@@ -29,8 +29,15 @@ DNS_SA_EMAIL="${DNS_SA}"@"${PROJECT_NAME}".iam.gserviceaccount.com
29
29
# Name of the node-pools for Gitpod services and workspaces
30
30
SERVICES_POOL=" workload-services"
31
31
WORKSPACES_POOL=" workload-workspaces"
32
+ # Secrets
33
+ SECRET_DATABASE=" gcp-sql-token"
34
+ SECRET_REGISTRY=" gcp-registry-token"
35
+ SECRET_STORAGE=" gcp-storage-token"
32
36
33
- GITPOD_VERSION=${GITPOD_VERSION:= " aledbf-mk3.68" }
37
+ REGISTRY_URL=" gcr.io/${PROJECT_NAME} /gitpod"
38
+ MYSQL_GITPOD_USERNAME=" gitpod"
39
+ MYSQL_GITPOD_ENCRYPTION_KEY=' [{"name":"general","version":1,"primary":true,"material":"4uGh1q8y2DYryJwrVMHs0kWXJlqvHWWt/KJuNi04edI="}]'
40
+ CERT_NAME=" https-certificates"
34
41
35
42
function check_prerequisites() {
36
43
if [ -z " ${PROJECT_NAME} " ]; then
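Review bot: `MYSQL_GITPOD_ENCRYPTION_KEY` on the added line 39 carries a literal `material` value, so every cluster installed from this script shares the same database encryption key and the key is readable by anyone with access to the repository. The script already derives `MYSQL_GITPOD_PASSWORD` at run time with `openssl rand -base64 20`; the same approach fits here, keeping the committed value only as a shape reference, e.g. `MYSQL_GITPOD_ENCRYPTION_KEY="${MYSQL_GITPOD_ENCRYPTION_KEY:-[{\"name\":\"general\",\"version\":1,\"primary\":true,\"material\":\"$(openssl rand -base64 32)\"}]}"` (32 bytes, the same length as the committed material), or a `: "${MYSQL_GITPOD_ENCRYPTION_KEY:?set to a per-install key}"` guard in `check_prerequisites` so there is no shared default. If the committed value has already been used by a real install, treat it as disclosed and rotate it. A comment above the assignment such as `# Per-install key; never commit real key material` would document the intent for the next edit.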
@@ -86,12 +93,39 @@ function create_node_pool() {
86
93
" ${PREEMPTIBLE} "
87
94
}
88
95
96
+ function create_secrets() {
97
+ # Assume that these values can change so create each run time
98
+
99
+ echo " Create database secret..."
100
+ kubectl create secret generic " ${SECRET_DATABASE} " \
101
+ --from-literal=credentials.json=" $( cat ./mysql-credentials.json) " \
102
+ --from-literal=encryptionKeys=" ${MYSQL_GITPOD_ENCRYPTION_KEY} " \
103
+ --from-literal=password=" ${MYSQL_GITPOD_PASSWORD} " \
104
+ --from-literal=username=" ${MYSQL_GITPOD_USERNAME} " \
105
+ --dry-run=client -o yaml | \
106
+ kubectl replace --force -f -
107
+
108
+ echo " Create registry secret..."
109
+ kubectl create secret docker-registry " ${SECRET_REGISTRY} " \
110
+ --docker-server=" ${REGISTRY_URL} " \
111
+ --docker-username=_json_key \
112
+ --docker-password=" $( cat gs-credentials.json) " \
113
+ --dry-run=client -o yaml | \
114
+ kubectl replace --force -f -
115
+
116
+ echo " Create storage secret..."
117
+ kubectl create secret generic " ${SECRET_STORAGE} " \
118
+ --from-file=service-account.json=./gs-credentials.json \
119
+ --dry-run=client -o yaml | \
120
+ kubectl replace --force -f -
121
+ }
122
+
89
123
function setup_mysql_database() {
90
124
if [ " $( gcloud sql instances list --filter=" name:${MYSQL_INSTANCE_NAME} " --format=" value(name)" | grep " ${MYSQL_INSTANCE_NAME} " || echo " empty" ) " == " ${MYSQL_INSTANCE_NAME} " ]; then
91
125
echo " Cloud SQL (MySQL) Instance already exists."
92
126
else
93
127
# https://cloud.google.com/sql/docs/mysql/create-instance
94
- echo " Creating Mysql instance..."
128
+ echo " Creating MySQL instance..."
95
129
gcloud sql instances create " ${MYSQL_INSTANCE_NAME} " \
96
130
--database-version=MYSQL_5_7 \
97
131
--storage-size=20 \
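Review bot: In `create_secrets`, `--from-literal=credentials.json="$(cat ./mysql-credentials.json)"` (line 101) and `--docker-password="$(cat gs-credentials.json)"` (line 112) place the full service-account JSON on the kubectl command line, where it is visible in process listings and in any `set -x` trace; the storage secret a few lines down already uses the safer form, so the database secret can do the same with `--from-file=credentials.json=./mysql-credentials.json \`. The docker-registry type has no `--from-file` option for the password, so that call stays as it is unless a pre-built `.dockerconfigjson` is supplied instead. The credential paths are also resolved against the caller's working directory, while `setup_managed_dns` reads `"${DIR}/dns-credentials.json"`; anchoring these two on `${DIR}` as well keeps the script's behaviour independent of where it is invoked from. The `--dry-run=client -o yaml | kubectl replace --force -f -` pipelines only report a missing credentials file if `pipefail` is set (not visible here), otherwise the `replace` stage sees empty input and the failure is silent.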
@@ -104,14 +138,14 @@ function setup_mysql_database() {
104
138
gcloud sql instances patch " ${MYSQL_INSTANCE_NAME} " --database-flags \
105
139
explicit_defaults_for_timestamp=off --quiet
106
140
107
- echo " Creating gitpod Mysql database..."
141
+ echo " Creating Gitpod MySQL database..."
108
142
gcloud sql databases create gitpod --instance=" ${MYSQL_INSTANCE_NAME} "
109
143
fi
110
144
111
- echo " Creating gitpod Mysql user and setting a password..."
145
+ echo " Creating Gitpod MySQL user and setting a password..."
112
146
MYSQL_GITPOD_PASSWORD=$( openssl rand -base64 20)
113
147
export MYSQL_GITPOD_PASSWORD
114
- gcloud sql users create gitpod \
148
+ gcloud sql users create " ${MYSQL_GITPOD_USERNAME} " \
115
149
--instance=" ${MYSQL_INSTANCE_NAME} " --password=" ${MYSQL_GITPOD_PASSWORD} "
116
150
}
117
151
@@ -130,27 +164,6 @@ function create_service_account() {
130
164
fi
131
165
}
132
166
133
- function create_namespace() {
134
- local NAMESPACE=$1
135
- if ! kubectl get namespace " ${NAMESPACE} " > /dev/null 2>&1 ; then
136
- kubectl create namespace " ${NAMESPACE} "
137
- fi
138
- }
139
-
140
- function install_jaeger_operator(){
141
- echo " Installing Jaeger operator..."
142
- create_namespace jaeger-operator
143
- kubectl apply -f https://raw.githubusercontent.com/jaegertracing/helm-charts/main/charts/jaeger-operator/crds/crd.yaml
144
- helm upgrade --install --namespace jaeger-operator \
145
- jaegeroperator jaegertracing/jaeger-operator \
146
- --set crd.install=false \
147
- -f " ${DIR} /charts/assets/jaeger-values.yaml"
148
-
149
- kubectl wait --for=condition=available --timeout=300s \
150
- deployment/jaegeroperator-jaeger-operator -n jaeger-operator
151
- kubectl apply -f " ${DIR} /charts/assets/jaeger-gitpod.yaml"
152
- }
153
-
154
167
function setup_managed_dns() {
155
168
if [ -n " ${SETUP_MANAGED_DNS} " ] && [ " ${SETUP_MANAGED_DNS} " == " true" ]; then
156
169
if [ " $( gcloud iam service-accounts list --filter=" displayName:${DNS_SA} " --format=" value(displayName)" | grep " ${DNS_SA} " || echo " empty" ) " == " ${DNS_SA} " ]; then
@@ -173,20 +186,28 @@ function setup_managed_dns() {
173
186
fi
174
187
175
188
echo " Installing external-dns..."
176
- create_namespace external-dns
177
- helm upgrade --install external-dns \
189
+ helm upgrade \
190
+ --atomic \
191
+ --cleanup-on-fail \
192
+ --create-namespace \
193
+ --install \
178
194
--namespace external-dns \
179
- bitnami/external-dns \
195
+ --reset-values \
180
196
--set provider=google \
181
197
--set google.project=" ${PROJECT_NAME} " \
182
198
--set logFormat=json \
183
- --set google.serviceAccountSecretKey=dns-credentials.json
199
+ --set google.serviceAccountSecretKey=dns-credentials.json \
200
+ --wait \
201
+ external-dns \
202
+ bitnami/external-dns
184
203
185
- if ! kubectl get secret --namespace cert-manager clouddns-dns01-solver-svc-acct; then
186
- echo " Creating secret for Cloud DNS Issuer..."
187
- kubectl create secret generic clouddns-dns01-solver-svc-acct \
188
- --namespace cert-manager --from-file=key.json=" ${DIR} /dns-credentials.json"
189
- fi
204
+ echo " Creating secret for Cloud DNS Issuer..."
205
+ export CLOUD_DNS_SECRET=clouddns-dns01-solver
206
+
207
+ kubectl create secret generic " ${CLOUD_DNS_SECRET} " \
208
+ --from-file=key.json=" ${DIR} /dns-credentials.json" \
209
+ --dry-run=client -o yaml | \
210
+ kubectl replace --force -f -
190
211
191
212
echo " Installing cert-manager certificate issuer..."
192
213
envsubst < " ${DIR} /charts/assets/issuer.yaml" | kubectl apply -f -
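Review bot: The rewritten Cloud DNS secret creation (lines 207–210) no longer passes `--namespace cert-manager`, which the removed lines 187–188 did, so the secret is now created in whatever namespace the current kubeconfig context points at rather than next to cert-manager. If `issuer.yaml` (not visible here) references `${CLOUD_DNS_SECRET}` from the cert-manager namespace, the DNS01 solver will not find it; adding `--namespace cert-manager \` to the `kubectl create secret generic` call and `--namespace cert-manager` to the `kubectl replace --force -f -` stage restores the previous placement. `export CLOUD_DNS_SECRET=clouddns-dns01-solver` also renames the secret from `clouddns-dns01-solver-svc-acct`, so on an existing cluster the old secret is left behind and should be deleted or the rename noted in a comment.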
@@ -195,16 +216,18 @@ function setup_managed_dns() {
195
216
196
217
function install_cert_manager() {
197
218
echo " Installing cert-manager..."
198
- helm upgrade cert-manager jetstack/cert-manager \
199
- --namespace= ' cert-manager ' \
200
- --install \
219
+ helm upgrade \
220
+ --atomic \
221
+ --cleanup-on-fail \
201
222
--create-namespace \
223
+ --install \
224
+ --namespace cert-manager \
225
+ --reset-values \
202
226
--set installCRDs=true \
203
227
--set ' extraArgs={--dns01-recursive-nameservers-only=true,--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53}' \
204
- --atomic
205
-
206
- # ensure cert-manager and CRDs are installed and running
207
- kubectl wait --for=condition=available --timeout=300s deployment/cert-manager -n cert-manager
228
+ --wait \
229
+ cert-manager \
230
+ jetstack/cert-manager
208
231
}
209
232
210
233
function install_gitpod() {
@@ -214,8 +237,22 @@ function install_gitpod() {
214
237
215
238
gitpod-installer init > " ${CONFIG_FILE} "
216
239
240
+ echo " Updating config..."
241
+ yq e -i " .certificate.name = \" ${CERT_NAME} \" " " ${CONFIG_FILE} "
242
+ yq e -i " .containerRegistry.inCluster = false" " ${CONFIG_FILE} "
243
+ yq e -i " .containerRegistry.external.url = \" ${REGISTRY_URL} \" " " ${CONFIG_FILE} "
244
+ yq e -i " .containerRegistry.external.certificate.kind = \" secret\" " " ${CONFIG_FILE} "
245
+ yq e -i " .containerRegistry.external.certificate.name = \" ${SECRET_REGISTRY} \" " " ${CONFIG_FILE} "
246
+ yq e -i " .database.inCluster = false" " ${CONFIG_FILE} "
247
+ yq e -i " .database.cloudSQL.instance = \" ${PROJECT_NAME} :${REGION} :${MYSQL_INSTANCE_NAME} \" " " ${CONFIG_FILE} "
248
+ yq e -i " .database.cloudSQL.serviceAccount.kind = \" secret\" " " ${CONFIG_FILE} "
249
+ yq e -i " .database.cloudSQL.serviceAccount.name = \" ${SECRET_DATABASE} \" " " ${CONFIG_FILE} "
217
250
yq e -i " .domain = \" ${DOMAIN} \" " " ${CONFIG_FILE} "
218
251
yq e -i " .metadata.region = \" ${REGION} \" " " ${CONFIG_FILE} "
252
+ yq e -i " .objectStorage.inCluster = false" " ${CONFIG_FILE} "
253
+ yq e -i " .objectStorage.cloudStorage.project = \" ${PROJECT_NAME} \" " " ${CONFIG_FILE} "
254
+ yq e -i " .objectStorage.cloudStorage.serviceAccount.kind = \" secret\" " " ${CONFIG_FILE} "
255
+ yq e -i " .objectStorage.cloudStorage.serviceAccount.name = \" ${SECRET_STORAGE} \" " " ${CONFIG_FILE} "
219
256
yq e -i ' .workspace.runtime.containerdRuntimeDir = "/var/lib/containerd/io.containerd.runtime.v2.task/k8s.io"' " ${CONFIG_FILE} "
220
257
221
258
gitpod-installer \
@@ -234,25 +271,6 @@ function service_account_exists() {
234
271
fi
235
272
}
236
273
237
- function wait_for_load_balancer() {
238
- sleep 10
239
-
240
- COUNT=0
241
- LB_IP_ADDRESS=" "
242
- while [ " ${LB_IP_ADDRESS} " == " " ] && [ " ${COUNT} " -lt 5 ]; do
243
- printf " ."
244
- LB_IP_ADDRESS=$( kubectl get service proxy -o=jsonpath=' {.status.loadBalancer.ingress[0].ip}' )
245
- (( COUNT+= 1 ))
246
- sleep 5
247
- done
248
-
249
- if [ -n " ${LB_IP_ADDRESS} " ]; then
250
- printf ' \nLoad balancer IP address: %s\n' " ${LB_IP_ADDRESS} "
251
- else
252
- printf ' \n The load balancer is still being provisioned. Wait a couple of minutes.'
253
- fi
254
- }
255
-
256
274
function install() {
257
275
echo " Gitpod installer version: $( gitpod-installer version | jq -r ' .version' ) "
258
276
@@ -369,20 +387,24 @@ function install() {
369
387
--clusterrole=cluster-admin --user=" $( gcloud config get-value core/account) "
370
388
fi
371
389
390
+ CONTAINER_REGISTRY_BUCKET=" container-registry-${CLUSTER_NAME} -${PROJECT_ID} "
391
+ export CONTAINER_REGISTRY_BUCKET
392
+ # the bucket must exists before installing the docker-registry.
393
+ if ! gsutil acl get " gs://${CONTAINER_REGISTRY_BUCKET} " > /dev/null 2>&1 ; then
394
+ gsutil mb " gs://${CONTAINER_REGISTRY_BUCKET} "
395
+ fi
396
+
372
397
install_cert_manager
373
398
setup_managed_dns
374
- # setup_mysql_database
399
+ setup_mysql_database
400
+ create_secrets
375
401
install_gitpod
376
402
377
- wait_for_load_balancer
378
-
379
- # The load balancer wait clips message - extra line solves that
380
403
cat << EOF
381
-
382
404
==========================
383
405
Gitpod is now installed on your cluster
384
406
385
- Please update your DNS record with the relevant nameserver.
407
+ Please update your DNS records with the relevant nameserver.
386
408
EOF
387
409
}
388
410
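Review bot: `CONTAINER_REGISTRY_BUCKET="container-registry-${CLUSTER_NAME}-${PROJECT_ID}"` (line 390) is the only place in the visible hunks that uses `${PROJECT_ID}`; every other reference (`DNS_SA_EMAIL`, `REGISTRY_URL`, the `yq` config lines) uses `${PROJECT_NAME}`, so unless `PROJECT_ID` is defined outside this chunk the bucket name ends in a bare `-`, or the script aborts if `set -u` is active. `gsutil mb "gs://${CONTAINER_REGISTRY_BUCKET}"` also relies on the gcloud default project and location; `gsutil mb -p "${PROJECT_NAME}" -l "${REGION}" "gs://${CONTAINER_REGISTRY_BUCKET}"` pins both to the values the rest of the install uses. Re-enabling `setup_mysql_database` means `gcloud sql users create "${MYSQL_GITPOD_USERNAME}"` (hunk 3, outside the `if`) runs on every invocation, and on a second run it will presumably fail because the user already exists, leaving `create_secrets` with a freshly generated `MYSQL_GITPOD_PASSWORD` that was never applied; a `gcloud sql users set-password` fallback or an existence check would make the function idempotent like the instance and database steps above it.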