improve dev container (#19757)

iQQBot · web-flow · commit a7547c83e562 · 2024-05-20T15:45:01.000+08:00
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -323,4 +323,5 @@ ENV PRE_COMMIT_HOME=/workspace/.pre-commit
 
 # Setting the environment variable here so that it will be accessible to all tasks and
 # terminal sessions in Gitpod workspaces.
-ENV PREVIEW_ENV_DEV_SA_KEY_PATH=
+ENV PREVIEW_ENV_DEV_SA_KEY_PATH=/root/.config/gcloud/sa.json
+ENV GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -5,8 +5,11 @@
         "dockerfile": "./Dockerfile"
     },
     "workspaceMount": "source=${localWorkspaceFolder},target=/workspace/gitpod,type=bind",
-    "workspaceFolder": "/workspace/gitpod",
-    "updateContentCommand": "dev/install-dependencies.sh",
+    "workspaceFolder": "/workspace/gitpod/",
+    "postCreateCommand": "dev/install-dependencies.sh",
+    "mounts": [
+        "source=/usr/local/gitpod/config/,target=/usr/local/gitpod/config/,type=bind"
+    ],
     "remoteEnv": {
         "GIT_EDITOR": "code --wait",
         "KUBE_EDITOR": "code --wait"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -5,6 +5,7 @@ repos:
       #- id: check-yaml
       #  args: [--allow-multiple-documents]
       - id: check-json
+        exclude: ^.devcontainer/devcontainer.json$
       - id: end-of-file-fixer
       - id: trailing-whitespace
       - id: check-symlinks
@@ -80,5 +81,10 @@ repos:
         language: system
         pass_filenames: false
         files: ^components/dashboard/
+  - repo: https://gitlab.com/bmares/check-json5
+    rev: v1.0.0
+    hooks:
+    - id: check-json5
+      files: ^.devcontainer/devcontainer.json$
 
 exclude: ^install/installer/.*/.*\.golden$
diff --git a/dev/BUILD.yaml b/dev/BUILD.yaml
@@ -26,7 +26,36 @@ packages:
       image:
         - ${imageRepoBase}/dev-utils:${version}
         - ${imageRepoBase}/dev-utils:commit-${__git_commit}
+  - name: "install"
+    type: "generic"
+    deps:
+      - dev/gpctl:app
+      - dev/kubecdl:app
+      - dev/gp-gcloud:app
+    config:
+      commands:
+        - [ "sh", "-c", "sudo mv dev-gpctl--app/gpctl /usr/local/bin/gpctl" ]
+        - [ "sh", "-c", "sudo mv dev-kubecdl--app/kubecdl /usr/local/bin/kubecdl" ]
+        - [ "sh", "-c", "sudo mv dev-gp-gcloud--app/gp-gcloud /usr/local/bin/gp-gcloud" ]
+
 scripts:
   - name: preview
     description: Build Gitpod, create a preview environment, and deploy to it
     script: ./preview/workflow/preview/preview.sh
+  - name: prepare
+    description: Prepare the repository for development
+    script: |
+      leeway run dev:prepare-go dev:prepare-ts
+  - name: prepare-go
+    description: Prepare go packages
+    script: |
+      ./components/gitpod-protocol/go/scripts/generate-config.sh
+      leeway exec --filter-type go -v -- go mod verify
+  - name: prepare-ts
+    description: Prepare typescript packages
+    script: |
+      yarn --network-timeout 100000 && yarn build
+  - name: install-dev-utils
+    description: Install dev-utils
+    script: |
+      leeway build dev:install --dont-test --cache=remote-pull
diff --git a/dev/install-dependencies.sh b/dev/install-dependencies.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
 
+git config --global alias.lg "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit"
+leeway run dev/preview:configure-workspace
+leeway run dev:install-dev-utils
 leeway run dev/preview/previewctl:install
 pre-commit install --install-hooks
diff --git a/dev/next-oidc/oidc.js b/dev/next-oidc/oidc.js
@@ -0,0 +1,78 @@
+const fs = require("fs");
+const http2 = require("http2");
+
+const getIDToken = async () => {
+    return new Promise((resolve, reject) => {
+        try {
+            const configPath = "/usr/local/gitpod/config/initial-spec.json";
+            const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+
+            const controlPlaneApiEndpoint = config.controlPlaneApiEndpoint;
+            const workspaceToken = config.workspaceToken;
+
+            const url = new URL(controlPlaneApiEndpoint);
+            const client = http2.connect(url.origin);
+
+            const req = client.request({
+                ":method": "POST",
+                "content-type": "application/json",
+                authorization: `Bearer ${workspaceToken}`,
+                ":path": `${url.pathname}/gitpod.v1.IdentityService/GetIDToken`,
+            });
+
+            let responseData = "";
+
+            req.on("data", (chunk) => {
+                responseData += chunk;
+            });
+
+            req.on("end", () => {
+                try {
+                    const result = JSON.parse(responseData);
+                    const token = result.token;
+                    resolve(token);
+                } catch (error) {
+                    reject(new Error("Error parsing response: " + error.message));
+                } finally {
+                    client.close();
+                }
+            });
+
+            req.on("error", (error) => {
+                reject(new Error(error.message));
+                client.close();
+            });
+
+            req.end(
+                JSON.stringify({
+                    audience: ["accounts.google.com"],
+                }),
+            );
+        } catch (e) {
+            reject(new Error(e.message));
+        }
+    });
+};
+
+(async () => {
+    try {
+        const token = await getIDToken();
+        console.log(
+            JSON.stringify({
+                version: 1,
+                success: true,
+                token_type: "urn:ietf:params:oauth:token-type:id_token",
+                id_token: token,
+            }),
+        );
+    } catch (error) {
+        console.log(
+            JSON.stringify({
+                version: 1,
+                success: false,
+                code: "401",
+                message: error.message,
+            }),
+        );
+    }
+})();
diff --git a/dev/preview/workflow/preview/configure-workspace.sh b/dev/preview/workflow/preview/configure-workspace.sh
@@ -13,15 +13,28 @@ if { [[ "${auth}" != "(unset)" ]] || [ -n "${auth:-}" ]; } && [ -f "${PREVIEW_EN
   exit 0
 fi
 
-if [[ -z "${PREVIEW_ENV_DEV_CRED:-}" ]] || [[ -z "${PREVIEW_ENV_DEV_SA_KEY_PATH:-}" ]]; then
-  log_warn "Neither PREVIEW_ENV_DEV_CRED, nor PREVIEW_ENV_DEV_SA_KEY_PATH is set. Skipping workspace setup."
+if [ -z "${PREVIEW_ENV_DEV_SA_KEY_PATH:-}" ]; then
+  log_warn "PREVIEW_ENV_DEV_SA_KEY_PATH is not set. Skipping workspace setup."
   exit 0
 fi
 
-if [ ! -f "${PREVIEW_ENV_DEV_SA_KEY_PATH}" ]; then
+if [ -f "/usr/local/gitpod/config/initial-spec.json" ]; then
+  gcloud iam workload-identity-pools create-cred-config \
+    projects/184212049955/locations/global/workloadIdentityPools/gitpod-next/providers/gitpod-next-provider \
+    --service-account=preview-environmnet-dev@gitpod-dev-preview.iam.gserviceaccount.com \
+    --service-account-token-lifetime-seconds=1h \
+    --output-file="${PREVIEW_ENV_DEV_SA_KEY_PATH}" \
+    --executable-command='node /workspace/gitpod/dev/next-oidc/oidc.js' \
+    --executable-timeout-millis=5000
+elif [[ -n "${PREVIEW_ENV_DEV_CRED:-}" ]]; then
   echo "${PREVIEW_ENV_DEV_CRED}" >"${PREVIEW_ENV_DEV_SA_KEY_PATH}"
 fi
 
+if [ ! -f "${PREVIEW_ENV_DEV_SA_KEY_PATH}" ]; then
+  log_warn "Neither PREVIEW_ENV_DEV_CRED, nor PREVIEW_ENV_DEV_SA_KEY_PATH is set. Skipping workspace setup."
+  exit 0
+fi
+
 gcloud auth login --cred-file "${PREVIEW_ENV_DEV_SA_KEY_PATH}" --activate --quiet
 
 if [[ -n "${INSTALL_CONTEXT:-}" ]]; then
