According to the Kubernetes docs, a container using a Secret as a
subPath volume mount will not receive Secret updates.
Signed-off-by: JenTing Hsiao <hsiaoairplane@gmail.com>
Workspace image builds
Update golden output
Deploy ws-manager tls secret in webapp
Remove ws-manager secrets
Update golden outputs
Enable movedImageBuilder by default
Add wsmanager tls to server if not meta install
Update output.golden
Install ws-proxy in meta
Update golden
Move wsproxy to IDE objs
Create experimental flag
Move ws-proxy to idecomponents
Remove ws-manager TLS cert from ws-proxy
skipSelf if WithoutWorkspaceComponents enabled
Fix ws-proxy config
This PR manually sets the `allowPrivilegeEscalation` container
config to false where we don't need extra capabilities. This
is needed as not setting this explicitly could mean that
it could still be `true` based on other settings.
This also helps us future-proof on any behaviour changes around
this.
Signed-off-by: Tarun Pothulapati <tarun@gitpod.io>
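
Added example (not part of the commits above and not the project's own code): a small Python audit of a pod spec for the two conditions these messages describe, a Secret volume mounted through `subPath` and a container whose `allowPrivilegeEscalation` is not explicitly `false`. The sample spec and every name in it are constructed; the privileged/`SYS_ADMIN` rule comes from the Kubernetes API documentation for `allowPrivilegeEscalation`, not from this page.

```python
# Added example: audit a pod spec (plain dict, as parsed from a manifest).
# SAMPLE_SPEC and all names in it are constructed for illustration.

def audit_pod_spec(spec):
    """Return sorted (container, finding) tuples for the two issues above."""
    findings = []
    secret_vols = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        caps = (sc.get("capabilities") or {}).get("add") or []
        if sc.get("privileged") or "SYS_ADMIN" in caps:
            # Kubernetes documents escalation as always allowed for these.
            findings.append((c["name"], "escalation-forced-by-privileged-or-sys-admin"))
        elif sc.get("allowPrivilegeEscalation") is not False:
            # Unset or true: the hardening is not guaranteed by the manifest.
            findings.append((c["name"], "allowPrivilegeEscalation-not-false"))
        for m in c.get("volumeMounts", []):
            # A Secret mounted via subPath does not receive Secret updates.
            if m.get("name") in secret_vols and m.get("subPath"):
                findings.append((c["name"], "secret-subPath-no-updates:" + m["name"]))
    return sorted(findings)


SAMPLE_SPEC = {
    "volumes": [
        {"name": "tls", "secret": {"secretName": "example-tls"}},
        {"name": "cfg", "configMap": {"name": "example-cfg"}},
    ],
    "containers": [
        {"name": "hardened",
         "securityContext": {"allowPrivilegeEscalation": False},
         "volumeMounts": [{"name": "tls", "mountPath": "/certs"}]},
        {"name": "implicit",
         "volumeMounts": [{"name": "tls", "mountPath": "/certs/tls.crt",
                           "subPath": "tls.crt"}]},
        {"name": "admin",
         "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
         "volumeMounts": [{"name": "cfg", "mountPath": "/cfg/a", "subPath": "a"}]},
    ],
}

if __name__ == "__main__":
    for name, finding in audit_pod_spec(SAMPLE_SPEC):
        print(f"{name}: {finding}")
```
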
This PR includes temporary fixes to get `Certificate` option working with `self-signed` certificates.
Currently, whenever the `Certificate` config option is set to a
specific secret, we seem to assume **by default** that they are
publicly signed. This currently has the following issues when they
are `self-signed`:
- Due to the usage of `Certificate` in internal facing services like
`registry-facade`, internal clients fail to communicate as the
self-signed CA is not in their trust store.
(Fix: Update `registry-facade` to use `builtin-registry-facade-cert`,
generated by `cert-manager`)
- Due to the fact that internal `registry` communication also flows
through the `proxy`, this communication fails as the `proxy` cert is
self-signed as it's not available in the trust store.
(Fix: Update the `registry-facade` daemonset to also include `crt` of
`Certificate` in its trust store).
This PR also fixes an issue with `image-builder-mk3` when the
`customCACert` option is set, by removing `InternalVolumeCAMount` as
it makes the `etc/ssl/certs` empty and readOnly (which prevents
mounting the customCACert cert into `etc/ssl/certs`).
This is not needed as the directory probably exists, or we don't need
to mount it specifically. Individual cert files can be attached
directly into the folder while keeping the existing files the
same.
Signed-off-by: Tarun Pothulapati <tarun@gitpod.io>