From 28f4a1d74841cd5975ce365e0b5461853a8c2349 Mon Sep 17 00:00:00 2001
From: Vishal Tak
Date: Fri, 18 Oct 2024 17:06:13 +0530
Subject: [PATCH 1/6] Update workspaces setup script
---
.../workspaces_kubernetes_setup.sh | 135 +++++++++++++-----
1 file changed, 100 insertions(+), 35 deletions(-)
diff --git a/scripts/remote_development/workspaces_kubernetes_setup.sh b/scripts/remote_development/workspaces_kubernetes_setup.sh
index 6251f3deb2d53e..60c5615791f917 100755
--- a/scripts/remote_development/workspaces_kubernetes_setup.sh
+++ b/scripts/remote_development/workspaces_kubernetes_setup.sh
@@ -5,18 +5,37 @@ # # It uses the following environment variables # $CLIENT_ID - OAuth Client ID used in GitLab Workspaces Proxy. -# #CLIENT_SECRET - OAuth Client Secret used in GitLab Workspaces Proxy. +# $CLIENT_SECRET - OAuth Client Secret used in GitLab Workspaces Proxy. if [ -z "${CLIENT_ID}" ]; then - echo "\CLIENT_ID is not set" - exit 1 + echo "\CLIENT_ID is not explicitly set. Trying to fetch the value from existing helm release" + CLIENT_ID=$( + kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ + --output go-template='{{ index .data "auth.client_id" | base64decode }}' + ) + if [ -z "${CLIENT_ID}" ]; then + echo "Unable to fetch the value from existing helm release" + echo "\CLIENT_ID is required to be set." + exit 1 + fi fi if [ -z "${CLIENT_SECRET}" ]; then - echo "\CLIENT_SECRET is not set" - exit 1 + echo "\CLIENT_SECRET is not explicitly set. Trying to fetch the value from existing helm release" + CLIENT_SECRET=$( + kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ + --output go-template='{{ index .data "auth.client_secret" | base64decode }}' + ) + if [ -z "${CLIENT_SECRET}" ]; then + echo "Unable to fetch the value from existing helm release" + echo "\CLIENT_SECRET is required to be set." + exit 1 + fi fi +ROOT_DIR="${HOME}/gitlab-workspaces-proxy" +mkdir -p ${ROOT_DIR} + # install ingress-nginx helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx --force-update helm repo update 
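Review bot: The fallback messages on the added `echo` lines say the value is fetched "from existing helm release", but the value is read from the `gitlab-workspaces-proxy-config` secret, which later hunks create with `kubectl create secret` rather than through the helm release (the `auth.*` `--set` values are removed from the `helm upgrade` call), so someone debugging a missing value is pointed at the wrong object; the header comment added by PATCH 5/6 repeats the same wording. Wording I would use: `echo "CLIENT_ID is not set. Trying to read it from the existing gitlab-workspaces-proxy-config secret"`. The two `kubectl get secret … go-template` blocks differ only in the key name, so a small helper removes the duplication and keeps the secret name and namespace in one place; when the secret does not exist kubectl prints its error on stderr and the helper's stdout stays empty, which the existing `-z` checks already handle.
```shell
# Read one key of the proxy config secret; stdout is empty when the secret does not exist.
fetch_config_value() {
  kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \
    --output go-template="{{ index .data \"$1\" | base64decode }}"
}

# … unchanged: CLIENT_ID / CLIENT_SECRET presence checks and error messages …
CLIENT_ID=$(fetch_config_value auth.client_id)
CLIENT_SECRET=$(fetch_config_value auth.client_secret)
```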
@@ -35,24 +54,65 @@ kubectl wait pod \ --namespace=ingress-nginx \ --timeout=300s +if [ $? -eq 0 ]; then + echo "Ingress Nginx helm chart upgrade successfully" +else + echo "Ingress Nginx helm chart upgrade failed. Check pod logs for more details." + exit 1 +fi + # install gitlab-workspaces-proxy export GITLAB_WORKSPACES_PROXY_DOMAIN="workspaces.localdev.me" export GITLAB_WORKSPACES_WILDCARD_DOMAIN="*.workspaces.localdev.me" -export WORKSPACES_DOMAIN_CERT="${GDK_ROOT}/workspaces.localdev.me+1.pem" -export WORKSPACES_DOMAIN_KEY="${GDK_ROOT}/workspaces.localdev.me+1-key.pem" -export WILDCARD_DOMAIN_CERT="${GDK_ROOT}/workspaces.localdev.me+1.pem" -export WILDCARD_DOMAIN_KEY="${GDK_ROOT}/workspaces.localdev.me+1-key.pem" export REDIRECT_URI="https://${GITLAB_WORKSPACES_PROXY_DOMAIN}/auth/callback" -export SSH_HOST_KEY="${GDK_ROOT}/gitlab-workspaces-proxy-ssh-host-key" +export SSH_HOST_KEY="${ROOT_DIR}/gitlab-workspaces-proxy-ssh-host-key" export GITLAB_URL="http://gdk.test:3000" export SIGNING_KEY="a_random_key_consisting_of_letters_numbers_and_special_chars" # install self-signed certs +rm "${ROOT_DIR}/workspaces.localdev.me+1.pem" "${ROOT_DIR}/workspaces.localdev.me+1-key.pem" || true mkcert -install -mkcert "${GITLAB_WORKSPACES_PROXY_DOMAIN}" "${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" +mkcert \ + --cert-file="${ROOT_DIR}/workspaces.localdev.me+1.pem" \ + --key-file="${ROOT_DIR}/workspaces.localdev.me+1-key.pem" \ + "${GITLAB_WORKSPACES_PROXY_DOMAIN}" "${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" + +# generate ssh host key rm $SSH_HOST_KEY || true -ssh-keygen -f gitlab-workspaces-proxy-ssh-host-key -N '' -t rsa +ssh-keygen -f "${ROOT_DIR}/gitlab-workspaces-proxy-ssh-host-key" -N '' -t rsa + +# create kubernetes secrets required by the gitlab-workspaces-proxy helm chart +if kubectl get namespace gitlab-workspaces; +then + echo "Namespace 'gitlab-workspaces' already exists." +else + echo "Namespace 'gitlab-workspaces' does not exists. Creating it." 
+ kubectl create namespace gitlab-workspaces +fi + +kubectl delete secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" || true +kubectl create secret generic gitlab-workspaces-proxy-config \ + --namespace="gitlab-workspaces" \ + --from-literal="auth.client_id=${CLIENT_ID}" \ + --from-literal="auth.client_secret=${CLIENT_SECRET}" \ + --from-literal="auth.host=${GITLAB_URL}" \ + --from-literal="auth.redirect_uri=${REDIRECT_URI}" \ + --from-literal="auth.signing_key=${SIGNING_KEY}" \ + --from-literal="ssh.host_key=$(cat ${SSH_HOST_KEY})" + +kubectl delete secret gitlab-workspace-proxy-tls --namespace="gitlab-workspaces" || true +kubectl create secret tls gitlab-workspace-proxy-tls \ + --namespace="gitlab-workspaces" \ + --cert="${ROOT_DIR}/workspaces.localdev.me+1.pem" \ + --key="${ROOT_DIR}/workspaces.localdev.me+1-key.pem" +kubectl delete secret gitlab-workspace-proxy-wildcard-tls --namespace="gitlab-workspaces" || true +kubectl create secret tls gitlab-workspace-proxy-wildcard-tls \ + --namespace="gitlab-workspaces" \ + --cert="${ROOT_DIR}/workspaces.localdev.me+1.pem" \ + --key="${ROOT_DIR}/workspaces.localdev.me+1-key.pem" + +# install gitlab-workspaces-proxy helm chart helm repo add gitlab-workspaces-proxy \ https://gitlab.com/api/v4/projects/gitlab-org%2fworkspaces%2fgitlab-workspaces-proxy/packages/helm/devel \ --force-update 
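Review bot: The three `kubectl delete secret … || true` / `kubectl create secret …` pairs are not atomic, and the `|| true` also hides failures unrelated to a missing secret (an unreachable cluster, a wrong context), after which the following `create` fails with a less helpful error. A client-side dry run piped into apply is idempotent and needs no delete step: `kubectl create secret generic gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" … --dry-run=client -o yaml | kubectl apply -f -`, and likewise for the two `tls` secrets. Separately, the message in the new `if [ $? -eq 0 ]` block reports on the `kubectl wait` pod-readiness check, not on the helm upgrade, and `upgrade successfully` should read `upgraded successfully`.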
@@ -62,23 +122,20 @@ helm --namespace gitlab-workspaces uninstall gitlab-workspaces-proxy --ignore-no helm upgrade --install gitlab-workspaces-proxy \ gitlab-workspaces-proxy/gitlab-workspaces-proxy \ - --version 0.1.14 \ - --namespace=gitlab-workspaces \ - --create-namespace \ - --set="auth.client_id=${CLIENT_ID}" \ - --set="auth.client_secret=${CLIENT_SECRET}" \ - --set="auth.host=${GITLAB_URL}" \ - --set="auth.redirect_uri=${REDIRECT_URI}" \ - --set="auth.signing_key=${SIGNING_KEY}" \ - --set="ingress.host.workspaceDomain=${GITLAB_WORKSPACES_PROXY_DOMAIN}" \ - --set="ingress.host.wildcardDomain=${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" \ - --set="ingress.tls.workspaceDomainCert=$(cat ${WORKSPACES_DOMAIN_CERT})" \ - --set="ingress.tls.workspaceDomainKey=$(cat ${WORKSPACES_DOMAIN_KEY})" \ - --set="ingress.tls.wildcardDomainCert=$(cat ${WILDCARD_DOMAIN_CERT})" \ - --set="ingress.tls.wildcardDomainKey=$(cat ${WILDCARD_DOMAIN_KEY})" \ - --set="ssh.host_key=$(cat ${SSH_HOST_KEY})" \ - --set="ingress.className=nginx" \ - --timeout=600s --wait --wait-for-jobs + --version=0.1.16 \ + --namespace="gitlab-workspaces" \ + --set="ingress.enabled=true" \ + --set="ingress.hosts[0].host=${GITLAB_WORKSPACES_PROXY_DOMAIN}" \ + --set="ingress.hosts[0].paths[0].path=/" \ + --set="ingress.hosts[0].paths[0].pathType=ImplementationSpecific" \ + --set="ingress.hosts[1].host=${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" \ + --set="ingress.hosts[1].paths[0].path=/" \ + --set="ingress.hosts[1].paths[0].pathType=ImplementationSpecific" \ + --set="ingress.tls[0].hosts[0]=${GITLAB_WORKSPACES_PROXY_DOMAIN}" \ + --set="ingress.tls[0].secretName=gitlab-workspace-proxy-tls" \ + --set="ingress.tls[1].hosts[0]=${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" \ + --set="ingress.tls[1].secretName=gitlab-workspace-proxy-wildcard-tls" \ + --set="ingress.className=nginx" kubectl wait pod \ --all \ 
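Review bot: The secret names `gitlab-workspace-proxy-tls` and `gitlab-workspace-proxy-wildcard-tls` appear as literals both in the `kubectl create secret tls` calls of the previous hunk and in the `--set="ingress.tls[0].secretName=…"` / `--set="ingress.tls[1].secretName=…"` values here, so a rename in one place silently breaks the ingress TLS reference. Define them once next to the other exports, `export TLS_SECRET_NAME="gitlab-workspace-proxy-tls"` and `export WILDCARD_TLS_SECRET_NAME="gitlab-workspace-proxy-wildcard-tls"`, and use the variables in both hunks. Both secrets are created from the same mkcert certificate and key, so presumably a single secret referenced by both `ingress.tls` entries would do; worth confirming against the chart's ingress template.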
@@ -86,11 +143,19 @@ kubectl wait pod \ --namespace=gitlab-workspaces \ --timeout=300s +if [ $? -eq 0 ]; then + echo "GitLab Workspaces Proxy helm chart upgrade successfully" +else + echo "GitLab Workspaces Proxy helm chart upgrade failed. Check pod logs for more details." + exit 1 +fi + +# print the configuration secret to verify +echo "Printing the contents of the configuration secret to verify" +kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ + --output go-template='{{range $k, $v := .data}}{{printf "%s: " $k}}{{printf "%s" $v | base64decode}}{{"\n"}}{{end}}' + # cleanup rm "${SSH_HOST_KEY}" \ - "${WORKSPACES_DOMAIN_CERT}" \ - "${WORKSPACES_DOMAIN_KEY}" \ - "${WILDCARD_DOMAIN_CERT}" \ - "${WILDCARD_DOMAIN_KEY}" || true - -kubectl -n gitlab-workspaces get secret gitlab-workspaces-proxy -o=go-template='{{index .data "config.yaml"}}' | base64 -d + "${ROOT_DIR}/workspaces.localdev.me+1.pem" \ + "${ROOT_DIR}/workspaces.localdev.me+1-key.pem" || true -- GitLab From 4623e72d7989ad545c7bc0b365810ff24120eafa Mon Sep 17 00:00:00 2001 From: Vishal Tak Date: Fri, 18 Oct 2024 19:33:02 +0530 Subject: [PATCH 2/6] Fix typo --- scripts/remote_development/workspaces_kubernetes_setup.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/remote_development/workspaces_kubernetes_setup.sh b/scripts/remote_development/workspaces_kubernetes_setup.sh index 60c5615791f917..ba4c12f4b3a932 100755 --- a/scripts/remote_development/workspaces_kubernetes_setup.sh +++ b/scripts/remote_development/workspaces_kubernetes_setup.sh 
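Review bot: The new `kubectl get secret gitlab-workspaces-proxy-config … base64decode` block decodes every key of the secret to stdout, so the OAuth client secret, the signing key and the SSH host private key (`ssh.host_key`) end up in terminal scrollback and in any log that captures this script's output. The removed `config.yaml | base64 -d` line had the same effect, so this is the moment to drop the behaviour rather than carry it over. Listing the key names is enough to confirm the secret is populated: `--output go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'`, or `kubectl describe secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces"`, which prints names and byte sizes only.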
@@ -8,27 +8,27 @@ # $CLIENT_SECRET - OAuth Client Secret used in GitLab Workspaces Proxy. if [ -z "${CLIENT_ID}" ]; then - echo "\CLIENT_ID is not explicitly set. Trying to fetch the value from existing helm release" + echo "CLIENT_ID is not explicitly set. Trying to fetch the value from existing helm release" CLIENT_ID=$( kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ --output go-template='{{ index .data "auth.client_id" | base64decode }}' ) if [ -z "${CLIENT_ID}" ]; then echo "Unable to fetch the value from existing helm release" - echo "\CLIENT_ID is required to be set." + echo "CLIENT_ID is required to be set." exit 1 fi fi if [ -z "${CLIENT_SECRET}" ]; then - echo "\CLIENT_SECRET is not explicitly set. Trying to fetch the value from existing helm release" + echo "CLIENT_SECRET is not explicitly set. Trying to fetch the value from existing helm release" CLIENT_SECRET=$( kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ --output go-template='{{ index .data "auth.client_secret" | base64decode }}' ) if [ -z "${CLIENT_SECRET}" ]; then echo "Unable to fetch the value from existing helm release" - echo "\CLIENT_SECRET is required to be set." + echo "CLIENT_SECRET is required to be set." exit 1 fi fi -- GitLab From 095e04987f4770d1a3add2de2516fd29168ef154 Mon Sep 17 00:00:00 2001 From: Vishal Tak Date: Fri, 18 Oct 2024 22:00:15 +0530 Subject: [PATCH 3/6] Fix identations --- .../workspaces_kubernetes_setup.sh | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/scripts/remote_development/workspaces_kubernetes_setup.sh b/scripts/remote_development/workspaces_kubernetes_setup.sh index ba4c12f4b3a932..00833cb809b8c0 100755 --- a/scripts/remote_development/workspaces_kubernetes_setup.sh +++ b/scripts/remote_development/workspaces_kubernetes_setup.sh 
@@ -8,28 +8,28 @@ # $CLIENT_SECRET - OAuth Client Secret used in GitLab Workspaces Proxy. if [ -z "${CLIENT_ID}" ]; then - echo "CLIENT_ID is not explicitly set. Trying to fetch the value from existing helm release" - CLIENT_ID=$( - kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ - --output go-template='{{ index .data "auth.client_id" | base64decode }}' - ) + echo "CLIENT_ID is not explicitly set. Trying to fetch the value from existing helm release" + CLIENT_ID=$( + kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ + --output go-template='{{ index .data "auth.client_id" | base64decode }}' + ) if [ -z "${CLIENT_ID}" ]; then echo "Unable to fetch the value from existing helm release" echo "CLIENT_ID is required to be set." - exit 1 + exit 1 fi fi if [ -z "${CLIENT_SECRET}" ]; then - echo "CLIENT_SECRET is not explicitly set. Trying to fetch the value from existing helm release" - CLIENT_SECRET=$( - kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ - --output go-template='{{ index .data "auth.client_secret" | base64decode }}' - ) + echo "CLIENT_SECRET is not explicitly set. Trying to fetch the value from existing helm release" + CLIENT_SECRET=$( + kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ + --output go-template='{{ index .data "auth.client_secret" | base64decode }}' + ) if [ -z "${CLIENT_SECRET}" ]; then echo "Unable to fetch the value from existing helm release" echo "CLIENT_SECRET is required to be set." - exit 1 + exit 1 fi fi -- GitLab From d47264151d74da32e6a56d33e5dead0deba2a065 Mon Sep 17 00:00:00 2001 From: Vishal Tak Date: Fri, 18 Oct 2024 22:24:46 +0530 Subject: [PATCH 4/6] Update directory --- scripts/remote_development/workspaces_kubernetes_setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/scripts/remote_development/workspaces_kubernetes_setup.sh b/scripts/remote_development/workspaces_kubernetes_setup.sh index 00833cb809b8c0..e68ac9db777272 100755 --- a/scripts/remote_development/workspaces_kubernetes_setup.sh +++ b/scripts/remote_development/workspaces_kubernetes_setup.sh @@ -33,7 +33,7 @@ if [ -z "${CLIENT_SECRET}" ]; then fi fi -ROOT_DIR="${HOME}/gitlab-workspaces-proxy" +ROOT_DIR="${HOME}/.gitlab-workspaces-proxy" mkdir -p ${ROOT_DIR} # install ingress-nginx -- GitLab From 9399e9024576ed7921a0aedb009251935705ae15 Mon Sep 17 00:00:00 2001 From: Vishal Tak Date: Sun, 20 Oct 2024 12:38:38 +0530 Subject: [PATCH 5/6] Fix shellcheck warnings --- .../workspaces_kubernetes_setup.sh | 25 ++++++++++++++----- 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/scripts/remote_development/workspaces_kubernetes_setup.sh b/scripts/remote_development/workspaces_kubernetes_setup.sh index e68ac9db777272..98870a49691118 100755 --- a/scripts/remote_development/workspaces_kubernetes_setup.sh +++ b/scripts/remote_development/workspaces_kubernetes_setup.sh @@ -6,6 +6,16 @@ # It uses the following environment variables # $CLIENT_ID - OAuth Client ID used in GitLab Workspaces Proxy. # $CLIENT_SECRET - OAuth Client Secret used in GitLab Workspaces Proxy. +# +# If this is the first time this script in being run in the Kubernetes cluster, you need to export the environment +# variables listed above. Use the following command: +# +# CLIENT_ID="UPDATE_ME" CLIENT_SECRET="UPDATE_ME" ./scripts/remote_development/workspaces_kubernetes_setup.sh +# +# Any subsequent invocation would fetch the value from the previous helm release and thus there is no need to export +# the environment variables listed above. Use the following command: +# +# ./scripts/remote_development/workspaces_kubernetes_setup.sh if [ -z "${CLIENT_ID}" ]; then echo "CLIENT_ID is not explicitly set. Trying to fetch the value from existing helm release" 
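Review bot: The added header comment has a typo, `this script in being run` should be `this script is being run`. The usage example `CLIENT_ID="UPDATE_ME" CLIENT_SECRET="UPDATE_ME" ./scripts/…` puts the OAuth client secret on an interactive command line, where it is typically recorded in the shell history; a remark such as `# Export CLIENT_SECRET from an uncommitted env file instead of typing it on the command line, so it does not land in shell history` would steer readers to the safer form.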
@@ -34,7 +44,7 @@ if [ -z "${CLIENT_SECRET}" ]; then fi ROOT_DIR="${HOME}/.gitlab-workspaces-proxy" -mkdir -p ${ROOT_DIR} +mkdir -p "${ROOT_DIR}" # install ingress-nginx helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx --force-update @@ -54,6 +64,7 @@ kubectl wait pod \ --namespace=ingress-nginx \ --timeout=300s +# shellcheck disable=SC2181 # Better readability by checking exit code indirectly. if [ $? -eq 0 ]; then echo "Ingress Nginx helm chart upgrade successfully" else @@ -70,7 +81,7 @@ export GITLAB_URL="http://gdk.test:3000" export SIGNING_KEY="a_random_key_consisting_of_letters_numbers_and_special_chars" # install self-signed certs -rm "${ROOT_DIR}/workspaces.localdev.me+1.pem" "${ROOT_DIR}/workspaces.localdev.me+1-key.pem" || true +rm -f "${ROOT_DIR}/workspaces.localdev.me+1.pem" "${ROOT_DIR}/workspaces.localdev.me+1-key.pem" mkcert -install mkcert \ --cert-file="${ROOT_DIR}/workspaces.localdev.me+1.pem" \ @@ -78,7 +89,7 @@ mkcert \ "${GITLAB_WORKSPACES_PROXY_DOMAIN}" "${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" # generate ssh host key -rm $SSH_HOST_KEY || true +rm -f "${SSH_HOST_KEY}" ssh-keygen -f "${ROOT_DIR}/gitlab-workspaces-proxy-ssh-host-key" -N '' -t rsa # create kubernetes secrets required by the gitlab-workspaces-proxy helm chart @@ -98,7 +109,7 @@ kubectl create secret generic gitlab-workspaces-proxy-config \ --from-literal="auth.host=${GITLAB_URL}" \ --from-literal="auth.redirect_uri=${REDIRECT_URI}" \ --from-literal="auth.signing_key=${SIGNING_KEY}" \ - --from-literal="ssh.host_key=$(cat ${SSH_HOST_KEY})" + --from-literal="ssh.host_key=$(cat "${SSH_HOST_KEY}")" kubectl delete secret gitlab-workspace-proxy-tls --namespace="gitlab-workspaces" || true kubectl create secret tls gitlab-workspace-proxy-tls \ 
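Review bot: The `# shellcheck disable=SC2181` directive in the `@@ -54,6 +64,7 @@` hunk silences the warning rather than fixing the fragility it points at: `if [ $? -eq 0 ]` tests whatever command ran last, so any line later inserted between `kubectl wait pod …` and the `if` (a log message, a variable assignment) silently changes what is checked. Put the command in the condition instead, `if kubectl wait pod … --namespace=ingress-nginx --timeout=300s; then`, and drop the directive; the same applies to the second `SC2181` hunk in the next diff line, and the `kubectl wait pod` command itself starts outside both hunks. In the `@@ -78,7 +89,7 @@` hunk, `ssh-keygen -f "${ROOT_DIR}/gitlab-workspaces-proxy-ssh-host-key"` spells out the path that `SSH_HOST_KEY` already holds and that the preceding `rm -f "${SSH_HOST_KEY}"` uses; `ssh-keygen -f "${SSH_HOST_KEY}" -N '' -t rsa` keeps the two in step.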
@@ -143,6 +154,7 @@ kubectl wait pod \ --namespace=gitlab-workspaces \ --timeout=300s +# shellcheck disable=SC2181 # Better readability by checking exit code indirectly. if [ $? -eq 0 ]; then echo "GitLab Workspaces Proxy helm chart upgrade successfully" else @@ -152,10 +164,11 @@ fi # print the configuration secret to verify echo "Printing the contents of the configuration secret to verify" +# shellcheck disable=SC2016 # The expression in the go template do not have to be expanded. kubectl get secret gitlab-workspaces-proxy-config --namespace="gitlab-workspaces" \ --output go-template='{{range $k, $v := .data}}{{printf "%s: " $k}}{{printf "%s" $v | base64decode}}{{"\n"}}{{end}}' # cleanup -rm "${SSH_HOST_KEY}" \ +rm -f "${SSH_HOST_KEY}" \ "${ROOT_DIR}/workspaces.localdev.me+1.pem" \ - "${ROOT_DIR}/workspaces.localdev.me+1-key.pem" || true + "${ROOT_DIR}/workspaces.localdev.me+1-key.pem" -- GitLab From 03121b7c21cb66db05203019f4be6aef39416b00 Mon Sep 17 00:00:00 2001 From: Vishal Tak Date: Mon, 21 Oct 2024 10:39:45 +0530 Subject: [PATCH 6/6] Add helm upgrade timeout which was removed --- scripts/remote_development/workspaces_kubernetes_setup.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/remote_development/workspaces_kubernetes_setup.sh b/scripts/remote_development/workspaces_kubernetes_setup.sh index 98870a49691118..9c80ee5649d79a 100755 --- a/scripts/remote_development/workspaces_kubernetes_setup.sh +++ b/scripts/remote_development/workspaces_kubernetes_setup.sh @@ -146,7 +146,8 @@ helm upgrade --install gitlab-workspaces-proxy \ --set="ingress.tls[0].secretName=gitlab-workspace-proxy-tls" \ --set="ingress.tls[1].hosts[0]=${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" \ --set="ingress.tls[1].secretName=gitlab-workspace-proxy-wildcard-tls" \ - --set="ingress.className=nginx" + --set="ingress.className=nginx" \ + --timeout=600s --wait --wait-for-jobs kubectl wait pod \ --all \ -- GitLab
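Review bot: The `rm -f` cleanup at the end of the `@@ -152,10 +164,11 @@` hunk only runs on the success path; the `exit 1` after the proxy `kubectl wait` check in the hunk above it leaves the freshly generated SSH host private key and the mkcert key file in `${ROOT_DIR}` until the next run. Registering the cleanup once, right after the `SSH_HOST_KEY` export, with `trap 'rm -f "${SSH_HOST_KEY}" "${ROOT_DIR}/workspaces.localdev.me+1.pem" "${ROOT_DIR}/workspaces.localdev.me+1-key.pem"' EXIT` covers every exit path and lets the trailing `rm -f` go; that export line is outside this hunk. The `# shellcheck disable=SC2016` line is right as written, since `$k`/`$v` are Go template variables that must reach kubectl unexpanded.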