Initial commit

.gitignore

@@ -0,0 +1 @@
+.env

Dockerfile

@@ -0,0 +1,12 @@
+FROM rancher/k3s:v1.18.4-k3s1
+
+ADD https://github.com/krallin/tini/releases/download/v0.19.0/tini-static /tini
+RUN chmod +x /tini
+
+# This does not work because the helm timeout is to tight.
+#COPY gitpod-helm.yaml /var/lib/rancher/k3s/server/manifests/gitpod-helm-installer.yaml
+COPY gitpod-helm-installer.yaml /var/lib/rancher/k3s/server/manifests/
+
+COPY entrypoint.sh /entrypoint
+
+ENTRYPOINT [ "/tini", "--", "/entrypoint" ]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Dr. Cornelius Ludmann
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,31 @@
+# Gitpod in a Docker container with k3s
+
+## Prerequisites
+
+- `docker`
+- TLS certificates for your domains
+
+## Quick Start
+
+### Docker run:
+
+```shell
+$ docker run \
+    --name gitpod \
+    -v /tmp/workspaces:/var/gitpod/workspaces \
+    -v $(pwd)/values.yaml:/values.yaml \
+    -v $(pwd)/certs:/certs \
+    -e DOMAIN=your.domain.com \
+    -e DNSSERVER=10.0.0.1 \
+    --privileged true \
+    ludmann/gitpod-k3s
+```
+
+### Gitpod + GitLab example
+
+There is a [docker-compose.yaml](examples/gitpod-gitlab/docker-compose.yaml) that creates a pre-configured combination of GitLab and Gitpod. Add you HTTPS certs (`chain.pem`, `dhparams.pem`, `fullchain.pem`, `privkey.pem`) in the [examples/certs](examples/certs) folder, create a `.env` file in [examples/gitpod-gitlab/](examples/gitpod-gitlab/) like this:
+```
+DOMAIN=your.domain.com
+DNSSERVER=10.0.0.1
+```
+and run `docker-compose up`.

entrypoint.sh

@@ -0,0 +1,93 @@
+#!/bin/sh
+
+set -eu
+
+mount --make-shared /sys/fs/cgroup
+mount --make-shared /var/gitpod/workspaces
+
+# prepare Gitpod helm installer
+if [ -f /var/lib/rancher/k3s/server/manifests/gitpod-helm-installer.yaml ]; then
+
+    if [ -z "$DOMAIN" ]; then
+        >&2 echo "Error: Environment variable DOMAIN is missing."
+        exit 1;
+    fi
+
+    if [ -f /values.yaml ]; then
+        sed 's/^/    /' /values.yaml >> /var/lib/rancher/k3s/server/manifests/gitpod-helm-installer.yaml
+    else
+        echo "    hostname: gitpod.{{ DOMAIN }}" >> /var/lib/rancher/k3s/server/manifests/gitpod-helm-installer.yaml
+    fi
+
+    sed -i "s/{{ DOMAIN }}/$DOMAIN/g" /var/lib/rancher/k3s/server/manifests/gitpod-helm-installer.yaml
+
+    # gitpod-helm-installer.yaml needs access to kubernetes by the public host IP.
+    kubeconfig_replacip() {
+        while [ ! -f /etc/rancher/k3s/k3s.yaml ]; do sleep 1; done
+        HOSTIP=$(hostname -i)
+        sed "s+127.0.0.1+$HOSTIP+g" /etc/rancher/k3s/k3s.yaml > /etc/rancher/k3s/k3s_.yaml
+    }
+    kubeconfig_replacip &
+
+    installation_completed_hook() {
+        while [ -z "$(kubectl get pods | grep gitpod-helm-installer | grep Completed)" ]; do sleep 10; done
+
+        echo "Removing network policies ..."
+        kubectl delete networkpolicies.networking.k8s.io --all
+
+        echo "Removing installer manifest ..."
+        rm -f /var/lib/rancher/k3s/server/manifests/gitpod-helm-installer.yaml
+    }
+    installation_completed_hook &
+
+fi
+
+
+# add HTTPS certs secret
+if [ -f /certs/chain.pem ] && [ -f /certs/dhparams.pem ] && [ -f /certs/fullchain.pem ] && [ -f /certs/privkey.pem ]; then
+  CHAIN=$(base64 --wrap=0 < /certs/chain.pem)
+  DHPARAMS=$(base64 --wrap=0 < /certs/dhparams.pem)
+  FULLCHAIN=$(base64 --wrap=0 < /certs/fullchain.pem)
+  PRIVKEY=$(base64 --wrap=0 < /certs/privkey.pem)
+  cat << EOF > /var/lib/rancher/k3s/server/manifests/proxy-config-certificates.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: proxy-config-certificates
+  labels:
+    app: gitpod
+data:
+  chain.pem: $CHAIN
+  dhparams.pem: $DHPARAMS
+  fullchain.pem: $FULLCHAIN
+  privkey.pem: $PRIVKEY
+EOF
+fi
+
+
+# patch DNS config
+if [ -n "$DOMAIN" ] && [ -n "$DNSSERVER" ]; then
+    patchdns() {
+        echo "Waiting for CoreDNS to patch config ..."
+        while [ -z "$(kubectl get pods -n kube-system | grep coredns | grep Running)" ]; do sleep 10; done
+
+        DOMAIN=$1
+        DNSSERVER=$2
+
+        if [ -z "$(kubectl get configmap -n kube-system coredns -o json | grep $DOMAIN)" ]; then
+            echo "Patching CoreDNS config ..."
+
+            kubectl get configmap -n kube-system coredns -o json | \
+                sed -e "s+.:53+$DOMAIN {\\\\n  forward . $DNSSERVER\\\\n}\\\\n.:53+g" | \
+                kubectl apply -f -
+            echo "CoreDNS config patched."
+        else
+            echo "CoreDNS has been patched already."
+        fi
+    }
+    patchdns "$DOMAIN" "$DNSSERVER" &
+fi
+
+
+# start k3s
+/bin/k3s server --disable traefik

examples/certs/.gitignore

@@ -0,0 +1 @@
+*.pem

examples/gitpod-gitlab/docker-compose.yaml

@@ -0,0 +1,38 @@
+version: '3'
+services:
+
+  proxy:
+    image: nginx
+    volumes:
+      - ../certs:/etc/nginx/certs
+      - ./proxy/default.conf:/etc/nginx/conf.d/default.conf
+    ports:
+      - 443:443
+
+  gitpod:
+    image: ludmann/gitpod-k3s
+    # build: ../..
+    privileged: true
+    tmpfs:
+      - /run
+      - /var/run
+      - /var/gitpod/workspaces
+    volumes:
+      - ./values.yaml:/values.yaml
+      - ../certs:/certs
+    environment:
+      - DOMAIN=${DOMAIN}
+      - DNSSERVER=${DNSSERVER}
+
+  gitlab:
+    image: ludmann/gitlab-k3s
+    build: ./gitlab
+    privileged: true
+    tmpfs:
+      - /run
+      - /var/run
+    volumes:
+      - ../certs:/certs
+    environment:
+      - DOMAIN=${DOMAIN}
+      - DNSSERVER=${DNSSERVER}

examples/gitpod-gitlab/gitlab/Dockerfile

@@ -0,0 +1,10 @@
+FROM rancher/k3s:v1.18.4-k3s1
+
+ADD https://github.com/krallin/tini/releases/download/v0.19.0/tini-static /tini
+RUN chmod +x /tini
+
+COPY gitlab-helm.yaml /var/lib/rancher/k3s/server/manifests/
+
+COPY entrypoint.sh /entrypoint
+
+ENTRYPOINT [ "/tini", "--", "/entrypoint" ]

examples/gitpod-gitlab/gitlab/entrypoint.sh

@@ -0,0 +1,90 @@
+#!/bin/sh
+
+set -eu
+
+
+# prepare GitLab helm installer
+if [ -f /var/lib/rancher/k3s/server/manifests/gitlab-helm.yaml ]; then
+
+    if [ -z "$DOMAIN" ]; then
+        >&2 echo "Error: Environment variable DOMAIN is missing."
+        exit 1;
+    fi
+
+    sed -i "s/{{ DOMAIN }}/$DOMAIN/g" /var/lib/rancher/k3s/server/manifests/gitlab-helm.yaml
+
+    cat << EOF > /insert_oauth_application.sql
+INSERT INTO oauth_applications (name, uid, secret, redirect_uri, scopes, created_at, updated_at, owner_id, owner_type)
+VALUES (
+    'Gitpod',
+    '2ce8bfb95d9a1e0ed305427f35e10a6bdd1eef090b1890c68e5f8370782d05ee',
+    'a5447d23643f7e71353d9fc3ad1c15464c983c47f6eb2e80dd37de28152de05e',
+    'https://gitpod.$DOMAIN/auth/gitlab/callback',
+    'api read_user read_repository',
+    now(), now(), 1, 'User'
+);
+EOF
+
+    insertoauth () {
+        echo "Waiting for GitLab DB migrations ..."
+        while [ -z "$(kubectl get pods | grep gitlab-migrations | grep Completed)" ]; do sleep 10; done
+
+        echo "Adding OAuth application to DB ..."
+        SQL=$(cat /insert_oauth_application.sql)
+        DBPASSWD=$(kubectl get secret gitlab-postgresql-password -o jsonpath='{.data.postgresql-postgres-password}' | base64 --decode)
+        kubectl exec -it gitlab-postgresql-0 -- bash -c "PGPASSWORD=$DBPASSWD psql -U postgres -d gitlabhq_production -c \"$SQL\""
+        echo "OAuth application added to DB."
+    }
+    insertoauth &
+
+    installation_completed_hook() {
+        while [ -z "$(kubectl get pods --all-namespaces | grep helm-install-gitlab | grep Completed)" ]; do sleep 10; done
+
+        echo "Removing installer manifest ..."
+        rm -f /var/lib/rancher/k3s/server/manifests/gitlab-helm.yaml
+    }
+    installation_completed_hook &
+fi
+
+
+# add HTTPS certs secret
+FULLCHAIN=$(base64 --wrap=0 < /certs/fullchain.pem)
+PRIVKEY=$(base64 --wrap=0 < /certs/privkey.pem)
+cat << EOF > /var/lib/rancher/k3s/server/manifests/tls-certs.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tls-certs
+type: tls
+data:
+  cert: $FULLCHAIN
+  key: $PRIVKEY
+EOF
+
+
+# patch DNS config
+if [ -n "$DOMAIN" ] && [ -n "$DNSSERVER" ]; then
+    patchdns() {
+        echo "Waiting for CoreDNS to patch config ..."
+        while [ -z "$(kubectl get pods -n kube-system | grep coredns | grep Running)" ]; do sleep 10; done
+
+        DOMAIN=$1
+        DNSSERVER=$2
+
+        if [ -z "$(kubectl get configmap -n kube-system coredns -o json | grep $DOMAIN)" ]; then
+            echo "Patching CoreDNS config ..."
+
+            kubectl get configmap -n kube-system coredns -o json | \
+                sed -e "s+.:53+$DOMAIN {\\\\n  forward . $DNSSERVER\\\\n}\\\\n.:53+g" | \
+                kubectl apply -f -
+            echo "CoreDNS config patched."
+        else
+            echo "CoreDNS has been patched already."
+        fi
+    }
+    patchdns "$DOMAIN" "$DNSSERVER" &
+fi
+
+
+# start k3s
+/bin/k3s server --disable traefik --cluster-cidr 10.52.0.0/16 --service-cidr 10.53.0.0/16 --cluster-dns 10.53.0.10

examples/gitpod-gitlab/gitlab/gitlab-helm.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: gitlab
+  namespace: kube-system
+spec:
+  chart: gitlab
+  version: 4.0.4
+  repo: https://charts.gitlab.io/
+  targetNamespace: default
+  valuesContent: |-
+    global:
+      hosts:
+        domain: {{ DOMAIN }}
+      ingress:
+        configureCertmanager: false
+        tls:
+          secretName: tls-cert
+    certmanager.install: false

examples/gitpod-gitlab/proxy/default.conf

@@ -0,0 +1,64 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+map $http_upgrade $vs_connection_header {
+    default upgrade;
+    ''      $default_connection_header;
+}
+
+
+upstream gitlab {
+    server gitlab:443;
+}
+
+server {
+    listen 443 ssl;
+    server_name "~^gitlab.*$" "~^registry.*$" "~^minio.*$";
+
+    ssl_certificate /etc/nginx/certs/fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/privkey.pem;
+
+    location / {
+        set $default_connection_header close;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $vs_connection_header;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_pass https://gitlab;
+    }
+}
+
+
+upstream gitpod {
+    server gitpod:443;
+}
+
+server {
+    listen 443 ssl default_server;
+    server_name _;
+
+    ssl_certificate /etc/nginx/certs/fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/privkey.pem;
+
+    location / {
+        client_max_body_size 10g;
+
+        set $default_connection_header close;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $vs_connection_header;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_pass https://gitpod;
+    }
+}