gitpod-io
diff --git a/‎components/gitpod-cli/cmd/env.go
+16-10 b/‎components/gitpod-cli/cmd/env.go
+16-10
diff --git a/‎components/gitpod-protocol/go/gitpod-service.go
+31-3 b/‎components/gitpod-protocol/go/gitpod-service.go
+31-3
diff --git a/‎components/gitpod-protocol/go/mock.go
+9 b/‎components/gitpod-protocol/go/mock.go
+9
diff --git a/‎components/gitpod-protocol/src/gitpod-service.ts
+4 b/‎components/gitpod-protocol/src/gitpod-service.ts
+4
diff --git a/‎components/gitpod-protocol/src/protocol.ts
+2 b/‎components/gitpod-protocol/src/protocol.ts
+2
diff --git a/‎components/server/ee/src/prebuilds/prebuild-manager.ts
+17-10 b/‎components/server/ee/src/prebuilds/prebuild-manager.ts
+17-10
diff --git a/‎components/server/src/auth/rate-limiter.ts
+1 b/‎components/server/src/auth/rate-limiter.ts
+1
diff --git a/‎components/server/src/container-module.ts
+3 b/‎components/server/src/container-module.ts
+3
@@ -78,6 +78,7 @@ delete environment variables with a repository pattern of */foo, foo/* or */*.
 
 type connectToServerResult struct {
 	repositoryPattern string
+	wsInfo            *supervisor.WorkspaceInfoResponse
 	client            *serverapi.APIoverJSONRPC
 }
 
@@ -97,14 +98,15 @@ func connectToServer(ctx context.Context) (*connectToServerResult, error) {
 		return nil, xerrors.New("repository info is missing owner")
 	}
 	if wsinfo.Repository.Name == "" {
-		return nil, xerrors.New("repository info is missing name")
+		xerrors.New("repository info is missing name")
 	}
 	repositoryPattern := wsinfo.Repository.Owner + "/" + wsinfo.Repository.Name
 	clientToken, err := supervisor.NewTokenServiceClient(supervisorConn).GetToken(ctx, &supervisor.GetTokenRequest{
 		Host: wsinfo.GitpodApi.Host,
 		Kind: "gitpod",
 		Scope: []string{
-			"function:getEnvVars",
+			"function:getWorkspaceEnvVars",
+			"function:getEnvVars", // TODO remove then getWorkspaceEnvVars is deployed
 			"function:setEnvVar",
 			"function:deleteEnvVar",
 			"resource:envVar::" + repositoryPattern + "::create/get/update/delete",
@@ -121,7 +123,7 @@ func connectToServer(ctx context.Context) (*connectToServerResult, error) {
 	if err != nil {
 		return nil, xerrors.Errorf("failed connecting to server: %w", err)
 	}
-	return &connectToServerResult{repositoryPattern, client}, nil
+	return &connectToServerResult{repositoryPattern, wsinfo, client}, nil
 }
 
 func getEnvs(ctx context.Context) error {
@@ -131,13 +133,17 @@ func getEnvs(ctx context.Context) error {
 	}
 	defer result.client.Close()
 
-	vars, err := result.client.GetEnvVars(ctx)
+	vars, err := result.client.GetWorkspaceEnvVars(ctx, result.wsInfo.WorkspaceId)
+	if err != nil {
+		// TODO remove then GetWorkspaceEnvVars is deployed
+		vars, err = result.client.GetEnvVars(ctx)
+	}
 	if err != nil {
 		return xerrors.Errorf("failed to fetch env vars from server: %w", err)
 	}
 
 	for _, v := range vars {
-		printVar(v, exportEnvs)
+		printVar(v.Name, v.Value, exportEnvs)
 	}
 
 	return nil
@@ -163,7 +169,7 @@ func setEnvs(ctx context.Context, args []string) error {
 			if err != nil {
 				return err
 			}
-			printVar(v, exportEnvs)
+			printVar(v.Name, v.Value, exportEnvs)
 			return nil
 		})
 	}
@@ -189,12 +195,12 @@ func deleteEnvs(ctx context.Context, args []string) error {
 	return g.Wait()
 }
 
-func printVar(v *serverapi.UserEnvVarValue, export bool) {
-	val := strings.Replace(v.Value, "\"", "\\\"", -1)
+func printVar(name string, value string, export bool) {
+	val := strings.Replace(value, "\"", "\\\"", -1)
 	if export {
-		fmt.Printf("export %s=\"%s\"\n", v.Name, val)
+		fmt.Printf("export %s=\"%s\"\n", name, val)
 	} else {
-		fmt.Printf("%s=%s\n", v.Name, val)
+		fmt.Printf("%s=%s\n", name, val)
 	}
 }
 
 
@@ -65,7 +65,8 @@ type APIInterface interface {
 	ClosePort(ctx context.Context, workspaceID string, port float32) (err error)
 	GetUserStorageResource(ctx context.Context, options *GetUserStorageResourceOptions) (res string, err error)
 	UpdateUserStorageResource(ctx context.Context, options *UpdateUserStorageResourceOptions) (err error)
-	GetEnvVars(ctx context.Context) (res []*UserEnvVarValue, err error)
+	GetWorkspaceEnvVars(ctx context.Context, workspaceID string) (res []*EnvVar, err error)
+	GetEnvVars(ctx context.Context) (res []*EnvVar, err error)
 	SetEnvVar(ctx context.Context, variable *UserEnvVarValue) (err error)
 	DeleteEnvVar(ctx context.Context, variable *UserEnvVarValue) (err error)
 	HasSSHPublicKey(ctx context.Context) (res bool, err error)
@@ -1128,15 +1129,35 @@ func (gp *APIoverJSONRPC) UpdateUserStorageResource(ctx context.Context, options
 	return
 }
 
+// GetWorkspaceEnvVars calls GetWorkspaceEnvVars on the server
+func (gp *APIoverJSONRPC) GetWorkspaceEnvVars(ctx context.Context, workspaceID string) (res []*EnvVar, err error) {
+	if gp == nil {
+		err = errNotConnected
+		return
+	}
+	var _params []interface{}
+
+	_params = append(_params, workspaceID)
+
+	var result []*EnvVar
+	err = gp.C.Call(ctx, "GetWorkspaceEnvVars", _params, &result)
+	if err != nil {
+		return
+	}
+	res = result
+
+	return
+}
+
 // GetEnvVars calls getEnvVars on the server
-func (gp *APIoverJSONRPC) GetEnvVars(ctx context.Context) (res []*UserEnvVarValue, err error) {
+func (gp *APIoverJSONRPC) GetEnvVars(ctx context.Context) (res []*EnvVar, err error) {
 	if gp == nil {
 		err = errNotConnected
 		return
 	}
 	var _params []interface{}
 
-	var result []*UserEnvVarValue
+	var result []*EnvVar
 	err = gp.C.Call(ctx, "getEnvVars", _params, &result)
 	if err != nil {
 		return
@@ -1978,6 +1999,13 @@ type WhitelistedRepository struct {
 	URL         string `json:"url,omitempty"`
 }
 
+// EnvVar is the EnvVar message type
+type EnvVar struct {
+	ID    string `json:"id,omitempty"`
+	Name  string `json:"name,omitempty"`
+	Value string `json:"value,omitempty"`
+}
+
 // UserEnvVarValue is the UserEnvVarValue message type
 type UserEnvVarValue struct {
 	ID                string `json:"id,omitempty"`
 
@@ -27,6 +27,7 @@ import {
     UserSSHPublicKeyValue,
     SSHPublicKeyValue,
     IDESettings,
+    EnvVarWithValue,
 } from "./protocol";
 import {
     Team,
@@ -152,6 +153,9 @@ export interface GitpodServer extends JsonRpcServer<GitpodClient>, AdminServer,
     getUserStorageResource(options: GitpodServer.GetUserStorageResourceOptions): Promise<string>;
     updateUserStorageResource(options: GitpodServer.UpdateUserStorageResourceOptions): Promise<void>;
 
+    // Workspace env vars
+    getWorkspaceEnvVars(workspaceId: string): Promise<EnvVarWithValue[]>;
+
     // User env vars
     getEnvVars(): Promise<UserEnvVarValue[]>;
     getAllEnvVars(): Promise<UserEnvVarValue[]>;
 
@@ -311,6 +311,8 @@ export namespace NamedWorkspaceFeatureFlag {
     }
 }
 
+export type EnvVar = UserEnvVar | ProjectEnvVarWithValue | EnvVarWithValue;
+
 export interface EnvVarWithValue {
     name: string;
     value: string;
 
@@ -10,7 +10,6 @@ import {
     CommitInfo,
     PrebuiltWorkspace,
     Project,
-    ProjectEnvVar,
     StartPrebuildContext,
     StartPrebuildResult,
     TaskConfig,
@@ -39,6 +38,7 @@ import { ResponseError } from "vscode-ws-jsonrpc";
 import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { UserService } from "../../../src/user/user-service";
 import { EntitlementService, MayStartWorkspaceResult } from "../../../src/billing/entitlement-service";
+import { EnvVarService, ResolvedEnvVars } from "../../../src/workspace/env-var-service";
 
 export class WorkspaceRunningError extends Error {
     constructor(msg: string, public instance: WorkspaceInstance) {
@@ -67,6 +67,7 @@ export class PrebuildManager {
     @inject(UserService) protected readonly userService: UserService;
     @inject(TeamDB) protected readonly teamDB: TeamDB;
     @inject(EntitlementService) protected readonly entitlementService: EntitlementService;
+    @inject(EnvVarService) private readonly envVarService: EnvVarService;
 
     async abortPrebuildsForBranch(ctx: TraceContext, project: Project, user: User, branch: string): Promise<void> {
         const span = TraceContext.startSpan("abortPrebuildsForBranch", ctx);
@@ -221,8 +222,6 @@ export class PrebuildManager {
                 }
             }
 
-            const projectEnvVarsPromise = project ? this.projectService.getProjectEnvironmentVariables(project.id) : [];
-
             let organizationId = (await this.teamDB.findTeamById(project.id))?.id;
             if (!user.additionalData?.isMigratedToTeamOnlyAttribution) {
                 // If the user is not migrated to team-only attribution, we retrieve the organization from the attribution logic.
@@ -238,6 +237,9 @@ export class PrebuildManager {
                 prebuildContext,
                 context.normalizedContextURL!,
             );
+
+            const envVarsPromise = this.resolveEvnVars(workspace);
+
             const prebuild = await this.workspaceDB.trace({ span }).findPrebuildByWorkspaceID(workspace.id)!;
             if (!prebuild) {
                 throw new Error(`Failed to create a prebuild for: ${context.normalizedContextURL}`);
@@ -281,8 +283,8 @@ export class PrebuildManager {
                 await this.workspaceDB.trace({ span }).storePrebuiltWorkspace(prebuild);
             } else {
                 span.setTag("starting", true);
-                const projectEnvVars = await projectEnvVarsPromise;
-                await this.workspaceStarter.startWorkspace({ span }, workspace, user, project, [], projectEnvVars, {
+                const envVars = await envVarsPromise;
+                await this.workspaceStarter.startWorkspace({ span }, workspace, user, project, envVars, {
                     excludeFeatureFlags: ["full_workspace_backup"],
                 });
             }
@@ -341,11 +343,8 @@ export class PrebuildManager {
             if (!prebuild) {
                 throw new Error("No prebuild found for workspace " + workspaceId);
             }
-            let projectEnvVars: ProjectEnvVar[] = [];
-            if (workspace.projectId) {
-                projectEnvVars = await this.projectService.getProjectEnvironmentVariables(workspace.projectId);
-            }
-            await this.workspaceStarter.startWorkspace({ span }, workspace, user, project, [], projectEnvVars);
+            const envVars = await this.resolveEvnVars(workspace);
+            await this.workspaceStarter.startWorkspace({ span }, workspace, user, project, envVars);
             return { prebuildId: prebuild.id, wsid: workspace.id, done: false };
         } catch (err) {
             TraceContext.setError({ span }, err);
@@ -477,4 +476,12 @@ export class PrebuildManager {
             span.finish();
         }
     }
+
+    private resolveEvnVars(workspace: Workspace): Promise<ResolvedEnvVars> {
+        return this.envVarService.resolve({
+            user: undefined, // no user specific in prebuild
+            workspace,
+            includeCensored: true,
+        });
+    }
 }
@@ -89,6 +89,7 @@ const defaultFunctions: FunctionsConfig = {
     closePort: { group: "default", points: 1 },
     getUserStorageResource: { group: "default", points: 1 },
     updateUserStorageResource: { group: "default", points: 1 },
+    getWorkspaceEnvVars: { group: "default", points: 1 },
     getEnvVars: { group: "default", points: 1 },
     getAllEnvVars: { group: "default", points: 1 },
     setEnvVar: { group: "default", points: 1 },
 
@@ -114,6 +114,7 @@ import { retryMiddleware } from "nice-grpc-client-middleware-retry";
 import { IamSessionApp } from "./iam/iam-session-app";
 import { spicedbClientFromEnv, SpiceDBClient } from "./authorization/spicedb";
 import { Authorizer, PermissionChecker } from "./authorization/perms";
+import { EnvVarService } from "./workspace/env-var-service";
 
 export const productionContainerModule = new ContainerModule((bind, unbind, isBound, rebind) => {
     bind(Config).toConstantValue(ConfigFile.fromFile());
@@ -256,6 +257,8 @@ export const productionContainerModule = new ContainerModule((bind, unbind, isBo
 
     bind(ProjectsService).toSelf().inSingletonScope();
 
+    bind(EnvVarService).toSelf().inSingletonScope();
+
     bind(NewsletterSubscriptionController).toSelf().inSingletonScope();
 
     bind<UsageServiceClient>(UsageServiceDefinition.name)
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,7 @@ delete environment variables with a repository pattern of /foo, foo/ or /.`
`78`	`78`
`79`	`79`	`type connectToServerResult struct {`
`80`	`80`	`repositoryPattern string`
	`81`	`+ wsInfo *supervisor.WorkspaceInfoResponse`
`81`	`82`	`client *serverapi.APIoverJSONRPC`
`82`	`83`	`}`
`83`	`84`
`@@ -97,14 +98,15 @@ func connectToServer(ctx context.Context) (*connectToServerResult, error) {`
`97`	`98`	`return nil, xerrors.New("repository info is missing owner")`
`98`	`99`	`}`
`99`	`100`	`if wsinfo.Repository.Name == "" {`
`100`		`- return nil, xerrors.New("repository info is missing name")`
	`101`	`+ xerrors.New("repository info is missing name")`
`101`	`102`	`}`
`102`	`103`	`repositoryPattern := wsinfo.Repository.Owner + "/" + wsinfo.Repository.Name`
`103`	`104`	`clientToken, err := supervisor.NewTokenServiceClient(supervisorConn).GetToken(ctx, &supervisor.GetTokenRequest{`
`104`	`105`	`Host: wsinfo.GitpodApi.Host,`
`105`	`106`	`Kind: "gitpod",`
`106`	`107`	`Scope: []string{`
`107`		`- "function:getEnvVars",`
	`108`	`+ "function:getWorkspaceEnvVars",`
	`109`	`+ "function:getEnvVars", // TODO remove then getWorkspaceEnvVars is deployed`
`108`	`110`	`"function:setEnvVar",`
`109`	`111`	`"function:deleteEnvVar",`
`110`	`112`	`"resource:envVar::" + repositoryPattern + "::create/get/update/delete",`
`@@ -121,7 +123,7 @@ func connectToServer(ctx context.Context) (*connectToServerResult, error) {`
`121`	`123`	`if err != nil {`
`122`	`124`	`return nil, xerrors.Errorf("failed connecting to server: %w", err)`
`123`	`125`	`}`
`124`		`- return &connectToServerResult{repositoryPattern, client}, nil`
	`126`	`+ return &connectToServerResult{repositoryPattern, wsinfo, client}, nil`
`125`	`127`	`}`
`126`	`128`
`127`	`129`	`func getEnvs(ctx context.Context) error {`
`@@ -131,13 +133,17 @@ func getEnvs(ctx context.Context) error {`
`131`	`133`	`}`
`132`	`134`	`defer result.client.Close()`
`133`	`135`
`134`		`- vars, err := result.client.GetEnvVars(ctx)`
	`136`	`+ vars, err := result.client.GetWorkspaceEnvVars(ctx, result.wsInfo.WorkspaceId)`
	`137`	`+ if err != nil {`
	`138`	`+ // TODO remove then GetWorkspaceEnvVars is deployed`
	`139`	`+ vars, err = result.client.GetEnvVars(ctx)`
	`140`	`+ }`
`135`	`141`	`if err != nil {`
`136`	`142`	`return xerrors.Errorf("failed to fetch env vars from server: %w", err)`
`137`	`143`	`}`
`138`	`144`
`139`	`145`	`for _, v := range vars {`
`140`		`- printVar(v, exportEnvs)`
	`146`	`+ printVar(v.Name, v.Value, exportEnvs)`
`141`	`147`	`}`
`142`	`148`
`143`	`149`	`return nil`
`@@ -163,7 +169,7 @@ func setEnvs(ctx context.Context, args []string) error {`
`163`	`169`	`if err != nil {`
`164`	`170`	`return err`
`165`	`171`	`}`
`166`		`- printVar(v, exportEnvs)`
	`172`	`+ printVar(v.Name, v.Value, exportEnvs)`
`167`	`173`	`return nil`
`168`	`174`	`})`
`169`	`175`	`}`
`@@ -189,12 +195,12 @@ func deleteEnvs(ctx context.Context, args []string) error {`
`189`	`195`	`return g.Wait()`
`190`	`196`	`}`
`191`	`197`
`192`		`-func printVar(v *serverapi.UserEnvVarValue, export bool) {`
`193`		`- val := strings.Replace(v.Value, "\"", "\\\"", -1)`
	`198`	`+func printVar(name string, value string, export bool) {`
	`199`	`+ val := strings.Replace(value, "\"", "\\\"", -1)`
`194`	`200`	`if export {`
`195`		`- fmt.Printf("export %s=\"%s\"\n", v.Name, val)`
	`201`	`+ fmt.Printf("export %s=\"%s\"\n", name, val)`
`196`	`202`	`} else {`
`197`		`- fmt.Printf("%s=%s\n", v.Name, val)`
	`203`	`+ fmt.Printf("%s=%s\n", name, val)`
`198`	`204`	`}`
`199`	`205`	`}`
`200`	`206`
Original file line number	Diff line number	Diff line change
`@@ -311,6 +311,8 @@ export namespace NamedWorkspaceFeatureFlag {`
`311`	`311`	`}`
`312`	`312`	`}`
`313`	`313`
	`314`	`+export type EnvVar = UserEnvVar \| ProjectEnvVarWithValue \| EnvVarWithValue;`
	`315`	`+`
`314`	`316`	`export interface EnvVarWithValue {`
`315`	`317`	`name: string;`
`316`	`318`	`value: string;`