Support custom public certificates #824
The PR's build may fail due to a separate PR in the workspace client library: eclipse-che/che-workspace-client#34. I'll fork the workspace-client library with the changes and provide a custom image for che-theia with the changes from the current PR and the PR from the workspace-client repository.
If I understand correctly
That's correct,
I see that /tmp/che/secret/ca.crt is used here: https://github.com/eclipse/che-theia/blob/5155d757a7228f55975f53609d8b8a43668787f0/plugins/workspace-plugin/src/theia-commands.ts#L21
Should we have some changes here?
Nice catch! I'll add parameters to the curl call. Thanks!
According to
not sure we should pass every certificate as parameters in this case, so, leave this code as is.
is it possible that If it's possible, should we pass
I suppose no, it's impossible. @tolusha is it possible to run Che on an HTTP environment?
I suppose no, it's impossible.
OK
Here is an image for testing purposes:
I believe we can merge this part and the whole flow will be checked once all the other parts are finished within the downstream issue.
@azatsarynnyy
❌ E2E Happy path tests failed ❗ See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1) ℹ️
[ci-build]
crw-ci-test
❌ E2E Happy path tests failed ❗ See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1) ℹ️
I tested these changes on OpenShift 4 with an institutional (self-signed) certificate and a cluster-wide proxy which is configured to intercept TLS. Everything works as expected.
Thank you very much @mmorhun for testing it! @vzhukovskii now we can proceed with getting it merged:
@azatsarynnyy
Sure. That's the plan.
crw-ci-test
✅ E2E Happy path tests succeed 🎉 See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1)
@tolusha According to our discussion today, I would say it is possible, no? If the router CA extracted by the Che operator through a dummy route is not seen as self-signed, then the
@@ -127,11 +128,11 @@ export class ChePluginServiceImpl implements ChePluginService { | |||
const httpOverHttpsAgent = tunnel.httpOverHttps({ proxy: httpsProxyOptions }); |
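Review bot: On the visible line the tunnelling agent is built from httpsProxyOptions alone, so the TLS connection to the proxy is verified only against whatever CA material those options carry. If the proxy presents a certificate issued by a custom CA, the certificates read from /public-certs need to be set on httpsProxyOptions too, not only on the request that goes through the tunnel; please either add them here or leave a short comment explaining why the proxy hop does not need them.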
It seems to me that the httpsProxyOptions might need to have the public-certs as well, since this is the bundle that contains the intercepting proxy CA (coming from the cluster-wide-proxy).
Does it make sense @tolusha ?
The same change would have to be done on the corresponding code in the che-workspace-client library.
extensions/che-theia-hosted-plugin-manager-extension/package.json
Yes, it is possible according to our discussion.
It is hard to answer, I am not familiar with how it works in Theia.
✅ E2E Happy path tests succeed 🎉 See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1)
Signed-off-by: Vladyslav Zhukovskyi <vzhukovs@redhat.com>
I suppose it would be better to implement this in a separate issue/PR. This is out of scope of the current issue. @davidfestal, @tolusha wdyt?
I'm +1 for making a separate issue for that case.
✅ E2E Happy path tests succeed 🎉 See Details
Tested with Eclipse Che Single User on K8S (minikube v1.1.1)
Accordingly to
You're right. This logic is in master branch now and in current PR.
Are there any objections, which prevent merging this PR to master? @tolusha @davidfestal @azatsarynnyy
I don't have any.
I've already approved it.
…issions (#824) If a sidecar adds any .sh files, check that they are executable to prevent entrypoint errors. Fixes eclipse-che/che#18737 Signed-off-by: Eric Williams <ericwill@redhat.com>
What does this PR do?
This change proposal adds the ability to provide custom certificates.
Custom certificates should be located in /public-certs/*.crt
Signed-off-by: Vladyslav Zhukovskyi <vzhukovs@redhat.com>
What issues does this PR fix or reference?
eclipse-che/che#17440
Happy Path Channel
HAPPY_PATH_CHANNEL=stable
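Loading the custom certificates from /public-certs/*.crt into a Node.js trust bundle, as an added example (not code from this PR or from che-theia). The function names are hypothetical and only Node's built-in modules are used; it also shows the caveat that setting `ca` replaces the default root store.

```javascript
// Added example, not che-theia code. Function names are hypothetical.
const fs = require('node:fs');
const path = require('node:path');
const tls = require('node:tls');
const https = require('node:https');

// Matches each PEM certificate block; one .crt file may hold a whole chain.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Read every *.crt file in certDir and return the PEM blocks found.
// A missing directory yields an empty list so callers keep the defaults.
function loadCustomCerts(certDir) {
  let names;
  try {
    names = fs.readdirSync(certDir);
  } catch (err) {
    if (err.code === 'ENOENT') return [];
    throw err; // permission errors etc. should be visible, not swallowed
  }
  const certs = [];
  for (const name of names.filter((n) => n.endsWith('.crt')).sort()) {
    const text = fs.readFileSync(path.join(certDir, name), 'utf8');
    certs.push(...(text.match(PEM_CERT) || [])); // files without a PEM block add nothing
  }
  return certs;
}

// Passing `ca` to Node replaces its built-in roots, so append them explicitly;
// otherwise public endpoints stop verifying once a custom CA is configured.
// Returns undefined when there are no custom certificates (Node defaults apply).
function buildTrustBundle(certDir) {
  const custom = loadCustomCerts(certDir);
  return custom.length ? [...custom, ...tls.rootCertificates] : undefined;
}

// The same bundle would be given to any proxy-facing TLS options as well.
function createAgent(certDir) {
  // rejectUnauthorized stays true: trust is extended, verification is not disabled.
  return new https.Agent({ ca: buildTrustBundle(certDir), rejectUnauthorized: true });
}
```
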