ---- # rbac.authorization.k8s.io/v1/RoleBinding gitpod apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -6655,6 +6535,24 @@ subjects: - kind: ServiceAccount name: rabbitmq --- +# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: registry-credential +subjects: +- kind: ServiceAccount + name: registry-credential +--- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7169,29 +7067,6 @@ spec: status: loadBalancer: {} --- -# v1/Service registry -# Source: docker-registry/charts/docker-registry/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: registry - namespace: default - labels: - app: docker-registry - chart: docker-registry-1.16.0 - release: docker-registry - heritage: Helm -spec: - type: ClusterIP - ports: - - port: 443 - protocol: TCP - name: https-443 - targetPort: 5000 - selector: - app: docker-registry - release: docker-registry ---- # v1/Service registry-facade apiVersion: v1 kind: Service 
@@ -7471,7 +7346,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 3e487f9543c719b9ee3f5590a0f98cb535b4bf1b301c66de8f00f3aa9d61381d + gitpod.io/checksum_config: 627e2d5a5d50e8eb2531bd494ceb9cd26315e43008248fb6825dfc2b5189a3d3 creationTimestamp: null labels: app: gitpod @@ -7652,7 +7527,7 @@ spec: items: - key: .dockerconfigjson path: pull-secret.json - secretName: builtin-registry-auth + secretName: aws-ecr-credential - hostPath: path: / name: hostfs @@ -8334,7 +8209,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: cac138904f08d79e5598805683f8dc378bd52c58348489de22949ac38dd8b193 + gitpod.io/checksum_config: a46080fdf584e8531ec566bcd7761b7ceca365777f0859476a0a9c68beb99737 creationTimestamp: null labels: app: gitpod @@ -8448,7 +8323,7 @@ spec: items: - key: .dockerconfigjson path: pull-secret.json - secretName: builtin-registry-auth + secretName: aws-ecr-credential status: {} --- # apps/v1/Deployment content-service @@ -9202,7 +9077,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: af26ec864db5be86adfb79b972614487639aa67ad16de869e23e22e468f0bed8 + gitpod.io/checksum_config: cc800373849134b29aa04bf2f88b41d073ed09f59d04e65f2b028898453cb0ca creationTimestamp: null labels: app: gitpod @@ -9321,7 +9196,7 @@ spec: items: - key: .dockerconfigjson path: pull-secret.json - secretName: builtin-registry-auth + secretName: aws-ecr-credential - emptyDir: {} name: gitpod-ca-certificate - emptyDir: {} @@ -9352,7 +9227,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: c52c73e63eaa95613a8f4fe77167c754cd48eaf757dd69c2048400311a5ae0a6 + gitpod.io/checksum_config: e6eea49478778c68ec71eee2aa5d2be8b67ebcfda86107a44d2cc80b88c1ecfe creationTimestamp: null labels: app: gitpod 
@@ -9446,10 +9321,6 @@ spec: name: vhosts - mountPath: /etc/caddy/certificates name: config-certificates - - mountPath: /etc/caddy/registry-auth - name: builtin-registry-auth - - mountPath: /etc/caddy/registry-certs - name: builtin-registry-certs dnsPolicy: ClusterFirst enableServiceLinks: false initContainers: @@ -9477,12 +9348,6 @@ spec: - name: config-certificates secret: secretName: https-certificates - - name: builtin-registry-auth - secret: - secretName: builtin-registry-auth - - name: builtin-registry-certs - secret: - secretName: builtin-registry-certs status: {} --- # apps/v1/Deployment public-api-server 
@@ -9677,104 +9542,6 @@ spec: name: config status: {} --- -# apps/v1/Deployment registry -# Source: docker-registry/charts/docker-registry/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: registry - namespace: default - labels: - app: docker-registry - chart: docker-registry-1.16.0 - release: docker-registry - heritage: Helm -spec: - selector: - matchLabels: - app: docker-registry - release: docker-registry - replicas: 1 - minReadySeconds: 5 - template: - metadata: - labels: - app: docker-registry - release: docker-registry - annotations: - checksum/config: 1d22b82e19bbc654e029029c4fb86ad02dc13422dc3ac52f8175ad190e52a0bb - gitpod.io/checksum_config: 0ce55d51677cd683df3c7a244542c6aeaaf5dd6dca0f0458e8053a713228f535 - spec: - serviceAccountName: docker-registry - securityContext: - fsGroup: 1000 - runAsUser: 1000 - containers: - - name: docker-registry - image: "docker.io/library/registry:2.7.1" - imagePullPolicy: IfNotPresent - command: - - /bin/registry - - serve - - /etc/docker/registry/config.yml - ports: - - containerPort: 5000 - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 5000 - readinessProbe: - httpGet: - scheme: HTTPS - path: / - port: 5000 - resources: - {} - env: - - name: REGISTRY_HTTP_SECRET - valueFrom: - secretKeyRef: - name: registry-secret - key: haSharedSecret - - name: REGISTRY_HTTP_TLS_CERTIFICATE - value: /etc/ssl/docker/tls.crt - - name: REGISTRY_HTTP_TLS_KEY - value: /etc/ssl/docker/tls.key - - name: REGISTRY_STORAGE_S3_ACCESSKEY - valueFrom: - secretKeyRef: - name: container-registry-s3-backend - key: s3AccessKey - - name: REGISTRY_STORAGE_S3_SECRETKEY - valueFrom: - secretKeyRef: - name: container-registry-s3-backend - key: s3SecretKey - - name: REGISTRY_STORAGE_S3_REGION - value: eu-west-2 - - name: REGISTRY_STORAGE_S3_REGIONENDPOINT - value: registry.amazonaws.com - - name: REGISTRY_STORAGE_S3_BUCKET - value: s3-container-registry - - name: REGISTRY_STORAGE_S3_ENCRYPT - value: "true" - - 
name: REGISTRY_STORAGE_S3_SECURE - value: "true" - volumeMounts: - - name: "registry-config" - mountPath: "/etc/docker/registry" - - mountPath: /etc/ssl/docker - name: tls-cert - readOnly: true - volumes: - - name: registry-config - configMap: - name: registry-config - - name: tls-cert - secret: - secretName: builtin-registry-certs ---- # apps/v1/Deployment server apiVersion: apps/v1 kind: Deployment @@ -10921,3 +10688,59 @@ spec: schedule: '@daily' successfulJobsHistoryLimit: 3 status: {} +--- +# batch/v1/CronJob registry-credential +apiVersion: batch/v1 +kind: CronJob +metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default +spec: + concurrencyPolicy: Replace + failedJobsHistoryLimit: 10 + jobTemplate: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + backoffLimit: 10 + template: + metadata: + creationTimestamp: null + labels: + app: gitpod + component: registry-credential + name: registry-credential + namespace: default + spec: + containers: + - args: + - ecr-update + - /config/config.json + image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test + imagePullPolicy: IfNotPresent + name: registry-credential + resources: {} + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /config + name: config + readOnly: true + restartPolicy: OnFailure + serviceAccountName: registry-credential + volumes: + - configMap: + name: registry-credential + name: config + schedule: '* */6 * * *' + successfulJobsHistoryLimit: 1 +status: {} diff --git a/install/installer/go.mod b/install/installer/go.mod index f67dccdc0dcfc7..408e5c097ac80e 100644 --- a/install/installer/go.mod +++ b/install/installer/go.mod 
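Review bot: The rendered schedule `'* */6 * * *'` on the registry-credential CronJob has `*` in the minute field, so it fires every minute during hours 0, 6, 12 and 18 rather than once every six hours. With `concurrencyPolicy: Replace`, each of those runs can cut off the one before it, and each presumably requests a new registry token and rewrites the pull secret. If a six-hourly refresh is intended, the schedule should be `0 */6 * * *`. This file is golden output, so the change belongs where the installer sets the CronJob schedule, which this hunk does not show.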
@@ -68,25 +68,25 @@ require ( github.com/a8m/envsubst v1.3.0 // indirect github.com/allegro/bigcache v1.2.1 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect - github.com/aws/aws-sdk-go-v2 v1.17.1 // indirect + github.com/aws/aws-sdk-go-v2 v1.17.2 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9 // indirect - github.com/aws/aws-sdk-go-v2/config v1.18.3 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.13.3 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 // indirect + github.com/aws/aws-sdk-go-v2/config v1.18.4 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.13.4 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 // indirect github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.42 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 // indirect github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.16 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 // indirect github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.20 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.19 // indirect github.com/aws/aws-sdk-go-v2/service/s3 v1.29.4 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.17.5 // indirect - github.com/aws/smithy-go v1.13.4 // 
indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 // indirect + github.com/aws/smithy-go v1.13.5 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b // indirect diff --git a/install/installer/go.sum b/install/installer/go.sum index 7f64f5536e352c..d158a329b311cc 100644 --- a/install/installer/go.sum +++ b/install/installer/go.sum 
@@ -207,44 +207,56 @@ github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= github.com/aws/aws-sdk-go v1.40.14/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= -github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= +github.com/aws/aws-sdk-go-v2 v1.17.2 h1:r0yRZInwiPBNpQ4aDy/Ssh3ROWsGtKDwar2JS8Lm+N8= +github.com/aws/aws-sdk-go-v2 v1.17.2/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9 h1:RKci2D7tMwpvGpDNZnGQw9wk6v7o/xSwFcUAuNPoB8k= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9/go.mod h1:vCmV1q1VK8eoQJ5+aYE7PkK1K6v41qJ5pJdK3ggCDvg= -github.com/aws/aws-sdk-go-v2/config v1.18.3 h1:3kfBKcX3votFX84dm00U8RGA1sCCh3eRMOGzg5dCWfU= github.com/aws/aws-sdk-go-v2/config v1.18.3/go.mod h1:BYdrbeCse3ZnOD5+2/VE/nATOK8fEUpBtmPMdKSyhMU= -github.com/aws/aws-sdk-go-v2/credentials v1.13.3 h1:ur+FHdp4NbVIv/49bUjBW+FE7e57HOo03ELodttmagk= +github.com/aws/aws-sdk-go-v2/config v1.18.4 h1:VZKhr3uAADXHStS/Gf9xSYVmmaluTUfkc0dcbPiDsKE= +github.com/aws/aws-sdk-go-v2/config v1.18.4/go.mod h1:EZxMPLSdGAZ3eAmkqXfYbRppZJTzFTkv8VyEzJhKko4= github.com/aws/aws-sdk-go-v2/credentials v1.13.3/go.mod h1:/rOMmqYBcFfNbRPU0iN9IgGqD5+V2yp3iWNmIlz0wI4= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 h1:E3PXZSI3F2bzyj6XxUXdTIfvp425HHhwKsFvmzBwHgs= +github.com/aws/aws-sdk-go-v2/credentials v1.13.4 h1:nEbHIyJy7mCvQ/kzGG7VWHSBpRB4H6sJy3bWierWUtg= +github.com/aws/aws-sdk-go-v2/credentials v1.13.4/go.mod h1:/Cj5w9LRsNTLSwexsohwDME32OzJ6U81Zs33zr2ZWOM= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19/go.mod h1:VihW95zQpeKQWVPGkwT+2+WJNQV8UXFfMTWdU6VErL8= 
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 h1:tpNOglTZ8kg9T38NpcGBxudqfUAwUzyUnLQ4XSd0CHE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20/go.mod h1:d9xFpWd3qYwdIXM0fvu7deD08vvdRXyc/ueV+0SqaWE= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.42 h1:bxgBYvvBh+W1RnNYP4ROXEB8N+HSSucDszfE7Rb+kfU= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.42/go.mod h1:LHOsygMiW/14CkFxdXxvzKyMh3jbk/QfZVaDtCbLkl8= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 h1:5WU31cY7m0tG+AiaXuXGoMzo2GBQ1IixtWa8Yywsgco= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26/go.mod h1:2E0LdbJW6lbeU4uxjum99GZzI0ZjDpAb0CoSCM0oeEY= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 h1:Mza+vlnZr+fPKFKRq/lKGVvM6B/8ZZmNdEopOwSQLms= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 h1:WW0qSzDWoiWU2FS5DbKpxGilFVlCEJPwx4YtjdfI0Jw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20/go.mod h1:/+6lSiby8TBFpTVXZgKiN/rCfkYXEGvhlM4zCgPpt7w= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26/go.mod h1:Y2OJ+P+MC1u1VKnavT+PshiEuGPyh/7DqxoDNij4/bg= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 h1:N2eKFw2S+JWRCtTt0IhIX7uoGGQciD4p6ba+SJv4WEU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27/go.mod h1:RdwFVc7PBYWY33fa2+8T1mSqQ7ZEK4ILpM0wfioDC3w= github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.16 h1:2EXB7dtGwRYIN3XQ9qwIW504DVbKIw3r89xQnonGdsQ= github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.16/go.mod h1:XH+3h395e3WVdd6T2Z3mPxuI+x/HVtdqVOREkTiyubs= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding 
v1.9.10 h1:dpiPHgmFstgkLG07KaYAewvuptq5kvo52xn7tVSrtrQ= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10/go.mod h1:9cBNUHI2aW4ho0A5T87O294iPDuuUOSIEDjnd1Lq/z0= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.20 h1:KSvtm1+fPXE0swe9GPjc6msyrdTT0LB/BP8eLugL1FI= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.20/go.mod h1:Mp4XI/CkWGD79AQxZ5lIFlgvC0A+gl+4BmyG1F+SfNc= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19/go.mod h1:02CP6iuYP+IVnBX5HULVdSAku/85eHB2Y9EsFhrkEwU= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 h1:jlgyHbkZQAgAc7VIxJDmtouH8eNjOk2REVAQfVhdaiQ= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20/go.mod h1:Xs52xaLBqDEKRcAfX/hgjmD3YQ7c/W+BEyfamlO/W2E= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.19 h1:piDBAaWkaxkkVV3xJJbTehXCZRXYs49kvpi/LG6LR2o= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.19/go.mod h1:BmQWRVkLTmyNzYPFAZgon53qKLWBNSvonugD1MrSWUs= github.com/aws/aws-sdk-go-v2/service/s3 v1.29.4 h1:QgmmWifaYZZcpaw3y1+ccRlgH6jAvLm4K/MBGUc7cNM= github.com/aws/aws-sdk-go-v2/service/s3 v1.29.4/go.mod h1:/NHbqPRiwxSPVOB2Xr+StDEH+GWV/64WwnUjv4KYzV0= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 h1:GFZitO48N/7EsFDt8fMa5iYdmWqkUDDB3Eje6z3kbG0= github.com/aws/aws-sdk-go-v2/service/sso v1.11.25/go.mod h1:IARHuzTXmj1C0KS35vboR0FeJ89OkEy1M9mWbK2ifCI= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 h1:jcw6kKZrtNfBPJkaHrscDOZoe5gvi9wjudnxvozYFJo= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 h1:ActQgdTNQej/RuUJjB9uxYVLDOvRGtUreXF8L3c8wyg= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.26/go.mod h1:uB9tV79ULEZUXc6Ob18A46KSQ0JDlrplPni9XW6Ot60= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8/go.mod h1:er2JHN+kBY6FcMfcBBKNGCT3CarImmdFzishsqBmSRI= -github.com/aws/aws-sdk-go-v2/service/sts v1.17.5 
h1:60SJ4lhvn///8ygCzYy2l53bFW/Q15bVfyjyAWo6zuw= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 h1:wihKuqYUlA2T/Rx+yu2s6NDAns8B9DgnRooB1PVhY+Q= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9/go.mod h1:2E/3D/mB8/r2J7nK42daoKP/ooCwbf0q1PznNc+DZTU= github.com/aws/aws-sdk-go-v2/service/sts v1.17.5/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4= -github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 h1:VQFOLQVL3BrKM/NLO/7FiS4vcp5bqK0mGMyk09xLoAY= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.6/go.mod h1:Az3OXXYGyfNwQNsK/31L4R75qFYnO641RZGAoV3uH1c= github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= +github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= diff --git a/install/installer/pkg/components/registry-credential/common.go b/install/installer/pkg/components/registry-credential/common.go index 904e9b74a6d129..9399ebd3c05c3e 100644 --- a/install/installer/pkg/components/registry-credential/common.go +++ b/install/installer/pkg/components/registry-credential/common.go 
@@ -5,24 +5,84 @@ package registry_credential import ( + "net/url" "regexp" + "strings" + "github.com/gitpod-io/gitpod/common-go/log" "github.com/gitpod-io/gitpod/installer/pkg/common" - "k8s.io/utils/pointer" ) -// isAWSRegistry checks the external container registry URL is a private AWS ECR container registry. -func isAWSRegistry(ctx *common.RenderContext) bool { - if pointer.BoolDeref(ctx.Config.ContainerRegistry.InCluster, false) && - ctx.Config.ContainerRegistry.External != nil { - // We support private AWS ECR container registry now. - re := regexp.MustCompile(`^\d{12}\.dkr\.ecr\.[a-z]{2}-[a-z]+-\d\.amazonaws\.com$`) - return re.MatchString(ctx.Config.ContainerRegistry.External.URL) +// IsAWSECRURL parses the external container registry URL exists and then +// checks whether the external container registry URL is a AWS ECR container registry. +func IsAWSECRURL(ctx *common.RenderContext) bool { + if ctx.Config.ContainerRegistry.External == nil { + return false + } + return isAWSECRURL(ctx.Config.ContainerRegistry.External.URL) +} + +// isAWSECRURL checks whether the URL is a AWS ECR URL or not. +func isAWSECRURL(URL string) bool { + if isPrivateAWSECRURL(URL) || isPublicAWSECRURL(URL) { + return true } return false } -// TODO(jenting): parse the AWS region from the container registry URL +// isPrivateAWSECRURL check if it's a private AWS ECR URL. +// The private AWS ECR URL with the format aws_account_id.dkr.ecr.region.amazonaws.com. +func isPrivateAWSECRURL(URL string) bool { + u, err := url.Parse(URL) + if err != nil { + log.WithError(err).Errorf("unable to parse url %s", URL) + return false + } + + host := u.Host + if host == "" { + host = URL + } + + re, err := regexp.Compile(`^[0-9]+\.dkr\.ecr\.[a-z]+-[a-z]+-[0-9]+\.amazonaws\.com*`) + if err != nil { + log.WithError(err).Fatal("invalid private regexp pattern") + return false + } + return re.MatchString(host) +} + +// isPublicAWSECRURL check if it's a public AWS ECR URL. 
+// The public AWS ECR URL with the format public.ecr.aws/. +func isPublicAWSECRURL(URL string) bool { + u, err := url.Parse(URL) + if err != nil { + log.WithError(err).Errorf("unable to parse url %s", URL) + return false + } + + host := u.Host + if host == "" { + host = URL + } + + re, err := regexp.Compile(`^public\.ecr\.aws*`) + if err != nil { + log.WithError(err).Fatal("invalid public regexp pattern") + return false + } + return re.MatchString(host) +} + +// getAWSRegion returns the AWS region according to the container registry URL. func getAWSRegion(url string) string { - return "us-west-1" + if isPrivateAWSECRURL(url) { + return strings.Split(url, ".")[3] + } + if isPublicAWSECRURL(url) { + // If it's a public registry, force to use us-east-1 region + // https://docs.aws.amazon.com/general/latest/gr/ecr-public.html#ecr-public-region + return "us-east-1" + } + return "" } diff --git a/install/installer/pkg/components/registry-credential/common_test.go b/install/installer/pkg/components/registry-credential/common_test.go new file mode 100644 index 00000000000000..14915be92a7a93 --- /dev/null +++ b/install/installer/pkg/components/registry-credential/common_test.go 
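Review bot: Both host patterns end in `*`, which quantifies only the final character and leaves the match unanchored. As a result `isPrivateAWSECRURL` and `isPublicAWSECRURL` accept any host that merely begins with an ECR-looking name and then continues into another domain, whereas the removed `isAWSRegistry` pattern ended in `$`. A match decides whether the credential CronJob is rendered and which region it is given, so the end should be pinned while still allowing the path that the `host = URL` fallback lets through: `^[0-9]+\.dkr\.ecr\.[a-z]+-[a-z]+-[0-9]+\.amazonaws\.com(/.*)?$` and `^public\.ecr\.aws(/.*)?$` (add an optional `(:[0-9]+)?` if URLs with a port must be accepted). Both patterns are constants, so a package-level `regexp.MustCompile` would remove the per-call compile and the unreachable `log.Fatal` branch. `getAWSRegion` takes `strings.Split(url, ".")[3]` from the raw string rather than the parsed host, so it is only as strict as the pattern in front of it.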
@@ -0,0 +1,113 @@ +// Copyright (c) 2022 Gitpod GmbH. All rights reserved. +// Licensed under the GNU Affero General Public License (AGPL). +// See License-AGPL.txt in the project root for license information. + +package registry_credential + +import "testing" + +func TestIsAWSECRPrivateRegistry(t *testing.T) { + tests := []struct { + URL string + Expect bool + }{ + { + URL: "012345678969.dkr.ecr.us-west-1.amazonaws.com", + Expect: true, + }, + { + URL: "012345678969.dkr.ecr.us-west-1.amazonaws.com/", + Expect: true, + }, + { + URL: "012345678969.dkr.ecr.us-west-1.amazonaws.com/build", + Expect: true, + }, + { + URL: "https://012345678969.dkr.ecr.us-west-1.amazonaws.com/build/foo/bar", + Expect: true, + }, + { + URL: "public.ecr.aws", + Expect: true, + }, + { + URL: "public.ecr.aws/", + Expect: true, + }, + { + URL: "public.ecr.aws/build", + Expect: true, + }, + { + URL: "https://public.ecr.aws/build/foo/bar", + Expect: true, + }, + { + URL: "gitpod.io", + Expect: false, + }, + } + + for _, test := range tests { + t.Run(test.URL, func(t *testing.T) { + got := isAWSECRURL(test.URL) + if got != test.Expect { + t.Errorf("expect url %t, got %t", test.Expect, got) + } + }) + } +} + +func TestGetAWSRegion(t *testing.T) { + tests := []struct { + URL string + Expect string + }{ + { + URL: "012345678969.dkr.ecr.us-west-1.amazonaws.com", + Expect: "us-west-1", + }, + { + URL: "https://012345678969.dkr.ecr.us-west-1.amazonaws.com", + Expect: "us-west-1", + }, + { + URL: "012345678969.dkr.ecr.us-west-1.amazonaws.com/build", + Expect: "us-west-1", + }, + { + URL: "https://012345678969.dkr.ecr.us-west-1.amazonaws.com/build/foo/bar", + Expect: "us-west-1", + }, + { + URL: "public.ecr.aws", + Expect: "us-east-1", + }, + { + URL: "public.ecr.aws/", + Expect: "us-east-1", + }, + { + URL: "public.ecr.aws/build", + Expect: "us-east-1", + }, + { + URL: "https://public.ecr.aws/build/foo/bar", + Expect: "us-east-1", + }, + { + URL: "gitpod.io", + Expect: "", + }, + } + + for _, test := 
range tests { + t.Run(test.URL, func(t *testing.T) { + got := getAWSRegion(test.URL) + if got != test.Expect { + t.Errorf("expect url %s, got %s", test.Expect, got) + } + }) + } +} diff --git a/install/installer/pkg/components/registry-credential/configmap.go b/install/installer/pkg/components/registry-credential/configmap.go index 558e79af978944..97e6bfea0e50cd 100644 --- a/install/installer/pkg/components/registry-credential/configmap.go +++ b/install/installer/pkg/components/registry-credential/configmap.go @@ -15,17 +15,18 @@ import ( ) func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { - if !isAWSRegistry(ctx) { - return []runtime.Object{}, nil + if !IsAWSECRURL(ctx) { + return nil, nil } + privateRegistry := isPrivateAWSECRURL(ctx.Config.ContainerRegistry.External.URL) + region := getAWSRegion(ctx.Config.ContainerRegistry.External.URL) + credentialSecretName, err := credentialSecretName(ctx) if err != nil { return nil, err } - region := getAWSRegion(ctx.Config.ContainerRegistry.External.URL) - secretToUpdateName, err := secretToUpdateName(ctx) if err != nil { return nil, err @@ -35,6 +36,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { Namespace: ctx.Namespace, CredentialSecret: credentialSecretName, Region: region, + PublicRegistry: !privateRegistry, SecretToUpdate: secretToUpdateName, } 
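Review bot: The table in `TestIsAWSECRPrivateRegistry` has a single negative case (`gitpod.io`), so nothing pins what the matcher must reject, and look-alike hosts that only begin with an ECR name are the boundary worth fixing in place. Rows such as `{URL: "012345678969.dkr.ecr.us-west-1.amazonaws.com.example.org", Expect: false}` and `{URL: "public.ecr.aws.example.org", Expect: false}` (constructed names) would fail against an unanchored pattern and keep a later regex change honest; `TestGetAWSRegion` would benefit from the same rows with `Expect: ""`. The test name says private registry while the rows include public URLs and the call is `isAWSECRURL`, so `TestIsAWSECRURL` would describe it better. The failure message `"expect url %t, got %t"` prints a bool, so the word `url` should be dropped.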
@@ -52,28 +54,22 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { Labels: common.DefaultLabels(Component), }, Data: map[string]string{ - "registry-credential.json": string(json), + "config.json": string(json), }, }, }, nil } func secretToUpdateName(ctx *common.RenderContext) (string, error) { - var secretName string - if ctx.Config.ContainerRegistry.External != nil { - secretName = ctx.Config.ContainerRegistry.External.Certificate.Name - } else { + if ctx.Config.ContainerRegistry.External == nil { return "", fmt.Errorf("%s: invalid container registry config", Component) } - return secretName, nil + return ctx.Config.ContainerRegistry.External.Certificate.Name, nil } func credentialSecretName(ctx *common.RenderContext) (string, error) { - var secretName string - if ctx.Config.ContainerRegistry.External != nil { - secretName = ctx.Config.ContainerRegistry.External.Credential.Name - } else { + if ctx.Config.ContainerRegistry.External == nil { return "", fmt.Errorf("%s: invalid container registry config", Component) } - return secretName, nil + return ctx.Config.ContainerRegistry.External.Credential.Name, nil } diff --git a/install/installer/pkg/components/registry-credential/cronjob.go b/install/installer/pkg/components/registry-credential/cronjob.go index f26c5ffd30d749..1f619398a5697c 100644 --- a/install/installer/pkg/components/registry-credential/cronjob.go +++ b/install/installer/pkg/components/registry-credential/cronjob.go @@ -6,6 +6,7 @@ package registry_credential import ( batchv1 "k8s.io/api/batch/v1" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/utils/pointer" @@ -14,8 +15,8 @@ import ( ) func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) { - if !isAWSRegistry(ctx) { - return []runtime.Object{}, nil + if !IsAWSECRURL(ctx) { + return nil, nil } objectMeta := metav1.ObjectMeta{ 
@@ -35,7 +36,44 @@ func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) { ConcurrencyPolicy: batchv1.ReplaceConcurrent, JobTemplate: batchv1.JobTemplateSpec{ ObjectMeta: objectMeta, - Spec: jobSpec(ctx, objectMeta), + Spec: batchv1.JobSpec{ + BackoffLimit: pointer.Int32(10), + Template: corev1.PodTemplateSpec{ + ObjectMeta: objectMeta, + Spec: corev1.PodSpec{ + RestartPolicy: corev1.RestartPolicyOnFailure, + ServiceAccountName: Component, + Containers: []corev1.Container{ + { + Name: Component, + Args: []string{"ecr-update", "/config/config.json"}, + Image: ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.RegistryCredential.Version), + ImagePullPolicy: corev1.PullIfNotPresent, + SecurityContext: &corev1.SecurityContext{ + AllowPrivilegeEscalation: pointer.Bool(false), + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "config", + MountPath: "/config", + ReadOnly: true, + }, + }, + }, + }, + Volumes: []corev1.Volume{ + { + Name: "config", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{Name: Component}, + }, + }, + }, + }, + }, + }, + }, }, }, }, diff --git a/install/installer/pkg/components/registry-credential/job.go b/install/installer/pkg/components/registry-credential/job.go deleted file mode 100644 index 64c42d67950251..00000000000000 --- a/install/installer/pkg/components/registry-credential/job.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright (c) 2022 Gitpod GmbH. All rights reserved. -// Licensed under the GNU Affero General Public License (AGPL). -// See License-AGPL.txt in the project root for license information. - -package registry_credential - -import ( - batchv1 "k8s.io/api/batch/v1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/utils/pointer" - - "github.com/gitpod-io/gitpod/installer/pkg/common" -) - -func jobSpec(ctx *common.RenderContext, objectMeta metav1.ObjectMeta) batchv1.JobSpec { - return batchv1.JobSpec{ - BackoffLimit: pointer.Int32(10), - Template: corev1.PodTemplateSpec{ - ObjectMeta: objectMeta, - Spec: corev1.PodSpec{ - RestartPolicy: corev1.RestartPolicyOnFailure, - ServiceAccountName: Component, - Containers: []corev1.Container{ - { - Name: Component, - Args: []string{"ecr-update", "/config/config.json"}, - Image: ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.RegistryCredential.Version), - ImagePullPolicy: corev1.PullIfNotPresent, - SecurityContext: &corev1.SecurityContext{ - AllowPrivilegeEscalation: pointer.Bool(false), - }, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "config", - MountPath: "/config", - ReadOnly: true, - }, - }, - }, - }, - Volumes: []corev1.Volume{ - { - Name: "config", - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{Name: Component}, - }, - }, - }, - }, - }, - }, - } -} - -func job(ctx *common.RenderContext) ([]runtime.Object, error) { - if !isAWSRegistry(ctx) { - return []runtime.Object{}, nil - } - - objectMeta := metav1.ObjectMeta{ - Name: Component, - Namespace: ctx.Namespace, - Labels: common.DefaultLabels(Component), - } - - return []runtime.Object{ - &batchv1.Job{ - TypeMeta: common.TypeMetaBatchJob, - ObjectMeta: objectMeta, - Spec: jobSpec(ctx, objectMeta), - }, - }, nil -} 
diff --git a/install/installer/pkg/components/registry-credential/objects.go b/install/installer/pkg/components/registry-credential/objects.go index abc7e97cd97d28..f8de54de85abb5 100644 --- a/install/installer/pkg/components/registry-credential/objects.go +++ b/install/installer/pkg/components/registry-credential/objects.go @@ -5,8 +5,9 @@ package registry_credential import ( - "github.com/gitpod-io/gitpod/installer/pkg/common" "k8s.io/apimachinery/pkg/runtime" + + "github.com/gitpod-io/gitpod/installer/pkg/common" ) var Objects = common.CompositeRenderFunc( @@ -14,9 +15,8 @@ var Objects = common.CompositeRenderFunc( role, rolebinding, cronjob, - job, func(ctx *common.RenderContext) ([]runtime.Object, error) { - if !isAWSRegistry(ctx) { + if !IsAWSECRURL(ctx) { return nil, nil } return common.DefaultServiceAccount(Component)(ctx) diff --git a/install/installer/pkg/components/registry-credential/role.go b/install/installer/pkg/components/registry-credential/role.go index 516a5ad23d5273..40d489c0a02a83 100644 --- a/install/installer/pkg/components/registry-credential/role.go +++ b/install/installer/pkg/components/registry-credential/role.go @@ -13,8 +13,8 @@ import ( ) func role(ctx *common.RenderContext) ([]runtime.Object, error) { - if !isAWSRegistry(ctx) { - return []runtime.Object{}, nil + if !IsAWSECRURL(ctx) { + return nil, nil } return []runtime.Object{ diff --git a/install/installer/pkg/components/registry-credential/rolebinding.go b/install/installer/pkg/components/registry-credential/rolebinding.go index c14534c1664168..36a0648679ec39 100644 --- a/install/installer/pkg/components/registry-credential/rolebinding.go +++ b/install/installer/pkg/components/registry-credential/rolebinding.go @@ -13,8 +13,8 @@ import ( ) func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) { - if !isAWSRegistry(ctx) { - return []runtime.Object{}, nil + if !IsAWSECRURL(ctx) { + return nil, nil } return []runtime.Object{ 
From d0d0cb4d515bd481c7553e0085747ad28ed945e7 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Wed, 14 Dec 2022 07:00:55 +0000 Subject: [PATCH 09/14] installer: add create secrets permission Signed-off-by: JenTing Hsiao --- install/installer/cmd/testdata/render/aws-setup/output.golden | 1 + install/installer/pkg/components/registry-credential/role.go | 1 + 2 files changed, 2 insertions(+) diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index cfa0179051d02b..40da25d41cae7e 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -6079,6 +6079,7 @@ rules: resources: - secrets verbs: + - create - get - list - watch diff --git a/install/installer/pkg/components/registry-credential/role.go b/install/installer/pkg/components/registry-credential/role.go index 40d489c0a02a83..9c0b80b8b41975 100644 --- a/install/installer/pkg/components/registry-credential/role.go +++ b/install/installer/pkg/components/registry-credential/role.go @@ -30,6 +30,7 @@ func role(ctx *common.RenderContext) ([]runtime.Object, error) { APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{ + "create", "get", "list", "watch", From fe1542d0253531462f7695cb7a2b17a8c743190e Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Wed, 14 Dec 2022 09:11:18 +0000 Subject: [PATCH 10/14] Add README for registry-credential Signed-off-by: JenTing Hsiao --- components/registry-credential/README.md | 46 ++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 components/registry-credential/README.md diff --git a/components/registry-credential/README.md b/components/registry-credential/README.md new file mode 100644 index 00000000000000..941abb145e2f6c --- /dev/null +++ b/components/registry-credential/README.md 
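Review bot: The rule that gains `"create"` grants its verbs on every `secrets` object in the namespace, as far as the hunk shows, because no `ResourceNames` is visible on it. With `get`, `list` and `watch` alongside, the job's service account can read all secrets there, not only the AWS key pair and the pull secret it refreshes. `create` cannot be restricted by name, but the other verbs can: keep `create` in its own rule and move the rest to a rule whose `ResourceNames` lists the credential secret and the secret to update, dropping `list` and `watch` if the updater does not need them (its code is not shown here). The `role` function and the rest of the verb list continue outside this hunk, and the golden file hunk in the same commit mirrors the change.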
@@ -0,0 +1,46 @@ +# registry-credential + +`registry-credential` is a service for rotating the AWS ECR authorization token because the authorization token is valid for 12 hours. + +## Development + +### Prepare a Kubernetes cluster + +```console +# Set up kube context. The registry-credential will connect to this Kubernetes cluster. +kubectx [cluster-name] +``` + +### Prepare the AWS access/secret key pair + +```console +kubectl create secret generic aws-iam-credential \ + --from-literal=access_key_id= \ + --from-literal=secret_access_key= +``` + +### Prepare the configuration + +```json +{ + "namespace": "default", # The namespace to find the Kubernetes secret name + "credentialSecret": "aws-iam-credential", # The secret name with AWS access/secret key pair + "region": "", # The AWS ECR registry region + "publicRegistry": false, # Indicate it's a private or public registry + "secretToUpdate": "" # The authorization token written to +} +``` + +> **Note* +> If you are using public a AWS ECR registry, the region name is either `us-east-1` or `us-west-2`. Reference to the [AWS ECR Public endpoints](https://docs.aws.amazon.com/general/latest/gr/ecr-public.html). + +### Running locally + +To run `registry-credential` locally, the `example-config.json` can be used as follows: + +```console +cd /workspace/gitpod/components/registry-credential + +# Run registry-credential to update the AWS ECR authorization token. +go run . ecr-update example-config.json +``` From ae4f39db43423e83edbeddaba3fe9f4b9d0b9f52 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Wed, 14 Dec 2022 13:21:31 +0000 Subject: [PATCH 11/14] Address review comment - Provide AWS doc/code link - Check IsAWSECRURL in Object once - Check credential AWS access/secret key pair exists 
Signed-off-by: JenTing Hsiao --- components/registry-credential/README.md | 4 ++-- .../registry-credential/pkg/ecr/updater.go | 4 ++-- .../components/registry-credential/common.go | 2 ++ .../registry-credential/configmap.go | 4 ---- .../components/registry-credential/cronjob.go | 4 ---- .../components/registry-credential/objects.go | 24 +++++++++---------- .../components/registry-credential/role.go | 4 ---- .../registry-credential/rolebinding.go | 4 ---- install/installer/pkg/config/v1/validation.go | 5 ++++ 9 files changed, 23 insertions(+), 32 deletions(-) diff --git a/components/registry-credential/README.md b/components/registry-credential/README.md index 941abb145e2f6c..cdb62f1bc0788d 100644 --- a/components/registry-credential/README.md +++ b/components/registry-credential/README.md @@ -15,8 +15,8 @@ kubectx [cluster-name] ```console kubectl create secret generic aws-iam-credential \ - --from-literal=access_key_id= \ - --from-literal=secret_access_key= + --from-literal=accessKeyId= \ + --from-literal=secretAccessKey= ``` ### Prepare the configuration diff --git a/components/registry-credential/pkg/ecr/updater.go b/components/registry-credential/pkg/ecr/updater.go index ec3380ffc7524e..6bfe1c0ccad6ba 100644 --- a/components/registry-credential/pkg/ecr/updater.go +++ b/components/registry-credential/pkg/ecr/updater.go @@ -27,8 +27,8 @@ import ( ) const ( - accessKeyIdName = "access_key_id" - secretAccessKeyName = "secret_access_key" + accessKeyIdName = "accessKeyId" + secretAccessKeyName = "secretAccessKey" ) const ( diff --git a/install/installer/pkg/components/registry-credential/common.go b/install/installer/pkg/components/registry-credential/common.go index 9399ebd3c05c3e..758cfa7c2b7ffd 100644 --- a/install/installer/pkg/components/registry-credential/common.go +++ b/install/installer/pkg/components/registry-credential/common.go 
@@ -32,6 +32,7 @@ func isAWSECRURL(URL string) bool { // isPrivateAWSECRURL check if it's a private AWS ECR URL. // The private AWS ECR URL with the format aws_account_id.dkr.ecr.region.amazonaws.com. +// Reference to https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html func isPrivateAWSECRURL(URL string) bool { u, err := url.Parse(URL) if err != nil { @@ -54,6 +55,7 @@ func isPrivateAWSECRURL(URL string) bool { // isPublicAWSECRURL check if it's a public AWS ECR URL. // The public AWS ECR URL with the format public.ecr.aws/. +// Reference to https://github.com/awslabs/amazon-ecr-credential-helper/blob/3b42f427f89a8adec0e42e673e7c94cf80d40b0c/ecr-login/api/client.go#L36 func isPublicAWSECRURL(URL string) bool { u, err := url.Parse(URL) if err != nil { diff --git a/install/installer/pkg/components/registry-credential/configmap.go b/install/installer/pkg/components/registry-credential/configmap.go index 97e6bfea0e50cd..5864fae1ad2fe4 100644 --- a/install/installer/pkg/components/registry-credential/configmap.go +++ b/install/installer/pkg/components/registry-credential/configmap.go @@ -15,10 +15,6 @@ import ( ) func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { - if !IsAWSECRURL(ctx) { - return nil, nil - } - privateRegistry := isPrivateAWSECRURL(ctx.Config.ContainerRegistry.External.URL) region := getAWSRegion(ctx.Config.ContainerRegistry.External.URL) diff --git a/install/installer/pkg/components/registry-credential/cronjob.go b/install/installer/pkg/components/registry-credential/cronjob.go index 1f619398a5697c..33a7fd13486e74 100644 --- a/install/installer/pkg/components/registry-credential/cronjob.go +++ b/install/installer/pkg/components/registry-credential/cronjob.go @@ -15,10 +15,6 @@ import ( ) func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) { - if !IsAWSECRURL(ctx) { - return nil, nil - } - objectMeta := metav1.ObjectMeta{ Name: Component, Namespace: ctx.Namespace, 
diff --git a/install/installer/pkg/components/registry-credential/objects.go b/install/installer/pkg/components/registry-credential/objects.go index f8de54de85abb5..7b0f34a163e0d4 100644 --- a/install/installer/pkg/components/registry-credential/objects.go +++ b/install/installer/pkg/components/registry-credential/objects.go @@ -10,15 +10,15 @@ import ( "github.com/gitpod-io/gitpod/installer/pkg/common" ) -var Objects = common.CompositeRenderFunc( - configmap, - role, - rolebinding, - cronjob, - func(ctx *common.RenderContext) ([]runtime.Object, error) { - if !IsAWSECRURL(ctx) { - return nil, nil - } - return common.DefaultServiceAccount(Component)(ctx) - }, -) +func Objects(ctx *common.RenderContext) ([]runtime.Object, error) { + if !IsAWSECRURL(ctx) { + return nil, nil + } + return common.CompositeRenderFunc( + configmap, + role, + rolebinding, + cronjob, + common.DefaultServiceAccount(Component), + )(ctx) +} diff --git a/install/installer/pkg/components/registry-credential/role.go b/install/installer/pkg/components/registry-credential/role.go index 9c0b80b8b41975..b738f07051f4d6 100644 --- a/install/installer/pkg/components/registry-credential/role.go +++ b/install/installer/pkg/components/registry-credential/role.go @@ -13,10 +13,6 @@ import ( ) func role(ctx *common.RenderContext) ([]runtime.Object, error) { - if !IsAWSECRURL(ctx) { - return nil, nil - } - return []runtime.Object{ &rbacv1.Role{ TypeMeta: common.TypeMetaRole, diff --git a/install/installer/pkg/components/registry-credential/rolebinding.go b/install/installer/pkg/components/registry-credential/rolebinding.go index 36a0648679ec39..273358281bee7e 100644 --- a/install/installer/pkg/components/registry-credential/rolebinding.go +++ b/install/installer/pkg/components/registry-credential/rolebinding.go 
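Review bot: `Objects` is exported and now holds the only `IsAWSECRURL` guard for this package, but it has no doc comment saying so. `configmap` reads `ctx.Config.ContainerRegistry.External.URL` directly (see the configmap.go hunk of this commit), so the render functions depend on never being called outside this guard. I would add `// Objects renders the registry-credential resources, or nothing when IsAWSECRURL(ctx) is false; the render functions it composes rely on this guard.` above the function.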
@@ -13,10 +13,6 @@ import ( ) func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) { - if !IsAWSECRURL(ctx) { - return nil, nil - } - return []runtime.Object{ &rbacv1.RoleBinding{ TypeMeta: common.TypeMetaRoleBinding, diff --git a/install/installer/pkg/config/v1/validation.go b/install/installer/pkg/config/v1/validation.go index 2eba42a9d1b397..241fa0bb9b0736 100644 --- a/install/installer/pkg/config/v1/validation.go +++ b/install/installer/pkg/config/v1/validation.go @@ -149,6 +149,11 @@ func (v version) ClusterValidation(rcfg interface{}) cluster.ValidationChecks { if cfg.ContainerRegistry.External != nil { secretName := cfg.ContainerRegistry.External.Certificate.Name res = append(res, cluster.CheckSecret(secretName, cluster.CheckSecretRequiredData(".dockerconfigjson"))) + + if cfg.ContainerRegistry.External.Credential != nil { + credSecretName := cfg.ContainerRegistry.External.Credential.Name + res = append(res, cluster.CheckSecret(credSecretName, cluster.CheckSecretRequiredData("accessKeyId", "secretAccessKey"))) + } } if cfg.ContainerRegistry.S3Storage != nil { From 397b18ddec43ed6a8da624184f5977da30dabeda Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Thu, 15 Dec 2022 02:07:36 +0000 Subject: [PATCH 12/14] Rename from registry-credential to refresh-credential 
Signed-off-by: JenTing Hsiao --- components/BUILD.yaml | 4 +- components/refresh-credential/.gitignore | 1 + .../BUILD.yaml | 8 +- components/refresh-credential/README.md | 44 ++++++++++ .../cmd/root.go | 12 +-- .../example-config.json | 2 +- .../go.mod | 2 +- .../go.sum | 0 .../leeway.Dockerfile | 4 +- .../main.go | 2 +- .../pkg/config/config.go | 4 +- .../pkg/ecr/updater.go | 49 +++-------- components/registry-credential/.gitignore | 1 - components/registry-credential/README.md | 46 ---------- gitpod-ws.code-workspace | 2 +- install/installer/BUILD.yaml | 2 +- .../cmd/testdata/render/aws-setup/config.yaml | 4 +- .../testdata/render/aws-setup/output.golden | 84 ++++++++++--------- .../testdata/render/azure-setup/output.golden | 2 +- .../render/customization/output.golden | 2 +- .../render/external-registry/output.golden | 2 +- .../testdata/render/gcp-setup/output.golden | 2 +- .../testdata/render/http-proxy/output.golden | 2 +- .../testdata/render/kind-ide/output.golden | 2 +- .../testdata/render/kind-meta/output.golden | 2 +- .../testdata/render/kind-webapp/output.golden | 2 +- .../render/kind-workspace/output.golden | 2 +- .../cmd/testdata/render/minimal/output.golden | 2 +- .../testdata/render/shortname/output.golden | 2 +- .../statefulset-customization/output.golden | 2 +- .../use-pod-security-policies/output.golden | 2 +- .../cmd/testdata/render/versions.yaml | 2 +- .../render/vsxproxy-pvc/output.golden | 2 +- .../workspace-requests-limits/output.golden | 2 +- install/installer/go.mod | 4 +- install/installer/pkg/common/storage.go | 14 ++-- .../components-workspace/components.go | 4 +- .../common.go | 2 +- .../common_test.go | 2 +- .../configmap.go | 31 +++---- .../constants.go | 4 +- .../cronjob.go | 70 ++++++++-------- .../objects.go | 2 +- .../role.go | 2 +- .../rolebinding.go | 2 +- install/installer/pkg/config/v1/config.go | 2 +- install/installer/pkg/config/v1/validation.go | 4 +- .../installer/pkg/config/versions/versions.go | 2 +- 48 files changed, 
210 insertions(+), 238 deletions(-) create mode 100644 components/refresh-credential/.gitignore rename components/{registry-credential => refresh-credential}/BUILD.yaml (69%) create mode 100644 components/refresh-credential/README.md rename components/{registry-credential => refresh-credential}/cmd/root.go (77%) rename components/{registry-credential => refresh-credential}/example-config.json (63%) rename components/{registry-credential => refresh-credential}/go.mod (98%) rename components/{registry-credential => refresh-credential}/go.sum (100%) rename components/{registry-credential => refresh-credential}/leeway.Dockerfile (77%) rename components/{registry-credential => refresh-credential}/main.go (79%) rename components/{registry-credential => refresh-credential}/pkg/config/config.go (89%) rename components/{registry-credential => refresh-credential}/pkg/ecr/updater.go (83%) delete mode 100644 components/registry-credential/.gitignore delete mode 100644 components/registry-credential/README.md rename install/installer/pkg/components/{registry-credential => refresh-credential}/common.go (98%) rename install/installer/pkg/components/{registry-credential => refresh-credential}/common_test.go (98%) rename install/installer/pkg/components/{registry-credential => refresh-credential}/configmap.go (64%) rename install/installer/pkg/components/{registry-credential => refresh-credential}/constants.go (78%) rename install/installer/pkg/components/{registry-credential => refresh-credential}/cronjob.go (51%) rename install/installer/pkg/components/{registry-credential => refresh-credential}/objects.go (95%) rename install/installer/pkg/components/{registry-credential => refresh-credential}/role.go (96%) rename install/installer/pkg/components/{registry-credential => refresh-credential}/rolebinding.go (96%) diff --git a/components/BUILD.yaml b/components/BUILD.yaml index d05acf9f36baea..23167fbd37c459 100644 --- a/components/BUILD.yaml +++ b/components/BUILD.yaml 
@@ -66,9 +66,9 @@ packages: - components/usage:docker - components/openvsx-proxy:docker - components/proxy:docker + - components/refresh-credential:docker - components/registry-facade:docker - components/registry-facade/ca-updater:docker - - components/registry-credential:docker - components/server:docker - components/service-waiter:docker - components/supervisor:docker @@ -122,8 +122,8 @@ packages: - components/image-builder-mk3:app - components/openvsx-proxy:app - components/public-api-server:app + - components/refresh-credential:app - components/registry-facade:app - - components/registry-credential:app - components/server:app - components/service-waiter:app - components/supervisor:app diff --git a/components/refresh-credential/.gitignore b/components/refresh-credential/.gitignore new file mode 100644 index 00000000000000..f1d646a2571997 --- /dev/null +++ b/components/refresh-credential/.gitignore @@ -0,0 +1 @@ +refresh-credential diff --git a/components/registry-credential/BUILD.yaml b/components/refresh-credential/BUILD.yaml similarity index 69% rename from components/registry-credential/BUILD.yaml rename to components/refresh-credential/BUILD.yaml index 4b99d438a557e4..bd1869e90052c5 100644 --- a/components/registry-credential/BUILD.yaml +++ b/components/refresh-credential/BUILD.yaml @@ -12,7 +12,7 @@ packages: - GOOS=linux config: packaging: app - buildCommand: ["go", "build", "-trimpath", "-ldflags", "-buildid= -w -s -X 'github.com/gitpod-io/gitpod/registry-credential/cmd.Version=commit-${__git_commit}'"] + buildCommand: ["go", "build", "-trimpath", "-ldflags", "-buildid= -w -s -X 'github.com/gitpod-io/gitpod/refresh-credential/cmd.Version=commit-${__git_commit}'"] - name: docker type: docker deps: 
@@ -22,10 +22,10 @@ packages: config: dockerfile: leeway.Dockerfile metadata: - helm-component: registryCredential + helm-component: refreshCredential image: - - ${imageRepoBase}/registry-credential:${version} - - ${imageRepoBase}/registry-credential:commit-${__git_commit} + - ${imageRepoBase}/refresh-credential:${version} + - ${imageRepoBase}/refresh-credential:commit-${__git_commit} - name: lib type: go srcs: diff --git a/components/refresh-credential/README.md b/components/refresh-credential/README.md new file mode 100644 index 00000000000000..01fb1baef235f0 --- /dev/null +++ b/components/refresh-credential/README.md @@ -0,0 +1,44 @@ +# refresh-credential + +`refresh-credential` is a service to refresh the AWS ECR authorization token because the authorization token is valid for 12 hours. + +## Development + +### Prepare a Kubernetes cluster + +```console +# Set up kube context. The refresh-credential will connect to this Kubernetes cluster. +kubectx [cluster-name] +``` + +### Prepare the AWS access/secret key pair + +```console +aws configure +``` + +### Prepare the configuration + +```json +{ + "namespace": "default", # The namespace to find the Kubernetes secret name + "credentialSecret": "$HOME/.aws/credentials", # The secret name with AWS access/secret key pair + "region": "", # The AWS ECR registry region + "publicRegistry": false, # Indicate it's a private or public registry + "secretToUpdate": "" # The authorization token written to +} +``` + +> **Note* +> If you are using public a AWS ECR registry, the region name is either `us-east-1` or `us-west-2`. Reference to the [AWS ECR Public endpoints](https://docs.aws.amazon.com/general/latest/gr/ecr-public.html). + +### Running locally + +To run `refresh-credential` locally, the `example-config.json` can be used as follows: + +```console +cd /workspace/gitpod/components/refresh-credential + +# Run refresh-credential to refresh the AWS ECR authorization token. +go run . ecr example-config.json +``` 
diff --git a/components/registry-credential/cmd/root.go b/components/refresh-credential/cmd/root.go similarity index 77% rename from components/registry-credential/cmd/root.go rename to components/refresh-credential/cmd/root.go index 2a629f8df2bf47..2022cdb03c54ef 100644 --- a/components/registry-credential/cmd/root.go +++ b/components/refresh-credential/cmd/root.go @@ -14,18 +14,18 @@ import ( "github.com/spf13/cobra" "github.com/gitpod-io/gitpod/common-go/log" - "github.com/gitpod-io/gitpod/registry-credential/pkg/config" - "github.com/gitpod-io/gitpod/registry-credential/pkg/ecr" + "github.com/gitpod-io/gitpod/refresh-credential/pkg/config" + "github.com/gitpod-io/gitpod/refresh-credential/pkg/ecr" ) var rootCmd = &cobra.Command{ - Use: "ecr-update ", - Short: "Update the AWS ECR credential", + Use: "ecr ", + Short: "Refresh the AWS ECR credential", Args: cobra.ExactArgs(2), Run: func(cmd *cobra.Command, args []string) { cfgFile := args[1] cfg := config.Get(cfgFile) - log.WithField("config", cfg).Info("Starting registry-credential") + log.WithField("config", cfg).Info("Starting refresh-credential") kubeConfig, err := ctrl.GetConfig() if err != nil { @@ -37,7 +37,7 @@ var rootCmd = &cobra.Command{ log.WithError(err).Fatal("constructing Kubernetes client") } - ecr.UpdateCredential(client, cfg) + ecr.RefreshCredential(client, cfg) }, } diff --git a/components/registry-credential/example-config.json b/components/refresh-credential/example-config.json similarity index 63% rename from components/registry-credential/example-config.json rename to components/refresh-credential/example-config.json index 0152ecf70dc573..f37db3a61a9d0b 100644 --- a/components/registry-credential/example-config.json +++ b/components/refresh-credential/example-config.json @@ -1,6 +1,6 @@ { "namespace": "default", - "credentialSecret": "", + "credentialSecret": "/home/gitpod/.aws/credentials", "region": "", "publicRegistry": false, "secretToUpdate": "" 
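Review bot: The example config still uses the key `credentialSecret`, while this commit renames the field's JSON tag to `credentialsFile` in pkg/config/config.go. A config decoded from this file would therefore leave `CredentialsFile` empty, assuming the decoder ignores unknown keys, and the updater would not load credentials from the path given here. The line should read `"credentialsFile": "/home/gitpod/.aws/credentials",`. The new README in this commit documents the same old key and needs the same change.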
diff --git a/components/registry-credential/go.mod b/components/refresh-credential/go.mod similarity index 98% rename from components/registry-credential/go.mod rename to components/refresh-credential/go.mod index 265e8c90cc24ed..76179a2f510484 100644 --- a/components/registry-credential/go.mod +++ b/components/refresh-credential/go.mod @@ -1,4 +1,4 @@ -module github.com/gitpod-io/gitpod/registry-credential +module github.com/gitpod-io/gitpod/refresh-credential go 1.19 diff --git a/components/registry-credential/go.sum b/components/refresh-credential/go.sum similarity index 100% rename from components/registry-credential/go.sum rename to components/refresh-credential/go.sum diff --git a/components/registry-credential/leeway.Dockerfile b/components/refresh-credential/leeway.Dockerfile similarity index 77% rename from components/registry-credential/leeway.Dockerfile rename to components/refresh-credential/leeway.Dockerfile index a3a728dc69faf9..89d62d9390a680 100644 --- a/components/registry-credential/leeway.Dockerfile +++ b/components/refresh-credential/leeway.Dockerfile @@ -9,9 +9,9 @@ RUN apk upgrade --no-cache \ && apk add --no-cache ca-certificates RUN adduser -S -D -H -h /app -u 31001 appuser -COPY components-registry-credential--app/registry-credential /app/registry-credential +COPY components-refresh-credential--app/refresh-credential /app/refresh-credential RUN chown -R appuser /app USER appuser -ENTRYPOINT [ "/app/registry-credential" ] +ENTRYPOINT [ "/app/refresh-credential" ] CMD [ "-v", "help" ] diff --git a/components/registry-credential/main.go b/components/refresh-credential/main.go similarity index 79% rename from components/registry-credential/main.go rename to components/refresh-credential/main.go index 37b011bc5b5e5f..a249971d4d3ac4 100644 --- a/components/registry-credential/main.go +++ b/components/refresh-credential/main.go 
@@ -4,7 +4,7 @@ package main -import "github.com/gitpod-io/gitpod/registry-credential/cmd" +import "github.com/gitpod-io/gitpod/refresh-credential/cmd" func main() { cmd.Execute() diff --git a/components/registry-credential/pkg/config/config.go b/components/refresh-credential/pkg/config/config.go similarity index 89% rename from components/registry-credential/pkg/config/config.go rename to components/refresh-credential/pkg/config/config.go index 676efa3f446b58..9c6880bdf55f70 100644 --- a/components/registry-credential/pkg/config/config.go +++ b/components/refresh-credential/pkg/config/config.go @@ -16,9 +16,9 @@ type Configuration struct { // Namespace describes which namespace the below secrets locates. Namespace string `json:"namespace"` - // CredentialSecret points to a Kubernetes secret which contains the credential to rotate + // CredentialsFile points to a Kubernetes secret which contains the credential to refresh // the container registry credential . - CredentialSecret string `json:"credentialSecret"` + CredentialsFile string `json:"credentialsFile"` // Region describes which public cloud region the container registry locates. Region string `json:"region"` diff --git a/components/registry-credential/pkg/ecr/updater.go b/components/refresh-credential/pkg/ecr/updater.go similarity index 83% rename from components/registry-credential/pkg/ecr/updater.go rename to components/refresh-credential/pkg/ecr/updater.go index 6bfe1c0ccad6ba..2f45c3ea1f99d0 100644 --- a/components/registry-credential/pkg/ecr/updater.go +++ b/components/refresh-credential/pkg/ecr/updater.go 
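Review bot: The comment on `CredentialsFile` in config.go still says the field "points to a Kubernetes secret", but after this commit the updater passes the value to the AWS config loader as a file path. A stale comment on a credential setting invites a misconfigured deployment, so I would replace it with `// CredentialsFile is the path to the AWS shared credentials file used to request the registry authorization token.` The `Configuration` struct continues outside the hunk.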
@@ -17,22 +17,16 @@ import ( aws "github.com/aws/aws-sdk-go-v2/aws" awsconfig "github.com/aws/aws-sdk-go-v2/config" - awscred "github.com/aws/aws-sdk-go-v2/credentials" ecr "github.com/aws/aws-sdk-go-v2/service/ecr" ecrPublic "github.com/aws/aws-sdk-go-v2/service/ecrpublic" "github.com/docker/cli/cli/config/credentials" "github.com/gitpod-io/gitpod/common-go/log" - "github.com/gitpod-io/gitpod/registry-credential/pkg/config" + "github.com/gitpod-io/gitpod/refresh-credential/pkg/config" ) const ( - accessKeyIdName = "accessKeyId" - secretAccessKeyName = "secretAccessKey" -) - -const ( - ecrExpiresAtAnnotation = "registry-credential-updater/ecr-expires-at" + ecrExpiresAtAnnotation = "refresh-credential/ecr-expires-at" ) // DockerConfigJSON represents ~/.docker/config.json file info 
@@ -50,27 +44,22 @@ type DockerConfigEntry struct { Auth string `json:"auth"` } -func UpdateCredential(client *kubernetes.Clientset, cfg *config.Configuration) { +func RefreshCredential(client *kubernetes.Clientset, cfg *config.Configuration) { private := !cfg.PublicRegistry region := cfg.Region log := log.WithField("private", private).WithField("region", region) - credSecret, err := getSecret(client, cfg.Namespace, cfg.CredentialSecret) - if err != nil { - log.WithError(err).Fatalf("cannot find the credential secret %s/%s", cfg.CredentialSecret, cfg.Namespace) - } - - accessKey := string(credSecret.Data[accessKeyIdName]) - secretKey := string(credSecret.Data[secretAccessKeyName]) - - log.Infof("Prepare to rotate AWS ECR secret %s/%s", cfg.SecretToUpdate, cfg.Namespace) - - awsConfig, err := newAWSConfig(region, accessKey, secretKey, "") + awsCfg, err := awsconfig.LoadDefaultConfig(context.TODO(), + awsconfig.WithRegion(region), + awsconfig.WithSharedConfigFiles([]string{cfg.CredentialsFile}), + ) if err != nil { log.WithError(err).Fatal("unable to new aws config") } + log.Infof("Prepare to refresh AWS ECR secret %s/%s", cfg.SecretToUpdate, cfg.Namespace) + // Get an authorization token from ECR var ( authorizationToken string @@ -78,7 +67,7 @@ func UpdateCredential(client *kubernetes.Clientset, cfg *config.Configuration) { endpoint string ) if private { - ecrClient := ecr.NewFromConfig(awsConfig) + ecrClient := ecr.NewFromConfig(awsCfg) result, err := ecrClient.GetAuthorizationToken(context.TODO(), &ecr.GetAuthorizationTokenInput{}) if err != nil { log.WithError(err).Fatal("unable to get an authorization token with private ECR") 
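Review bot: `RefreshCredential` hands `cfg.CredentialsFile` to `awsconfig.WithSharedConfigFiles`, which sets the SDK's shared config files; the README and example config point this setting at `~/.aws/credentials`, and the matching option for that file is `awsconfig.WithSharedCredentialsFiles([]string{cfg.CredentialsFile}),`. As far as I know `LoadDefaultConfig` still resolves credentials through the default chain, so environment variables or an instance role can supply the identity instead of this file. An empty `CredentialsFile` is also not rejected before the call, so I would fail fast on an empty path and log which credential source was selected. The function body continues outside the hunk.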
@@ -99,7 +88,7 @@ func UpdateCredential(client *kubernetes.Clientset, cfg *config.Configuration) { expiresAt = aws.ToTime(result.AuthorizationData[0].ExpiresAt) } else { - ecrClient := ecrPublic.NewFromConfig(awsConfig) + ecrClient := ecrPublic.NewFromConfig(awsCfg) result, err := ecrClient.GetAuthorizationToken(context.TODO(), &ecrPublic.GetAuthorizationTokenInput{}) if err != nil { log.WithError(err).Fatal("unable to get an authorization token from public ECR") @@ -129,7 +118,7 @@ func UpdateCredential(client *kubernetes.Clientset, cfg *config.Configuration) { Namespace: cfg.Namespace, Labels: map[string]string{ "app": "gitpod", - "component": "registry-credential", + "component": "refresh-credential", }, }, Type: corev1.SecretTypeDockerConfigJson, @@ -152,20 +141,6 @@ func UpdateCredential(client *kubernetes.Clientset, cfg *config.Configuration) { log.Infof("Secret %s/%s updated with new ECR credentials", cfg.SecretToUpdate, cfg.Namespace) } -func newAWSConfig(region, accessKeyId, secretAccessKey, session string) (aws.Config, error) { - return awsconfig.LoadDefaultConfig( - context.TODO(), - awsconfig.WithRegion(region), - awsconfig.WithCredentialsProvider( - awscred.NewStaticCredentialsProvider( - accessKeyId, - secretAccessKey, - session, - ), - ), - ) -} - // getSecret returns the Kubernetes secret. func getSecret(client *kubernetes.Clientset, namespace, secretName string) (*corev1.Secret, error) { return client.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{}) diff --git a/components/registry-credential/.gitignore b/components/registry-credential/.gitignore deleted file mode 100644 index 958b1c8af96991..00000000000000 --- a/components/registry-credential/.gitignore +++ /dev/null @@ -1 +0,0 @@ -registry-credential diff --git a/components/registry-credential/README.md b/components/registry-credential/README.md deleted file mode 100644 index cdb62f1bc0788d..00000000000000 
--- a/components/registry-credential/README.md +++ /dev/null @@ -1,46 +0,0 @@ -# registry-credential - -`registry-credential` is a service for rotating the AWS ECR authorization token because the authorization token is valid for 12 hours. - -## Development - -### Prepare a Kubernetes cluster - -```console -# Set up kube context. The registry-credential will connect to this Kubernetes cluster. -kubectx [cluster-name] -``` - -### Prepare the AWS access/secret key pair - -```console -kubectl create secret generic aws-iam-credential \ - --from-literal=accessKeyId= \ - --from-literal=secretAccessKey= -``` - -### Prepare the configuration - -```json -{ - "namespace": "default", # The namespace to find the Kubernetes secret name - "credentialSecret": "aws-iam-credential", # The secret name with AWS access/secret key pair - "region": "", # The AWS ECR registry region - "publicRegistry": false, # Indicate it's a private or public registry - "secretToUpdate": "" # The authorization token written to -} -``` - -> **Note* -> If you are using public a AWS ECR registry, the region name is either `us-east-1` or `us-west-2`. Reference to the [AWS ECR Public endpoints](https://docs.aws.amazon.com/general/latest/gr/ecr-public.html). - -### Running locally - -To run `registry-credential` locally, the `example-config.json` can be used as follows: - -```console -cd /workspace/gitpod/components/registry-credential - -# Run registry-credential to update the AWS ECR authorization token. -go run . ecr-update example-config.json -``` diff --git a/gitpod-ws.code-workspace b/gitpod-ws.code-workspace index 085159c0d41110..bdb5e92494fc8c 100644 --- a/gitpod-ws.code-workspace +++ b/gitpod-ws.code-workspace 
@@ -15,8 +15,8 @@ { "path": "components/image-builder-mk3" }, { "path": "components/licensor" }, { "path": "components/local-app" }, + { "path": "components/refresh-credential" }, { "path": "components/registry-facade" }, - { "path": "components/registry-credential" }, { "path": "components/service-waiter" }, { "path": "components/supervisor" }, { "path": "components/usage" }, diff --git a/install/installer/BUILD.yaml b/install/installer/BUILD.yaml index 5fc682ab17fe64..33d165b72a65b9 100644 --- a/install/installer/BUILD.yaml +++ b/install/installer/BUILD.yaml @@ -29,7 +29,7 @@ packages: - components/image-builder-api/go:lib - components/openvsx-proxy:lib - components/public-api/go:lib - - components/registry-credential:lib + - components/refresh-credential:lib - components/registry-facade-api/go:lib - components/registry-facade:lib - components/ws-daemon-api/go:lib diff --git a/install/installer/cmd/testdata/render/aws-setup/config.yaml b/install/installer/cmd/testdata/render/aws-setup/config.yaml index a2ed74d9b6bfd7..81d36c6e368343 100644 --- a/install/installer/cmd/testdata/render/aws-setup/config.yaml +++ b/install/installer/cmd/testdata/render/aws-setup/config.yaml @@ -11,9 +11,9 @@ containerRegistry: certificate: kind: secret name: aws-ecr-credential - credential: + credentials: kind: secret - name: aws-iam-user-credential + name: aws-storage s3storage: region: eu-west-2 endpoint: registry.amazonaws.com # Invalid endpoint - use to differentiate from objectStorage diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index 40da25d41cae7e..cf51641e26640d 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden 
@@ -938,7 +938,7 @@ automountServiceAccountToken: true secrets: - name: messagebus --- -# v1/ServiceAccount registry-credential +# v1/ServiceAccount refresh-credential apiVersion: v1 automountServiceAccountToken: true kind: ServiceAccount @@ -946,8 +946,8 @@ metadata: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default --- # v1/ServiceAccount registry-facade @@ -1338,9 +1338,9 @@ data: certificate: kind: secret name: aws-ecr-credential - credential: + credentials: kind: secret - name: aws-iam-user-credential + name: aws-storage url: 012345678969.dkr.ecr.eu-west-2.amazonaws.com inCluster: false privateBaseImageAllowList: [] @@ -1463,7 +1463,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { @@ -3191,8 +3191,8 @@ data: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 @@ -3201,8 +3201,8 @@ data: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 @@ -3211,8 +3211,8 @@ data: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default --- apiVersion: batch/v1 @@ -3221,8 +3221,8 @@ data: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default --- apiVersion: v1 
@@ -3231,8 +3231,8 @@ data: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default --- apiVersion: networking.k8s.io/v1 @@ -4780,13 +4780,13 @@ metadata: name: public-api-server namespace: default --- -# v1/ConfigMap registry-credential +# v1/ConfigMap refresh-credential apiVersion: v1 data: config.json: |- { "namespace": "default", - "credentialSecret": "aws-iam-user-credential", + "credentialsFile": "/mnt/secrets/storage/credentials", "region": "eu-west-2", "publicRegistry": false, "secretToUpdate": "aws-ecr-credential" @@ -4796,8 +4796,8 @@ metadata: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default --- # v1/ConfigMap registry-facade @@ -6063,15 +6063,15 @@ rules: resources: ["events"] verbs: ["create"] --- -# rbac.authorization.k8s.io/v1/Role registry-credential +# rbac.authorization.k8s.io/v1/Role refresh-credential apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default rules: - apiGroups: 
@@ -6536,23 +6536,23 @@ subjects: - kind: ServiceAccount name: rabbitmq --- -# rbac.authorization.k8s.io/v1/RoleBinding registry-credential +# rbac.authorization.k8s.io/v1/RoleBinding refresh-credential apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: registry-credential + name: refresh-credential subjects: - kind: ServiceAccount - name: registry-credential + name: refresh-credential --- # rbac.authorization.k8s.io/v1/RoleBinding server apiVersion: rbac.authorization.k8s.io/v1 @@ -10690,15 +10690,15 @@ spec: successfulJobsHistoryLimit: 3 status: {} --- -# batch/v1/CronJob registry-credential +# batch/v1/CronJob refresh-credential apiVersion: batch/v1 kind: CronJob metadata: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default spec: concurrencyPolicy: Replace @@ -10708,8 +10708,8 @@ spec: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default spec: backoffLimit: 10 @@ -10718,17 +10718,17 @@ spec: creationTimestamp: null labels: app: gitpod - component: registry-credential - name: registry-credential + component: refresh-credential + name: refresh-credential namespace: default spec: containers: - args: - ecr-update - /config/config.json - image: eu.gcr.io/gitpod-core-dev/build/registry-credential:test + image: eu.gcr.io/gitpod-core-dev/build/refresh-credential:test imagePullPolicy: IfNotPresent - name: registry-credential + name: refresh-credential resources: {} securityContext: allowPrivilegeEscalation: false 
@@ -10736,12 +10736,18 @@ spec: - mountPath: /config name: config readOnly: true + - mountPath: /mnt/secrets/storage + name: storage-volume + readOnly: true restartPolicy: OnFailure - serviceAccountName: registry-credential + serviceAccountName: refresh-credential volumes: - configMap: - name: registry-credential + name: refresh-credential name: config + - name: storage-volume + secret: + secretName: aws-storage schedule: '* */6 * * *' successfulJobsHistoryLimit: 1 status: {} diff --git a/install/installer/cmd/testdata/render/azure-setup/output.golden b/install/installer/cmd/testdata/render/azure-setup/output.golden index 349c5e76054b59..f3d5220efe3b31 100644 --- a/install/installer/cmd/testdata/render/azure-setup/output.golden +++ b/install/installer/cmd/testdata/render/azure-setup/output.golden @@ -1469,7 +1469,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index 055d173a920e1d..9a278d4fd5a8eb 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -1736,7 +1736,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index 736cc983cfaf9f..50a57a9b6b0db0 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden @@ -1516,7 +1516,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { 
diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index 6d39ec2967a3ab..2847e6b637c8d1 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden @@ -1447,7 +1447,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index 3a4f3b131e0deb..109e773de4f3bc 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -1585,7 +1585,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/kind-ide/output.golden b/install/installer/cmd/testdata/render/kind-ide/output.golden index bccd7deba85b2e..cb312d248ce6bc 100644 --- a/install/installer/cmd/testdata/render/kind-ide/output.golden +++ b/install/installer/cmd/testdata/render/kind-ide/output.golden @@ -547,7 +547,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/kind-meta/output.golden b/install/installer/cmd/testdata/render/kind-meta/output.golden index 43067836ac6f85..f8927b87cd7403 100644 --- a/install/installer/cmd/testdata/render/kind-meta/output.golden +++ b/install/installer/cmd/testdata/render/kind-meta/output.golden @@ -1130,7 +1130,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { 
diff --git a/install/installer/cmd/testdata/render/kind-webapp/output.golden b/install/installer/cmd/testdata/render/kind-webapp/output.golden index 336d5818083417..37e2c99fae8453 100644 --- a/install/installer/cmd/testdata/render/kind-webapp/output.golden +++ b/install/installer/cmd/testdata/render/kind-webapp/output.golden @@ -868,7 +868,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/kind-workspace/output.golden b/install/installer/cmd/testdata/render/kind-workspace/output.golden index a2c6dc323e0ca1..b0bb16794ee66e 100644 --- a/install/installer/cmd/testdata/render/kind-workspace/output.golden +++ b/install/installer/cmd/testdata/render/kind-workspace/output.golden @@ -737,7 +737,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index 211c0d535f9583..ea4c09ea64bd0a 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden @@ -1582,7 +1582,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index 9ca790481ed4ca..ab00b4319aabc6 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden @@ -1582,7 +1582,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { 
diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index d0df31d248a9e7..24492c4f361da4 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -1594,7 +1594,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index 2d49633cfcbcb9..82382e8769c3f6 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden @@ -1804,7 +1804,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/versions.yaml b/install/installer/cmd/testdata/render/versions.yaml index 9b50fafc00d6e7..5d3933a4111fac 100644 --- a/install/installer/cmd/testdata/render/versions.yaml +++ b/install/installer/cmd/testdata/render/versions.yaml @@ -51,7 +51,7 @@ components: version: test public-api-server: version: test - registryCredential: + refreshCredential: version: test registryFacade: version: test diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index 37860c219d3abf..4ff1089fa07038 100644 --- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden 
@@ -1584,7 +1584,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index de4bad3dd9b078..2977322adc7c95 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -1585,7 +1585,7 @@ data: "public-api-server": { "version": "test" }, - "registryCredential": { + "refreshCredential": { "version": "test" }, "registryFacade": { diff --git a/install/installer/go.mod b/install/installer/go.mod index 408e5c097ac80e..c3c067f9d26915 100644 --- a/install/installer/go.mod +++ b/install/installer/go.mod @@ -17,7 +17,7 @@ require ( github.com/gitpod-io/gitpod/ide-service-api v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/image-builder/api v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/openvsx-proxy v0.0.0-00010101000000-000000000000 - github.com/gitpod-io/gitpod/registry-credential v0.0.0-00010101000000-000000000000 + github.com/gitpod-io/gitpod/refresh-credential v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/registry-facade/api v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/usage v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/ws-daemon v0.0.0-00010101000000-000000000000 
@@ -370,7 +370,7 @@ replace github.com/gitpod-io/gitpod/openvsx-proxy => ../../components/openvsx-pr replace github.com/gitpod-io/gitpod/components/public-api/go => ../../components/public-api/go // leeway -replace github.com/gitpod-io/gitpod/registry-credential => ../../components/registry-credential // leeway +replace github.com/gitpod-io/gitpod/refresh-credential => ../../components/refresh-credential // leeway replace github.com/gitpod-io/gitpod/registry-facade => ../../components/registry-facade // leeway diff --git a/install/installer/pkg/common/storage.go b/install/installer/pkg/common/storage.go index f5393a8376bfa2..c45859c792909b 100644 --- a/install/installer/pkg/common/storage.go +++ b/install/installer/pkg/common/storage.go @@ -16,7 +16,7 @@ import ( corev1 "k8s.io/api/core/v1" ) -const storageMount = "/mnt/secrets/storage" +const StorageMount = "/mnt/secrets/storage" // StorageConfig produces config service configuration from the installer config @@ -39,7 +39,7 @@ func StorageConfig(context *RenderContext) storageconfig.StorageConfig { GCloudConfig: storageconfig.GCPConfig{ Region: context.Config.Metadata.Region, Project: context.Config.ObjectStorage.CloudStorage.Project, - CredentialsFile: filepath.Join(storageMount, "service-account.json"), + CredentialsFile: filepath.Join(StorageMount, "service-account.json"), }, } } @@ -50,7 +50,7 @@ func StorageConfig(context *RenderContext) storageconfig.StorageConfig { S3Config: &storageconfig.S3Config{ Region: context.Config.Metadata.Region, Bucket: context.Config.ObjectStorage.S3.BucketName, - CredentialsFile: filepath.Join(storageMount, "credentials"), + CredentialsFile: filepath.Join(StorageMount, "credentials"), }, } } 
@@ -90,7 +90,7 @@ func StorageConfig(context *RenderContext) storageconfig.StorageConfig { } // mountStorage performs the actual storage mount, which is common across all providers -func mountStorage(pod *corev1.PodSpec, secret string, container ...string) { +func MountStorage(pod *corev1.PodSpec, secret string, container ...string) { volumeName := "storage-volume" pod.Volumes = append(pod.Volumes, @@ -124,7 +124,7 @@ func mountStorage(pod *corev1.PodSpec, secret string, container ...string) { corev1.VolumeMount{ Name: volumeName, ReadOnly: true, - MountPath: storageMount, + MountPath: StorageMount, }, ) } @@ -136,13 +136,13 @@ func mountStorage(pod *corev1.PodSpec, secret string, container ...string) { // added to all containers. func AddStorageMounts(ctx *RenderContext, pod *corev1.PodSpec, container ...string) error { if ctx.Config.ObjectStorage.CloudStorage != nil { - mountStorage(pod, ctx.Config.ObjectStorage.CloudStorage.ServiceAccount.Name, container...) + MountStorage(pod, ctx.Config.ObjectStorage.CloudStorage.ServiceAccount.Name, container...) return nil } if ctx.Config.ObjectStorage.S3 != nil { - mountStorage(pod, ctx.Config.ObjectStorage.S3.Credentials.Name, container...) + MountStorage(pod, ctx.Config.ObjectStorage.S3.Credentials.Name, container...) return nil } diff --git a/install/installer/pkg/components/components-workspace/components.go b/install/installer/pkg/components/components-workspace/components.go index 9a6f1b8ea24c04..72bbfd72dbdd3e 100644 --- a/install/installer/pkg/components/components-workspace/components.go +++ b/install/installer/pkg/components/components-workspace/components.go 
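Review bot: The doc comment above the newly exported `MountStorage` still begins `// mountStorage performs the actual storage mount`, so it no longer follows the Go convention of starting with the identifier's name. Now that the refresh-credential package calls this helper with a registry credentials secret, the comment should state the contract, for example `// MountStorage mounts the named Secret read-only at StorageMount in the given containers.` The exported `StorageMount` constant in the first hunk of this file has no doc comment either; `// StorageMount is the directory where the credentials Secret is mounted.` would cover it. The function body lies mostly outside these hunks, so the wording should be checked against it.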
@@ -8,7 +8,7 @@ import ( "github.com/gitpod-io/gitpod/installer/pkg/common" agentsmith "github.com/gitpod-io/gitpod/installer/pkg/components/agent-smith" imagebuildermk3 "github.com/gitpod-io/gitpod/installer/pkg/components/image-builder-mk3" - registrycredential "github.com/gitpod-io/gitpod/installer/pkg/components/registry-credential" + refreshcredential "github.com/gitpod-io/gitpod/installer/pkg/components/refresh-credential" registryfacade "github.com/gitpod-io/gitpod/installer/pkg/components/registry-facade" "github.com/gitpod-io/gitpod/installer/pkg/components/workspace" wsdaemon "github.com/gitpod-io/gitpod/installer/pkg/components/ws-daemon" @@ -24,7 +24,7 @@ var Objects = common.CompositeRenderFunc( wsmanager.Objects, wsproxy.Objects, imagebuildermk3.Objects, - registrycredential.Objects, + refreshcredential.Objects, ) var Helm = common.CompositeHelmFunc() diff --git a/install/installer/pkg/components/registry-credential/common.go b/install/installer/pkg/components/refresh-credential/common.go similarity index 98% rename from install/installer/pkg/components/registry-credential/common.go rename to install/installer/pkg/components/refresh-credential/common.go index 758cfa7c2b7ffd..7bd8c449804c0d 100644 --- a/install/installer/pkg/components/registry-credential/common.go +++ b/install/installer/pkg/components/refresh-credential/common.go @@ -2,7 +2,7 @@ // Licensed under the GNU Affero General Public License (AGPL). // See License-AGPL.txt in the project root for license information. -package registry_credential +package refresh_credential import ( "net/url" diff --git a/install/installer/pkg/components/registry-credential/common_test.go b/install/installer/pkg/components/refresh-credential/common_test.go similarity index 98% rename from install/installer/pkg/components/registry-credential/common_test.go rename to install/installer/pkg/components/refresh-credential/common_test.go index 14915be92a7a93..9454b3749cf7db 100644 
--- a/install/installer/pkg/components/registry-credential/common_test.go +++ b/install/installer/pkg/components/refresh-credential/common_test.go @@ -2,7 +2,7 @@ // Licensed under the GNU Affero General Public License (AGPL). // See License-AGPL.txt in the project root for license information. -package registry_credential +package refresh_credential import "testing" diff --git a/install/installer/pkg/components/registry-credential/configmap.go b/install/installer/pkg/components/refresh-credential/configmap.go similarity index 64% rename from install/installer/pkg/components/registry-credential/configmap.go rename to install/installer/pkg/components/refresh-credential/configmap.go index 5864fae1ad2fe4..544cea2d8430df 100644 --- a/install/installer/pkg/components/registry-credential/configmap.go +++ b/install/installer/pkg/components/refresh-credential/configmap.go 
@@ -1,42 +1,38 @@ // Copyright (c) 2022 Gitpod GmbH. All rights reserved. // Licensed under the MIT License. See License-MIT.txt in the project root for license information. -package registry_credential +package refresh_credential import ( "fmt" + "path/filepath" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "github.com/gitpod-io/gitpod/installer/pkg/common" - "github.com/gitpod-io/gitpod/registry-credential/pkg/config" + "github.com/gitpod-io/gitpod/refresh-credential/pkg/config" ) func configmap(ctx *common.RenderContext) ([]runtime.Object, error) { privateRegistry := isPrivateAWSECRURL(ctx.Config.ContainerRegistry.External.URL) region := getAWSRegion(ctx.Config.ContainerRegistry.External.URL) - credentialSecretName, err := credentialSecretName(ctx) - if err != nil { - return nil, err - } - secretToUpdateName, err := secretToUpdateName(ctx) if err != nil { return nil, err } - registryCredentialCfg := config.Configuration{ - Namespace: ctx.Namespace, - CredentialSecret: credentialSecretName, - Region: region, - PublicRegistry: !privateRegistry, - SecretToUpdate: secretToUpdateName, + refreshCredentialCfg := config.Configuration{ + Namespace: ctx.Namespace, + CredentialsFile: filepath.Join(common.StorageMount, "credentials"), + Region: region, + PublicRegistry: !privateRegistry, + SecretToUpdate: secretToUpdateName, } - json, err := common.ToJSONString(registryCredentialCfg) + json, err := common.ToJSONString(refreshCredentialCfg) if err != nil { return nil, fmt.Errorf("failed to marshal %s config: %w", Component, err) } 
@@ -62,10 +58,3 @@ func secretToUpdateName(ctx *common.RenderContext) (string, error) { } return ctx.Config.ContainerRegistry.External.Certificate.Name, nil } - -func credentialSecretName(ctx *common.RenderContext) (string, error) { - if ctx.Config.ContainerRegistry.External == nil { - return "", fmt.Errorf("%s: invalid container registry config", Component) - } - return ctx.Config.ContainerRegistry.External.Credential.Name, nil -} diff --git a/install/installer/pkg/components/registry-credential/constants.go b/install/installer/pkg/components/refresh-credential/constants.go similarity index 78% rename from install/installer/pkg/components/registry-credential/constants.go rename to install/installer/pkg/components/refresh-credential/constants.go index 0aba81deec58f8..63c68fb89ddf00 100644 --- a/install/installer/pkg/components/registry-credential/constants.go +++ b/install/installer/pkg/components/refresh-credential/constants.go @@ -2,10 +2,10 @@ // Licensed under the GNU Affero General Public License (AGPL). // See License-AGPL.txt in the project root for license information. -package registry_credential +package refresh_credential const ( - Component = "registry-credential" + Component = "refresh-credential" CronSchedule = "* */6 * * *" ) diff --git a/install/installer/pkg/components/registry-credential/cronjob.go b/install/installer/pkg/components/refresh-credential/cronjob.go similarity index 51% rename from install/installer/pkg/components/registry-credential/cronjob.go rename to install/installer/pkg/components/refresh-credential/cronjob.go index 33a7fd13486e74..1bef81e8523e67 100644 --- a/install/installer/pkg/components/registry-credential/cronjob.go +++ b/install/installer/pkg/components/refresh-credential/cronjob.go 
@@ -2,7 +2,7 @@ // Licensed under the GNU Affero General Public License (AGPL). // See License-AGPL.txt in the project root for license information. -package registry_credential +package refresh_credential import ( batchv1 "k8s.io/api/batch/v1" @@ -15,6 +15,41 @@ import ( ) func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) { + podSpec := corev1.PodSpec{ + RestartPolicy: corev1.RestartPolicyOnFailure, + ServiceAccountName: Component, + Containers: []corev1.Container{ + { + Name: Component, + Args: []string{"ecr-update", "/config/config.json"}, + Image: ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.RefreshCredential.Version), + ImagePullPolicy: corev1.PullIfNotPresent, + SecurityContext: &corev1.SecurityContext{ + AllowPrivilegeEscalation: pointer.Bool(false), + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "config", + MountPath: "/config", + ReadOnly: true, + }, + }, + }, + }, + Volumes: []corev1.Volume{ + { + Name: "config", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{Name: Component}, + }, + }, + }, + }, + } + + common.MountStorage(&podSpec, ctx.Config.ContainerRegistry.External.Credentials.Name, Component) + objectMeta := metav1.ObjectMeta{ Name: Component, Namespace: ctx.Namespace, 
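Review bot: The added call `common.MountStorage(&podSpec, ctx.Config.ContainerRegistry.External.Credentials.Name, Component)` dereferences `External` and `Credentials` without a nil check. `Credentials` is declared as `*ObjectRef` with `omitempty` in config/v1/config.go, so a config that omits it would panic during render instead of returning an error. The `External == nil` guard that used to live in the removed `credentialSecretName` helper is gone as well. Unless the caller in objects.go (not visible here) already guarantees both are set, guard before building the pod spec: `if ext := ctx.Config.ContainerRegistry.External; ext == nil || ext.Credentials == nil { return nil, fmt.Errorf("%s: invalid container registry config", Component) }`. This needs `fmt` imported in this file, and the rest of `cronjob` continues outside the hunk.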
@@ -36,38 +71,7 @@ func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) { BackoffLimit: pointer.Int32(10), Template: corev1.PodTemplateSpec{ ObjectMeta: objectMeta, - Spec: corev1.PodSpec{ - RestartPolicy: corev1.RestartPolicyOnFailure, - ServiceAccountName: Component, - Containers: []corev1.Container{ - { - Name: Component, - Args: []string{"ecr-update", "/config/config.json"}, - Image: ctx.ImageName(ctx.Config.Repository, Component, ctx.VersionManifest.Components.RegistryCredential.Version), - ImagePullPolicy: corev1.PullIfNotPresent, - SecurityContext: &corev1.SecurityContext{ - AllowPrivilegeEscalation: pointer.Bool(false), - }, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "config", - MountPath: "/config", - ReadOnly: true, - }, - }, - }, - }, - Volumes: []corev1.Volume{ - { - Name: "config", - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{Name: Component}, - }, - }, - }, - }, - }, + Spec: podSpec, }, }, }, diff --git a/install/installer/pkg/components/registry-credential/objects.go b/install/installer/pkg/components/refresh-credential/objects.go similarity index 95% rename from install/installer/pkg/components/registry-credential/objects.go rename to install/installer/pkg/components/refresh-credential/objects.go index 7b0f34a163e0d4..5b5524888789d7 100644 --- a/install/installer/pkg/components/registry-credential/objects.go +++ b/install/installer/pkg/components/refresh-credential/objects.go @@ -2,7 +2,7 @@ // Licensed under the GNU Affero General Public License (AGPL). // See License-AGPL.txt in the project root for license information. -package registry_credential +package refresh_credential import ( "k8s.io/apimachinery/pkg/runtime" 
diff --git a/install/installer/pkg/components/registry-credential/role.go b/install/installer/pkg/components/refresh-credential/role.go similarity index 96% rename from install/installer/pkg/components/registry-credential/role.go rename to install/installer/pkg/components/refresh-credential/role.go index b738f07051f4d6..faf3c7efc52f80 100644 --- a/install/installer/pkg/components/registry-credential/role.go +++ b/install/installer/pkg/components/refresh-credential/role.go @@ -2,7 +2,7 @@ // Licensed under the GNU Affero General Public License (AGPL). // See License-AGPL.txt in the project root for license information. -package registry_credential +package refresh_credential import ( rbacv1 "k8s.io/api/rbac/v1" diff --git a/install/installer/pkg/components/registry-credential/rolebinding.go b/install/installer/pkg/components/refresh-credential/rolebinding.go similarity index 96% rename from install/installer/pkg/components/registry-credential/rolebinding.go rename to install/installer/pkg/components/refresh-credential/rolebinding.go index 273358281bee7e..3d23f0e7311fec 100644 --- a/install/installer/pkg/components/registry-credential/rolebinding.go +++ b/install/installer/pkg/components/refresh-credential/rolebinding.go @@ -2,7 +2,7 @@ // Licensed under the GNU Affero General Public License (AGPL). // See License-AGPL.txt in the project root for license information. -package registry_credential +package refresh_credential import ( rbacv1 "k8s.io/api/rbac/v1" diff --git a/install/installer/pkg/config/v1/config.go b/install/installer/pkg/config/v1/config.go index 3d3758c3bd23d4..3ff7146768dc02 100644 --- a/install/installer/pkg/config/v1/config.go +++ b/install/installer/pkg/config/v1/config.go 
@@ -303,7 +303,7 @@ type ContainerRegistry struct { type ContainerRegistryExternal struct { URL string `json:"url" validate:"required"` Certificate ObjectRef `json:"certificate" validate:"required"` - Credential *ObjectRef `json:"credential,omitempty"` + Credentials *ObjectRef `json:"credentials,omitempty"` } type S3Storage struct { diff --git a/install/installer/pkg/config/v1/validation.go b/install/installer/pkg/config/v1/validation.go index 241fa0bb9b0736..186b650e3b118a 100644 --- a/install/installer/pkg/config/v1/validation.go +++ b/install/installer/pkg/config/v1/validation.go @@ -150,8 +150,8 @@ func (v version) ClusterValidation(rcfg interface{}) cluster.ValidationChecks { secretName := cfg.ContainerRegistry.External.Certificate.Name res = append(res, cluster.CheckSecret(secretName, cluster.CheckSecretRequiredData(".dockerconfigjson"))) - if cfg.ContainerRegistry.External.Credential != nil { - credSecretName := cfg.ContainerRegistry.External.Credential.Name + if cfg.ContainerRegistry.External != nil { + credSecretName := cfg.ContainerRegistry.External.Credentials.Name res = append(res, cluster.CheckSecret(credSecretName, cluster.CheckSecretRequiredData("accessKeyId", "secretAccessKey"))) } } diff --git a/install/installer/pkg/config/versions/versions.go b/install/installer/pkg/config/versions/versions.go index b9427c533421ff..cccb5f7b06c5bf 100644 --- a/install/installer/pkg/config/versions/versions.go +++ b/install/installer/pkg/config/versions/versions.go @@ -36,7 +36,7 @@ type Components struct { PaymentEndpoint Versioned `json:"paymentEndpoint"` Proxy Versioned `json:"proxy"` PublicAPIServer Versioned `json:"public-api-server"` - RegistryCredential Versioned `json:"registryCredential"` + RefreshCredential Versioned `json:"refreshCredential"` RegistryFacade Versioned `json:"registryFacade"` Server Versioned `json:"server"` ServiceWaiter Versioned `json:"serviceWaiter"` From c09d2f9a4fa27a3d4dec13935507db342bb4c90c Mon Sep 17 00:00:00 2001 
From: JenTing Hsiao Date: Thu, 15 Dec 2022 05:06:47 +0000 Subject: [PATCH 13/14] Check secret key credentials Signed-off-by: JenTing Hsiao --- install/installer/pkg/config/v1/validation.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/installer/pkg/config/v1/validation.go b/install/installer/pkg/config/v1/validation.go index 186b650e3b118a..25accefba77e6d 100644 --- a/install/installer/pkg/config/v1/validation.go +++ b/install/installer/pkg/config/v1/validation.go @@ -150,9 +150,9 @@ func (v version) ClusterValidation(rcfg interface{}) cluster.ValidationChecks { secretName := cfg.ContainerRegistry.External.Certificate.Name res = append(res, cluster.CheckSecret(secretName, cluster.CheckSecretRequiredData(".dockerconfigjson"))) - if cfg.ContainerRegistry.External != nil { + if cfg.ContainerRegistry.External.Credentials != nil { credSecretName := cfg.ContainerRegistry.External.Credentials.Name - res = append(res, cluster.CheckSecret(credSecretName, cluster.CheckSecretRequiredData("accessKeyId", "secretAccessKey"))) + res = append(res, cluster.CheckSecret(credSecretName, cluster.CheckSecretRequiredData("credentials"))) } } From 7aedf1ca34e8e667e12ae5a1c98f6f816b14aa4c Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Thu, 15 Dec 2022 06:50:47 +0000 Subject: [PATCH 14/14] Forbid job to run concurrency When using concurrentPolicy=Replace and the job failed but haven't reach the backoff limit, the new job will replace the original one if the schedule time is less than the sum of the backoff time. It causes a problem that the job alert `kube_job_status_failed{job_name=~"refresh-credential.*",reason="BackoffLimitExceeded"}` can't be fired. Signed-off-by: JenTing Hsiao --- install/installer/cmd/testdata/render/aws-setup/output.golden | 4 ++-- .../installer/pkg/components/refresh-credential/cronjob.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden index cf51641e26640d..998d844216d4a6 100644 --- a/install/installer/cmd/testdata/render/aws-setup/output.golden +++ b/install/installer/cmd/testdata/render/aws-setup/output.golden @@ -10701,8 +10701,8 @@ metadata: name: refresh-credential namespace: default spec: - concurrencyPolicy: Replace - failedJobsHistoryLimit: 10 + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 1 jobTemplate: metadata: creationTimestamp: null diff --git a/install/installer/pkg/components/refresh-credential/cronjob.go b/install/installer/pkg/components/refresh-credential/cronjob.go index 1bef81e8523e67..d7cbf24cb28286 100644 --- a/install/installer/pkg/components/refresh-credential/cronjob.go +++ b/install/installer/pkg/components/refresh-credential/cronjob.go @@ -63,8 +63,8 @@ func cronjob(ctx *common.RenderContext) ([]runtime.Object, error) { Spec: batchv1.CronJobSpec{ Schedule: CronSchedule, SuccessfulJobsHistoryLimit: pointer.Int32(1), - FailedJobsHistoryLimit: pointer.Int32(10), - ConcurrencyPolicy: batchv1.ReplaceConcurrent, + FailedJobsHistoryLimit: pointer.Int32(1), + ConcurrencyPolicy: batchv1.ForbidConcurrent, JobTemplate: batchv1.JobTemplateSpec{ ObjectMeta: objectMeta, Spec: batchv1.JobSpec{
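Review bot: Switching to `ConcurrencyPolicy: batchv1.ForbidConcurrent` leaves the schedule untouched, and `CronSchedule = "* */6 * * *"` (constants.go, also in the golden output) has `*` in the minute field. That fires every minute during hours 0, 6, 12 and 18 rather than once every six hours, which is likely why a new run could replace a job still in backoff. If one refresh per six hours is the intent, `CronSchedule = "0 */6 * * *"` would be the fix. With `FailedJobsHistoryLimit` at 1, only the most recent failed Job is kept, so it is worth confirming that the `BackoffLimitExceeded` alert still sees it for long enough. The `cronjob` function continues outside this hunk.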