From 9f8fea7ffa4f20335d6f8ce6771fd8f874183517 Mon Sep 17 00:00:00 2001
From: Vishal Tak
Date: Mon, 28 Apr 2025 16:55:59 +0530
Subject: [PATCH 1/2] Update workspaces config to apply when shared_namespace is set

When shared namespace is set in the associated agent config,
- Use explicily pod selectors to target the workspace pods for network policy
- Do not generate resource quota as it applies to an entire namespace
---
 .../output/config_values_extractor.rb | 15 ++--
 .../output/desired_config_generator.rb | 20 +++++-
 .../output/config_values_extractor_spec.rb | 68 +++++++++++++++++--
 .../output/desired_config_generator_spec.rb | 33 ++++++++-
 .../remote_development_shared_contexts.rb | 27 ++++++--
 5 files changed, 140 insertions(+), 23 deletions(-)

diff --git a/ee/lib/remote_development/workspace_operations/reconcile/output/config_values_extractor.rb b/ee/lib/remote_development/workspace_operations/reconcile/output/config_values_extractor.rb
index 39735a3ee777e2..9cfe4d60aa6fff 100644
--- a/ee/lib/remote_development/workspace_operations/reconcile/output/config_values_extractor.rb
+++ b/ee/lib/remote_development/workspace_operations/reconcile/output/config_values_extractor.rb
@@ -32,6 +32,8 @@ def self.extract(workspace:)
 default_resources_per_workspace_container =
 deep_sort_and_symbolize_hashes(workspaces_agent_config.default_resources_per_workspace_container)
 
+ shared_namespace = workspaces_agent_config.shared_namespace
+
 extra_annotations = {
 "workspaces.gitlab.com/host-template": domain_template.to_s,
 "workspaces.gitlab.com/id": workspace.id.to_s,
@@ -42,6 +44,11 @@ def self.extract(workspace:)
 agent_annotations = workspaces_agent_config.annotations
 common_annotations = agent_annotations.merge(extra_annotations)
 
+ agent_labels = workspaces_agent_config.labels
+ labels = agent_labels.merge({ "agent.gitlab.com/id": workspace.agent.id.to_s })
+ # TODO: Unconditionally add this label in https://gitlab.com/gitlab-org/gitlab/-/issues/535197
+ labels["workspaces.gitlab.com/id"] = workspace.id.to_s if shared_namespace.present?
+
 workspace_inventory_name = "#{workspace_name}-workspace-inventory"
 secrets_inventory_name = "#{workspace_name}-secrets-inventory"
 scripts_configmap_name = "#{workspace_name}-scripts-configmap"
@@ -59,12 +66,9 @@ def self.extract(workspace:)
 # Update this when a new desired config generator is created for some other reason.
 env_secret_name: "#{workspace_name}-env-var",
 file_secret_name: "#{workspace_name}-file",
- image_pull_secrets: deep_sort_and_symbolize_hashes(workspaces_agent_config.image_pull_secrets),
 gitlab_workspaces_proxy_namespace: workspaces_agent_config.gitlab_workspaces_proxy_namespace,
- labels:
- deep_sort_and_symbolize_hashes(
- workspaces_agent_config.labels.merge({ "agent.gitlab.com/id": workspace.agent.id.to_s })
- ),
+ image_pull_secrets: deep_sort_and_symbolize_hashes(workspaces_agent_config.image_pull_secrets),
+ labels: deep_sort_and_symbolize_hashes(labels),
 max_resources_per_workspace: max_resources_per_workspace,
 network_policy_enabled: workspaces_agent_config.network_policy_enabled,
 network_policy_egress: deep_sort_and_symbolize_hashes(workspaces_agent_config.network_policy_egress),
@@ -76,6 +80,7 @@ def self.extract(workspace:)
 common_annotations.merge("config.k8s.io/owning-inventory": secrets_inventory_name)
 ),
 secrets_inventory_name: secrets_inventory_name,
+ shared_namespace: shared_namespace,
 use_kubernetes_user_namespaces: workspaces_agent_config.use_kubernetes_user_namespaces,
 workspace_inventory_annotations:
 deep_sort_and_symbolize_hashes(
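Review bot: The reserved `workspaces.gitlab.com/id` key is only forced to `workspace.id.to_s` when `shared_namespace` is present, so in the default mode an entry with that key coming from `workspaces_agent_config.labels` passes through the merge untouched and, because `append_network_policy` keys its pod selector on that label's presence, an agent-supplied value would silently decide the NetworkPolicy selector. The assignment also uses a String key while the `agent.gitlab.com/id` merge uses a Symbol key, so `labels` holds mixed key types until `deep_sort_and_symbolize_hashes` runs; presumably symbolization collapses a string/symbol duplicate, but which value wins is not visible here. I would strip the reserved prefix before merging, `agent_labels = workspaces_agent_config.labels.reject { |k, _| k.to_s.start_with?("workspaces.gitlab.com/") }`, and use one key style for both reserved labels. `self.extract` starts and ends outside this hunk.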
diff --git a/ee/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator.rb b/ee/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator.rb
index c0193527feab9e..d05c6edac15000 100644
--- a/ee/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator.rb
+++ b/ee/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator.rb
@@ -32,6 +32,7 @@ def self.generate_desired_config(workspace:, include_all_resources:, logger:)
 scripts_configmap_name: scripts_configmap_name,
 secrets_inventory_annotations: Hash => secrets_inventory_annotations,
 secrets_inventory_name: String => secrets_inventory_name,
+ shared_namespace: String => shared_namespace,
 use_kubernetes_user_namespaces: TrueClass | FalseClass => use_kubernetes_user_namespaces,
 workspace_inventory_annotations: Hash => workspace_inventory_annotations,
 workspace_inventory_name: String => workspace_inventory_name,
@@ -134,7 +135,8 @@ def self.generate_desired_config(workspace:, include_all_resources:, logger:)
 namespace: workspace.namespace,
 labels: labels,
 annotations: workspace_inventory_annotations,
- max_resources_per_workspace: max_resources_per_workspace
+ max_resources_per_workspace: max_resources_per_workspace,
+ shared_namespace: shared_namespace
 )
 
 append_secret(
@@ -325,6 +327,16 @@ def self.append_network_policy(
 )
 end
 
+ # Use the workspace_id as a pod selector if it is present
+ workspace_id = labels.fetch(:"workspaces.gitlab.com/id", nil)
+ pod_selector = {}
+ # TODO: Unconditionally add this pod selector in https://gitlab.com/gitlab-org/gitlab/-/issues/535197
+ if workspace_id.present?
+ pod_selector[:matchLabels] = {
+ "workspaces.gitlab.com/id": workspace_id
+ }
+ end
+
 network_policy = {
 apiVersion: "networking.k8s.io/v1",
 kind: "NetworkPolicy",
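Review bot: `shared_namespace: String => shared_namespace` makes the whole desired-config generation raise a pattern-match error if the extractor ever yields `nil` for this field; the specs on this page only exercise `""` and a namespace name, and nothing visible shows whether the underlying attribute can be null. If it can, either coerce in the extractor (`shared_namespace: workspaces_agent_config.shared_namespace.to_s`) or widen the pattern to `String | NilClass`. `generate_desired_config` starts and ends outside this hunk.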
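Review bot: The pod selector in `append_network_policy` is chosen by whether a `workspaces.gitlab.com/id` label happens to be present in `labels`, not by `shared_namespace`, so the isolation guarantee in a shared namespace rests on a side effect of the extractor rather than on the flag that motivates it, while `append_resource_quota` below takes `shared_namespace:` explicitly. The failure mode is not benign: if the label is missing, `pod_selector` degrades to `{}`, and in a shared namespace an empty `podSelector` applies this workspace's ingress/egress rules to every pod in the namespace. I would pass `shared_namespace:` into this method like the quota path and fail closed, e.g. `workspace_id = shared_namespace.present? ? labels.fetch(:"workspaces.gitlab.com/id") : nil`, so a missing label raises instead of widening the policy. The method's signature is outside this hunk.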
@@ -337,7 +349,7 @@ def self.append_network_policy(
 spec: {
 egress: egress,
 ingress: ingress,
- podSelector: {},
+ podSelector: pod_selector,
 policyTypes: policy_types
 }
 }
@@ -427,9 +439,11 @@ def self.append_resource_quota(
 namespace:,
 labels:,
 annotations:,
- max_resources_per_workspace:
+ max_resources_per_workspace:,
+ shared_namespace:
 )
 return unless max_resources_per_workspace.present?
+ return if shared_namespace.present?
 
 max_resources_per_workspace => {
 limits: {
diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/config_values_extractor_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/config_values_extractor_spec.rb
index db35f2f478f0da..836148371493dc 100644
--- a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/config_values_extractor_spec.rb
+++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/config_values_extractor_spec.rb
@@ -17,8 +17,9 @@
 let_it_be(:include_all_resources) { false }
 let_it_be(:network_policy_enabled) { true }
 let_it_be(:gitlab_workspaces_proxy_namespace) { "gitlab-workspaces" }
- let_it_be(:image_pull_secrets) { [{ namespace: "secret-namespace", name: "secret-name" }] }
+ let_it_be(:image_pull_secrets) { [{ namespace: "default", name: "secret-name" }] }
 let_it_be(:agent_annotations) { { "some/annotation": "value" } }
+ let_it_be(:shared_namespace) { "" }
 let_it_be(:network_policy_egress) do
 [
 {
@@ -37,7 +38,6 @@
 limits: {
 memory: "786Mi",
 cpu: "1.5"
- }
 }
 end
 
@@ -51,7 +51,6 @@
 limits: {
 memory: "700Mi",
 cpu: "1.0"
- }
 }
 end
 
@@ -68,7 +67,8 @@
 max_resources_per_workspace: max_resources_per_workspace.deep_stringify_keys,
 labels: labels.deep_stringify_keys,
 annotations: agent_annotations.deep_stringify_keys,
- network_policy_egress: network_policy_egress.map(&:deep_stringify_keys)
+ network_policy_egress: network_policy_egress.map(&:deep_stringify_keys),
+ shared_namespace: shared_namespace
 )
 agent.reload
 config
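Review bot: `return if shared_namespace.present?` in `append_resource_quota` silently drops the per-workspace cap: the agent config still declares `max_resources_per_workspace`, the `workspaces.gitlab.com/max-resources-per-workspace-sha256` annotation is still stamped on every object (the shared-namespace golden master later on this page shows it), yet nothing in the emitted config bounds the workspace. Skipping the ResourceQuota is the right call since it is namespace-scoped, but the reason and the consequence should be stated at the early return, e.g. `# ResourceQuota is namespace-scoped; in a shared namespace it would cap every workspace collectively, so no per-workspace quota is applied`. Given `generate_desired_config` receives a `logger`, it would also be worth a warning there, or rejecting the `max_resources_per_workspace` + `shared_namespace` combination at config validation, so operators do not assume the limit is enforced. `append_resource_quota` continues outside this hunk.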
@@ -106,8 +106,8 @@ domain_template env_secret_name file_secret_name - image_pull_secrets gitlab_workspaces_proxy_namespace + image_pull_secrets labels max_resources_per_workspace network_policy_enabled @@ -117,6 +117,7 @@ scripts_configmap_name secrets_inventory_annotations secrets_inventory_name + shared_namespace use_kubernetes_user_namespaces workspace_inventory_annotations workspace_inventory_name @@ -143,7 +144,7 @@ expect(extracted_values[:file_secret_name]).to eq("#{workspace.name}-file") - expect(extracted_values[:image_pull_secrets]).to eq([{ name: "secret-name", namespace: "secret-namespace" }]) + expect(extracted_values[:image_pull_secrets]).to eq([{ name: "secret-name", namespace: "default" }]) expect(extracted_values[:gitlab_workspaces_proxy_namespace]).to eq("gitlab-workspaces") 
@@ -210,4 +211,59 @@ it { is_expected.to eq(expected_replicas) } end end + + describe "devfile_parser_params[:labels]" do + subject(:actual_labels) { extractor.extract(workspace: workspace).fetch(:labels) } + + context "when shared_namespace is not set" do + let(:expected_labels) do + { + "agent.gitlab.com/id": agent.id.to_s, + "other-label": "other-value", + "some-label": "value" + } + end + + it { is_expected.to eq(expected_labels) } + end + + context "when shared_namespace is set" do + let_it_be(:shared_namespace) { "default" } + let_it_be(:workspace_name) { "workspace-name-shared-namespace" } + let_it_be(:agent, reload: true) { create(:ee_cluster_agent) } + let_it_be(:workspaces_agent_config) do + config = create( + :workspaces_agent_config, + agent: agent, + dns_zone: dns_zone, + labels: labels.deep_stringify_keys, + shared_namespace: shared_namespace + ) + agent.reload + config + end + + let_it_be(:workspace) do + workspaces_agent_config + create( + :workspace, + name: workspace_name, + agent: agent, + user: user, + actual_state: actual_state + ) + end + + let(:expected_labels) do + { + "agent.gitlab.com/id": agent.id.to_s, + "other-label": "other-value", + "some-label": "value", + "workspaces.gitlab.com/id": workspace.id.to_s + } + end + + it { is_expected.to eq(expected_labels) } + end + end end diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_spec.rb index 6268f8b8b4e024..ee6e6b582a72c2 100644 --- a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_spec.rb +++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_spec.rb 
@@ -24,6 +24,7 @@ let(:default_resources_per_workspace_container) { {} } let(:image_pull_secrets) { [] } let(:processed_devfile_yaml) { example_processed_devfile_yaml } + let(:shared_namespace) { "" } let(:workspaces_agent_config) do config = create( :workspaces_agent_config, @@ -31,7 +32,8 @@ image_pull_secrets: image_pull_secrets, default_resources_per_workspace_container: default_resources_per_workspace_container, max_resources_per_workspace: max_resources_per_workspace, - network_policy_enabled: network_policy_enabled + network_policy_enabled: network_policy_enabled, + shared_namespace: shared_namespace ) agent.reload config @@ -66,7 +68,8 @@ default_runtime_class: workspace.workspaces_agent_config.default_runtime_class, agent_labels: workspace.workspaces_agent_config.labels.deep_symbolize_keys, agent_annotations: workspace.workspaces_agent_config.annotations.deep_symbolize_keys, - image_pull_secrets: image_pull_secrets.map(&:deep_symbolize_keys) + image_pull_secrets: image_pull_secrets.map(&:deep_symbolize_keys), + shared_namespace: shared_namespace ) end @@ -201,6 +204,32 @@ end end + context 'when shared_namespace is not empty' do + let(:shared_namespace) { "secret-namespace" } + let(:expected_pod_selector_labels) do + { "workspaces.gitlab.com/id": workspace.id.to_s } + end + + it 'returns expected config with no resource quota and explicit pod selector in network policy' do + expect(workspace_resources).to eq(expected_config) + resource_quota = workspace_resources.find { |resource| resource.fetch(:kind) == "ResourceQuota" } + expect(resource_quota).to be_nil + workspace_resources => [ + *_, + { + kind: "NetworkPolicy", + spec: { + podSelector: { + matchLabels: pod_selector_labels, + } + } + }, + *_ + ] + expect(pod_selector_labels).to eq(expected_pod_selector_labels) + end + end + context 'when include_all_resources is true' do let(:include_all_resources) { true } 
diff --git a/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb b/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb index 8295e28be85fa4..0292c267881d81 100644 --- a/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb +++ b/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb @@ -355,6 +355,7 @@ def create_config_to_apply(workspace:, **args) # @param [Array] image_pull_secrets # @param [Boolean] include_scripts_resources # @param [Boolean] legacy_scripts_in_container_command + # @param [String] shared_namespace # @param [Boolean] core_resources_only # @return [Array] def create_config_to_apply_v3( @@ -384,6 +385,7 @@ def create_config_to_apply_v3( image_pull_secrets: [], include_scripts_resources: true, legacy_scripts_in_container_command: false, + shared_namespace: "", core_resources_only: false ) spec_replicas = started ? 1 : 0 @@ -406,10 +408,11 @@ def create_config_to_apply_v3( Gitlab::Utils.deep_sort_hashes( common_annotations.merge({ "config.k8s.io/owning-inventory": "#{workspace.name}-workspace-inventory" }) ).to_h - labels = - Gitlab::Utils.deep_sort_hashes( - agent_labels.merge({ "agent.gitlab.com/id": workspace.agent.id.to_s }) - ).to_h + + labels = agent_labels.merge({ "agent.gitlab.com/id": workspace.agent.id.to_s }) + labels["workspaces.gitlab.com/id"] = workspace.id.to_s if shared_namespace.present? + labels = Gitlab::Utils.deep_sort_hashes(labels).to_h + secrets_inventory_annotations = Gitlab::Utils.deep_sort_hashes( common_annotations.merge({ "config.k8s.io/owning-inventory": "#{workspace.name}-secrets-inventory" }) 
@@ -504,7 +507,7 @@ def create_config_to_apply_v3( } ) - if max_resources_per_workspace.present? + if max_resources_per_workspace.present? && shared_namespace.empty? workspace_resource_quota = workspace_resource_quota( workspace_name: workspace.name, workspace_namespace: workspace.namespace, @@ -533,7 +536,7 @@ def create_config_to_apply_v3( if include_all_resources resources << secrets_inventory_config_map if include_inventory - resources << workspace_resource_quota unless max_resources_per_workspace.blank? + resources << workspace_resource_quota unless max_resources_per_workspace.blank? && shared_namespace.empty? resources << secret_environment resources << secret_file end @@ -1075,6 +1078,16 @@ def workspace_network_policy( { to: [{ ipBlock: { cidr: symbolized_egress_rule[:allow], except: symbolized_egress_rule[:except] } }] } ) end + + # Use the workspace_id as a pod selector if it is present + workspace_id = labels.fetch("workspaces.gitlab.com/id", nil) + pod_selector = {} + if workspace_id.present? + pod_selector[:matchLabels] = { + "workspaces.gitlab.com/id": workspace_id + } + end + { apiVersion: "networking.k8s.io/v1", kind: "NetworkPolicy", @@ -1104,7 +1117,7 @@ def workspace_network_policy( ] } ], - podSelector: {}, + podSelector: pod_selector, policyTypes: %w[Ingress Egress] } } -- GitLab From dfe34f4fedfa7392c3cafb742cf5f1d292a98591 Mon Sep 17 00:00:00 2001 From: Vishal Tak Date: Tue, 29 Apr 2025 14:09:08 +0530 Subject: [PATCH 2/2] Add golden master spec when shared namespace is set --- ...red_config_generator_golden_master_spec.rb | 1137 ++++++++++++++++- 1 file changed, 1135 insertions(+), 2 deletions(-) diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_golden_master_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_golden_master_spec.rb index cb3a90391bd846..395bb577d52f72 100644 
--- a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_golden_master_spec.rb +++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_golden_master_spec.rb @@ -48,6 +48,8 @@ let(:image_pull_secret_stringified) { { "name" => "registry-secret", "namespace" => "default" } } let(:image_pull_secret_symbolized) { { name: "registry-secret", namespace: "default" } } let(:image_pull_secret) { image_pull_secret_stringified } + let(:shared_namespace) { "" } + let(:workspace_namespace) { "gl-rd-ns-991-990-fedcba" } let(:workspaces_agent_config) do instance_double( @@ -73,7 +75,8 @@ } ], gitlab_workspaces_proxy_namespace: "gitlab-workspaces", - dns_zone: "workspaces.localdev.me" + dns_zone: "workspaces.localdev.me", + shared_namespace: shared_namespace ) end @@ -86,7 +89,7 @@ agent: agent, workspaces_agent_config: workspaces_agent_config, name: "workspace-991-990-fedcba", - namespace: "gl-rd-ns-991-990-fedcba", + namespace: workspace_namespace, desired_state_running?: desired_state_running, desired_state_terminated?: desired_state_terminated, actual_state: 'Running', @@ -142,6 +145,16 @@ let(:golden_master_desired_config) { golden_master_desired_config_with_desired_state_terminated } it_behaves_like "generated desired_config golden master checks" + + context "with shared namespace set" do + let(:shared_namespace) { "default" } + let(:workspace_namespace) { shared_namespace } + let(:golden_master_desired_config) do + golden_master_desired_config_for_shared_namespace_with_desired_state_terminated + end + + it_behaves_like "generated desired_config golden master checks" + end end context "when include_all_resources is true" do 
@@ -160,6 +173,16 @@ it_behaves_like "generated desired_config golden master checks" end + + context "with shared namespace set" do + let(:shared_namespace) { "default" } + let(:workspace_namespace) { shared_namespace } + let(:golden_master_desired_config) do + golden_master_desired_config_for_shared_namespace_with_include_all_resources_true + end + + it_behaves_like "generated desired_config golden master checks" + end end context "when include_all_resources is false" do @@ -169,6 +192,16 @@ let(:golden_master_desired_config) { golden_master_desired_config_with_include_all_resources_false } it_behaves_like "generated desired_config golden master checks" + + context "with shared namespace set" do + let(:shared_namespace) { "default" } + let(:workspace_namespace) { shared_namespace } + let(:golden_master_desired_config) do + golden_master_desired_config_for_shared_namespace_with_include_all_resources_false + end + + it_behaves_like "generated desired_config golden master checks" + end end # @return [String] 
@@ -1917,5 +1950,1105 @@ def golden_master_desired_config_from_legacy_devfile_with_no_poststart_and_with_ ] end + # @return [Array] + def golden_master_desired_config_for_shared_namespace_with_desired_state_terminated + [ + { + apiVersion: "v1", + kind: "ConfigMap", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "cli-utils.sigs.k8s.io/inventory-id": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-workspace-inventory", + namespace: "default" + } + }, + { + apiVersion: "v1", + kind: "ConfigMap", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "cli-utils.sigs.k8s.io/inventory-id": "workspace-991-990-fedcba-secrets-inventory", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-secrets-inventory", + namespace: "default" + } + } + ] + end + + # @return [Array] + def golden_master_desired_config_for_shared_namespace_with_include_all_resources_true + [ + { + apiVersion: "v1", + kind: "ConfigMap", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + 
"workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "cli-utils.sigs.k8s.io/inventory-id": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-workspace-inventory", + namespace: "default" + } + }, + { + apiVersion: "apps/v1", + kind: "Deployment", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + creationTimestamp: nil, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba", + namespace: "default" + }, + spec: { + replicas: 1, + selector: { + matchLabels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + } + }, + strategy: { + type: "Recreate" + }, + template: { + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + creationTimestamp: nil, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" 
+ }, + name: "workspace-991-990-fedcba", + namespace: "default" + }, + spec: + { + containers: [ + { + args: [ + "echo 'tooling container args'" + ], + command: [ + "/bin/sh", + "-c" + ], + env: [ + { + name: "GL_ENV_NAME", + value: "gl-env-value" + }, + { + name: "PROJECTS_ROOT", + value: "/projects" + }, + { + name: "PROJECT_SOURCE", + value: "/projects" + } + ], + envFrom: [ + { + secretRef: { + name: "workspace-991-990-fedcba-env-var" + } + } + ], + image: "quay.io/mloriedo/universal-developer-image:ubi8-dw-demo", + imagePullPolicy: "Always", + name: "tooling-container", + ports: [ + { + containerPort: 60001, + name: "server", + protocol: "TCP" + } + ], + resources: { + limits: { + cpu: "1", + memory: "1Gi" + }, + requests: { + cpu: "0.5", + memory: "512Mi" + } + }, + securityContext: { + allowPrivilegeEscalation: false, + privileged: false, + runAsNonRoot: true, + runAsUser: 5001 + }, + volumeMounts: [ + { + mountPath: "/projects", + name: "gl-workspace-data" + }, + { + mountPath: "/.workspace-data/variables/file", + name: "gl-workspace-variables" + }, + { + name: "gl-workspace-scripts", + mountPath: "/workspace-scripts" + } + ], + lifecycle: { + postStart: { + exec: { + command: [ + "/bin/sh", + "-c", + "mkdir -p \"${GL_WORKSPACE_LOGS_DIR}\"\nln -sf \"${GL_WORKSPACE_LOGS_DIR}\" /tmp\n\"/workspace-scripts/gl-run-poststart-commands.sh\" 1>>\"${GL_WORKSPACE_LOGS_DIR}/poststart-stdout.log\" 2>>\"${GL_WORKSPACE_LOGS_DIR}/poststart-stderr.log\" &\n" + ] + } + } + } + } + ], + initContainers: [ + { + args: [ + "echo 'project cloner container args'" + ], + command: [ + "/bin/sh", + "-c" + ], + env: [ + { + name: "PROJECTS_ROOT", + value: "/projects" + }, + { + name: "PROJECT_SOURCE", + value: "/projects" + } + ], + envFrom: [ + { + secretRef: { + name: "workspace-991-990-fedcba-env-var" + } + } + ], + image: "alpine/git:2.45.2", + imagePullPolicy: "Always", + name: "gl-project-cloner-gl-project-cloner-command-1", + resources: { + limits: { + cpu: "500m", + memory: 
"1000Mi" + }, + requests: { + cpu: "100m", + memory: "500Mi" + } + }, + securityContext: { + allowPrivilegeEscalation: false, + privileged: false, + runAsNonRoot: true, + runAsUser: 5001 + }, + volumeMounts: [ + { + mountPath: "/projects", + name: "gl-workspace-data" + }, + { + mountPath: "/.workspace-data/variables/file", + name: "gl-workspace-variables" + } + ] + } + ], + runtimeClassName: "standard", + securityContext: { + fsGroup: 0, + fsGroupChangePolicy: "OnRootMismatch", + runAsNonRoot: true, + runAsUser: 5001 + }, + serviceAccountName: "workspace-991-990-fedcba", + volumes: [ + { + name: "gl-workspace-data", + persistentVolumeClaim: { + claimName: "workspace-991-990-fedcba-gl-workspace-data" + } + }, + { + name: "gl-workspace-variables", + projected: { + defaultMode: 0o774, + sources: [ + { + secret: { + name: "workspace-991-990-fedcba-file" + } + } + ] + } + }, + { + name: "gl-workspace-scripts", + projected: { + defaultMode: 0o555, + sources: [ + { + configMap: { + name: "workspace-991-990-fedcba-scripts-configmap" + } + } + ] + } + } + ] + } + } + }, + status: {} + }, + { + apiVersion: "v1", + kind: "Service", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + creationTimestamp: nil, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba", + namespace: "default" + }, + spec: { + ports: [ + { + name: "server", + port: 60001, + targetPort: 60001 + } + ], + selector: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + 
"workspaces.gitlab.com/id": "993" + } + }, + status: { + loadBalancer: {} + } + }, + { + apiVersion: "v1", + kind: "PersistentVolumeClaim", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + creationTimestamp: nil, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-gl-workspace-data", + namespace: "default" + }, + spec: { + accessModes: [ + "ReadWriteOnce" + ], + resources: { + requests: { + storage: "50Gi" + } + } + }, + status: {} + }, + { + apiVersion: "v1", + automountServiceAccountToken: false, + imagePullSecrets: [ + { + name: "registry-secret" + } + ], + kind: "ServiceAccount", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba", + namespace: "default" + } + }, + { + apiVersion: "networking.k8s.io/v1", + kind: "NetworkPolicy", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + 
"workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba", + namespace: "default" + }, + spec: { + egress: [ + { + ports: [ + { + port: 53, + protocol: "TCP" + }, + { + port: 53, + protocol: "UDP" + } + ], + to: [ + { + namespaceSelector: { + matchLabels: { + "kubernetes.io/metadata.name": "kube-system" + } + } + } + ] + }, + { + to: [ + { + ipBlock: { + cidr: "0.0.0.0/0", + except: [ + "10.0.0.0/8", + "172.16.0.0/12", + "192.168.0.0/16" + ] + } + } + ] + } + ], + ingress: [ + { + from: [ + { + namespaceSelector: { + matchLabels: { + "kubernetes.io/metadata.name": "gitlab-workspaces" + } + }, + podSelector: { + matchLabels: { + "app.kubernetes.io/name": "gitlab-workspaces-proxy" + } + } + } + ] + } + ], + podSelector: { + matchLabels: { + "workspaces.gitlab.com/id": "993" + } + }, + policyTypes: [ + "Ingress", + "Egress" + ] + } + }, + { + apiVersion: "v1", + kind: "ConfigMap", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-scripts-configmap", + namespace: "default" + }, + data: { + "gl-run-poststart-commands.sh": "#!/bin/sh\necho \"$(date -Iseconds): 
Running /workspace-scripts/gl-example-tooling-container-internal-command...\"\n/workspace-scripts/gl-example-tooling-container-internal-command || true\n", + "gl-example-tooling-container-internal-command": "echo 'example tooling container internal command'" + } + }, + { + apiVersion: "v1", + kind: "ConfigMap", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "cli-utils.sigs.k8s.io/inventory-id": "workspace-991-990-fedcba-secrets-inventory", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-secrets-inventory", + namespace: "default" + } + }, + { + apiVersion: "v1", + data: { + ENV_VAR1: "ZW52LXZhci12YWx1ZTE=" + }, + kind: "Secret", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-secrets-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-env-var", + namespace: "default" + } + }, + { + apiVersion: "v1", + data: { + FILE_VAR1: "ZmlsZS12YXItdmFsdWUx", + "gl_workspace_reconciled_actual_state.txt": "UnVubmluZw==" + }, + kind: "Secret", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": 
"workspace-991-990-fedcba-secrets-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-file", + namespace: "default" + } + } + ] + end + + # @return [Array] + def golden_master_desired_config_for_shared_namespace_with_include_all_resources_false + [ + { + apiVersion: "v1", + kind: "ConfigMap", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "cli-utils.sigs.k8s.io/inventory-id": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-workspace-inventory", + namespace: "default" + } + }, + { + apiVersion: "apps/v1", + kind: "Deployment", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + creationTimestamp: nil, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + 
name: "workspace-991-990-fedcba", + namespace: "default" + }, + spec: { + replicas: 1, + selector: { + matchLabels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + } + }, + strategy: { + type: "Recreate" + }, + template: { + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + creationTimestamp: nil, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba", + namespace: "default" + }, + spec: + { + containers: [ + { + args: [ + "echo 'tooling container args'" + ], + command: [ + "/bin/sh", + "-c" + ], + env: [ + { + name: "GL_ENV_NAME", + value: "gl-env-value" + }, + { + name: "PROJECTS_ROOT", + value: "/projects" + }, + { + name: "PROJECT_SOURCE", + value: "/projects" + } + ], + envFrom: [ + { + secretRef: { + name: "workspace-991-990-fedcba-env-var" + } + } + ], + image: "quay.io/mloriedo/universal-developer-image:ubi8-dw-demo", + imagePullPolicy: "Always", + name: "tooling-container", + ports: [ + { + containerPort: 60001, + name: "server", + protocol: "TCP" + } + ], + resources: { + limits: { + cpu: "1", + memory: "1Gi" + }, + requests: { + cpu: "0.5", + memory: "512Mi" + } + }, + securityContext: { + allowPrivilegeEscalation: false, + privileged: false, + runAsNonRoot: true, + runAsUser: 5001 + }, + volumeMounts: [ + { + mountPath: "/projects", + name: "gl-workspace-data" + }, + { + mountPath: "/.workspace-data/variables/file", + name: "gl-workspace-variables" + }, + { + name: "gl-workspace-scripts", + 
mountPath: "/workspace-scripts" + } + ], + lifecycle: { + postStart: { + exec: { + command: [ + "/bin/sh", + "-c", + "mkdir -p \"${GL_WORKSPACE_LOGS_DIR}\"\nln -sf \"${GL_WORKSPACE_LOGS_DIR}\" /tmp\n\"/workspace-scripts/gl-run-poststart-commands.sh\" 1>>\"${GL_WORKSPACE_LOGS_DIR}/poststart-stdout.log\" 2>>\"${GL_WORKSPACE_LOGS_DIR}/poststart-stderr.log\" &\n" + ] + } + } + } + } + ], + initContainers: [ + { + args: [ + "echo 'project cloner container args'" + ], + command: [ + "/bin/sh", + "-c" + ], + env: [ + { + name: "PROJECTS_ROOT", + value: "/projects" + }, + { + name: "PROJECT_SOURCE", + value: "/projects" + } + ], + envFrom: [ + { + secretRef: { + name: "workspace-991-990-fedcba-env-var" + } + } + ], + image: "alpine/git:2.45.2", + imagePullPolicy: "Always", + name: "gl-project-cloner-gl-project-cloner-command-1", + resources: { + limits: { + cpu: "500m", + memory: "1000Mi" + }, + requests: { + cpu: "100m", + memory: "500Mi" + } + }, + securityContext: { + allowPrivilegeEscalation: false, + privileged: false, + runAsNonRoot: true, + runAsUser: 5001 + }, + volumeMounts: [ + { + mountPath: "/projects", + name: "gl-workspace-data" + }, + { + mountPath: "/.workspace-data/variables/file", + name: "gl-workspace-variables" + } + ] + } + ], + runtimeClassName: "standard", + securityContext: { + fsGroup: 0, + fsGroupChangePolicy: "OnRootMismatch", + runAsNonRoot: true, + runAsUser: 5001 + }, + serviceAccountName: "workspace-991-990-fedcba", + volumes: [ + { + name: "gl-workspace-data", + persistentVolumeClaim: { + claimName: "workspace-991-990-fedcba-gl-workspace-data" + } + }, + { + name: "gl-workspace-variables", + projected: { + defaultMode: 0o774, + sources: [ + { + secret: { + name: "workspace-991-990-fedcba-file" + } + } + ] + } + }, + { + name: "gl-workspace-scripts", + projected: { + defaultMode: 0o555, + sources: [ + { + configMap: { + name: "workspace-991-990-fedcba-scripts-configmap" + } + } + ] + } + } + ] + } + } + }, + status: {} + }, + { + apiVersion: 
"v1", + kind: "Service", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + creationTimestamp: nil, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba", + namespace: "default" + }, + spec: { + ports: [ + { + name: "server", + port: 60001, + targetPort: 60001 + } + ], + selector: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + } + }, + status: { + loadBalancer: {} + } + }, + { + apiVersion: "v1", + kind: "PersistentVolumeClaim", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + creationTimestamp: nil, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-gl-workspace-data", + namespace: "default" + }, + spec: { + accessModes: [ + "ReadWriteOnce" + ], + resources: { + requests: { + storage: "50Gi" + } + } + }, + status: {} + }, + { + apiVersion: "v1", + automountServiceAccountToken: false, + imagePullSecrets: [ + { + name: "registry-secret" + } + ], + kind: "ServiceAccount", + metadata: { + annotations: { + 
environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba", + namespace: "default" + } + }, + { + apiVersion: "networking.k8s.io/v1", + kind: "NetworkPolicy", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba", + namespace: "default" + }, + spec: { + egress: [ + { + ports: [ + { + port: 53, + protocol: "TCP" + }, + { + port: 53, + protocol: "UDP" + } + ], + to: [ + { + namespaceSelector: { + matchLabels: { + "kubernetes.io/metadata.name": "kube-system" + } + } + } + ] + }, + { + to: [ + { + ipBlock: { + cidr: "0.0.0.0/0", + except: [ + "10.0.0.0/8", + "172.16.0.0/12", + "192.168.0.0/16" + ] + } + } + ] + } + ], + ingress: [ + { + from: [ + { + namespaceSelector: { + matchLabels: { + "kubernetes.io/metadata.name": "gitlab-workspaces" + } + }, + podSelector: { + matchLabels: { + "app.kubernetes.io/name": "gitlab-workspaces-proxy" + } + } + } + ] + } + ], + podSelector: { + matchLabels: { + "workspaces.gitlab.com/id": "993" + 
} + }, + policyTypes: [ + "Ingress", + "Egress" + ] + } + }, + { + apiVersion: "v1", + kind: "ConfigMap", + metadata: { + annotations: { + environment: "production", + team: "engineering", + "config.k8s.io/owning-inventory": "workspace-991-990-fedcba-workspace-inventory", + "workspaces.gitlab.com/host-template": "{{.port}}-workspace-991-990-fedcba.workspaces.localdev.me", + "workspaces.gitlab.com/id": "993", + "workspaces.gitlab.com/max-resources-per-workspace-sha256": "24aefc317e11db538ede450d1773e273966b9801b988d49e1219f2a9bf8e7f66" + }, + labels: { + app: "workspace", + tier: "development", + "agent.gitlab.com/id": "991", + "workspaces.gitlab.com/id": "993" + }, + name: "workspace-991-990-fedcba-scripts-configmap", + namespace: "default" + }, + data: { + "gl-run-poststart-commands.sh": "#!/bin/sh\necho \"$(date -Iseconds): Running /workspace-scripts/gl-example-tooling-container-internal-command...\"\n/workspace-scripts/gl-example-tooling-container-internal-command || true\n", + "gl-example-tooling-container-internal-command": "echo 'example tooling container internal command'" + } + } + ] + end # rubocop:enable Layout/LineLength, Style/WordArray end -- GitLab