feat: Implement TLS by default for Minikube + Helm installer

[mmorhun]

Signed-off-by: Mykola Morhun mmorhun@redhat.com

What does this PR do?

Implements automatic installation of Che in TLS mode for Minikube infrastructure and Helm installer.
Theoretically should also work on Kubernetes and MicroK8S

How to test

To test, build this PR with changes from eclipse-che/che#15878 into Helm templates (just change in chectl's package.json eclipse-che dependency to point to the che-15810 branch).
Then, just run chectl server:start --platform=minikube --multiuser --installer=helm
To install single-user Che, omit --multiuser flag.

How it works

At the checks stage chectl checks for che-tls secret presence. If it is not present, then the procedure of auto-generation begins. If the secret is pre-created (current scenario) then nothing is changes and everything should work as it was before.
In case of auto-generation, first, chectl installs Cert Manager (using the pre-cached yaml from official site) for managing tls secrets for Che. This involves generation of CA credentials for Cert Manager, which is done via dedicated job. When all requirements are satisfied, chectl requests from Cert Manager tls secret for Che encryption.
The only manual step which is required from end users is to add CA certificate into their browsers.

What issues does this PR fix or reference?

eclipse-che/che#15313
Should be merged together with eclipse-che/che#15878

[sleshchenko]

Man, you did a great job around it 👍

[sleshchenko]

It makes sense to add a note that TLS now is enabled for k8s, minikube... platforms and there is no way to disable it.
Well, maybe it would be better to leave this option for all platforms but with default option true? I mean keeping an ability to run server:start --tls=false

[mmorhun]

My plan was to remove that option at all when TLS by default is finished. In most cases people use default Che-Theia editor which in some cases doesn't work properly without TLS (all webview are broken). And, of course, the security...
We may leave the flag, but make it default to true, I do not mind. However, in such case we should test non-TLS installations as well... I think this should be decided on wider level.

As about note in readme, ok, will write it.

[benoitf]

maybe keep it for backward compliance (but just to add deprecation notice when using it saying that now Eclipse Che is always in secured mode)

[tolusha]

Agree with @benoitf

[mmorhun]

Ok, will do that.

[sleshchenko]

rm -rf ~/.cache/chectl helped to solve my issue with failed Che Server 🎉

[tolusha]

@mmorhun
README.md is automatically generated from sources when you launch yarn pack

[tolusha]

It is not good to return tasks inside task.
It is better to skip unnecessary using enable property. And the flag can be put into ctx

[mmorhun]

@tolusha I think it is a standard way to go. We may organize the sequence of tasks in more clear way: create a separate method which returns subtasks list. And that it will be clear to read (more we'll have displaying of the tasks as subtasks or will not display them at all if they are not needed to be run).
But if you really want to have flattened list of tasks, let it be so...

[mmorhun]

@tolusha thank you, I didn't know that readme is autogenerated... Fix move changes to the source code.

[tomgeorge]

At a high-level, I think it would be good to add a flag for the cert-manager namespace, in case the user already has their own cert-manager deployed that they want to use, in a namespace other than cert-manager.

Without knowing the context that went into deciding on using cert-manager for this, pulling in another cluster-addon component seems a little heavyweight when creating a TLS secret is all we need to do.

[mmorhun]

@tomgeorge thanks for the idea, but having two Cert Managers installed in the cluster would be weird. I think, instead we should request the secret from already existed Cert Manager, if any.
But that is out of scope of this PR.

[tolusha]

Sounds good.
Several remarks which can be fixed in the next PRs.

• move dockerfile to che-dockerfiles
• move templates to che
• create and use const for certmanager docker image

[tomgeorge]

@mmorhun sorry, I meant that if a cert-manager is already installed, che should use that one. But understand that it is out of scope for this PR.

[sleshchenko]

Is not src/constants.ts the right place for it?

[mmorhun]

Yes, that's the plan for next PR. I want to move dockerfile into Che repository and automate the build.

[nickboldt]

Could this be based on UBI instead of Alpine to make it a bit easier to productize? That way you could potentially RUN this build on demand rather than having Yet Another Container To Build, Publish, Maintain, Keep CVE Free, and Productize.

[nickboldt]

Even if you can't build this container on demand (inside Che when needed), moving to UBI would still make downstream easier. Or else I can contribute a rhel.Dockerfile variant that we can use in CRW.

[mmorhun]

@tomgeorge sorry, I probably misunderstood you. Usually, Cert Manager is installed in cert-manager namespace. For some installation methods (for example from yaml file) it is even hardcoded.

[sleshchenko]

Tested and it works for me. Great job 👍

Just one willing for increasing timeout for cert-manager since in my case it started in a few seconds after chectl reached timeout

[mmorhun]

@tomgeorge I've fixed all your remarks. Thanks for spotting.

[mmorhun]

@tomgeorge could you please take a look at this PR again and add more comments or unblock the merge?

[metlos]

So when this is on by default, how do you actually switch it off? Do we have something like --no-tls?

[mmorhun]

No we don't have --no-tls flag, so a user cannot switch it off on Kubernetes-like infrastructures. The same is planned for Openshift soon. Although, we are going to keep the --tls flag for backward compatibility only.
Turning it off not only dangerous from user security point of view, but also some components might not work properly without TLS (as you probably know the story about Theia webviews).

[nickboldt]

so if TLS is on by default and no longer disableable, the flag would effectively do nothing?

Will you also ensure the fields in custom resource.yaml no longer work, so that it's no longer possible to set tlsSupport: false ?

[mmorhun]

@nickboldt yes the flag will do nothing... Please see the thread #476 (comment).

[mmorhun]

As about tlsSupport flag in CRDs... you are right, we have to take a look and prevent breaking stuff with wrong value of the flag.

[mmorhun]

But I think it should be done when I'll be working on operator part.

[nickboldt]

OK as long as this TODO is captured in a GH issue for that task, then +1. Just don't want to forget this part. :D

[metlos]

How are we going to support this file in CRW? Have we checked that the licenses are compatible? https://github.com/jetstack/cert-manager/blob/master/LICENSES

Also, all these definitions (apart from the CRDs) are managed through helm. Would it not be possible to use helm for installing them instead of hardcoding this humongous file into our codebase?

[mmorhun]

Have we checked that the licenses are compatible?

Cert Manager is licensed under Apache License Version 2.0. That mean we can use it.

Would it not be possible to use helm for installing them

Yes, it is possible. But we plan to use the same approach for operator. And there, usage of Helm will be weird.

[nickboldt]

seems strange to join the -L and -O flags but not the -s flag here

[nickboldt]

see comments/questions.

[nickboldt]

So.. .this container is just kubectl + a cert? Instead of new container, could we instead just add this cert into https://github.com/che-dockerfiles/che-sidecar-kubernetes-tooling and keep the proliferation of containers (and therefore things that need to be productized) to a minimum? CRW 1.2 was 8 containers. 2.0 was 20. 2.1 is up to 23 and counting.

Can we try to reuse our existing tiny containers (and their existing builds/infra/sync jobs/productization pipeline) and just add a new kb of new files into them??

[mmorhun]

@nickboldt yes, this container indeed contains kubectl and openssl only, but we cannot reuse Kubernetes tolling sidecar for the Cert Manager job. First, they have different purposes: the job completes its tasks and exists, whereas Kubernetes tooling sidecar is designed to be run as a part of a workspace. Second, they have different aims: generate certificate and serve queries to Kubernetes respectively. Third, chectl (and Che installation process) should not depend on a Che sidecar. That's logically wrong and error prone: if something is changed in Kubernetes Che plugin it could break Che installation.

[nickboldt]

sigh OK, I was hoping for reuse and less proliferation of single-use containers. Your logic is sound, but still makes me sad. :(

[nickboldt]

+1 as is but I'd prefer if the base image was UBI.

Also if we could generate this container from inside Che rather than building it and storing it in Quay, it could be a transient artifact instead of one we maintain and manage.

[mmorhun]

@rhopp FYI: we are going to merge this PR right after 7.9 release. So, if you have any infrastructure which uses Helm Che installer, from that point, it will deploy Che in TLS mode with self-signed certificate.

[rhopp]

👍