Support custom public certificates #824
Conversation
vzhukovs
requested review from
benoitf,
azatsarynnyy,
tolusha and
RomanNikitenko
vzhukovs
requested review from
ericwill,
svor,
tsmaeder,
vinokurig and
vitaliy-guliy
as code owners
|
PR's build can be failed due to separate PR in workspace client library: eclipse-che/che-workspace-client#34 I'll fork workspace-client library with changes and provide custom image for che-theia with changes from current PR and PR from workspace-client repository. |
|
If I understand correctly |
That's correct, |
There was a problem hiding this comment.
I see that /tmp/che/secret/ca.crt is used here https://github.com/eclipse/che-theia/blob/5155d757a7228f55975f53609d8b8a43668787f0/plugins/workspace-plugin/src/theia-commands.ts#L21
Should we have some changes here?
Nice catch! I'll add parameters to the curl call. Thanks! |
According to not sure we should pass every certificate as parameters in this case, so, leave this code as is. |
is it possible that If it's possible, should we pass |
I suppose no, it's impossible. @tolusha is it possible to run che on http environment? |
|
Here is an image for testing purposes: |
|
I believe we can merge this part and the whole flow will be checked once all the other parts are finished within the downstream issue. |
|
@azatsarynnyy |
|
❌ E2E Happy path tests failed ❗
See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1) ℹ️ |
|
[ci-build] |
|
crw-ci-test |
|
❌ E2E Happy path tests failed ❗
See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1) ℹ️ |
|
Thank you very much @mmorhun for testing it! @vzhukovskii now we can proceed with getting it merged:
|
|
@azatsarynnyy |
Sure. That's the plan. |
|
crw-ci-test |
|
✅ E2E Happy path tests succeed 🎉
See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1) |
@tolusha According to our today discussion, I would say it is possible, no ? If the router CA extracted by the Che operator through a dummy route is not seen as self-signed, then the |
| @@ -127,11 +128,11 @@ export class ChePluginServiceImpl implements ChePluginService { | |||
| const httpOverHttpsAgent = tunnel.httpOverHttps({ proxy: httpsProxyOptions }); | |||
There was a problem hiding this comment.
It seems to me that the httpsProxyOptions might need to have the public-certs as well, since this is the bundle that contains the intercepting proxy CA (coming from the cluster-wide-proxy).
Does it make sense @tolusha ?
The same change would have to be done on the corresponding code in the che-workspace-client library.
extensions/che-theia-hosted-plugin-manager-extension/package.json
Outdated
Show resolved
Hide resolved
Yes, it is possible accordingly to our discussion. |
It is hard to answer, I am not familiar with that how it works in theia. |
|
✅ E2E Happy path tests succeed 🎉
See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1) |
Signed-off-by: Vladyslav Zhukovskyi <vzhukovs@redhat.com>
I suppose, it would be better to implement this in separate issue/pr. This is out of scope of current issue. @davidfestal, @tolusha wdyt? |
I'm +1 for making a separate issue for that case. |
|
✅ E2E Happy path tests succeed 🎉
See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1) |
Accordingly to |
You're right. This logic is in master branch now and in current PR. |
|
Are there any objections, which prevent merging this PR to master? @tolusha @davidfestal @azatsarynnyy |
|
I don't have any. |
I've already approved it. |
…issions (#824) If a sidecar adds any .sh files, check that they are executable to prevent entrypoint errors. Fixes eclipse-che/che#18737 Signed-off-by: Eric Williams <ericwill@redhat.com>
What does this PR do?
This changes proposal adds an ability to provide custom certificates.
Custom certificates should be located in
/public-certs/*.crtSigned-off-by: Vladyslav Zhukovskyi vzhukovs@redhat.com
What issues does this PR fix or reference?
eclipse-che/che#17440
Hapy Path Channel
HAPPY_PATH_CHANNEL=stable