[project-clone] Read additional certs from /public-certs at start #1161
Conversation
In order to allow trusting additional certificates in the project clone init container, it now reads any .crt or .pem files in the /public-certs dir of the container, allowing users to trust additional certificates by mounting certificates to that path (e.g. via automount secrets/configmaps) Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## main #1161 +/- ##
==========================================
+ Coverage 52.33% 52.61% +0.27%
==========================================
Files 81 82 +1
Lines 7381 7460 +79
==========================================
+ Hits 3863 3925 +62
- Misses 3237 3255 +18
+ Partials 281 280 -1
☔ View full report in Codecov by Sentry. |
| continue | ||
| } | ||
| ext := filepath.Ext(certFile.Name()) | ||
| if ext == ".crt" || ext == ".pem" { |
There was a problem hiding this comment.
Why do we stick to specific file extensions?
All files in the directory should be certificates in a correct format.
There was a problem hiding this comment.
I did it this way for two reasons:
- While Che only mounts certificates within the directory, other tools might not and this seemed "safer" -- I'm trying to keep the functionality as generic as I can
- When a configmap/secret is mounted to a pod, there's other hidden files that get mounted too and I don't know what effect trying to include those might have:
$ ls -al /public-certs total 0 drwxrwsrwx. 3 root user 91 Aug 8 18:00 . dr-xr-xr-x. 1 root root 153 Aug 8 18:00 .. drwxr-sr-x. 2 root user 37 Aug 8 18:00 ..2023_08_08_18_00_15.3464882180 lrwxrwxrwx. 1 root user 32 Aug 8 18:00 ..data -> ..2023_08_08_18_00_15.3464882180 lrwxrwxrwx. 1 root user 30 Aug 8 18:00 kube-root-ca.crt.ca.crt -> ..data/kube-root-ca.crt.ca.crt
There was a problem hiding this comment.
LGTM. Was able to reproduce the issue in eclipse-che/che#22393 and verify that the project clone container image built from these changes allowed the project to be cloned and the workspace to start up correctly.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: amisevsk, AObuchow The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Merging this PR to include it in the 0.23 release; @tolusha feel free to continue discussion on how we read certs / open an issue so we can improve this in the future. |
What does this PR do?
Configures the project-clone init container to read any
.crtor.pemfiles stored in/public-certs. These certificates are added to the HTTP client used for preparing zip-based projects in a DevWorkspace, and allows for downloading project zips from default-untrusted sources by e.g. auto-mounting certificates to/public-certsin the container.What issues does this PR fix or reference?
Closes #1160
Related: eclipse-che/che#22393
Is it tested? How?
A project-clone image for this PR is available at
quay.io/amisevsk/project-clone:self-signedIt's easiest to test this PR via the reproducer in eclipse-che/che#22393
PR Checklist
/test v8-devworkspace-operator-e2e, v8-che-happy-pathto trigger)v8-devworkspace-operator-e2e: DevWorkspace e2e testv8-che-happy-path: Happy path for verification integration with Che