Add support for internal ALB and image pull secret

aledbf · aledbf · commit de3715a0539d · 2021-07-27T20:41:58.000-04:00
Signed-off-by: Manuel Alejandro de Brito Fontes &lt;aledbf@gmail.com&gt;
diff --git a/.env.example b/.env.example
@@ -18,3 +18,13 @@ ROUTE53_ZONEID=XXXXXXXXX
 # The name of the S3 bucket where the container images that gitpod creates are stored
 # If there is no value we create a new bucket with the name "container-registry-<cluster name>-<account ID>"
 CONTAINER_REGISTRY_BUCKET=
+
+# Configure the secret name containing the credentials to pull images from private container registries.
+# Please do not forget to create the secret!!!
+# https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+IMAGE_PULL_SECRET=
+
+# Allow to define internal or internet-facing ALB for gitpod proxy component.
+# https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/#scheme
+# https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html#load-balancer-scheme
+USE_INTERNAL_ALB=false
diff --git a/lib/charts/assets/ingress.yaml b/lib/charts/assets/ingress.yaml
@@ -18,7 +18,6 @@ metadata:
     alb.ingress.kubernetes.io/target-node-labels: gitpod.io/workload_workspaces=true
     alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
     alb.ingress.kubernetes.io/backend-protocol: HTTPS
-    alb.ingress.kubernetes.io/scheme: internet-facing
     alb.ingress.kubernetes.io/listen-ports: >-
       [{
         "HTTP": 80
diff --git a/lib/gitpod.ts b/lib/gitpod.ts
@@ -6,6 +6,17 @@ import { Database } from './database';
 import { Registry } from './registry';
 import { importCluster } from './charts/cluster-utils';
 
+var createNestedObject = function (base: any, names: any, value: any) {
+    var lastName = arguments.length === 3 ? names.pop() : false;
+    for (var i = 0; i < names.length; i++) {
+        base = base[names[i]] = base[names[i]] || {};
+    }
+
+    if (lastName) {
+        base = base[lastName] = value;
+    }
+};
+
 // TODO: switch to official gitpod.io build.
 const version = "aledbf-mk3.29";
 
@@ -42,14 +53,22 @@ export class GitpodStack extends cdk.Stack {
 
             replace(/{{issuerName}}/g, 'ca-issuer');
 
+        const values = loadYaml(doc);
+        if (process.env.IMAGE_PULL_SECRET) {
+            createNestedObject(values, ["components", "workspace", "templates", "default", "spec", "imagePullSecrets"], []);
+            createNestedObject(values, ["components", "imageBuilderMk3", "registry"], {});
+            values.components.workspace.templates.default.spec.imagePullSecrets.push({ "name": `${process.env.IMAGE_PULL_SECRET}` });
+            values.components.imageBuilderMk3.registry.secretName = `${process.env.IMAGE_PULL_SECRET}`;
+        }
+
         const helmChart = cluster.addHelmChart('GitpodChart', {
             chart: 'gitpod',
             release: 'gitpod',
             repository: 'https://aledbf.github.io/gitpod-chart-cleanup/',
             namespace: 'default',
-            version: '1.2.14',
+            version: '1.2.15',
             wait: true,
-            values: loadYaml(doc),
+            values,
         });
 
         doc = readYamlDocument(__dirname + '/charts/assets/ingress.yaml');
@@ -61,11 +80,19 @@ export class GitpodStack extends cdk.Stack {
             manifest.metadata.annotations["alb.ingress.kubernetes.io/ssl-policy"] = "ELBSecurityPolicy-FS-1-2-Res-2020-10";
         }
 
+        manifest.metadata.annotations["alb.ingress.kubernetes.io/load-balancer-name"] = `${process.env.CLUSTER_NAME}-${props.env?.region}`;
+
         // if we have a route53 zone ID, enable external-dns.
         if (process.env.ROUTE53_ZONEID) {
             manifest.metadata.annotations["external-dns.alpha.kubernetes.io/hostname"] = `${props.domain}, *.${props.domain}, *.ws.${props.domain}`;
         }
 
+        if (process.env.USE_INTERNAL_ALB && process.env.USE_INTERNAL_ALB.toLowerCase() === 'true') {
+            manifest.metadata.annotations["alb.ingress.kubernetes.io/scheme"] = 'internal';
+        } else {
+            manifest.metadata.annotations["alb.ingress.kubernetes.io/scheme"] = 'internet-facing';
+        }
+
         const gitpodIngress = new KubernetesManifest(this, "gitpod-ingress", {
             cluster,
             overwrite: true,
