[ws-manager] Introduce GITPOD_DOCKERD_PROXY_ENABLED and if set, run docker-proxy in enclave and have supervisor configure dockerd for it

geropl · geropl · commit 25244425e752 · 2025-01-30T19:48:55.000Z
Tool: gitpod/catfood.gitpod.cloud
diff --git a/components/ws-manager-mk2/controllers/create.go b/components/ws-manager-mk2/controllers/create.go
@@ -25,6 +25,7 @@ import (
 
 	wsk8s "github.com/gitpod-io/gitpod/common-go/kubernetes"
 	"github.com/gitpod-io/gitpod/common-go/tracing"
+	"github.com/gitpod-io/gitpod/common-go/util"
 	csapi "github.com/gitpod-io/gitpod/content-service/api"
 	regapi "github.com/gitpod-io/gitpod/registry-facade/api"
 	"github.com/gitpod-io/gitpod/ws-manager-mk2/pkg/constants"
@@ -574,6 +575,23 @@ func createWorkspaceEnvironment(sctx *startWorkspaceContext) ([]corev1.EnvVar, e
 		result = append(result, corev1.EnvVar{Name: "GIT_SSL_CAINFO", Value: customCAMountPath})
 	}
 
+	if sctx.Workspace.Annotations[wsk8s.WorkspaceDockerdProxyAnnotation] == util.BooleanTrueString {
+		var imageAuth string
+		for _, ev := range sctx.Workspace.Spec.UserEnvVars {
+			if ev.Name == "GITPOD_IMAGE_AUTH" {
+				imageAuth = ev.Value
+				break
+			}
+		}
+		if imageAuth != "" {
+			// Start the dockerd-proxy which injects all HTTP(S) requests with the credentials we got in GITPOD_IMAGE_AUTH
+			result = append(result, corev1.EnvVar{Name: "WORKSPACEKIT_RING2_ENCLAVE", Value: "/.supervisor/supervisor dockerd-proxy"})
+			result = append(result, corev1.EnvVar{Name: "WORKSPACEKIT_GITPOD_IMAGE_AUTH", Value: string(imageAuth)})
+			// Trigger supervisor to configure dockerd to use this proxy
+			result = append(result, corev1.EnvVar{Name: "GITPOD_DOCKERD_PROXY_ENABLED", Value: "true"})
+		}
+	}
+
 	// System level env vars
 	for _, e := range sctx.Workspace.Spec.SysEnvVars {
 		env := corev1.EnvVar{
diff --git a/components/ws-manager-mk2/service/manager.go b/components/ws-manager-mk2/service/manager.go
@@ -225,6 +225,13 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 		}
 	}
 
+	for _, ev := range req.Spec.Envvars {
+		if ev.Name == "GITPOD_DOCKERD_PROXY_ENABLED" {
+			annotations[wsk8s.WorkspaceDockerdProxyAnnotation] = util.BooleanTrueString
+			break
+		}
+	}
+
 	envSecretName := fmt.Sprintf("%s-%s", req.Id, "env")
 	userEnvVars, envData := extractWorkspaceUserEnv(envSecretName, req.Spec.Envvars, req.Spec.SysEnvvars)
 	sysEnvVars := extractWorkspaceSysEnv(req.Spec.SysEnvvars)

Original file line number	Diff line number	Diff line change
`@@ -225,6 +225,13 @@ func (wsm WorkspaceManagerServer) StartWorkspace(ctx context.Context, req wsma`
`225`	`225`	`}`
`226`	`226`	`}`
`227`	`227`
	`228`	`+ for _, ev := range req.Spec.Envvars {`
	`229`	`+ if ev.Name == "GITPOD_DOCKERD_PROXY_ENABLED" {`
	`230`	`+ annotations[wsk8s.WorkspaceDockerdProxyAnnotation] = util.BooleanTrueString`
	`231`	`+ break`
	`232`	`+ }`
	`233`	`+ }`
	`234`	`+`
`228`	`235`	`envSecretName := fmt.Sprintf("%s-%s", req.Id, "env")`
`229`	`236`	`userEnvVars, envData := extractWorkspaceUserEnv(envSecretName, req.Spec.Envvars, req.Spec.SysEnvvars)`
`230`	`237`	`sysEnvVars := extractWorkspaceSysEnv(req.Spec.SysEnvvars)`