DodoApp: Use untrusted-external runtime class for app runner
Change-Id: I6beab523e1688fc98c2b6a5b756f46a5fc89f3cb
diff --git a/charts/app-runner/templates/install.yaml b/charts/app-runner/templates/install.yaml
index d05287d..acd0b3d 100644
--- a/charts/app-runner/templates/install.yaml
+++ b/charts/app-runner/templates/install.yaml
@@ -61,6 +61,7 @@
labels:
app: app-app
spec:
+ runtimeClassName: {{ .Values.runtimeClassName }}
volumes:
- name: ssh-key
secret:
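Review bot: The new `runtimeClassName: {{ .Values.runtimeClassName }}` line renders as a bare `runtimeClassName:` (YAML null) whenever the chart is installed with the default empty value from values.yaml, and the unquoted substitution would be retyped if a value ever looked like a number or boolean. Emit the key only when set, and quoted: `{{- with .Values.runtimeClassName }}` / `runtimeClassName: {{ . | quote }}` / `{{- end }}`. With an empty value the pod silently runs under the node's default runtime, so an app that is expected to be sandboxed starts unsandboxed without any error; if the class is meant to be mandatory for this chart, `runtimeClassName: {{ required "runtimeClassName must be set" .Values.runtimeClassName | quote }}` fails the render instead. The pod spec this line belongs to starts and ends outside the hunk.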
diff --git a/charts/app-runner/values.yaml b/charts/app-runner/values.yaml
index 1d21e06..afc9481 100644
--- a/charts/app-runner/values.yaml
+++ b/charts/app-runner/values.yaml
@@ -10,3 +10,4 @@
appPort: 8080
managerAddr: ""
volumes: []
+runtimeClassName: ""
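Review bot: The new `runtimeClassName: ""` default carries no explanation of what it controls or what the empty default means for the pod. Add a comment above it, e.g. `# Name of the RuntimeClass the app pod is scheduled with; empty leaves the cluster default runtime.`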
diff --git a/core/installer/app_configs/dodo_app.cue b/core/installer/app_configs/dodo_app.cue
index c5b0554..447e45d 100644
--- a/core/installer/app_configs/dodo_app.cue
+++ b/core/installer/app_configs/dodo_app.cue
@@ -153,6 +153,7 @@
tag: images.app.tag
pullPolicy: images.app.pullPolicy
}
+ runtimeClassName: "untrusted-external" // TODO(gio): make this part of the infra config
appPort: _appPort
appDir: _appDir
appId: input.appId
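Review bot: The hardcoded `"untrusted-external"` on the new line does not match the RuntimeClass that the k3s-install.sh hunk in this same commit would create, which is named `gvisor`; a pod referencing a RuntimeClass that does not exist on the cluster is rejected by the kubelet rather than falling back, so one of the two names needs to change, or the comment should say where this class is provisioned. Since the script steps are commented out, the class may well be created elsewhere — worth stating in the TODO, e.g. `// TODO(gio): make this part of the infra config; RuntimeClass "untrusted-external" is created by <placeholder: provisioning step>`. The enclosing cue struct starts and ends outside the hunk.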
diff --git a/scripts/hetzner/k3s-install.sh b/scripts/hetzner/k3s-install.sh
index 5f9c3c2..fb2cc95 100755
--- a/scripts/hetzner/k3s-install.sh
+++ b/scripts/hetzner/k3s-install.sh
@@ -43,3 +43,50 @@
--server-ip $MASTER_INIT \
--k3s-version $K3S_VERSION
done
+
+
+# # Install runsc
+# sudo apt-get update && \
+# sudo apt-get install -y \
+# apt-transport-https \
+# ca-certificates \
+# curl \
+# gnupg
+
+# curl -fsSL https://gvisor.dev/archive.key | sudo gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg
+# echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases release main" | sudo tee /etc/apt/sources.list.d/gvisor.list > /dev/null
+
+# sudo apt-get update && sudo apt-get install -y runsc
+
+# # Install containerd
+# # Add Docker's official GPG key:
+# sudo apt-get update
+# sudo apt-get install ca-certificates curl
+# sudo install -m 0755 -d /etc/apt/keyrings
+# sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
+# sudo chmod a+r /etc/apt/keyrings/docker.asc
+
+# # Add the repository to Apt sources:
+# echo \
+# "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+# $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+# sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+# sudo apt-get update
+
+# sudo apt-get install containerd.io
+
+# # Configure k3s to use runsc
+# copy into /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl
+
+# [plugins.cri.containerd.runtimes.runsc]
+# runtime_type = "io.containerd.runsc.v1"
+
+# systemctl restart k3s
+
+# cat<<EOF | kubectl apply -f -
+# apiVersion: node.k8s.io/v1beta1
+# kind: RuntimeClass
+# metadata:
+# name: gvisor
+# handler: runsc
+# EOF
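Review bot: The RuntimeClass manifest at the end of the new block uses `apiVersion: node.k8s.io/v1beta1`, which was removed in Kubernetes 1.25; it should read `apiVersion: node.k8s.io/v1`. The containerd stanza `[plugins.cri.containerd.runtimes.runsc]` is the config-version-1 key, whereas the containerd bundled with k3s uses the v2 layout `[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]`, so the steps would not work as written if uncommented. k3s ships its own containerd, so the Docker-repo `containerd.io` install looks unnecessary and may conflict with it — confirm before keeping it. Forty-odd lines of commented-out setup with a prose step (`copy into /var/lib/rancher/...`) in the middle are hard to keep correct; either make this a runnable, guarded function or move it to the docs with a pointer from the script.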