
[HTTPS] Using Che with self-signed-certs on OpenShift is frustrating. #15658

Closed
johnmcollier opened this issue Jan 10, 2020 · 4 comments
Comments

@johnmcollier (Contributor) commented Jan 10, 2020

Describe the bug

I'm running Che 7.6.0 on OCP 4.2, where the cluster's certificates are self-signed. I installed Che from OperatorHub and used the following CheCluster yaml:

apiVersion: org.eclipse.che/v1
kind: CheCluster
metadata:
  name: eclipse-che
  namespace: che
spec:
  server:
    cheImageTag: ''
    devfileRegistryImage: ''
    pluginRegistryImage: ''
    tlsSupport: true
    selfSignedCert: true
  database:
    externalDb: false
    chePostgresHostName: ''
    chePostgresPort: ''
    chePostgresUser: ''
    chePostgresPassword: ''
    chePostgresDb: ''
  auth:
    openShiftoAuth: true
    identityProviderImage: ''
    externalIdentityProvider: false
    identityProviderURL: ''
    identityProviderRealm: ''
    identityProviderClientId: ''
  storage:
    pvcStrategy: per-workspace
    pvcClaimSize: 1Gi
    preCreateSubPaths: true

In order to properly access Che and create/start/use a workspace, I had to do the following:

  1. If I access the Che dashboard immediately after install, I get the following error in my browser:
     [Screenshot: Screen Shot 2020-01-10 at 3 19 21 PM]
     • To resolve this, I have to go to the Keycloak URL and whitelist its certificate in my browser.
  2. Once #1 above has been resolved, I can create an account and log in to Che. However, none of the devfiles from the devfile registry will load:
     [Screenshot: Screen Shot 2020-01-10 at 3 21 10 PM]
     • As before, the error in the JavaScript console indicates that the certificate for the devfile registry is being rejected. So I have to look up the URL of the devfile registry and whitelist it in my browser.
  3. Once #2 above has been resolved, I can create a workspace, but I cannot access it, as the certificates for the workspace's routes need to be whitelisted too:
     [Screenshot: Screen Shot 2020-01-10 at 3 36 35 PM]
     • As before, the certificates for that route need to be whitelisted as well.

This continued for each route in Che I encountered. I ended up needing to whitelist over 10 routes just to get a functioning Che workspace.

Now that Theia webviews require HTTPS (#15635, eclipse-theia/theia#6465 (comment)), anything that requires WebViews in Che-Theia effectively requires an HTTPS install of Che.

I know that #15298 and eclipse-che/che-docs#1007 should help with some of my concerns. But having to individually (and manually) add the certificates for the 5+ routes that Che relies on (or retrieving my cluster's ca.crt) still creates a bad user experience in my opinion. A lot of on-prem installs of Kube & OpenShift will use self-signed certificates, so I wouldn't consider what I'm trying to do here an edge case either. It also makes setting up Che on a local Kubernetes (Minikube, CRC, etc.) much more complicated, and thus harder for newcomers to try out.

If I follow the instructions being prepared in eclipse-che/che-docs#1007, I could generate new certificates and reconfigure the router with those certificates, and add the ca.crt to my browser. But that seems like a ton of work just to use Che with self-signed certs, and I wouldn't necessarily want or be able to change the router's certificates. Furthermore, I would need to share the ca.crt with each user that I wanted to access my Che instance.

Is there any way we can make the setup process for Che with self-signed certs drastically easier on OpenShift? Ideally I would only need to whitelist the certs once in my browser, and wouldn't have to generate custom certificates (unless I wanted to).

@tolusha tolusha added area/install Issues related to installation, including offline/air gap and initial setup kind/question Questions that haven't been identified as being feature requests or bugs. team/deploy labels Jan 11, 2020
@tolusha (Contributor) commented Jan 11, 2020

Currently we are trying to ease the process; keep track of #15313.

@johnmcollier (Contributor, Author) commented:

@tolusha Thanks! I'll keep an eye on that issue.

@tolusha tolusha added the severity/P1 Has a major impact to usage or development of the system. label Feb 17, 2020
@tolusha tolusha added this to the Backlog - Deploy milestone Feb 17, 2020
@tolusha tolusha removed the severity/P1 Has a major impact to usage or development of the system. label Feb 17, 2020
@tolusha tolusha removed this from the Backlog - Deploy milestone Feb 17, 2020
@tolusha (Contributor) commented Mar 4, 2020

#16052

@tolusha tolusha added the severity/P1 Has a major impact to usage or development of the system. label Mar 21, 2020
@tolusha tolusha added this to the Backlog - Deploy milestone Mar 21, 2020
@tolusha (Contributor) commented May 6, 2020

@johnmcollier
In recent versions we have a better UX for deploying Eclipse Che on an OpenShift instance using chectl:
chectl server:start --platform openshift --installer operator --self-signed-cert --os-oauth
The output is the following:

   ✔ Retrieving Eclipse Che server URL... <some url>
    ✔ Eclipse Che status check
  ✔ Retrieving Che self-signed CA certificate... is exported to /home/tolusha/cheCA.crt
  ✔ Show important messages
    ✔ ❗[MANUAL ACTION REQUIRED] Please add Che self-signed CA certificate into your browser: /home/tolusha/cheCA.crt.
   Documentaton how to add a CA certificate into a browser: https://www.eclipse.org/che/docs/che-7/installing-che-in-tls-mode-with-self-signed-certificates/#using-che-with-tls_installing-che-in-tls-mode-with-self-signed-certificates
Command server:start has completed successfully.

So, it is just needed to import the certificate, which is saved into the home folder, into a browser.
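An added check for the step described above (example code, not part of this issue, of chectl or of the Che project): before importing cheCA.crt, confirm that every route in the Che namespace actually serves a chain that validates against that single CA, so one import covers the dashboard, Keycloak, the registries and the workspace routes instead of the per-route whitelisting from the original report. It assumes `oc` is logged in, the namespace is `che` (as in the CheCluster above) and the CA path chectl printed; `--run` contacts the cluster, while the default self-check only uses constructed s_client output.

```shell
#!/bin/sh
# Added example, not code from the Che project or chectl.
# Verifies that each OpenShift route in the Che namespace serves a certificate
# chain that validates against the CA file chectl exported, so importing that
# one file into the browser is sufficient. Assumptions: `oc` is logged in,
# the namespace is "che" (as in the CheCluster above), CA at $HOME/cheCA.crt.
CA_FILE="${CA_FILE:-$HOME/cheCA.crt}"
NAMESPACE="${NAMESPACE:-che}"

# Pull the "Verify return code: N (msg)" result out of openssl s_client output.
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^Verify return code: //p' | head -n 1
}

# True only when the chain validated against the supplied CA.
verify_ok() {
  [ "$(verify_code "$1")" = "0 (ok)" ]
}

# Connect to one route over TLS (the OpenShift router needs SNI, hence
# -servername) and verify the presented chain against CA_FILE.
check_route() {
  host="$1"
  out=$(openssl s_client -connect "$host:443" -servername "$host" \
          -CAfile "$CA_FILE" </dev/null 2>&1)
  if verify_ok "$out"; then
    echo "OK   $host chains to $CA_FILE"
  else
    code=$(verify_code "$out")
    echo "FAIL $host: ${code:-no TLS handshake or no verify result}"
    return 1
  fi
}

# Every route Che created: server, Keycloak, devfile/plugin registries, workspaces.
check_all_routes() {
  failed=0
  for host in $(oc get routes -n "$NAMESPACE" -o jsonpath='{.items[*].spec.host}'); do
    check_route "$host" || failed=$((failed + 1))
  done
  echo "$failed route(s) do not chain to $CA_FILE"
  [ "$failed" -eq 0 ]
}

# Constructed s_client fragments for an offline self-check (no cluster needed).
SAMPLE_OK='depth=0 CN = che-che.apps.example.test
Verify return code: 0 (ok)'
SAMPLE_FAIL='Verify return code: 19 (self signed certificate in certificate chain)'

case "${1:-}" in
  --run) check_all_routes ;;
  *) verify_ok "$SAMPLE_OK" && ! verify_ok "$SAMPLE_FAIL" && echo "self-check passed" ;;
esac
```

A route that reports a non-zero code is one the exported CA does not cover (for example a workspace route served with a different certificate), and it is the one to investigate before assuming the single import is enough.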

@tolusha tolusha closed this as completed May 6, 2020
@tolusha tolusha modified the milestones: Backlog - Deploy, 7.13 May 6, 2020