
Conversation

@amisevsk (Collaborator) commented Jun 1, 2023

What does this PR do?

Update project-clone to use git for determining whether a project's checkoutFrom.revision is a remote/local branch, tag, or hash instead of relying on go-git.

This avoids issues where e.g. a git repository is behind a self-signed cert, where it is not easy to configure additional CA bundles for use in go-git.

What issues does this PR fix or reference?

Closes #1114

Is it tested? How?

Changes are pushed to image quay.io/amisevsk/project-clone:dev

To test this image with DWO:

  • On Kubernetes, update the controller deployment to set the RELATED_IMAGE_project_clone environment variable to quay.io/amisevsk/project-clone:dev
  • On OpenShift (installed via Operator), update the DevWorkspace Operator CSV to set the RELATED_IMAGE_project_clone environment variable to quay.io/amisevsk/project-clone:dev. Can be reset by using the value from the CSV's relatedImages field.

To test that basic functionality is not changed, you can use the following devworkspace:

kind: DevWorkspace
apiVersion: workspace.devfile.io/v1alpha2
metadata:
  name: git-clone-sample-devworkspace
spec:
  started: true
  template:
    attributes:
      controller.devfile.io/storage-type: ephemeral
    projects:
      - name: web-nodejs-sample
        git:
          remotes:
            origin: "https://github.com/che-samples/web-nodejs-sample.git"
      - name: devworkspace-operator
        git:
          checkoutFrom:
            remote: origin
            revision: 0.21.x
          remotes:
            origin: "https://github.com/devfile/devworkspace-operator.git"
            amisevsk: "https://github.com/amisevsk/devworkspace-operator.git"
      - name: devworkspace-operator-tag
        git:
          checkoutFrom:
            remote: amisevsk
            revision: v0.21.0
          remotes:
            origin: "https://github.com/devfile/devworkspace-operator.git"
            amisevsk: "https://github.com/amisevsk/devworkspace-operator.git"
      - name: devworkspace-operator-hash
        git:
          checkoutFrom:
            remote: amisevsk
            revision: e17b2754
          remotes:
            origin: "https://github.com/devfile/devworkspace-operator.git"
            amisevsk: "https://github.com/amisevsk/devworkspace-operator.git"
  contributions:
    - name: che-code
      uri: https://eclipse-che.github.io/che-plugin-registry/main/v3/plugins/che-incubator/che-code/latest/devfile.yaml
      components:
        - name: che-code-runtime-description
          container:
            env:
              - name: CODE_HOST
                value: 0.0.0.0

(There are likely additional edge cases worth testing)

To test that #1114 is resolved, specify a project that refers to a repository with self-signed certificates.

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

amisevsk added 2 commits June 1, 2023 15:16
To avoid issues with self-signed certificates on git repositories, avoid
use of go-git (which would require configuring additional CA bundles)
and instead delegate to the git binary, which respects additional
bundles automatically.

The main cause for failure is go-git attempting to list references in a
remote, which can fail due to untrusted certificates. Instead, we rely
on the git binary to determine if a checkoutFrom.revision is a
local/remote branch, tag, or hash.

Signed-off-by: Angel Misevski <amisevsk@redhat.com>

Fix the git-clone-sample.yaml sample to reference an existing branch for
checkout, as the previous branch has since been deleted. This uses a
release branch (0.21.x) which should not be deleted in the future.

Signed-off-by: Angel Misevski <amisevsk@redhat.com>
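The delegation described in the PR description and the first commit message, as an added Go example that is not project-clone's own code: it classifies a checkoutFrom.revision purely from the exit status of probes run through the system git binary, so the container trust store and any mounted CA bundle (http.sslCAInfo / GIT_SSL_CAINFO) apply with no CA plumbing on the Go side. It also shows the check a practitioner would want once a devfile-controlled string is handed to a CLI: the revision is passed as a single argv element, either behind a refs/ prefix or after a hex check, and values beginning with "-" are refused, so a revision such as "--upload-pack=..." cannot be parsed by git as an option. The probe order (local branch, remote-tracking branch, tag, commit), the StaticGit stand-in that lets the example run without git, and the ref names in main() are assumptions constructed for this example; the refs mirror the sample devworkspace above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// RevisionKind is the category project-clone needs for checkoutFrom.revision.
type RevisionKind int

const (
	RevisionUnknown RevisionKind = iota
	RevisionLocalBranch
	RevisionRemoteBranch
	RevisionTag
	RevisionCommit
)

func (k RevisionKind) String() string {
	return [...]string{"unknown", "local branch", "remote branch", "tag", "commit"}[k]
}

// GitRunner runs git with args inside dir and returns nil on exit status 0.
// Only the exit status matters: that is exactly what
// `git show-ref --verify --quiet` and `git cat-file -e` report.
type GitRunner func(dir string, args ...string) error

// ExecGit is the real runner: it invokes the system git binary as argv (never
// through a shell), so git's own TLS handling and CA configuration apply.
func ExecGit(dir string, args ...string) error {
	cmd := exec.Command("git", args...)
	cmd.Dir = dir
	cmd.Stderr = os.Stderr
	return cmd.Run()
}

// StaticGit is a constructed stand-in for git used to run this example
// offline: it succeeds only for the exact argv strings listed in present.
func StaticGit(present map[string]bool) GitRunner {
	return func(_ string, args ...string) error {
		if present[strings.Join(args, " ")] {
			return nil
		}
		return errors.New("exit status 1")
	}
}

// Abbreviated or full SHA-1 hashes; anything else is never passed to cat-file.
var hexRevision = regexp.MustCompile(`^[0-9a-fA-F]{4,40}$`)

// ClassifyRevision probes the clone in dir for revision in the assumed order
// local branch, remote-tracking branch on remote, tag, commit. The revision is
// always one argv element behind a refs/ prefix or a hex check, and leading
// "-" or whitespace is refused, so git can never read it as an option.
func ClassifyRevision(run GitRunner, dir, remote, revision string) (RevisionKind, error) {
	if revision == "" || strings.HasPrefix(revision, "-") || strings.ContainsAny(revision, " \t\r\n") {
		return RevisionUnknown, fmt.Errorf("refusing unsafe revision %q", revision)
	}
	probes := []struct {
		kind RevisionKind
		args []string
	}{
		{RevisionLocalBranch, []string{"show-ref", "--verify", "--quiet", "refs/heads/" + revision}},
		{RevisionRemoteBranch, []string{"show-ref", "--verify", "--quiet", "refs/remotes/" + remote + "/" + revision}},
		{RevisionTag, []string{"show-ref", "--verify", "--quiet", "refs/tags/" + revision}},
	}
	for _, p := range probes {
		if run(dir, p.args...) == nil {
			return p.kind, nil
		}
	}
	if hexRevision.MatchString(revision) && run(dir, "cat-file", "-e", revision+"^{commit}") == nil {
		return RevisionCommit, nil
	}
	return RevisionUnknown, fmt.Errorf("revision %q is not a branch, tag, or commit via remote %q", revision, remote)
}

func main() {
	// Constructed repository state mirroring the sample devworkspace in the PR.
	git := StaticGit(map[string]bool{
		"show-ref --verify --quiet refs/heads/master":          true,
		"show-ref --verify --quiet refs/remotes/origin/0.21.x": true,
		"show-ref --verify --quiet refs/tags/v0.21.0":          true,
		"cat-file -e e17b2754^{commit}":                        true,
	})
	for _, rev := range []string{"master", "0.21.x", "v0.21.0", "e17b2754", "--upload-pack=/tmp/x", "nope"} {
		kind, err := ClassifyRevision(git, "/projects/example", "origin", rev)
		fmt.Printf("%-22s -> %-13s err=%v\n", rev, kind, err)
	}
}
```

Swap StaticGit for ExecGit to run the same classification against a real clone; because the probes go through the git binary, a self-signed server certificate is handled by whatever CA bundle git is configured with, which is the behaviour the PR relies on.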
@amisevsk amisevsk requested review from AObuchow and l0rd as code owners June 1, 2023 19:21
@openshift-ci openshift-ci bot added the approved label Jun 1, 2023
@AObuchow (Collaborator) left a comment

I can verify that this fixes the issue 😎 🙏.

Tested on OpenShift 4.12.

To reproduce, I used the following devworkspace that references a repo with a self-signed cert:

kind: DevWorkspace
apiVersion: workspace.devfile.io/v1alpha2
metadata:
  name: git-clone-sample-devworkspace
spec:
  started: true
  template:
    attributes:
      controller.devfile.io/storage-type: ephemeral
    projects:
      - name: public-bb-repo
        git:
          checkoutFrom:
            remote: origin
            revision: master
          remotes:
            origin: "https://bitbucket-bitbucket-oauth2.apps.ds-airgap-v13.crw-qe.com/scm/~admin/public-bb-repo.git"
  contributions:
    - name: che-code
      uri: https://eclipse-che.github.io/che-plugin-registry/main/v3/plugins/che-incubator/che-code/latest/devfile.yaml
      components:
        - name: che-code-runtime-description
          container:
            env:
              - name: CODE_HOST
                value: 0.0.0.0

I then applied the cert as a configmap:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    controller.devfile.io/git-tls-credential: "true"
    controller.devfile.io/mount-to-devworkspace: "true"
    controller.devfile.io/watch-configmap: "true"
  name: selfsigned-cert
  namespace: self-signed-cert-test
data:
  certificate: |
    -----BEGIN CERTIFICATE-----
    (...)

On DWO 0.20.0 using the project-clone image that's currently on master, the revision checkout failed. The following are the project-clone container logs:

2023/06/01 21:57:38 Using temporary directory /projects/project-clone-4283443309
2023/06/01 21:57:38 Read DevWorkspace at /devworkspace-metadata/flattened.devworkspace.yaml
2023/06/01 21:57:38 Processing project public-bb-repo
2023/06/01 21:57:38 Cloning project public-bb-repo to /projects/project-clone-4283443309/public-bb-repo
Cloning into '/projects/project-clone-4283443309/public-bb-repo'...
2023/06/01 21:57:39 Cloned project public-bb-repo to /projects/project-clone-4283443309/public-bb-repo
2023/06/01 21:57:39 Setting up remotes for project public-bb-repo
2023/06/01 21:57:39 Fetched remote origin at https://bitbucket-bitbucket-oauth2.apps.ds-airgap-v13.crw-qe.com/scm/~admin/public-bb-repo.git
2023/06/01 21:57:39 No personal access token found for URL https://bitbucket-bitbucket-oauth2.apps.ds-airgap-v13.crw-qe.com/scm/~admin/public-bb-repo.git
2023/06/01 21:57:39 Encountered error while setting up project public-bb-repo: failed to checkout revision: failed to read remote origin: Get "https://bitbucket-bitbucket-oauth2.apps.ds-airgap-v13.crw-qe.com/scm/~admin/public-bb-repo.git/info/refs?service=git-upload-pack": x509: certificate signed by unknown authority

I then switched to the provided project clone image from quay.io/amisevsk/project-clone:dev and restarted the workspace. Here are the project clone container logs:

2023/06/01 22:01:27 Using temporary directory /projects/project-clone-2011656776
2023/06/01 22:01:27 Read DevWorkspace at /devworkspace-metadata/flattened.devworkspace.yaml
2023/06/01 22:01:27 Processing project public-bb-repo
2023/06/01 22:01:27 Cloning project public-bb-repo to /projects/project-clone-2011656776/public-bb-repo
Cloning into '/projects/project-clone-2011656776/public-bb-repo'...
2023/06/01 22:01:28 Cloned project public-bb-repo to /projects/project-clone-2011656776/public-bb-repo
2023/06/01 22:01:28 Setting up remotes for project public-bb-repo
2023/06/01 22:01:28 Fetched remote origin at https://bitbucket-bitbucket-oauth2.apps.ds-airgap-v13.crw-qe.com/scm/~admin/public-bb-repo.git
2023/06/01 22:01:28 Checking out local branch master
Already on 'master'
Your branch is up to date with 'origin/master'.
2023/06/01 22:01:28 Setting tracking remote for branch master to origin
branch 'master' set up to track 'origin/master'.
2023/06/01 22:01:28 Moving cloned project public-bb-repo from temporary dir /projects/project-clone-2011656776/public-bb-repo to /projects/public-bb-repo

Awesome work @amisevsk 🥳

@openshift-ci openshift-ci bot commented Jun 1, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amisevsk, AObuchow

@AObuchow (Collaborator) commented Jun 2, 2023

/retest

@codecov codecov bot commented Jun 2, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (a6c022a) 51.60% compared to head (25123f6) 51.60%.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1115   +/-   ##
=======================================
  Coverage   51.60%   51.60%           
=======================================
  Files          79       79           
  Lines        7299     7299           
=======================================
  Hits         3767     3767           
  Misses       3244     3244           
  Partials      288      288           


@amisevsk amisevsk merged commit 4215da5 into devfile:main Jun 2, 2023
@amisevsk amisevsk deleted the project-clone-self-signed-cert branch June 2, 2023 15:18
@l0rd (Collaborator) commented Jun 2, 2023

I have tested with Che next: I have configured the CM with the cert, updated CheCluster. I reproduced the original issue. Then I updated the project clone image in the CSV and tested with the devfiles in this gist. Things worked as expected 👍

@amisevsk (Collaborator, Author) commented Jun 2, 2023

Thanks for the convenient samples @l0rd -- I'll share with QE for helping verify changes downstream as well

Development

Successfully merging this pull request may close these issues.

Project clone does not respect additional certificates when querying remotes
