Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

On Kubernetes we generate an untrusted SSL cert even when the default is a valid one #18079

Closed
l0rd opened this issue Oct 8, 2020 · 3 comments
Closed

On Kubernetes we generate an untrusted SSL cert even when the default is a valid one #18079

l0rd opened this issue Oct 8, 2020 · 3 comments
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.
Milestone
7.22

Comments

@l0rd
Copy link
Contributor

l0rd commented Oct 8, 2020

Describe the bug

I have setup my Kubernetes Ingress controller to use a certificate signed by a trusted CA (at least my browser trust it).

When I deploy Che on that cluster I figure out that the dashboard is using an untrusted certificate (my browser don't trust it). And then I need to locally install the certificate or I won't be able to use Che at all.

Che version

nightly

Steps to reproduce

On minikube:

  • Generate a valid certificate for you minikube applications (I have used mkcert)
  • Configure nginx controller to use the new certificate (instructions here)
  • Deploy Che using chectl

Expected behavior

Che should use the default SSL certificate instead of generating a new one

Runtime

minikube version: v1.13.1

Screenshots

image

Installation method

chectl server:start -p minikube -n workspaces-server

Environment

macOS
@l0rd l0rd added the kind/bug Outline of a bug - must adhere to the bug report template. label Oct 8, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Oct 8, 2020
@l0rd l0rd mentioned this issue Oct 8, 2020
Closed
@l0rd l0rd added team/deploy severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Oct 8, 2020
@tolusha tolusha added area/install Issues related to installation, including offline/air gap and initial setup and removed team/deploy labels Oct 8, 2020
@tolusha tolusha added this to the 7.22 milestone Oct 21, 2020
@mmorhun
Copy link
Contributor

mmorhun commented Oct 21, 2020

Hello @l0rd. I don't completely understand the DoD of this issue:

Generate a valid certificate for you minikube applications (I have used mkcert)

This certificate created by mkcert has the same level of validity (it is not possible to generate commonly trusted certificate for Minikube) as the certificate generated by our operator. mkcert adds it into users system and/or browser trust store. Just a bit more automations on user's system level.

Che should use the default SSL certificate instead of generating a new one

The problem is that trust is a sort of a bit subjective thing. A certificate might be trusted by one organisation and doesn't by another...
Also, sometimes, Google Chrome (at least) doesn't display 'accept the risk and continue' link. I don't know exact reasons why and when it happens, but I faced that.

Could you elaborate more on how you see the solution?

@l0rd
Copy link
Contributor Author

l0rd commented Oct 21, 2020
edited
Loading

@mmorhun the problem is that we always generate a certificate. If the user wants Che to use the default nginx certificate there is no option for that.

This certificate created by mkcert has the same level of validity (it is not possible to generate commonly trusted certificate for Minikube) as the certificate generated by our operator. mkcert adds it into users system and/or browser trust store. Just a bit more automations on user's system level.

Agree. mkcert just helped me to reproduce the problem locally: I have a trusted certificate and I have configured minikube to use it, but Che uses its own auto-generated certificate that I need to install locally (and repeat the install of the Che certificate every time I redeploy Che).

@tolusha tolusha mentioned this issue Oct 26, 2020
Closed
46 tasks
This was referenced Oct 29, 2020
Merged
Closed
Merged
Closed
Merged
@tolusha
Copy link
Contributor

tolusha commented Nov 10, 2020
edited
Loading

For the time being we can deploy Eclipse Che without generating an untrusted SSL cert in the following way:

  1. helm
cat >/tmp/che-cr-patch.yaml <<EOL
global:
  tls:
    secretName: ''
EOL

chectl server:deploy --installer helm ... --helm-patch-yaml /tmp/che-cr-patch.yaml
  1. operator
cat >/tmp/che-cr-patch.yaml <<EOL
spec:
  k8s:
    tlsSecretName: ''
EOL

chectl server:deploy --installer operator ... --che-operator-cr-patch-yaml /tmp/che-cr-patch.yaml

@tolusha tolusha closed this as completed Nov 10, 2020
@l0rd l0rd mentioned this issue Feb 12, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.
Projects
None yet
Milestone
7.22
Development

No branches or pull requests
4 participants
@l0rd @tolusha @mmorhun @che-bot