fix (helm): fix deploying che with helm installer when self-signed-ce…

…rt is specified

Signed-off-by: Sergii Leshchenko <sleshche@redhat.com>

README.md

@@ -196,10 +196,12 @@ OPTIONS
   -p, --platform=platform                      [default: minikube] Type of Kubernetes platform. Valid values are
                                                "minikube", "minishift", "k8s", "openshift", "microk8s".
 
-  -s, --tls                                    Enable TLS encryption. Note that `che-tls` with TLS certificate must be
+  -s, --tls                                    Enable TLS encryption. Note that `che-tls` secret with TLS certificate must be
                                                created in the configured namespace.
 
   --self-signed-cert                           Authorize usage of self signed certificates for encryption.
+                                               Note that `self-signed-cert` secret with CA certificate must be
+                                               created in the configured namespace.
 
   -t, --templates=templates                    [default: templates] Path to the templates folder
 

src/api/kube.ts

@@ -9,7 +9,7 @@
  **********************************************************************/
 // tslint:disable:object-curly-spacing
 
-import { Apiextensions_v1beta1Api, ApisApi, Apps_v1Api, Core_v1Api, Custom_objectsApi, Extensions_v1beta1Api, KubeConfig, RbacAuthorization_v1Api, V1beta1CustomResourceDefinition, V1beta1IngressList, V1ClusterRole, V1ClusterRoleBinding, V1ConfigMap, V1ConfigMapEnvSource, V1Container, V1DeleteOptions, V1Deployment, V1DeploymentList, V1DeploymentSpec, V1EnvFromSource, V1LabelSelector, V1ObjectMeta, V1PersistentVolumeClaimList, V1Pod, V1PodSpec, V1PodTemplateSpec, V1Role, V1RoleBinding, V1RoleRef, V1ServiceAccount, V1ServiceList, V1Subject } from '@kubernetes/client-node'
+import { Apiextensions_v1beta1Api, ApisApi, Apps_v1Api, Core_v1Api, Custom_objectsApi, Extensions_v1beta1Api, KubeConfig, RbacAuthorization_v1Api, V1beta1CustomResourceDefinition, V1beta1IngressList, V1ClusterRole, V1ClusterRoleBinding, V1ConfigMap, V1ConfigMapEnvSource, V1Container, V1DeleteOptions, V1Deployment, V1DeploymentList, V1DeploymentSpec, V1EnvFromSource, V1LabelSelector, V1ObjectMeta, V1PersistentVolumeClaimList, V1Pod, V1PodSpec, V1PodTemplateSpec, V1Role, V1RoleBinding, V1RoleRef, V1ServiceAccount, V1ServiceList, V1Subject, V1Secret } from '@kubernetes/client-node'
 import axios from 'axios'
 import { cli } from 'cli-ux'
 import { readFileSync } from 'fs'
@@ -991,32 +991,14 @@ export class KubeHelper {
     }
   }
 
-  async secretExist(name = '', namespace = 'default'): Promise<boolean> {
-    const k8sCoreApi = this.kc.makeApiClient(Core_v1Api)
-
-   // now get the matching secrets
-    try {
-      const res = await k8sCoreApi.readNamespacedSecret(name, namespace)
-      if (res && res.body && res.body.metadata && res.body.metadata.name) {
-        return res.body.metadata.name === name
-      } else {
-        return false
-      }
-    } catch {
-      return false
-    }
-  }
-
-  async getSecret(name = '', namespace = 'default'): Promise<string | undefined> {
+  async getSecret(name = '', namespace = 'default'): Promise<V1Secret | undefined> {
     const k8sCoreApi = this.kc.makeApiClient(Core_v1Api)
 
     // now get the matching secrets
     try {
       const res = await k8sCoreApi.readNamespacedSecret(name, namespace)
-      if (res && res.body && res.body.metadata && res.body.metadata.name && res.body.data && res.body.data.ACME_EMAIL) {
-        if (res.body.metadata.name === name) {
-          return Buffer.from(res.body.data.ACME_EMAIL, 'base64').toString()
-        }
+      if (res && res.body && res.body) {
+        return res.body;
       } else {
         return
       }

src/commands/server/start.ts

@@ -86,11 +86,11 @@ export default class Start extends Command {
     }),
     tls: flags.boolean({
       char: 's',
-      description: 'Enable TLS encryption. Note that `che-tls` with TLS certificate must be created in the configured namespace.',
+      description: 'Enable TLS encryption. Note that `che-tls` secret with TLS certificate must be created in the configured namespace.',
       default: false
     }),
     'self-signed-cert': flags.boolean({
-      description: 'Authorize usage of self signed certificates for encryption',
+      description: 'Authorize usage of self signed certificates for encryption. Note that `self-signed-cert` secret with CA certificate must be created in the configured namespace.',
       default: false
     }),
     installer: string({

src/installers/helm.ts

@@ -35,10 +35,37 @@ export class HelmHelper {
         },
         task: async (_ctx: any, task: any) => {
           const kh = new KubeHelper()
-          const exists = await kh.secretExist('che-tls', `${flags.chenamespace}`)
-          if (!exists) {
+          const tlsSecret = await kh.getSecret('che-tls', `${flags.chenamespace}`)
+
+          if (!tlsSecret) {
             throw new Error(`TLS option is enabled but che-tls secret does not exist in '${flags.chenamespace}' namespace. Example on how to create the secret with TLS: kubectl create secret tls che-tls --namespace='${flags.chenamespace}' --key=privkey.pem --cert=fullchain.pem`)
           }
+
+          if (!tlsSecret.data["tls.crt"] || !tlsSecret.data["tls.key"]) {
+            throw new Error(`'che-tls' secret is found but 'tls.crt' or 'tls.key' entry is missing. Example on how to create the secret with self-signed CA certificate: kubectl create secret tls che-tls --namespace='${flags.chenamespace}' --key=privkey.pem --cert=fullchain.pem`)
+          }
+
+          task.title = `${task.title}...self-signed-cert secret found.`
+        }
+      },
+      {
+        title: 'Check for self-signed certificate prerequisites',
+        // Check only if self-signed-cert is enabled
+        enabled: () => {
+          return flags['self-signed-cert']
+        },
+        task: async (_ctx: any, task: any) => {
+          const kh = new KubeHelper()
+          const selfSignedCertSecret = await kh.getSecret('self-singed-cert', `${flags.chenamespace}`)
+
+          if (!selfSignedCertSecret) {
+            throw new Error(`Self-signed-cert option is enabled but 'self-signed-cert' secret does not exist in '${flags.chenamespace}' namespace. Example on how to create the secret with self-signed CA certificate: kubectl create secret tls self-signed-cert --namespace='${flags.chenamespace}' --from-file=ca.crt`)
+          }
+
+          if (!selfSignedCertSecret.data["ca.crt"]) {
+            throw new Error(`'self-signed-cert' secret is found but 'ca.crt' entry is missing. Example on how to create the secret with self-signed CA certificate: kubectl create secret tls che-tls --namespace='${flags.chenamespace}' --key=privkey.pem --cert=fullchain.pem`)
+          }
+
           task.title = `${task.title}...che-tls secret found.`
         }
       },
@@ -181,6 +208,10 @@ error: E_COMMAND_FAILED`)
       tlsFlag = `-f ${destDir}values/tls.yaml`
     }
 
+    if (flags['self-signed-cert']) {
+      setOptions.push('--set global.tls.useSelfSignedCerts=true')
+    }
+
     if (flags['plugin-registry-url']) {
       setOptions.push(`--set che.workspace.pluginRegistryUrl=${flags['plugin-registry-url']} --set chePluginRegistry.deploy=false`)
     }