[installer]: fix incorrectly configured pod security policies #7106
Conversation
roboquat
added
do-not-merge/work-in-progress
do-not-merge/release-note-label-needed
team: webapp
mrsimonemms
force-pushed
the
sje/installer-psps
branch
2 times, most recently
from
294124f
to
cd1b30a
Compare
| @@ -34,7 +34,7 @@ const ( | |||
| RegistryAuthSecret = "builtin-registry-auth" | |||
| RegistryTLSCertSecret = "builtin-registry-certs" | |||
| RegistryFacadeComponent = "registry-facade" | |||
| RegistryFacadeServicePort = 3000 | |||
| RegistryFacadeServicePort = 30000 | |||
There was a problem hiding this comment.
Changed value as registry-facade/podsecuritypolicy.go set to 30000-33000. It seems that this is post-processed in SaaS/Core Dev to be in that range
There was a problem hiding this comment.
Yes, that is done with Helm now like so.
This now makes Gitpod work in a cluster with pod security policies enabled.
mrsimonemms
force-pushed
the
sje/installer-psps
branch
from
cd1b30a
to
8d34bd9
Compare
roboquat
added
release-note
and removed
do-not-merge/work-in-progress
do-not-merge/release-note-label-needed
labels
mrsimonemms
changed the title
Codecov Report
@@ Coverage Diff @@
## main #7106 +/- ##
==========================================
- Coverage 30.52% 5.76% -24.76%
==========================================
Files 34 13 -21
Lines 5917 1162 -4755
==========================================
- Hits 1806 67 -1739
+ Misses 3974 1094 -2880
+ Partials 137 1 -136
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report at Codecov.
|
| @@ -277,6 +277,7 @@ var Helm = common.CompositeHelmFunc( | |||
| helm.KeyValue("rabbitmq.auth.password", password), | |||
| helm.KeyValue("rabbitmq.auth.existingErlangSecret", CookieSecret), | |||
| helm.KeyValue("rabbitmq.auth.tls.existingSecret", TLSSecret), | |||
| helm.KeyValue("rabbitmq.serviceAccount.name", Component), | |||
There was a problem hiding this comment.
I like this, this is much better than changing the component!
|
/approve |
There was a problem hiding this comment.
Have not tested, but change LGTM
Please feel free to ignore this comment; I assume you already considerd that.
|
LGTM label has been added. Git tree hash: 1ddb68ae75214623e26b1c34775485aee0c717e5
|
|
LGTM |
It's always worthwhile checking I've not done something daft. Thanks |
| @@ -34,7 +34,7 @@ const ( | |||
| RegistryAuthSecret = "builtin-registry-auth" | |||
| RegistryTLSCertSecret = "builtin-registry-certs" | |||
| RegistryFacadeComponent = "registry-facade" | |||
| RegistryFacadeServicePort = 3000 | |||
| RegistryFacadeServicePort = 30000 | |||
There was a problem hiding this comment.
that value could produce some collision (default initial value for node ports)
There was a problem hiding this comment.
Yes it could. @kylos101 has done some post-processing for Core Dev on daemonsets to avoid collisions as part of his Werft job. Is that the collision you're talking about?
There was a problem hiding this comment.
The range core-dev uses for registry-facade is 30000-31000. @aledbf is that the potential collision you were referring? If yes, I think we'll be okay, because this is referring registry-facade.
There was a problem hiding this comment.
Yes. Are we doing the same post-processing on user clusters?
There was a problem hiding this comment.
No we're not. The general principle that we're working on is one deployment of Gitpod per cluster. It's not explicitly noted at the moment, but it's one that will be documented when we do the public introductory docs
|
/hold |
|
/lgtm |
|
/werft run 👍 started the job as gitpod-build-sje-installer-psps.5 |
|
/unhold |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: geropl, kylos101, MrSimonEmms Associated issue: #7107 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
roboquat
added
deployed: webapp
Description
This now makes Gitpod work in a cluster with pod security policies enabled. Seems there was some missed configurations.
This does not include the work for InCluster Docker registry, see #7107
Related Issue(s)
Fixes #7095
How to test
Deploy to a cluster with Pod Security Policies enabled. Have tested with all combinations of incluster and external dependencies
Release Notes
Documentation