Initialize workspaces with additional file content

[svenefftinge]

To allow starting workspaces based on a config that doesn't sit in Git, this PR introduces the possibility to pass file contents when creating a workspace, which overlays/overwrites the file system.

This is going to be used for passing configuration stored in projects. A prefix context additionalcontent (used below) is introduced for testing purposes, only.

Testing

A link that puts a .gitpod.yml and .gitpod.Dockerfile on top: https://se-external-config.staging.gitpod-dev.com/#/additionalcontent/eyIuZ2l0cG9kLnltbCI6ImltYWdlOlxuICBmaWxlOiAuZ2l0cG9kLkRvY2tlcmZpbGVcblxudGFza3M6XG4gIC0gY29tbWFuZDogZWNobyBcInRlc3RcIj5teWZpbGUudHh0IiwiLmdpdHBvZC5Eb2NrZXJmaWxlIjoiRlJPTSBnaXRwb2Qvd29ya3NwYWNlLWZ1bGxcblxuUlVOIC9ob21lL2dpdHBvZC8uY2FyZ28vYmluL2NhcmdvIGluc3RhbGwgbWRib29rIC0tdmVycyAwLjEuN1xuIn0=/https://github.com/gitpod-io/template-sveltejs

Same additional content but different repo, which triggers an image build on its own because the repo is different: https://se-external-config.staging.gitpod-dev.com/#/additionalcontent/eyIuZ2l0cG9kLnltbCI6ImltYWdlOlxuICBmaWxlOiAuZ2l0cG9kLkRvY2tlcmZpbGVcblxudGFza3M6XG4gIC0gY29tbWFuZDogZWNobyBcInRlc3RcIj5teWZpbGUudHh0IiwiLmdpdHBvZC5Eb2NrZXJmaWxlIjoiRlJPTSBnaXRwb2Qvd29ya3NwYWNlLWZ1bGxcblxuUlVOIC9ob21lL2dpdHBvZC8uY2FyZ28vYmluL2NhcmdvIGluc3RhbGwgbWRib29rIC0tdmVycyAwLjEuN1xuIn0=/https://github.com/gitpod-io/spring-petclinic

[svenefftinge]

/werft run

👍 started the job as gitpod-build-se-external-config.9

[svenefftinge]

/werft run

👍 started the job as gitpod-build-se-external-config.17

[svenefftinge]

for the reviewers: section below hasn't changed besides the indent because of the if.

[jankeromnes]

Tip: Adding ?w=1 at the end of the review URL ignores all whitespace changes (i.e. re-indented blocks will appear unchanged).

[svenefftinge]

we need to make two requests for the time being, to support the current resolution of image refs. Once we have rebuilt most images, we can remove the lastChangeRevision part.

[csweichel]

If we resolved the base image here already we could check which case (lastDockerFileSha or this.getContentSHA(dockerFileContent)) resolves to a built image. This behaviour is what I referred to as "move the legacy behaviour to server" above.

[csweichel]

How are we dealing with environment variables and tasks? Right now the env vars assume that the workspace their pattern matches for can be trusted. With this change if I can make someone click on a link I can quite easily get their secrets because I can bring my own tasks.

[svenefftinge]

How are we dealing with environment variables and tasks? Right now the env vars assume that the workspace their pattern matches for can be trusted. With this change if I can make someone click on a link I can quite easily get their secrets because I can bring my own tasks.

I think this is a general problem that exists with all our workspace start URLs. The underlying issue is that supervisor runs processes and it is not obvious what those processes will be from looking at a link. I suggest we introduce something where we ask users if they trust certain sources to allow task execution.

[csweichel]

How are we dealing with environment variables and tasks? Right now the env vars assume that the workspace their pattern matches for can be trusted. With this change if I can make someone click on a link I can quite easily get their secrets because I can bring my own tasks.

I think this is a general problem that exists with all our workspace start URLs. The underlying issue is that supervisor runs processes and it is not obvious what those processes will be from looking at a link. I suggest we introduce something where we ask users if they trust certain sources to allow task execution.

Indeed it does. What the additionalContent context URL does though is to explicitly circumvent the "security model" of environment variables/secrets (namely repository patterns). The assumption underpinning environment variables is that you trust the repository you specify using the repository pattern. There's a chance you trust this repo because you trust everyone who can modify its content, hence its tasks.
If we now allow arbitrary tasks to be executed in arbitrary repositories for arbitrary users (all you need is to click a link), that undermines this - already somewhat weak - idea of "trust in a repo".

Asking users if they want to execute the task might be one way - and is indeed a trade-off between friction and security.
Alternatively we could re-consider the Workspace Secrets RFC which would alleviate this problem also.

[csweichel]

We could re-use the dockerfile_version - I don't think we need to change the protocol here.
The only difference is that before the version was the commit hash, now it's the SHA hash.

If we moved the "legacy" behaviour to server, that is.

[csweichel]

The manifest approach below takes more into account than just the Dockerfile version. Using just the content hash ignores the context entirely - the same Dockerfile from two separate repositories with different context would get the same "build".

This could even leak sensitive details because one user might get the build of another (same Dockerfile content, but different context including repo).

[csweichel]

Note: because GitHub doesn't let me put a comment in line 238 ... you'd have to expand the if to include the CompositeInitializer etc.

[csweichel]

If we resolved the base image here already we could check which case (lastDockerFileSha or this.getContentSHA(dockerFileContent)) resolves to a built image. This behaviour is what I referred to as "move the legacy behaviour to server" above.

[csweichel]

nit:

Suggested change

	//TODO we cannot change this initializer structure now because it is part of how baserefs are computed in image-builder.
	// TODO(se): we cannot change this initializer structure now because it is part of how baserefs are computed in image-builder.

see https://www.notion.so/gitpod/How-we-develop-e8ce7e562478458a9223eb9b797415b2#86e669f8e7df4f1289c9bede0855b5f9

[csweichel]

I'd propose we update the behaviour in image builder to accompany the new initializer. Also, the current change on how the baseRef is computed ignores the initializer entirely.

[csweichel]

This seems to be at odds with the comment above. Either the comment or the code is wrong :)

[svenefftinge]

/werft run

👍 started the job as gitpod-build-se-external-config.26

[svenefftinge]

/werft run

👍 started the job as gitpod-build-se-external-config.28

[svenefftinge]

Thanks, @csweichel! I have updated the PR as discussed, could you have a look again?

[svenefftinge]

/werft run

👍 started the job as gitpod-build-se-external-config.36

[svenefftinge]

/werft run

👍 started the job as gitpod-build-se-external-config.37

[csweichel]

I added unit tests and implemented the digest check in the content initializer. Unfortunately the digest sent by the server does not match what we actually download:

[svenefftinge]

Wouldn't this trigger docker builds on every change in .gitpod.yml (or other files)? I believe this would be too aggressive.

[csweichel]

LGTM

[csweichel]

beware that all initializer are executed relative to a target location themselves, i.e. all paths in an initializer are always relative to that location.

The comment in line 30 implies that target_location can be absolute, when in reality it cannot.

[csweichel]

Is it intentional that when downloading a file fails the content init does not fail?

[csweichel]

downloadFile should write the file to disk immediately and not keep it in RAM first.

[csweichel]

also, we need to respect the digest

[csweichel]

if one initializer fails the others should fail, too