Incomplete propagation of the trusted bundle CA certificates to the workspaces #18245

Closed
5 of 22 tasks
davidfestal opened this issue Oct 29, 2020 · 4 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator area/che-server kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.
@davidfestal
Contributor

Describe the bug

With the Che operator the ca-certs config map (mentioned in the spec.server.ServerTrustStoreConfigMapName custom resource field) has a double purpose:

  • First on OpenShift it allows injecting cluster-wide OpenShift trusted certificates inside Che (through the use of the config.openshift.io/inject-trusted-cabundle="true" label)
  • But also it allows manually adding additional untrusted CA certificates as additional keys in this Config Map, so that they would be trusted by Che, as described in the Docs PR: https://github.com/eclipse/che-docs/pull/1598/files

The bug is that the manually added certificates are not propagated up to the workspaces when creating the ca-certs config map in the workspace namespace.

Che version

  • latest
  • nightly
  • other: please specify

Steps to reproduce

  • Install Che by applying the steps defined in this docs PR doc
  • Create a workspace from this Che installation
  • This should create a ca-certs ConfigMap in the namespace of the workspace

Expected behavior

The ca-certs config map in the workspace namespace should contain all the keys you manually added in the Che operator ca-certs ConfigMap at installation, but it doesn't.

Runtime

  • kubernetes (include output of kubectl version)
  • Openshift (include output of oc version)
  • minikube (include output of minikube version and kubectl version)
  • minishift (include output of minishift version and oc version)
  • docker-desktop + K8S (include output of docker version and kubectl version)
  • other: (please specify)

Screenshots

Installation method

  • chectl
    • provide a full command that was used to deploy Eclipse Che (including the output)
    • provide an output of chectl version command
  • OperatorHub
  • I don't know

Environment

  • my computer
    • Windows
    • Linux
    • macOS
  • Cloud
    • Amazon
    • Azure
    • GCE
    • other (please specify)
  • other: please specify

Eclipse Che Logs

Additional context

The error is obviously coming from the fact that the Che server creates a new empty map with the config.openshift.io/inject-trusted-cabundle="true" label in the Workspace namespace, instead of simply creating / updating a config map with the exact same content of the Che Operator ca-certs config map.
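
A way to check a cluster for the behaviour reported above, as an added example that is not part of the original issue or of the Che code base: it compares the operator's ca-certs ConfigMap with a workspace copy and reports keys or certificates that did not propagate. The key names `ca-bundle.crt` and `corporate-ca.crt` and the PEM bodies are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of the decoded bytes of every PEM block in one value."""
    return {hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(pem_text or "")}

def propagation_gaps(source_cm, workspace_cm):
    """Return {key: problem} for source entries the workspace copy lacks."""
    src = source_cm.get("data") or {}
    dst = workspace_cm.get("data") or {}
    gaps = {}
    for key, value in src.items():
        if key not in dst:
            gaps[key] = "missing key"
            continue
        # Compare by certificate, so reordering inside a bundle is ignored.
        absent = fingerprints(value) - fingerprints(dst[key])
        if absent:
            gaps[key] = f"{len(absent)} certificate(s) missing"
    return gaps

def sample_pem(tag):
    """Constructed placeholder PEM block (not a valid X.509 certificate)."""
    body = base64.encodebytes(tag.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

CLUSTER_CA = sample_pem("constructed cluster CA")
CORP_CA = sample_pem("constructed corporate CA")
LABEL = {"config.openshift.io/inject-trusted-cabundle": "true"}

# Operator namespace: injected bundle plus one manually added key (assumed names).
OPERATOR_CM = {"metadata": {"name": "ca-certs", "labels": LABEL},
               "data": {"ca-bundle.crt": CLUSTER_CA, "corporate-ca.crt": CORP_CA}}
# Workspace namespace as the issue describes it: created empty with the
# injection label, so it holds only the injected bundle.
WORKSPACE_CM = {"metadata": {"name": "ca-certs", "labels": LABEL},
                "data": {"ca-bundle.crt": CLUSTER_CA}}

if __name__ == "__main__":
    for key, problem in propagation_gaps(OPERATOR_CM, WORKSPACE_CM).items():
        print(f"{key}: {problem}")
```

On a real cluster, load the two dictionaries with `json.load` from the output of `kubectl get configmap ca-certs -o json` run against the Che namespace and the workspace namespace.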

@davidfestal davidfestal added the kind/bug Outline of a bug - must adhere to the bug report template. label Oct 29, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Oct 29, 2020
@davidfestal
Contributor Author

@tolusha please complete or correct the description of the bug

@davidfestal davidfestal added the severity/P1 Has a major impact to usage or development of the system. label Oct 29, 2020
@davidfestal
Contributor Author

If we want the docs about importing untrusted CAs to be consistent and useful for the CRW 2.5.0 release, then we should probably also treat this issue as a blocker for the CRW 2.5.0 release.

cc @l0rd @nickboldt

@amisevsk amisevsk added area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Oct 30, 2020
@tolusha tolusha added this to the 7.20 milestone Nov 12, 2020
@davidfestal
Contributor Author

@mshaposhnik Has the corresponding fix been cherry-picked to the main branch before closing this issue?

cf #18264 (comment)

@mshaposhnik
Contributor

@davidfestal Yes, here it is 6c03073
