Implement addition CA config maps merge and propagation to Che server #531
@l0rd do you have some corrections for label name?
@mmorhun yes :-) I think that we have agreed using recommended kubernetes labels with platform team. cc @skabashnyuk. See in docs. In this case I would use the following labels:
@l0rd do you mean that Che admin should add 2 labels to a config map in order to have it recognized by Che as trusted CA source?
@mmorhun yes, that's consistent with secrets that we want to be injected in workspaces.
@l0rd done
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
…o Che server Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
…rt-of=che.eclipse.org label Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
pkg/deploy/tls.go
return nil, err | ||
} | ||
mergedCAConfigMapSpec.ObjectMeta.Labels[CheMergedCAConfigMapRevisionsLabelKey] = revisions | ||
mergedCAConfigMapSpec.ObjectMeta.Labels["warning"] = "do-not-edit-manually" |
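Review bot: On the last line, the "warning" label key is an unprefixed string literal, while the line above it uses the CheMergedCAConfigMapRevisionsLabelKey constant, and a label by itself does not stop anyone from editing the config map. Consider a prefixed key defined as a constant, or an annotation if nothing selects on it. Also check that revisions stays within the 63-character limit for Kubernetes label values as more CA config maps are merged, and that ObjectMeta.Labels is non-nil before these two assignments.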
app.kubernetes.io/part-of=che.eclipse.org
I wanted to warn users not to edit the config map. But if you think that it is redundant, then I'll delete the label.
New changes are detected. LGTM label has been removed.
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
What does this PR do?
This PR merges all config maps with CA certificates that are marked with the che-ca-certs:true label into a single config and then passes the resulting config map to Che server. The spec.server.serverTrustStoreConfigMapName CR field is supported too, and the config map, if any, is added into the resulting one as well.
What issues does this PR fix or reference?
eclipse-che/che#17634
How to test
che namespace with CA certs
app.kubernetes.io/component:ca-bundle and app.kubernetes.io/part-of:che.eclipse.org labels
/public-certs folder
To generate CA certs, one may use the following script:
Then create config maps:
Finally, add the label:
and/or patch CR:
It is expected that certs from ca1, ca23 and ca5 will be propagated into a workspace under the /public-certs directory. ca4 should not be propagated.
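The selection and merge described in this PR, as an added Go example that is not the operator's own code: a config map is trusted only when it carries both labels from the thread or is named in spec.server.serverTrustStoreConfigMapName. The ConfigMap struct, the key prefixing, the revisions string format, the PEM check and the sample data are assumptions made for illustration.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"sort"
)

// ConfigMap is a simplified stand-in for a Kubernetes ConfigMap (assumption).
type ConfigMap struct {
	Name, ResourceVersion string
	Labels, Data          map[string]string
}

// isCASource: both labels from the thread, or the spec.server.serverTrustStoreConfigMapName value.
func isCASource(cm ConfigMap, trustStore string) bool {
	return (trustStore != "" && cm.Name == trustStore) ||
		(cm.Labels["app.kubernetes.io/component"] == "ca-bundle" &&
			cm.Labels["app.kubernetes.io/part-of"] == "che.eclipse.org")
}

// MergeCAConfigMaps sorts cms in place by name; returns merged data and a revisions string.
func MergeCAConfigMaps(cms []ConfigMap, trustStore string) (map[string]string, string) {
	sort.Slice(cms, func(i, j int) bool { return cms[i].Name < cms[j].Name })
	merged, revisions := map[string]string{}, ""
	for _, cm := range cms {
		if isCASource(cm, trustStore) {
			for key, val := range cm.Data {
				// Hypothetical hardening: keep only values holding a PEM CERTIFICATE block.
				if b, _ := pem.Decode([]byte(val)); b != nil && b.Type == "CERTIFICATE" {
					merged[cm.Name+"."+key] = val // name prefix avoids key collisions
				}
			}
			revisions += cm.Name + "-" + cm.ResourceVersion + "."
		}
	}
	return merged, revisions
}

// Constructed sample data; the PEM body is a placeholder, not a real certificate.
const crt = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
var both = map[string]string{"app.kubernetes.io/component": "ca-bundle", "app.kubernetes.io/part-of": "che.eclipse.org"}
var Sample = []ConfigMap{
	{"corp-ca", "11", both, map[string]string{"ca.crt": crt, "notes.txt": "not a cert"}},
	{"half-labelled", "44", map[string]string{"app.kubernetes.io/component": "ca-bundle"}, map[string]string{"ca.crt": crt}},
	{"legacy-store", "55", nil, map[string]string{"ca.crt": crt}},
}

func main() { fmt.Println(MergeCAConfigMaps(Sample, "legacy-store")) }
```

The config map with only one of the two labels contributes nothing to the merged bundle, and the revisions string changes only when a trusted source changes.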