[self-signed] workspace creation fails in release-2022.09.0 #13735

Closed
Pothulapati opened this issue Oct 10, 2022 · 7 comments · Fixed by #13821
Assignees
Labels
priority: high type: bug Something isn't working

Comments

@Pothulapati
Contributor

Pothulapati commented Oct 10, 2022

Bug description

On a self-signed instance of Gitpod (for example local-preview), the workspace creation fails with a CreateConfigError in Kubernetes. Digging more into that, we see the following error in Kubernetes:

/ # kubectl describe pod  | grep 2148
      NODE_EXTRA_CA_CERTS:              <set to the key 'f0f9c6ddcfb588904de6982b658e17a8cf7b9e3c108fd1380aa2f5d5dfed2148' in secret 'ws-9deee364-eedc-4361-b6b0-90daaa29e0a5'>  Optional: false
  Warning  Failed     7m46s (x12 over 10m)  kubelet            Error: couldn't find key f0f9c6ddcfb588904de6982b658e17a8cf7b9e3c108fd1380aa2f5d5dfed2148 in Secret default/ws-9deee364-eedc-4361-b6b0-90daaa29e0a5

This seems to be because of NODE_EXTRA_CA_CERTS being marked as a protected secret but still not rightly loaded into the workspace secret as a key. The same can be confirmed by comparing the secret vs. the workspace.

Workspace ENV Var

      - name: VSX_REGISTRY_URL
        valueFrom:
          secretKeyRef:
            key: 6271376496bf05a98eb6f9231ef39c87d25a936de821916483e5755bf4dfbe1a
            name: ws-9deee364-eedc-4361-b6b0-90daaa29e0a5
      - name: THEIA_SUPERVISOR_TOKENS
        valueFrom:
          secretKeyRef:
            key: 3a3b612491764cccf7a5bccafc73031bb965cad1592bf600f2c3edca7c6e41bb
            name: ws-9deee364-eedc-4361-b6b0-90daaa29e0a5
      - name: GITPOD_INTERVAL
        value: "30000"
      - name: GITPOD_MEMORY
        value: "524"
      - name: NODE_EXTRA_CA_CERTS
        valueFrom:
          secretKeyRef:
            key: f0f9c6ddcfb588904de6982b658e17a8cf7b9e3c108fd1380aa2f5d5dfed2148
            name: ws-9deee364-eedc-4361-b6b0-90daaa29e0a5
      image: reg.preview.gitpod-self-hosted.com:20000/remote/9deee364-eedc-4361-b6b0-90daaa29e0a5

Secret

Name:         ws-9deee364-eedc-4361-b6b0-90daaa29e0a5
Namespace:    default
Labels:       app=gitpod
              component=workspace
              gitpod.io/workspaceClass=default
              gpwsman=true
              headless=false
              metaID=gitpodio-gitpodmicrosof-uzxl3qjx9yk
              owner=98885113-240a-4499-9923-85cad4ab64a9
              project=
              team=
              workspaceID=9deee364-eedc-4361-b6b0-90daaa29e0a5
              workspaceType=regular
Annotations:  <none>

Type:  Opaque

Data
====
6271376496bf05a98eb6f9231ef39c87d25a936de821916483e5755bf4dfbe1a:  47 bytes
initializer.composite.0.git:                                       40 bytes
3a3b612491764cccf7a5bccafc73031bb965cad1592bf600f2c3edca7c6e41bb:  1596 bytes

Steps to reproduce

Run

docker run -p 443:443 --privileged --name gitpod -it  --mount type=volume,source=gitpod,destination=/var/gitpod eu.gcr.io/gitpod-core-dev/build/local-preview:release-2022.09.0-lp.3

and see that workspace creation fails (while the image builds work)

Workspace affected

No response

Expected behavior

No response

Example repository

No response

Anything else?
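The failure above is a reference-integrity problem: the pod's env declares a secretKeyRef whose key is absent from the Secret's data, so the kubelet cannot materialize the environment and the container never starts. The following preflight check is an added illustration, not Gitpod or Kubernetes code. It walks a container's env list and reports every non-optional secretKeyRef that does not resolve to an existing key; the sample pod env and Secret are hand-built dicts standing in for parsed YAML, with key names and byte sizes taken from the excerpts in this report.

```python
"""Preflight check: every non-optional env secretKeyRef must resolve to a key
that exists in the referenced Secret, otherwise the kubelet reports
"couldn't find key ... in Secret ..." and the pod is stuck in a config error.

Added illustration, not Gitpod or Kubernetes code. The objects below are
constructed dicts mirroring `kubectl get pod -o yaml` / `kubectl describe secret`
output from the issue; only the key names and sizes come from the report.
"""
from typing import Dict, List, Tuple

WS_SECRET = "ws-9deee364-eedc-4361-b6b0-90daaa29e0a5"
KEY_VSX = "6271376496bf05a98eb6f9231ef39c87d25a936de821916483e5755bf4dfbe1a"
KEY_THEIA = "3a3b612491764cccf7a5bccafc73031bb965cad1592bf600f2c3edca7c6e41bb"
KEY_CA = "f0f9c6ddcfb588904de6982b658e17a8cf7b9e3c108fd1380aa2f5d5dfed2148"

# Constructed sample: the workspace container's env list as the API server stores it.
WORKSPACE_ENV = [
    {"name": "VSX_REGISTRY_URL",
     "valueFrom": {"secretKeyRef": {"name": WS_SECRET, "key": KEY_VSX}}},
    {"name": "THEIA_SUPERVISOR_TOKENS",
     "valueFrom": {"secretKeyRef": {"name": WS_SECRET, "key": KEY_THEIA}}},
    {"name": "GITPOD_INTERVAL", "value": "30000"},
    {"name": "GITPOD_MEMORY", "value": "524"},
    {"name": "NODE_EXTRA_CA_CERTS",
     "valueFrom": {"secretKeyRef": {"name": WS_SECRET, "key": KEY_CA}}},
]

# Constructed sample: Secret data keyed by Secret name. Values are placeholders of
# the reported sizes; only key presence matters for this check.
SECRETS: Dict[str, Dict[str, bytes]] = {
    WS_SECRET: {
        KEY_VSX: b"x" * 47,
        "initializer.composite.0.git": b"x" * 40,
        KEY_THEIA: b"x" * 1596,
    }
}

# (env var name, secret name, reason)
Problem = Tuple[str, str, str]


def find_unresolvable_refs(env: List[dict],
                           secrets: Dict[str, Dict[str, bytes]]) -> List[Problem]:
    """Return every env entry whose secretKeyRef cannot be satisfied.

    Mirrors the kubelet's rule: a reference marked `optional: true` is skipped
    silently; anything else must name an existing Secret and an existing key.
    """
    problems: List[Problem] = []
    for entry in env:
        ref = entry.get("valueFrom", {}).get("secretKeyRef")
        if ref is None:
            continue  # literal `value:` entries need no lookup
        if ref.get("optional", False):
            continue  # optional refs never block container creation
        secret_name, key = ref["name"], ref["key"]
        data = secrets.get(secret_name)
        if data is None:
            problems.append((entry["name"], secret_name, "secret not found"))
        elif key not in data:
            problems.append((entry["name"], secret_name, f"key not found: {key}"))
    return problems


if __name__ == "__main__":
    for var, secret, reason in find_unresolvable_refs(WORKSPACE_ENV, SECRETS):
        print(f"{var}: secretKeyRef to {secret} is unresolvable ({reason})")
```

Run against the sample data the only finding is NODE_EXTRA_CA_CERTS, which is exactly what the kubelet event reports. Running such a check against a workspace pod before it is admitted (or as a monitor over pods stuck in a config error) turns the silent "key missing from Secret" condition into an explicit finding that names the env var and the Secret involved.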

@kylos101
Contributor

Hi @Pothulapati thank you for the report!

Customers can work around this by disabling the feature at install time with a patch like so:

experimental:
  workspace:
    enableProtectedSecrets: false

However that does carry some risk (outlined here).

As background, we enabled protected secrets by default here.

@kylos101
Contributor

@Pothulapati it looks like this is blocking local-preview. Have you been able to confirm if it is blocking a single cluster ref arch that is using self-signed certs?

@Pothulapati
Contributor Author

Pothulapati commented Oct 11, 2022

👋 Good Morning, @kylos101 !

Currently, I can only confirm that it fails in local-preview which is a self-signed instance, but I am verifying the same in self-signed AWS now. Will update once I get this up! 👀

> From what I can tell, this is blocking local-preview, but so far, no customers have bumped into this issue.

Correct. Because we haven't done a local-preview release yet, there is no user effect yet. We should add the configuration that you specified if we plan to do a release.

@Pothulapati
Contributor Author

@kylos101 I can confirm that the issue also happens with a self-signed EKS instance. I have one at https://3c759-aws.tests.gitpod-self-hosted.com/workspaces, but you can get the same by running

werft run github -a skipTests=true -a selfSigned=true -a preview=true -j .werft/eks-installer-tests.yaml

@kylos101
Contributor

kylos101 commented Oct 12, 2022

Okay, thanks @Pothulapati . 😬 For the meantime, I think we'll need to recommend the ☝️ workaround till a fix is pushed. Would it be appropriate to add a comment in the September Upgrade instructions?

I've added it to our groundwork, but it may not land till the next self-hosted release. Let us know your thoughts. The trade-off of using the workaround (disabling protected_secrets) is the related security risks.

@kylos101 kylos101 moved this to Breakdown in 🌌 Workspace Team Oct 12, 2022
@kylos101 kylos101 moved this from Breakdown to In Progress in 🌌 Workspace Team Oct 13, 2022
@kylos101
Contributor

Hi there, @utam0k is going to take a look at this issue, to see if we can patch the September release.

cc: @lucasvaltl @corneliusludmann @Pothulapati

@kylos101
Contributor

Thanks for the solve @utam0k and for the teamwork @Furisto and @Pothulapati !!! 🤝

@utam0k utam0k moved this from Awaiting Deployment to Done in 🌌 Workspace Team Oct 18, 2022