Configure object storage access

Author: aledbf

Dockerfile

@@ -1,4 +1,4 @@
-ARG GITPOD_VERSION="aledbf-eksinstaller.29"
+ARG GITPOD_VERSION="aledbf-insts3.1"
 
 FROM eu.gcr.io/gitpod-core-dev/build/installer:$GITPOD_VERSION as installer
 

lib/registry.ts

@@ -11,10 +11,6 @@ export interface RegistryProps extends cdk.StackProps {
 }
 
 export class Registry extends cdk.Stack {
-    readonly _bucket: string
-    readonly _iamAccessKey: string
-    readonly _iamSecretKey: string
-
     constructor(scope: cdk.Construct, id: string, props: RegistryProps) {
         super(scope, id, props);
 
@@ -34,8 +30,6 @@ export class Registry extends cdk.Stack {
             });
         }
 
-        this._bucket = props.bucketName;
-
         const GitpodRegistryAccess = new iam.Policy(this, 'RegistryAccess', {
             policyName: 'GitpodS3Access',
             statements: [
@@ -82,19 +76,13 @@ export class Registry extends cdk.Stack {
         });
         accessKey.node.addDependency(user);
 
-        this._iamAccessKey = accessKey.ref;
-        this._iamSecretKey = accessKey.attrSecretAccessKey;
-    }
-
-    get bucketName() {
-        return this._bucket;
-    }
-
-    get accessKey() {
-        return this._iamAccessKey;
-    }
-
-    get secretKey() {
-        return this._iamSecretKey;
+        new cdk.CfnOutput(this, "AccessKeyId", {
+            value: accessKey.ref,
+            exportName: "AccessKeyId",
+        });
+        new cdk.CfnOutput(this, "SecretAccessKey", {
+            value: accessKey.attrSecretAccessKey,
+            exportName: "SecretAccessKey",
+        });
     }
 }

lib/services.ts

@@ -3,7 +3,7 @@ import * as cdk from '@aws-cdk/core'
 import * as ec2 from '@aws-cdk/aws-ec2'
 
 import { Database } from './database';
-//import { Registry } from './registry';
+import { Registry } from './registry';
 
 export class ServicesStack extends cdk.Stack {
     //readonly registry: Registry
@@ -27,13 +27,11 @@ export class ServicesStack extends cdk.Stack {
         database.node.addDependency(vpc);
 
         // create permissions to access S3 buckets
-        /*
-        this.registry = new Registry(this, 'Registry', {
+        const registry = new Registry(this, 'Registry', {
             env: props.env,
             clusterName: `${process.env.CLUSTER_NAME}`,
             bucketName: `${process.env.CONTAINER_REGISTRY_BUCKET}`,
             createBucket: process.env.CREATE_S3_BUCKET === 'true',
         });
-        */
     }
 }

setup.sh

@@ -145,6 +145,7 @@ function install() {
     MYSQL_GITPOD_PASSWORD=$(openssl rand -hex 18)
     MYSQL_GITPOD_SECRET="mysql-gitpod-token"
     MYSQL_GITPOD_ENCRYPTION_KEY='[{"name":"general","version":1,"primary":true,"material":"4uGh1q8y2DYryJwrVMHs0kWXJlqvHWWt/KJuNi04edI="}]'
+    SECRET_STORAGE="object-storage-gitpod-token"
 
     # generated password cannot excede 41 characters (RDS limitation)
     SSM_KEY="/gitpod/cluster/${CLUSTER_NAME}/region/${AWS_REGION}"
@@ -195,6 +196,13 @@ EOF
         --dry-run=client -o yaml | \
         kubectl replace --force -f -
 
+    echo "Create storage secret..."
+    kubectl create secret generic "${SECRET_STORAGE}" \
+        --from-literal=s3AccessKey="$(jq -r '. | to_entries[] | select(.key | startswith("ServicesRegistry")).value.AccessKeyId ' < cdk-outputs.json)" \
+        --from-literal=s3SecretKey="$(jq -r '. | to_entries[] | select(.key | startswith("ServicesRegistry")).value.SecretAccessKey ' < cdk-outputs.json)" \
+        --dry-run=client -o yaml | \
+        kubectl replace --force -f -
+
     local CONFIG_FILE="${DIR}/gitpod-config.yaml"
     gitpod-installer init > "${CONFIG_FILE}"
 
@@ -205,6 +213,9 @@ EOF
     yq e -i ".database.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
     yq e -i ".database.external.certificate.name = \"${MYSQL_GITPOD_SECRET}\"" "${CONFIG_FILE}"
     yq e -i '.workspace.runtime.containerdRuntimeDir = "/var/lib/containerd/io.containerd.runtime.v2.task/k8s.io"' "${CONFIG_FILE}"
+    yq e -i ".containerRegistry.s3storage.bucket = \"${CONTAINER_REGISTRY_BUCKET}\"" "${CONFIG_FILE}"
+    yq e -i ".containerRegistry.s3storage.certificate.kind = \"secret\"" "${CONFIG_FILE}"
+    yq e -i ".containerRegistry.s3storage.certificate.name = \"${SECRET_STORAGE}\"" "${CONFIG_FILE}"
 
     gitpod-installer \
         render \