[project-clone] Read additional certs from /public-certs at start #1161
Conversation
In order to allow trusting additional certificates in the project clone init container, it now reads any .crt or .pem files in the /public-certs dir of the container, allowing users to trust additional certificates by mounting certificates to that path (e.g. via automount secrets/configmaps) Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Codecov Report
Patch coverage:
Coverage Diff (main vs. #1161):

| | main | #1161 | +/- |
|---|---|---|---|
| Coverage | 52.33% | 52.61% | +0.27% |
| Files | 81 | 82 | +1 |
| Lines | 7381 | 7460 | +79 |
| Hits | 3863 | 3925 | +62 |
| Misses | 3237 | 3255 | +18 |
| Partials | 281 | 280 | -1 |
continue | ||
} | ||
ext := filepath.Ext(certFile.Name()) | ||
if ext == ".crt" || ext == ".pem" { |
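Review bot: the extension check `if ext == ".crt" || ext == ".pem"` is case-sensitive, so a bundle mounted as `CA.CRT` or `ca.PEM` is silently skipped even though it is a certificate in the expected format; normalise first, e.g. `ext := strings.ToLower(filepath.Ext(certFile.Name()))`, or document that only lowercase extensions are honoured.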
Why do we stick to specific file extensions?
All files in the directory should be certificates in a correct format.
I did it this way for two reasons:
- While Che only mounts certificates within the directory, other tools might not and this seemed "safer" -- I'm trying to keep the functionality as generic as I can
- When a configmap/secret is mounted to a pod, there's other hidden files that get mounted too and I don't know what effect trying to include those might have:
```
$ ls -al /public-certs
total 0
drwxrwsrwx. 3 root user  91 Aug  8 18:00 .
dr-xr-xr-x. 1 root root 153 Aug  8 18:00 ..
drwxr-sr-x. 2 root user  37 Aug  8 18:00 ..2023_08_08_18_00_15.3464882180
lrwxrwxrwx. 1 root user  32 Aug  8 18:00 ..data -> ..2023_08_08_18_00_15.3464882180
lrwxrwxrwx. 1 root user  30 Aug  8 18:00 kube-root-ca.crt.ca.crt -> ..data/kube-root-ca.crt.ca.crt
```
LGTM. Was able to reproduce the issue in eclipse-che/che#22393 and verify that the project clone container image built from these changes allowed the project to be cloned and the workspace to start up correctly.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: amisevsk, AObuchow
Merging this PR to include it in the 0.23 release; @tolusha feel free to continue discussion on how we read certs / open an issue so we can improve this in the future.
What does this PR do?

Configures the project-clone init container to read any `.crt` or `.pem` files stored in `/public-certs`. These certificates are added to the HTTP client used for preparing zip-based projects in a DevWorkspace, and allow for downloading project zips from default-untrusted sources by e.g. auto-mounting certificates to `/public-certs` in the container.

What issues does this PR fix or reference?

Closes #1160
Related: eclipse-che/che#22393

Is it tested? How?

A project-clone image for this PR is available at `quay.io/amisevsk/project-clone:self-signed`. It's easiest to test this PR via the reproducer in eclipse-che/che#22393.

PR Checklist

`/test v8-devworkspace-operator-e2e, v8-che-happy-path` to trigger:
- `v8-devworkspace-operator-e2e`: DevWorkspace e2e test
- `v8-che-happy-path`: Happy path for verification integration with Che