Implement TLS by default for Minikube + Helm installer

Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
che-incubator · Jan 30, 2020 · 28e236c · 28e236c
1 parent 9df482b
commit 28e236c
Show file tree

Hide file tree

Showing 19 changed files with 7,083 additions and 67 deletions.
diff --git a/README.md b/README.md
@@ -243,24 +243,24 @@ OPTIONS
       (required) [default: 40000] Che server bootstrap timeout (in milliseconds)
 
   -p, --platform=minikube|minishift|k8s|openshift|microk8s|docker-desktop|crc
-      Type of Kubernetes platform. Valid values are "minikube", "minishift", "k8s (for kubernetes)", "openshift", "crc 
+      Type of Kubernetes platform. Valid values are "minikube", "minishift", "k8s (for kubernetes)", "openshift", "crc
       (for CodeReady Containers)", "microk8s".
 
   -s, --tls
       Enable TLS encryption.
-                           Note that for kubernetes 'che-tls' with TLS certificate must be created in the configured 
+                           Note that for kubernetes 'che-tls' with TLS certificate must be created in the configured
       namespace.
                            For OpenShift, router will use default cluster certificates.
 
   -t, --templates=templates
       [default: templates] Path to the templates folder
 
   --che-operator-cr-yaml=che-operator-cr-yaml
-      Path to a yaml file that defines a CheCluster used by the operator. This parameter is used only when the installer 
+      Path to a yaml file that defines a CheCluster used by the operator. This parameter is used only when the installer
       is the operator.
 
   --che-operator-image=che-operator-image
-      [default: quay.io/eclipse/che-operator:nightly] Container image of the operator. This parameter is used only when 
+      [default: quay.io/eclipse/che-operator:nightly] Container image of the operator. This parameter is used only when
       the installer is the operator
 
   --deployment-name=deployment-name
@@ -288,8 +288,9 @@ OPTIONS
       persistent volume storage class name to use to store Eclipse Che Postgres database
 
   --self-signed-cert
-      Authorize usage of self signed certificates for encryption. Note that `self-signed-cert` secret with CA certificate 
-      must be created in the configured namespace.
+      Indicates that self signed certificates is used for encryption.
+      This is the flag for Che to propagate the certificate to components, so they will trust it.
+      Note that `che-tls` secret with CA certificate must be created in the configured namespace.
 
   --workspace-pvc-storage-class-name=workspace-pvc-storage-class-name
       persistent volume(s) storage class name to use to store Eclipse Che workspaces data

diff --git a/resources/cert-manager/ca-cert-generator-role-binding.yml b/resources/cert-manager/ca-cert-generator-role-binding.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ca-cert-generator-role-binding
+  namespace: cert-manager
+subjects:
+- kind: ServiceAccount
+  name: ca-cert-generator
+  apiGroup: ''
+roleRef:
+  kind: Role
+  name: ca-cert-generator-role
+  apiGroup: ''
diff --git a/resources/cert-manager/ca-cert-generator-role.yml b/resources/cert-manager/ca-cert-generator-role.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ca-cert-generator-role
+  namespace: cert-manager
+rules:
+- apiGroups:
+    - ''
+  resources:
+    - secrets
+  verbs:
+    - create