Workspace components have to use provided custom certificates #17440

Closed
tolusha opened this issue Jul 20, 2020 · 9 comments
Labels
area/editor/theia Issues related to the che-theia IDE of Che kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system.

@tolusha
Contributor

tolusha commented Jul 20, 2020

Is your enhancement related to a problem? Please describe.

We face the issue when Eclipse Che is deployed behind a proxy with a custom certificate
https://issues.redhat.com/browse/CRW-1054

The reason is the following:

> Clients that expect to make proxy connections must use the trusted-ca-bundle for all HTTPS requests to the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as well.

https://docs.openshift.com/container-platform/4.4/rest_api/config_apis/proxy-config-openshift-io-v1.html

Describe the solution you'd like

Once #17407 is done, Theia (+git) should use the provided certificates.

@tolusha tolusha added kind/enhancement A feature request - must adhere to the feature request template. team/editors labels Jul 20, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jul 20, 2020
@tolusha tolusha added the area/editor/theia Issues related to the che-theia IDE of Che label Jul 20, 2020
@ibuziuk ibuziuk closed this as completed Jul 20, 2020
@ibuziuk ibuziuk reopened this Jul 20, 2020
@ibuziuk ibuziuk added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Jul 20, 2020
@ibuziuk
Member

ibuziuk commented Jul 20, 2020

Closed accidentally. Setting P1 priority.

@RickJWagnerTest1

This is an important issue. Please see comments on CRW-1054 for more context. Thank you!

@azatsarynnyy
Member

Hello,
currently, Che Theia expects a certificate in /tmp/che/secret/ca.crt.
@tolusha do I understand it right that Che Theia should now check for a certificate in /public-certs/*.crt first and then in /tmp/che/secret/ca.crt if there is no certificate in the /public-certs folder?

@tolusha
Contributor Author

tolusha commented Aug 3, 2020

/public-certs folder contains additional certificates
theia should use all of them

/cc @mmorhun

@mmorhun
Contributor

mmorhun commented Aug 3, 2020

@azatsarynnyy it should use both. Ideally we should have everything in one place.
Moreover, it might happen that /tmp/che/secret/ca.crt is also included in /public-certs/*; however, it should not be handled manually by us, but by the corresponding tools/libs (for example, the axios lib should have a CA bundle option).

@azatsarynnyy
Member

Thanks, @mmorhun!
Currently, we provide /tmp/che/secret/ca.crt to axios but it also can consume an array of CAs.
https://github.com/eclipse/che-theia/blob/a6dba7bace2ca71046f16737e16a4e27c7efb013/extensions/eclipse-che-theia-plugin-ext/src/node/che-plugin-service.ts#L150

Another question: can we expect that an additional cert file will be named /public-certs/ca.crt?

@tolusha
Contributor Author

tolusha commented Aug 4, 2020

@azatsarynnyy
The only fact we can rely on:
/public-certs is a directory with CA files (not necessarily the only one).

@azatsarynnyy
Member

azatsarynnyy commented Aug 4, 2020

> @azatsarynnyy
> The only fact we can rely on:
> /public-certs is a directory with CA files (not necessarily the only one).

@tolusha /public-certs/*.crt or /public-certs/*?

@tolusha
Contributor Author

tolusha commented Aug 4, 2020

/public-certs/*.crt

@vzhukovs vzhukovs self-assigned this Aug 4, 2020
@vzhukovs vzhukovs added the status/in-progress This issue has been taken by an engineer and is under active development. label Aug 4, 2020
@azatsarynnyy azatsarynnyy added this to the 7.17 milestone Aug 4, 2020
@azatsarynnyy azatsarynnyy modified the milestones: 7.17, 7.18 Aug 5, 2020
@azatsarynnyy azatsarynnyy modified the milestones: 7.18, 7.19 Aug 28, 2020
@vzhukovs vzhukovs closed this as completed Sep 2, 2020
@azatsarynnyy azatsarynnyy removed the status/in-progress This issue has been taken by an engineer and is under active development. label Sep 2, 2020