
Ensure we use certificates of the OpenShift Ingress even if self-signed-certificate secret isn't created #17826

Closed
tolusha opened this issue Sep 10, 2020 · 2 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system.

Comments


tolusha commented Sep 10, 2020

Is your task related to a problem? Please describe.

For the time being the operator analyzes the certificate chain of trust of the OpenShift Ingress and tries to guess whether a self-signed certificate is used. In most cases it works fine. But if the root CA is absent from the chain, then the self-signed-certificate secret won't be created and communication between Che components might fail.

Describe the solution you'd like

Put the certificate chain of trust of the OpenShift Ingress into the ca-certs configmap when a self-signed certificate is not detected.

Additional context

Is related to: #17825
Depends on #17938

@tolusha tolusha added labels kind/task (Internal things, technical debt, and to-do tasks to be performed), area/che-operator (Issues and PRs related to Eclipse Che Kubernetes Operator), severity/P1 (Has a major impact to usage or development of the system) Sep 10, 2020
@tolusha tolusha changed the title from "Ensure certificate chain of trust is stored into ca-certs config map" to "Ensure we don't miss certificate chain of trust even if self-signed-certificate secret isn't created" Sep 10, 2020
@tolusha tolusha added this to the Backlog - Deploy milestone Sep 10, 2020
@tolusha tolusha mentioned this issue Sep 10, 2020
@tolusha tolusha modified the milestones: Backlog - Deploy, 7.20 Sep 11, 2020
@tolusha tolusha changed the title from "Ensure we don't miss certificate chain of trust even if self-signed-certificate secret isn't created" to "Ensure we don't miss certificates of the OpenShift Ingress if self-signed-certificate secret isn't created" Sep 23, 2020

tolusha commented Sep 23, 2020

The workaround:

  1. Create the ca-certs config map (if it does not exist)
  2. Put the complete (including the root CA) certificate chain of trust of the OpenShift Ingress into the ca-certs configmap as the ca.crt key
  3. Update the CR spec.server.ServerTrustStoreConfigMapName: ca-certs (if needed)
  4. Restart the che-server and keycloak pods
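The four steps above as one script, added here as an example; it is not code from the issue or from che-operator. It fetches the chain the Ingress router actually serves with openssl s_client -showcerts, checks whether the top certificate is self-signed (subject equals issuer, i.e. the chain already reaches a root), appends a caller-supplied root CA PEM when it does not, and then runs the oc commands for steps 1 to 4. Assumptions that may differ in your cluster: the CheCluster CR is named eclipse-che in namespace eclipse-che, the che-server and keycloak deployments are named che and keycloak, and the CRD field is spelled spec.server.serverTrustStoreConfigMapName (the camelCase form of the key named in the comment).

```bash
#!/usr/bin/env bash
# Added example (not che-operator code): apply the four-step workaround with
# oc and openssl. Assumptions: CheCluster CR "eclipse-che" in namespace
# "eclipse-che", deployments named "che" and "keycloak", and the CRD field
# spec.server.serverTrustStoreConfigMapName. Override via env if yours differ.
set -eu

CHE_NAMESPACE="${CHE_NAMESPACE:-eclipse-che}"
CHE_CR="${CHE_CR:-eclipse-che}"
CONFIGMAP_NAME="${CONFIGMAP_NAME:-ca-certs}"

# Count PEM certificates in a bundle (text only, no openssl needed).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the last PEM block of a bundle: in a correctly ordered chain this is
# the topmost certificate, the one that should be the root CA.
last_pem_block() {
  awk '/-----BEGIN CERTIFICATE-----/ {buf=""}
       {buf = buf $0 "\n"}
       /-----END CERTIFICATE-----/ {last=buf}
       END {printf "%s", last}' "$1"
}

# Fetch exactly the chain the Ingress router serves for a host.
# -showcerts dumps every certificate sent in the handshake; keep PEM only.
fetch_served_chain() {
  host="$1"; out="$2"
  openssl s_client -connect "${host}:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$out"
  # sed hides openssl's exit status, so check that something was received.
  [ "$(pem_cert_count "$out")" -gt 0 ] || { echo "no certificates received from $host" >&2; return 1; }
}

# True when the top certificate is self-signed (subject == issuer), i.e. the
# served chain already includes its root and nothing is missing.
chain_ends_in_root() {
  top=$(last_pem_block "$1")
  subj=$(printf '%s\n' "$top" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$top" | openssl x509 -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Steps 1-3: create or update the ConfigMap with the full chain under key
# ca.crt, then point the CR's trust-store field at it.
install_ca_certs() {
  bundle="$1"
  oc -n "$CHE_NAMESPACE" create configmap "$CONFIGMAP_NAME" \
      --from-file=ca.crt="$bundle" --dry-run=client -o yaml \
    | oc -n "$CHE_NAMESPACE" apply -f -
  oc -n "$CHE_NAMESPACE" patch checluster "$CHE_CR" --type=merge \
    -p "{\"spec\":{\"server\":{\"serverTrustStoreConfigMapName\":\"${CONFIGMAP_NAME}\"}}}"
}

# Step 4: restart che-server and keycloak so they rebuild their trust stores.
restart_che_pods() {
  oc -n "$CHE_NAMESPACE" rollout restart deployment/che deployment/keycloak
}

# usage: ./che-ca-certs.sh --apply <che-host> [ingress-root-ca.pem]
main() {
  host="$1"; root_ca="${2:-}"
  bundle=$(mktemp)
  fetch_served_chain "$host" "$bundle"
  echo "router served $(pem_cert_count "$bundle") certificate(s) for $host"
  if ! chain_ends_in_root "$bundle"; then
    if [ -z "$root_ca" ]; then
      echo "served chain does not end in a root CA; pass the Ingress root CA PEM as the second argument" >&2
      return 1
    fi
    cat "$root_ca" >>"$bundle"   # complete the chain, as step 2 requires
  fi
  install_ca_certs "$bundle"
  restart_che_pods
  rm -f "$bundle"
}

case "${1:-}" in --apply) shift; main "$@" ;; esac
```

The self-signed check is the same heuristic the issue says the operator relies on, applied to the served chain rather than guessed: if the router does not send its root, the script refuses to proceed until you hand it the root CA PEM, which is exactly the case where the operator's detection fails and the ca-certs configmap has to be filled by hand.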

@tolusha tolusha changed the title from "Ensure we don't miss certificates of the OpenShift Ingress if self-signed-certificate secret isn't created" to "Ensure we use certificates of the OpenShift Ingress if self-signed-certificate secret isn't created" Sep 23, 2020
@tolusha tolusha changed the title from "Ensure we use certificates of the OpenShift Ingress if self-signed-certificate secret isn't created" to "Ensure we use certificates of the OpenShift Ingress even if self-signed-certificate secret isn't created" Sep 23, 2020
@tolusha tolusha removed this from the 7.20 milestone Sep 28, 2020
@tolusha tolusha modified the milestone: 7.24 Dec 2, 2020
@tolusha tolusha modified the milestone: 7.25 Dec 16, 2020
@tolusha tolusha modified the milestones: 7.25, 7.26 Jan 13, 2021
@tolusha tolusha modified the milestone: 7.27 Feb 2, 2021
@tolusha tolusha modified the milestone: 7.28 Feb 19, 2021

tolusha commented May 26, 2021

Since Theia requires the complete certificate chain of trust [1], there is no benefit in this issue anymore.

#17938
