Import all certificates from propagated bundle

[mmorhun]

Signed-off-by: Mykola Morhun mmorhun@redhat.com

What does this PR do?

Makes it possible to import several CA certificates from a single file into Che server's java trust store.

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

• keytool imports the only one certificate from the file #18339
• https://issues.redhat.com/projects/CRW-1413 - must remove patches from https://github.com/redhat-developer/codeready-workspaces/blob/crw-2.6-rhel-8/Jenkinsfile#L382-L399
• https://issues.redhat.com/browse/CRW-1381

How to test this PR?

1. Create a *.pem file that contains several root CA certificates
   1.1. Generate a few root CA certificates:

OPENSSL_CNF='/etc/pki/tls/openssl.cnf'
if [ ! -f $OPENSSL_CNF ]; then
    OPENSSL_CNF='/etc/ssl/openssl.cnf'
fi

for ((i=1;i<=4;i++)); do
  openssl genrsa -out ${i}.key 4096
  openssl req -batch -new -x509 -nodes -key ${i}.key -sha256 -subj /CN="TestCA${i}" -days 1024 -reqexts SAN -extensions SAN -config <(cat ${OPENSSL_CNF} <(printf '[SAN]\nbasicConstraints=critical, CA:TRUE\nkeyUsage=keyCertSign, cRLSign, digitalSignature')) -outform PEM -out ${i}.crt

1.2. Join them into a single bundle:

$ cat *.crt > bundle.pem

2. Create a configmap with single data field which contains the *.pem file:

$ kubectl create configmap custom-ca --from-file=bundle.pem -n che

3. Add the configmap as trusted for Che:

$ kubectl label configmap custom-ca app.kubernetes.io/part-of=che.eclipse.org -n che && kubectl label configmap custom-ca app.kubernetes.io/component=ca-bundle -n che

4. Check that all CA certs are added into Che server's trust store
   4.1. Exec into Che server's container and go to /home/user directory
   4.2. Make sure that the certs are imported into cacerts keystore:

$ keytool -list  -keystore cacerts -storepass changeit | grep bundle

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[che-bot]

✅ E2E Happy path tests succeed 🎉

See Details

• Jenkins job

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:18504

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

• Use comment "[crw-ci-test]" to rerun happy path E2E test.
• Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

[che-bot]

✅ E2E Happy path tests succeed 🎉

See Details

• Jenkins job

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:18504

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

• Use comment "[crw-ci-test]" to rerun happy path E2E test.
• Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:18504

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

• Use comment "[crw-ci-test]" to rerun happy path E2E test.
• Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

[mmorhun]

[crw-ci-test --rebuild]

[che-bot]

✅ E2E Happy path tests succeed 🎉

See Details

• Jenkins job

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:18504

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

• Use comment "[crw-ci-test]" to rerun happy path E2E test.
• Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

[skabashnyuk]

looks good to me in general. Please ensure that the necessary documentation has been updated. And it looks similar to https://github.com/eclipse/che/pull/17563/files can you take a look?

[mmorhun]

@skabashnyuk mentioned by you PR solves problem with permissions for java keystore. This PR aimed to improve importing flow to allow importing of whole bundle from a file.

[nickboldt]

While we make this change, we can also improve things in downstream so I don't have to patch entrypoint.sh to work in Openshift on RHEL8.

Key parts to fix are noted here, but there are a couple other improvements we can do in #17563 so that there's more explicit file permissions being set in alpine (required in RHEL, implied in Alpine, but I like being explicit so we don't have to assume things).

I've also added an additional inline test to the Dockerfile here, that will fail the docker build if startup script is in the wrong place or permissions are wrong:

https://github.com/eclipse/che/pull/17563/files#diff-9ebc388c1bd85f875932a2fad60625344927ceee90eaf67de6cbc56482085038R45-R46

[mmorhun]

I've investigated how we deal with keystores in entrypoint.sh and how we create /home/user/cacerts keystore in Che/CRW server. I've seen, that in rhel.Dockerfile we copy keystore from /etc/pki/ca-trust/extracted/java/cacerts into /home/user/cacerts, whereas Debian based image uses certificates from ${JAVA_HOME}/lib/security/cacerts. But I found interesting thing: content of both keystores in RHEL is the same! So, my suggestion is not to copy the keystore in rhel.Dockerfile at all, but do it at runtime in the entrypoint.sh and always use ${JAVA_HOME}/lib/security/cacerts as source. This will resolve permissions issues and make downstream closer to upstream. @nickboldt, do you have any concerns regarding proposed solution?

[mmorhun]

@nickboldt I updated PR and tested it where I could. Please review and, if you have a chance, test.

[che-bot]

✅ E2E Happy path tests succeed 🎉

See Details

• Jenkins job

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:18504

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

• Use comment "[crw-ci-test]" to rerun happy path E2E test.
• Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

[nickboldt]

Finally understood what's changed here, and it makes sense. Fairly confident it'll work in CRW too.