1

Author: iQQBot

components/registry-facade/cmd/setup.go

@@ -16,9 +16,10 @@ import (
 )
 
 var (
-	hostname string
-	hostfs   string
-	port     int
+	hostname            string
+	hostfs              string
+	port                int
+	containerdConfigDir string
 )
 
 var setupCmd = &cobra.Command{
@@ -27,9 +28,9 @@ var setupCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		{
 			log.Info("Creating containerd registry directory...")
-			regDirectory := fmt.Sprintf("/etc/containerd/certs.d/%v:%v", hostname, port)
+			regDirectory := fmt.Sprintf("/certs.d/%v:%v", hostname, port)
 
-			fakeRegPath := filepath.Join(hostfs, regDirectory)
+			fakeRegPath := filepath.Join(hostfs, containerdConfigDir, regDirectory)
 			err := os.MkdirAll(fakeRegPath, 0644)
 			if err != nil {
 				log.Fatalf("cannot create containerd cert directory: %v", err)
@@ -51,7 +52,7 @@ server = "https://%v:%v"
     ca = "%v"
 	# skip verifications of the registry's certificate chain and host name when set to true
     #skip_verify = true
-`, hostname, port, hostname, port, filepath.Join(regDirectory, "ca.crt"))
+`, hostname, port, hostname, port, filepath.Join(containerdConfigDir, regDirectory, "ca.crt"))
 
 			err = os.WriteFile(filepath.Join(fakeRegPath, "hosts.toml"), []byte(hostsToml), 0644)
 			if err != nil {
@@ -78,6 +79,7 @@ func init() {
 	setupCmd.Flags().StringVar(&hostname, "hostname", "", "registry facade host <hostname:port>")
 	setupCmd.Flags().StringVar(&hostfs, "hostfs", "", "Mount point path for the root filesystem")
 	setupCmd.Flags().IntVar(&port, "port", 31750, "Listening port for the new registry hostname")
+	setupCmd.Flags().StringVar(&containerdConfigDir, "containerd-config-dir", "/etc/containerd", "Containerd configuration directory")
 
 	_ = setupCmd.MarkFlagRequired("hostname")
 	_ = setupCmd.MarkFlagRequired("hostfs")

dev/preview/infrastructure/preview.tf

@@ -1,5 +1,5 @@
 module "preview_gce" {
-  count  = 1
+  count  = 0
   source = "./modules/gce"
 
   preview_name  = var.preview_name
@@ -21,9 +21,9 @@ module "dns" {
   preview_name = var.preview_name
 
   # a bit of a hack to choose the correct ip for the dns records, based on whichever module gets created
-  preview_ip = module.preview_gce[0].preview_ip
+  preview_ip = "127.0.0.1"
 
-  workspace_ip = module.preview_gce[0].workspace_ip
+  workspace_ip = "127.0.0.1"
 
   cert_issuer     = var.cert_issuer
   gcp_project_dns = var.gcp_project_dns

dev/preview/workflow/preview/deploy-gitpod.sh

@@ -66,15 +66,18 @@ if ! command -v installer;then
 fi
 
 function copyCachedCertificate {
+  PREVIEW_SORUCE_CERT_NAME="certificate-local"
+
+  GITPOD_PROXY_SECRET_NAME="proxy-config-certificates";
+  PREVIEW_GCP_PROJECT="gitpod-dev-preview"
   DESTINATION_CERT_NAME="$GITPOD_PROXY_SECRET_NAME"
+  PREVIEW_NAMESPACE=default
 
   secret=$(gcloud secrets versions access latest --secret="${PREVIEW_SORUCE_CERT_NAME}" --project=${PREVIEW_GCP_PROJECT})
   kubectl \
     create secret generic "${DESTINATION_CERT_NAME}" --namespace="${PREVIEW_NAMESPACE}" --dry-run=client -oyaml \
     | yq4 eval-all ".data = $secret | .type = \"kubernetes.io/tls\"" \
     | kubectl \
-      --kubeconfig "${PREVIEW_K3S_KUBE_PATH}" \
-      --context "${PREVIEW_K3S_KUBE_CONTEXT}" \
       apply -f -
 }
 
@@ -244,6 +247,9 @@ yq w -i "${INSTALLER_CONFIG_PATH}" experimental.ide.ideMetrics.enabledErrorRepor
 
 if [[ "${GITPOD_WITH_DEDICATED_EMU}" != "true" ]]
 then
+  PREVIEW_GCP_PROJECT="gitpod-dev-preview"
+  PREVIEW_NAMESPACE="default"
+  DOMAIN="local.preview.gitpod-dev.com"
   secret=$(gcloud secrets versions access latest --secret="preview-envs-authproviders" --project=${PREVIEW_GCP_PROJECT})
   for row in $(gcloud secrets versions access latest --secret="preview-envs-authproviders" --project=${PREVIEW_GCP_PROJECT}  | yq r - "authProviders" \
   | base64 -d -w 0 \
@@ -260,11 +266,9 @@ then
 
       kubectl create secret generic "$providerId" \
           --namespace "${PREVIEW_NAMESPACE}" \
-          --kubeconfig "${PREVIEW_K3S_KUBE_PATH}" \
-          --context "${PREVIEW_K3S_KUBE_CONTEXT}" \
           --from-literal=provider="$data" \
           --dry-run=client -o yaml | \
-          kubectl --kubeconfig "${PREVIEW_K3S_KUBE_PATH}" --context "${PREVIEW_K3S_KUBE_CONTEXT}" replace --force -f -
+          kubectl replace --force -f -
   done
 fi
 
@@ -355,6 +359,7 @@ yq w -i "${INSTALLER_CONFIG_PATH}" experimental.webapp.stripe.teamUsagePriceIds[
 # configureConfigCat
 #
 # This key is not a secret, it is a unique identifier of our ConfigCat application
+export INSTALLER_CONFIG_PATH="/workspace/gitpod/gitpod.config.yaml"
 yq w -i "${INSTALLER_CONFIG_PATH}" experimental.webapp.configcatKey "WBLaCPtkjkqKHlHedziE9g/LEAOCNkbuUKiqUZAcVg7dw"
 yq w -i "${INSTALLER_CONFIG_PATH}" experimental.webapp.proxy.configcat.baseUrl "https://cdn-global.configcat.com"
 yq w -i "${INSTALLER_CONFIG_PATH}" experimental.webapp.proxy.configcat.pollInterval "1m"
@@ -425,13 +430,13 @@ yq w -i "${INSTALLER_CONFIG_PATH}" experimental.webapp.spicedb.secretRef "spiced
 #
 # Configure spicedb secret
 #
+export PREVIEW_GCP_PROJECT="gitpod-dev-preview"
+export PREVIEW_NAMESPACE="default"
 secret=$(gcloud secrets versions access latest --secret="spicedb-secret" --project=${PREVIEW_GCP_PROJECT})
 kubectl \
   create secret generic "spicedb-secret" --namespace="${PREVIEW_NAMESPACE}" --dry-run=client -oyaml \
   | yq4 eval-all ".data = $secret" \
   | kubectl \
-    --kubeconfig "${PREVIEW_K3S_KUBE_PATH}" \
-    --context "${PREVIEW_K3S_KUBE_CONTEXT}" \
     apply -n ${PREVIEW_NAMESPACE} -f -
 
 #

install/installer/pkg/components/registry-facade/daemonset.go

@@ -89,6 +89,7 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
 	}
 
 	var envvars []corev1.EnvVar
+	containerdConfigDir := "/etc/containerd"
 	err = ctx.WithExperimental(func(ucfg *experimental.Config) error {
 		if ucfg.Workspace == nil {
 			return nil
@@ -127,6 +128,9 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
 			}
 		}
 
+		if ucfg.Workspace.RegistryFacade.ContainerdConfigDir != "" {
+			containerdConfigDir = ucfg.Workspace.RegistryFacade.ContainerdConfigDir
+		}
 		return nil
 	})
 	if err != nil {
@@ -142,6 +146,7 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
 				"--hostfs=/mnt/dst",
 				fmt.Sprintf("--hostname=reg.%s", ctx.Config.Domain),
 				fmt.Sprintf("--port=%v", ServicePort),
+				fmt.Sprintf("--containerd-config-dir=%s", containerdConfigDir),
 			},
 			SecurityContext: &corev1.SecurityContext{RunAsUser: pointer.Int64(0)},
 			VolumeMounts: []corev1.VolumeMount{

install/installer/pkg/components/spicedb/deployment.go

@@ -141,7 +141,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 								},
 								Resources: common.ResourceRequirements(ctx, Component, ContainerName, corev1.ResourceRequirements{
 									Requests: corev1.ResourceList{
-										"cpu":    resource.MustParse("1"),
+										"cpu":    resource.MustParse("10m"),
 										"memory": resource.MustParse("500M"),
 									},
 								}),

install/installer/pkg/components/ws-daemon/daemonset.go

@@ -231,8 +231,8 @@ func daemonset(ctx *common.RenderContext) ([]runtime.Object, error) {
 					common.NodeNameEnv(ctx),
 				)),
 				Resources: common.ResourceRequirements(ctx, Component, Component, corev1.ResourceRequirements{Requests: corev1.ResourceList{
-					"cpu":    resource.MustParse("500m"),
-					"memory": resource.MustParse("4Gi"),
+					"cpu":    resource.MustParse("50m"),
+					"memory": resource.MustParse("2Gi"),
 				}}),
 				VolumeMounts:    volumeMounts,
 				ImagePullPolicy: corev1.PullIfNotPresent,

install/installer/pkg/config/v1/experimental/experimental.go

@@ -99,6 +99,7 @@ type WorkspaceConfig struct {
 			UseTLS             bool   `json:"useTLS"`
 			InsecureSkipVerify bool   `json:"insecureSkipVerify"`
 		} `json:"redisCache"`
+		ContainerdConfigDir string `json:"containerdConfigDir"`
 	} `json:"registryFacade"`
 
 	WSDaemon struct {

local-preview/README.md

@@ -0,0 +1,58 @@
+# one time setup
+
+## download k3d
+```bash
+curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
+```
+
+## create cluster
+
+```bash
+k3d cluster create -c ./local-preview/k3d.yaml
+```
+
+## install prereqs
+
+```bash
+TF_VAR_preview_name=local leeway run dev/preview:create-preview
+cd ./local-preview/
+./setup.sh
+```
+
+
+# for dev loop
+
+run `kubectl port-forward svc/proxy 8443:443` in your terminal
+
+```bash
+cd ./local-preview/
+./update.sh
+```
+
+
+# mac local portforward setup
+
+```bash
+echo "rdr pass on lo0 inet proto tcp from any to self port 443 -> 127.0.0.1 port 8443" | sudo tee /etc/pf.anchors/gitpod
+
+sudo vi /etc/pf.conf
+
+## manual add something
+# add `rdr-anchor "gitpod"` below `rdr-anchor "com.apple/*"`
+# add `load anchor "gitpod" from "/etc/pf.anchors/gitpod"` below `load anchor "com.apple" from "/etc/pf.anchors/com.apple"`
+
+# config should looks like
+#
+# ....
+# rdr-anchor "com.apple/*"
+# rdr-anchor "gitpod"
+# ...
+# load anchor "com.apple" from "/etc/pf.anchors/com.apple"
+# load anchor "gitpod" from "/etc/pf.anchors/gitpod"
+
+# apply changes
+sudo pfctl -ef /etc/pf.conf
+```
+
+
+you can view preview env at https://local.preview.gitpod-dev.com

local-preview/coredns-custom.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns-custom
+  namespace: kube-system
+data:
+  rewrite.override: |
+    rewrite name registry.local.preview.gitpod-dev.com proxy.default.svc.cluster.local

local-preview/gitpod.config.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+authProviders:
+  - kind: secret
+    name: public-github
+  - kind: secret
+    name: public-gitlab
+  - kind: secret
+    name: public-bitbucket
+blockNewUsers:
+  enabled: true
+  passlist:
+    - gitpod.io
+certificate:
+  kind: secret
+  name: proxy-config-certificates
+containerRegistry:
+  enableAdditionalECRAuth: false
+  inCluster: true
+  privateBaseImageAllowList: []
+  subassemblyBucket: ""
+database:
+  inCluster: true
+disableDefinitelyGp: true
+domain: "local.preview.gitpod-dev.com"
+kind: Full
+metadata:
+  region: local
+  shortname: default
+objectStorage:
+  inCluster: true
+  resources:
+    requests:
+      memory: 2Gi
+observability:
+  logLevel: info
+openVSX:
+  url: https://open-vsx.org
+workspace:
+  maxLifetime: 36h0m0s
+  resources:
+    requests:
+      cpu: "1"
+      memory: 2Gi
+  runtime:
+    containerdRuntimeDir: /var/lib/rancher/k3s/agent/containerd/io.containerd.runtime.v2.task/k8s.io
+    containerdSocketDir: /run/k3s/containerd
+    fsShiftMethod: shiftfs
+experimental:
+  webapp:
+    spicedb:
+      enabled: true
+      secretRef: spicedb-secret
+    configcatKey: WBLaCPtkjkqKHlHedziE9g/LEAOCNkbuUKiqUZAcVg7dw
+    proxy:
+      configcat:
+        baseUrl: https://cdn-global.configcat.com
+        pollInterval: 1m
+  workspace:
+    registryFacade:
+      containerdConfigDir: /var/lib/rancher/k3s/agent/etc/containerd