fix: add cert manager resources (#1831)

* fix: add cert manager resources

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

resources/cert-manager/ca-cert-generator-role-binding.yml

@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ca-cert-generator-role-binding
+  namespace: cert-manager
+subjects:
+- kind: ServiceAccount
+  name: ca-cert-generator
+  apiGroup: ''
+roleRef:
+  kind: Role
+  name: ca-cert-generator-role
+  apiGroup: ''

resources/cert-manager/ca-cert-generator-role.yml

@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ca-cert-generator-role
+  namespace: cert-manager
+rules:
+- apiGroups:
+    - ''
+  resources:
+    - secrets
+  verbs:
+    - create

resources/cert-manager/che-certificate.yml

@@ -0,0 +1,27 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: che-certificate
+  namespace: che
+spec:
+  secretName: che-tls
+  issuerRef:
+    name: che-cluster-issuer
+    kind: ClusterIssuer
+  # This is a template and it will be set from --domain parameter
+  # For example: '*.192.168.99.100.nip.io'
+  commonName: '*.<domain>'
+  dnsNames:
+    - '*.<domain>'

resources/cert-manager/che-cluster-issuer.yml

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: che-cluster-issuer
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: ca

src/commands/server/deploy.ts

@@ -345,12 +345,6 @@ export default class Deploy extends Command {
       }
     }
 
-    if (!flags.batch && isKubernetesPlatformFamily(flags.platform) && (isDevWorkspaceEnabled(ctx) || flags['workspace-engine'] === 'dev-workspace')) {
-      if (!await cli.confirm('DevWorkspace is experimental feature. It requires direct access to the underlying infrastructure REST API.\nThis results in huge privilege escalation. Do you want to proceed? [y/n]')) {
-        cli.exit(0)
-      }
-    }
-
     const dexTasks = new DexTasks(flags)
     const cheTasks = new CheTasks(flags)
     const platformTasks = new PlatformTasks(flags)

src/tasks/component-installers/cert-manager.ts

@@ -55,7 +55,7 @@ export class CertManagerTasks {
         title: 'Deploy Cert Manager',
         enabled: ctx => !ctx.certManagerInstalled,
         task: async (ctx: any, task: any) => {
-          const yamlPath = path.join(getEmbeddedTemplatesDirectory(), '..', 'resources', 'cert-manager.yml')
+          const yamlPath = path.join(getEmbeddedTemplatesDirectory(), '..', 'resources', 'cert-manager', 'cert-manager.yml')
 
           // Apply additional --validate=false flag to be able to deploy Cert Manager on Kubernetes v1.15.4 or below
           await this.kubeHelper.applyResource(yamlPath, '--validate=false')
@@ -85,7 +85,7 @@ export class CertManagerTasks {
     ]
   }
 
-  getGenerateCertManagerCACertificateTasks(flags: any): ReadonlyArray<Listr.ListrTask> {
+  getGenerateCertManagerCACertificateTasks(): ReadonlyArray<Listr.ListrTask> {
     return [
       {
         title: 'Check Cert Manager CA certificate',
@@ -105,8 +105,8 @@ export class CertManagerTasks {
             try {
               // Configure permissions for CA key pair generation job
               await this.kubeHelper.createServiceAccount(CA_CERT_GENERATION_SERVICE_ACCOUNT_NAME, CERT_MANAGER_NAMESPACE_NAME)
-              await this.kubeHelper.createRoleFromFile(path.join(flags.templates, 'cert-manager', 'ca-cert-generator-role.yml'), CERT_MANAGER_NAMESPACE_NAME)
-              await this.kubeHelper.createRoleBindingFromFile(path.join(flags.templates, 'cert-manager', 'ca-cert-generator-role-binding.yml'), CERT_MANAGER_NAMESPACE_NAME)
+              await this.kubeHelper.createRoleFromFile(path.join(getEmbeddedTemplatesDirectory(), '..', 'resources', 'cert-manager', 'ca-cert-generator-role.yml'), CERT_MANAGER_NAMESPACE_NAME)
+              await this.kubeHelper.createRoleBindingFromFile(path.join(getEmbeddedTemplatesDirectory(), '..', 'resources', 'cert-manager', 'ca-cert-generator-role-binding.yml'), CERT_MANAGER_NAMESPACE_NAME)
 
               // Await created resources to be available
               await this.kubeHelper.waitServiceAccount(CA_CERT_GENERATION_SERVICE_ACCOUNT_NAME, CERT_MANAGER_NAMESPACE_NAME)
@@ -144,7 +144,7 @@ export class CertManagerTasks {
     ]
   }
 
-  getCreateCertificateIssuerTasks(flags: any): ReadonlyArray<Listr.ListrTask> {
+  getCreateCertificateIssuerTasks(): ReadonlyArray<Listr.ListrTask> {
     return [
       {
         title: 'Set up Eclipse Che certificates issuer',
@@ -171,7 +171,7 @@ export class CertManagerTasks {
           ctx.clusterIssuersName = DEFAULT_CHE_CLUSTER_ISSUER_NAME
           const cheClusterIssuerExists = await this.kubeHelper.clusterIssuerExists(DEFAULT_CHE_CLUSTER_ISSUER_NAME, ctx.certManagerK8sApiVersion)
           if (!cheClusterIssuerExists) {
-            const cheCertificateClusterIssuerTemplatePath = path.join(flags.templates, '/cert-manager/che-cluster-issuer.yml')
+            const cheCertificateClusterIssuerTemplatePath = path.join(getEmbeddedTemplatesDirectory(), '..', 'resources', 'cert-manager', 'che-cluster-issuer.yml')
             await this.kubeHelper.createCheClusterIssuer(cheCertificateClusterIssuerTemplatePath, ctx.certManagerK8sApiVersion)
 
             task.title = `${task.title}...done`
@@ -200,7 +200,7 @@ export class CertManagerTasks {
             task.title = 'Request self-signed certificate'
           }
 
-          const certificateTemplatePath = path.join(flags.templates, '/cert-manager/che-certificate.yml')
+          const certificateTemplatePath = path.join(getEmbeddedTemplatesDirectory(), '..', 'resources', 'cert-manager', 'che-certificate.yml')
           const certificate = this.kubeHelper.safeLoadFromYamlFile(certificateTemplatePath) as V1Certificate
           certificate.metadata.namespace = namespace
           certificate.spec.secretName = secretName

src/tasks/component-installers/dex.ts

@@ -111,8 +111,8 @@ export class DexTasks {
                 if (!await this.kube.getSecret(DexTasks.TLS_SECRET_NAME, DexTasks.NAMESPACE_NAME)) {
                   const certManager = new CertManagerTasks(this.flags)
                   certs.add(certManager.getDeployCertManagerTasks())
-                  certs.add(certManager.getGenerateCertManagerCACertificateTasks(this.flags))
-                  certs.add(certManager.getCreateCertificateIssuerTasks(this.flags))
+                  certs.add(certManager.getGenerateCertManagerCACertificateTasks())
+                  certs.add(certManager.getCreateCertificateIssuerTasks())
 
                   const domain = 'dex.' + this.flags.domain
                   const commonName = '*.' + domain