[kots]: configure Gitpod as a KOTS-installable app

Author: Simon Emms

install/kots/README.md

@@ -2,3 +2,47 @@
 
 [Kubernetes Off-The-Shelf(KOTS)](https://kots.io/) is how we deliver
 Gitpod to enterprise customers.
+
+# Getting started
+
+You will need:
+ - a Kubernetes cluster
+ - a [Replicated](https://vendor.replicated.com) license file
+
+Go to [our Replicated channels page](https://vendor.replicated.com/apps/gitpod/channels) and
+follow the installation instructions on screen.
+
+# Terminology
+
+KOTS is the technology which is used to deliver a Replicated installation. Generally,
+KOTS should refer to the underlying open source technology and Replicated is the
+commercially supported project.
+
+# Development
+
+## Authentication
+
+Two environment variables are required to be able to publish to our Replicated account:
+
+ - `REPLICATED_APP`: the unique application slug
+ - `REPLICATED_API_TOKEN`: a [User API Token](https://vendor.replicated.com/account-settings) with `Read/Write` permissions
+
+## Naming conventions
+
+- Starts with `kots` - part of the KOTS configuration. Typically, this will follow the KOTS documentation/conventions
+- Starts with `gitpod` - part of the Gitpod application. Typically, this will be something we define/own
+- Starts with `helm` - a Helm chart
+- Starts with `crd` - a Custom Resource Definition
+
+## Helm charts
+
+KOTS [requires](https://kots.io/reference/v1beta1/helmchart) Helm charts to be uploaded as a `.tgz`
+file. The `make helm` command iterates through everything inside `charts`, installs the dependencies
+and packages them up as a `.tgz` file.
+
+The `.tgz` files should not be committed to the repository.
+
+## Create an unstable release
+
+An unstable release can be created by running `make create_unstable_release`. This builds and publishes
+a new unstable release to the account. This can be then applied to your development cluster.

install/kots/manifests/gitpod-certificate-secret.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: https-certificates
+  annotations:
+    kots.io/when: '{{repl ConfigOptionEquals "cert_manager_enabled" "0" }}'
+type: kubernetes.io/tls
+data:
+  tls.crt: '{{repl ConfigOption "tls_crt" }}'
+  tls.key: '{{repl ConfigOption "tls_key" }}'

install/kots/manifests/gitpod-certificate.yaml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: https-certificates
+  annotations:
+    kots.io/when: '{{repl ConfigOptionEquals "cert_manager_enabled" "1" }}'
+spec:
+  secretName: https-certificates
+  issuerRef:
+    name: '{{repl if (ConfigOptionEquals "cert_manager_provider" "incluster" ) }}ca-issuer{{repl else }}gitpod-issuer{{repl end }}'
+    kind: '{{repl if (ConfigOptionEquals "cert_manager_provider" "azure") }}ClusterIssuer{{repl else }}Issuer{{repl end }}'
+  dnsNames:
+    - '{{repl ConfigOption "domain" }}'
+    - '*.{{repl ConfigOption "domain" }}'
+    - '*.ws.{{repl ConfigOption "domain" }}'

install/kots/manifests/gitpod-cloudsql-secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudsql
+  annotations:
+    kots.io/when: '{{repl and (ConfigOptionEquals "db_incluster" "0") (ConfigOptionEquals "db_cloudsql_enabled" "1") }}'
+data:
+  credentials.json: '{{repl ConfigOption "db_gcp_credentials" }}'
+  encryptionKeys: '{{repl ConfigOption "db_encryption_keys" | Base64Encode }}'
+  password: '{{repl ConfigOption "db_password" | Base64Encode }}'
+  username: '{{repl ConfigOption "db_username" | Base64Encode }}'

install/kots/manifests/gitpod-database-secret.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: database
+  annotations:
+    kots.io/when: '{{repl and (ConfigOptionEquals "db_incluster" "0") (ConfigOptionEquals "db_cloudsql_enabled" "0") }}'
+data:
+  encryptionKeys: '{{repl ConfigOption "db_encryption_keys" | Base64Encode }}'
+  host: '{{repl ConfigOption "db_host" | Base64Encode }}'
+  password: '{{repl ConfigOption "db_password" | Base64Encode }}'
+  port: '{{repl ConfigOption "db_port" | Base64Encode }}'
+  username: '{{repl ConfigOption "db_username" | Base64Encode }}'

install/kots/manifests/gitpod-dns-gcp-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cert-manager-gcp-dns-solver
+  annotations:
+    kots.io/when: '{{repl and (ConfigOptionEquals "cert_manager_enabled" "1") (ConfigOptionEquals "cert_manager_provider" "gcp") }}'
+data:
+  key.json: '{{repl ConfigOption "cert_manager_gcp_credentials" }}'

install/kots/manifests/gitpod-installation.yaml

@@ -0,0 +1,12 @@
+# This exists as debug information for the support bundle
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitpod-installation
+data:
+  channelName: '{{repl ChannelName }}'
+  cursor: '{{repl Cursor }}'
+  isAirgap: '{{repl IsAirgap }}'
+  releaseNotes: '{{repl ReleaseNotes }}'
+  sequence: '{{repl Sequence }}'
+  version: '{{repl VersionLabel }}'

install/kots/manifests/gitpod-installer-job.yaml

@@ -1,5 +1,6 @@
 # The installer job is where the magic happens. It generates
-# the config and installs Gitpod
+# the config, installs Gitpod and then deletes itself when
+# it's finished
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -27,22 +28,35 @@ spec:
           args:
             - |
               set -e
+
               echo "Gitpod: Install jq"
               apk add --no-cache jq
+
               echo "Gitpod: Perform the check"
               while [ "$(helm status -n {{repl Namespace }} cert-manager -o json | jq '.info.status == "deployed"')" = "false" ];
               do
                 echo "Gitpod: Release not found - will retry in 10s"
                 sleep 10
               done
+
               echo "Gitpod: Release found - goodbye"
       containers:
         - name: installer
           # This will normally be the release tag - using this tag as need the license evaluator
           image: 'eu.gcr.io/gitpod-core-dev/build/installer:main.2569'
+          volumeMounts:
+            - mountPath: /mnt/node0
+              name: node-fs0
+              readOnly: true
           env:
             - name: CONFIG_FILE
               value: /tmp/gitpod-config.yaml
+            - name: CONTAINERD_DIR_K3S
+              value: /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io
+            - name: CONTAINERD_SOCKET_K3S
+              value: /run/k3s/containerd/containerd.sock
+            - name: GITPOD_OBJECTS
+              value: /tmp/gitpod
           command:
             - /bin/sh
             - -c
@@ -53,10 +67,102 @@ spec:
               echo "Gitpod: Generate the base Installer config"
               /app/installer init > "${CONFIG_FILE}"
 
+              echo "Gitpod: auto-detecting containerd location on host machine"
+              if [ -d "/mnt/node0${CONTAINERD_DIR_K3S}" ]; then
+                echo "Gitpod: containerd dir detected as k3s"
+
+                yq e -i ".workspace.runtime.containerdRuntimeDir = \"${CONTAINERD_DIR_K3S}\"" "${CONFIG_FILE}"
+              fi
+
+              if [ -S "/mnt/node0${CONTAINERD_SOCKET_K3S}" ]; then
+                echo "Gitpod: containerd socket detected as k3s"
+
+                yq e -i ".workspace.runtime.containerdSocket = \"${CONTAINERD_SOCKET_K3S}\"" "${CONFIG_FILE}"
+              fi
+
               echo "Gitpod: Inject the Replicated variables into the config"
               yq e -i '.domain = "{{repl ConfigOption "domain" }}"' "${CONFIG_FILE}"
+              yq e -i '.license.kind = "secret"' "${CONFIG_FILE}"
+              yq e -i '.license.name = "gitpod-license"' "${CONFIG_FILE}"
+
+              if [ '{{repl and (ConfigOptionEquals "db_incluster" "0") (ConfigOptionEquals "db_cloudsql_enabled" "1") }}' = "true" ];
+              then
+                echo "Gitpod: configuring CloudSQLProxy"
+
+                yq e -i ".database.inCluster = false" "${CONFIG_FILE}"
+                yq e -i ".database.cloudSQL.instance = \"{{repl ConfigOption "db_cloudsql_instance" }}\"" "${CONFIG_FILE}"
+                yq e -i ".database.cloudSQL.serviceAccount.kind = \"secret\"" "${CONFIG_FILE}"
+                yq e -i ".database.cloudSQL.serviceAccount.name = \"cloudsql\"" "${CONFIG_FILE}"
+              fi
+
+              if [ '{{repl and (ConfigOptionEquals "db_incluster" "0") (ConfigOptionEquals "db_cloudsql_enabled" "0") }}' = "true" ];
+              then
+                echo "Gitpod: configuring external database"
+
+                yq e -i ".database.inCluster = false" "${CONFIG_FILE}"
+                yq e -i ".database.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
+                yq e -i ".database.external.certificate.name = \"database\"" "${CONFIG_FILE}"
+              fi
+
+              if [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ];
+              then
+                echo "Gitpod: configuring external container registry"
+
+                yq e -i ".containerRegistry.inCluster = false" "${CONFIG_FILE}"
+                yq e -i ".containerRegistry.external.url = \"{{repl ConfigOption "reg_url" }}\"" "${CONFIG_FILE}"
+                yq e -i ".containerRegistry.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
+                yq e -i ".containerRegistry.external.certificate.name = \"container-registry\"" "${CONFIG_FILE}"
+
+              if [ '{{repl ConfigOptionEquals "reg_s3storage" "1" }}' = "true" ];
+                then
+                  echo "Gitpod: configuring container registry S3 backend"
+
+                  yq e -i ".containerRegistry.s3storage.bucket = \"{{repl ConfigOption "reg_bucketname" }}\"" "${CONFIG_FILE}"
+                  yq e -i ".containerRegistry.s3storage.certificate.kind = \"secret\"" "${CONFIG_FILE}"
+                  yq e -i ".containerRegistry.s3storage.certificate.name = \"container-registry-s3-backend\"" "${CONFIG_FILE}"
+                fi
+              fi
+
+              if [ '{{repl ConfigOptionNotEquals "store_provider" "incluster" }}' = "true" ];
+              then
+                echo "Gitpod: configuring the storage"
+
+                yq e -i ".metadata.region = \"{{repl ConfigOption "store_region" }}\"" "${CONFIG_FILE}"
+                yq e -i ".objectStorage.inCluster = false" "${CONFIG_FILE}"
+
+                if [ '{{repl ConfigOptionEquals "store_provider" "azure" }}' = "true" ];
+                then
+                  echo "Gitpod: configuring storage for Azure"
+
+                  yq e -i ".objectStorage.azure.credentials.kind = \"secret\"" "${CONFIG_FILE}"
+                  yq e -i ".objectStorage.azure.credentials.name = \"storage-azure\"" "${CONFIG_FILE}"
+                fi
+
+                if [ '{{repl ConfigOptionEquals "store_provider" "gcp" }}' = "true" ];
+                then
+                  echo "Gitpod: configuring storage for GCP"
+
+                  yq e -i ".objectStorage.cloudStorage.project = \"{{repl ConfigOption "store_gcp_project" }}\"" "${CONFIG_FILE}"
+                  yq e -i ".objectStorage.cloudStorage.serviceAccount.kind = \"secret\"" "${CONFIG_FILE}"
+                  yq e -i ".objectStorage.cloudStorage.serviceAccount.name = \"storage-gcp\"" "${CONFIG_FILE}"
+                fi
+
+                if [ '{{repl ConfigOptionEquals "store_provider" "s3" }}' = "true" ];
+                then
+                  echo "Gitpod: configuring storage for S3"
+
+                  yq e -i ".objectStorage.s3.endpoint = \"{{repl ConfigOption "store_s3_endpoint" }}\"" "${CONFIG_FILE}"
+                  yq e -i ".objectStorage.s3.credentials.secret = \"secret\"" "${CONFIG_FILE}"
+                  yq e -i ".objectStorage.s3.credentials.name = \"storage-s3\"" "${CONFIG_FILE}"
+                fi
+              fi
 
               echo "Gitpod: Generate the Kubernetes objects and apply"
               /app/installer render -c "${CONFIG_FILE}" --namespace {{repl Namespace }} | kubectl apply -f -
 
               echo "Gitpod: Installer job finished - goodbye"
+      volumes:
+        - name: node-fs0
+          hostPath:
+            path: /
+            type: Directory

install/kots/manifests/gitpod-issuer-azure.yaml

@@ -0,0 +1,20 @@
+# Azure doesn't seem to like using an Issuer
+# @link https://github.com/cert-manager/cert-manager/issues/4867c
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: gitpod-issuer
+  annotations:
+    kots.io/when: '{{repl and (ConfigOptionEquals "cert_manager_enabled" "1") (ConfigOptionEquals "cert_manager_provider" "azure") }}'
+spec:
+  acme:
+    email: '{{repl ConfigOption "cert_manager_email" }}'
+    server: '{{repl ConfigOption "cert_manager_acme_url" }}'
+    privateKeySecretRef:
+      name: issuer-account-key
+    solvers:
+      - dns01:
+          azureDNS:
+            subscriptionID: '{{repl ConfigOption "cert_manager_azure_subscription_id" }}'
+            resourceGroupName: '{{repl ConfigOption "cert_manager_azure_resource_group" }}'
+            hostedZoneName: '{{repl ConfigOption "domain" }}'

install/kots/manifests/gitpod-issuer-gcp.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: gitpod-issuer
+  annotations:
+    kots.io/when: '{{repl and (ConfigOptionEquals "cert_manager_enabled" "1") (ConfigOptionEquals "cert_manager_provider" "gcp") }}'
+spec:
+  acme:
+    email: '{{repl ConfigOption "cert_manager_email" }}'
+    server: '{{repl ConfigOption "cert_manager_acme_url" }}'
+    privateKeySecretRef:
+      name: issuer-account-key
+    solvers:
+      - dns01:
+          cloudDNS:
+            project: '{{repl ConfigOption "cert_manager_gcp_project" }}'
+            serviceAccountSecretRef:
+              name: cert-manager-gcp-dns-solver
+              key: key.json

install/kots/manifests/gitpod-license.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitpod-license
+data:
+  license: '{{repl LicenseFieldValue "signature" | Base64Encode }}'
+  type: '{{repl printf "replicated" | Base64Encode }}'

install/kots/manifests/gitpod-registry-s3-backend.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: container-registry-s3-backend
+  annotations:
+    kots.io/when: '{{repl and (ConfigOptionEquals "reg_incluster" "0") (ConfigOptionEquals "reg_s3storage" "1") }}'
+data:
+  s3AccessKey: '{{repl ConfigOption "reg_accesskey" | Base64Encode }}'
+  s3SecretKey: '{{repl ConfigOption "reg_secretkey" | Base64Encode }}'

install/kots/manifests/gitpod-registry-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: container-registry
+  annotations:
+    kots.io/when: '{{repl ConfigOptionEquals "reg_incluster" "0" }}'
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: '{{repl printf "{\"auths\": {\"%s\": {\"username\": \"%s\", \"password\": %s, \"auth\": \"%s\"}}}" (ConfigOption "reg_server" | default (ConfigOption "reg_url")) (ConfigOption "reg_username") (ConfigOption "reg_password" | toJson) (printf "%s:%s" (ConfigOption "reg_username") (ConfigOption "reg_password") | Base64Encode) | Base64Encode }}'

install/kots/manifests/gitpod-storage-azure-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: storage-azure
+  annotations:
+    kots.io/when: '{{repl ConfigOptionEquals "store_provider" "azure" }}'
+data:
+  accountName: '{{repl ConfigOption "store_azure_account_name" | Base64Encode }}'
+  accountKey: '{{repl ConfigOption "store_azure_access_key" | Base64Encode }}'

install/kots/manifests/gitpod-storage-gcp-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: storage-gcp
+  annotations:
+    kots.io/when: '{{repl ConfigOptionEquals "store_provider" "gcp" }}'
+data:
+  service-account.json: '{{repl ConfigOption "store_gcp_credentials" }}'

install/kots/manifests/gitpod-storage-s3-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: storage-azure
+  annotations:
+    kots.io/when: '{{repl ConfigOptionEquals "store_provider" "s3" }}'
+data:
+  accessKeyId: '{{repl ConfigOption "store_s3_access_key_id" | Base64Encode }}'
+  secretAccessKey: '{{repl ConfigOption "store_s3_secret_access_key" | Base64Encode }}'