Implement autodetetion for self-signed certificate flag (#301)

Implement autodecetion for self-signed certificate flag Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
eclipse-che · Jun 16, 2020 · 10305c3 · 10305c3
1 parent 7b23670
commit 10305c3
Show file tree

Hide file tree

Showing 24 changed files with 2,710 additions and 548 deletions.
diff --git a/README.md b/README.md
@@ -83,16 +83,18 @@ Make sure your current user has cluster-admin privileges.
 
 ### TLS
 
+TLS is enabled by default.
+Turning it off is not recommended as it will cause malfunction of some components.
+
 #### OpenShift
 
-When using self-signed certificates make sure you set `server.selfSignedCert` to true
-or create a secret called `self-signed-certificate` in a target namespace with ca.crt holding your OpenShift router crt body.
-When `server.selfSignedCert` the operator will create a test TLS route, GET it, extract certificate chain, convert to a secret `self-signed-certificate`,
-and Che/CRW server will automatically add it to Java trust store.
+When the cluster is configured to use self-signed certificates for the router, the certificate will be automatically propogated to Che components as trusted.
+If cluster router uses certificate signed by self-signed one, then parent/root CA certificate should be added into corresponding config map of additional trusted certificates (see `serverTrustStoreConfigMapName` option).
 
 #### K8S
 
-When enabling TLS, make sure you create a secret with crt and key, and let the Operator know about it in `k8s.tlsSecretName`
+By default self-signed certificates for Che will be generated automatically.
+If it is needed to use own certificates, create `che-tls` secret (see `k8s.tlsSecretName` option) with `key.crt` and `tls.crt` fields. In case of self-signed certificate `self-signed-certificate` secret should be created with public part of CA certificate under `ca.crt` key in secret data.
 
 ## How to Configure
 

diff --git a/deploy/crds/org_v1_che_cr.yaml b/deploy/crds/org_v1_che_cr.yaml
@@ -30,15 +30,12 @@ spec:
     # specifies a custom cluster role to user for the Che workspaces
     # Uses the default roles if left blank.
     cheWorkspaceClusterRole: ''
-    # when set to true the operator will attempt to get a secret in OpenShift router namespace
-    # to add it to Java trust store of Che server. Requires cluster-admin privileges for operator service account
-    selfSignedCert: false
     # Name of the config-map with public certificates to add to Java trust store of the Che server.
     serverTrustStoreConfigMapName: ''
     # If enabled then the certificate from `che-git-self-signed-cert` config map
     # will be propagated to the Che components and provide particular configuration for Git.
     gitSelfSignedCert: false
-    # TLS mode for Che. Make sure you either have public cert, or set selfSignedCert to true
+    # TLS mode for Che. It is not recommended to turn this off.
     tlsSupport: true
     # protocol+hostname of a proxy server. Automatically added as JAVA_OPTS and https(s)_proxy
     # to Che server and workspaces containers

diff --git a/deploy/crds/org_v1_che_crd.yaml b/deploy/crds/org_v1_che_crd.yaml
@@ -422,13 +422,9 @@ spec:
                     a proxy is required (see also the `proxyURL` `proxySecret` fields).
                   type: string
                 selfSignedCert:
-                  description: Enables the support of OpenShift clusters whose router
-                    uses self-signed certificates. When enabled, the operator retrieves
-                    the default self-signed certificate of OpenShift routes and adds
-                    it to the Java trust store of the Che server. This is usually
-                    required when activating the `tlsSupport` field on demo OpenShift
-                    clusters that have not been setup with a valid certificate for
-                    the routes. This is disabled by default.
+                  description: Deprecated. The value of this flag is ignored. Che
+                    operator will automatically detect if router certificate is self-signed.
+                    If so it will be propagated to Che server and some other components.
                   type: boolean
                 serverMemoryLimit:
                   description: Overrides the memory limit used in the Che server deployment.
@@ -446,10 +442,9 @@ spec:
                     its CA cert to be able to request it. This is disabled by default.
                   type: string
                 tlsSupport:
-                  description: 'Instructs the operator to deploy Che in TLS mode,
-                    ie with TLS routes or ingresses. This is disabled by default.
-                    WARNING: Enabling TLS might require enabling the `selfSignedCert`
-                    field also in some cases.'
+                  description: Deprecated. Instructs the operator to deploy Che in
+                    TLS mode. This is enabled by default. Disabling TLS may cause
+                    malfunction of some Che components.
                   type: boolean
                 workspaceNamespaceDefault:
                   description: 'Defines Kubernetes default namespace in which user''s

diff --git a/e2e/create.go b/e2e/create.go
@@ -46,7 +46,7 @@ func createOperatorServiceAccountRole(operatorServiceAccountRole *rbac.Role) (er
 func createOperatorServiceAccountClusterRole(operatorServiceAccountClusterRole *rbac.ClusterRole) (err error) {
 
 	operatorServiceAccountClusterRole, err = client.clientset.RbacV1().ClusterRoles().Create(operatorServiceAccountClusterRole)
-	if err != nil && ! errors.IsAlreadyExists(err) {
+	if err != nil && !errors.IsAlreadyExists(err) {
 		logrus.Fatalf("Failed to create role %s: %s", operatorServiceAccountClusterRole.Name, err)
 		return err
 	}
@@ -87,18 +87,16 @@ func deployOperator(deployment *appsv1.Deployment) (err error) {
 
 }
 
-func newNamespace() (ns *corev1.Namespace){
+func newNamespace() (ns *corev1.Namespace) {
 
 	return &corev1.Namespace{
-
 		TypeMeta: metav1.TypeMeta{
-			Kind: "Namespace",
+			Kind:       "Namespace",
 			APIVersion: corev1.SchemeGroupVersion.Version,
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:namespace,
+			Name: namespace,
 		},
-
 	}
 }
 
@@ -110,7 +108,6 @@ func createNamespace(ns *corev1.Namespace) (err error) {
 		return err
 	}
 	return nil
-
 }
 
 func newCheCluster() (cr *orgv1.CheCluster) {
@@ -121,10 +118,8 @@ func newCheCluster() (cr *orgv1.CheCluster) {
 		TypeMeta: metav1.TypeMeta{
 			Kind: kind,
 		},
-		Spec:orgv1.CheClusterSpec{
-			Server:orgv1.CheClusterSpecServer{
-				SelfSignedCert: true,
-			},
+		Spec: orgv1.CheClusterSpec{
+			Server: orgv1.CheClusterSpecServer{},
 		},
 	}
 	return cr