fix: Generate correct certificate for dex (#2009)

fix: Generate correct certificate for dex Signed-off-by: Anatolii Bazko <abazko@redhat.com>
che-incubator · Jun 30, 2022 · 921d8ad · 921d8ad
1 parent ff2ca6b
commit 921d8ad
Show file tree

Hide file tree

Showing 9 changed files with 201 additions and 17,306 deletions.
diff --git a/README.md b/README.md
@@ -128,7 +128,7 @@ EXAMPLES
   $ chectl autocomplete --refresh-cache
 ```
 
-_See code: [@oclif/plugin-autocomplete](https://github.com/oclif/plugin-autocomplete/blob/v1.2.0/src/commands/autocomplete/index.ts)_
+_See code: [@oclif/plugin-autocomplete](https://github.com/oclif/plugin-autocomplete/blob/v1.3.0/src/commands/autocomplete/index.ts)_
 
 ## `chectl cacert:export`
 

diff --git a/resources/cert-manager/cert-manager.yml b/resources/cert-manager/cert-manager.yml
diff --git a/resources/dex/certificate.yaml b/resources/dex/certificate.yaml
@@ -0,0 +1,40 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dex
+  namespace: dex
+  labels:
+    app: dex
+spec:
+  isCA: false
+  commonName: dex
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096
+  issuerRef:
+    kind: Issuer
+    name: dex
+    group: cert-manager.io
+  secretName: dex.tls
+  subject:
+    organizations:
+      - Local Eclipse Che
+  usages:
+    - server auth
+    - digital signature
+    - key encipherment
+    - key agreement
+    - data encipherment
diff --git a/resources/dex/issuer.yaml b/resources/dex/issuer.yaml
@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: dex
+  namespace: dex
+  labels:
+    app: dex
+spec:
+  ca:
+    secretName: ca.crt
diff --git a/resources/cert-manager/che-certificate.yml → resources/dex/selfsigned-certificate.yaml b/resources/cert-manager/che-certificate.yml → resources/dex/selfsigned-certificate.yaml
@@ -13,15 +13,18 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: che-certificate
-  namespace: che
+  name: dex-selfsigned
+  namespace: dex
+  labels:
+    app: dex
 spec:
-  secretName: che-tls
+  isCA: true
+  commonName: dex-selfsigned-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
   issuerRef:
-    name: che-issuer
+    name: dex-selfsigned
     kind: Issuer
-  # This is a template and it will be set from --domain parameter
-  # For example: '*.192.168.99.100.nip.io'
-  commonName: '*.<domain>'
-  dnsNames:
-    - '*.<domain>'
+    group: cert-manager.io
+  secretName: ca.crt
diff --git a/resources/cert-manager/che-issuer.yml → resources/dex/selfsigned-issuer.yaml b/resources/cert-manager/che-issuer.yml → resources/dex/selfsigned-issuer.yaml
@@ -13,6 +13,9 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: che-issuer
+  name: dex-selfsigned
+  namespace: dex
+  labels:
+    app: dex
 spec:
   selfSigned: {}
diff --git a/src/tasks/component-installers/cert-manager.ts b/src/tasks/component-installers/cert-manager.ts
@@ -11,15 +11,12 @@
  */
 
 import * as Listr from 'listr'
-import * as path from 'path'
 import { CheHelper } from '../../api/che'
 import { KubeHelper } from '../../api/kube'
-import { V1Certificate } from '../../api/types/cert-manager'
 import { CERT_MANAGER_NAMESPACE_NAME } from '../../constants'
-import { getEmbeddedTemplatesDirectory } from '../../util'
 
 export class CertManagerTasks {
-  private static readonly ISSUER_NAME = 'che-issuer'
+  private static readonly CERT_MANAGER_VERSION = 'v1.8.2'
 
   protected kubeHelper: KubeHelper
   protected cheHelper: CheHelper
@@ -34,7 +31,7 @@ export class CertManagerTasks {
   getDeployCertManagerTasks(): ReadonlyArray<Listr.ListrTask> {
     return [
       {
-        title: 'Cert Manager v1.5.3',
+        title: `Cert Manager ${CertManagerTasks.CERT_MANAGER_VERSION}`,
         skip: () => this.skipCertManager,
         task: async (ctx: any, _task: any) => {
           const tasks = new Listr(undefined, ctx.listrOptions)
@@ -46,8 +43,7 @@ export class CertManagerTasks {
                 if (certManagerCrd) {
                   task.title = `${task.title}...[Exists]`
                 } else {
-                  const yamlPath = path.join(getEmbeddedTemplatesDirectory(), '..', 'resources', 'cert-manager', 'cert-manager.yml')
-                  await this.kubeHelper.applyResource(yamlPath)
+                  await this.kubeHelper.applyResource(`https://github.com/cert-manager/cert-manager/releases/download/${CertManagerTasks.CERT_MANAGER_VERSION}/cert-manager.yaml`)
                   task.title = `${task.title}...[OK]`
                 }
               },
@@ -70,63 +66,4 @@ export class CertManagerTasks {
       },
     ]
   }
-
-  getCreateIssuerTasks(namespace: string): ReadonlyArray<Listr.ListrTask> {
-    return [
-      {
-        title: `Create issuer ${CertManagerTasks.ISSUER_NAME}`,
-        task: async (ctx: any, task: any) => {
-          const issuerExists = await this.kubeHelper.isIssuerExists(CertManagerTasks.ISSUER_NAME, namespace)
-          if (issuerExists) {
-            task.title = `${task.title}...[Exists]`
-            return
-          }
-
-          const cheIssuerPath = path.join(getEmbeddedTemplatesDirectory(), '..', 'resources', 'cert-manager', 'che-issuer.yml')
-          const cheIssuer = this.kubeHelper.safeLoadFromYamlFile(cheIssuerPath)
-          await this.kubeHelper.createIssuer(cheIssuer, namespace)
-          task.title = `${task.title}...[OK]`
-        },
-      },
-    ]
-  }
-
-  getCreateCertificateTasks(
-    flags: any,
-    commonName: string,
-    dnsNames: string[],
-    secretName: string,
-    namespace: string): ReadonlyArray<Listr.ListrTask> {
-    return [
-      {
-        title: `Request certificate for dnsNames: [${dnsNames}]`,
-        task: async (ctx: any, task: any) => {
-          const secretExists = await this.kubeHelper.isSecretExists(secretName, namespace)
-          if (secretExists) {
-            task.title = `${task.title}...[Exists]`
-            return
-          }
-
-          const cheCertificatePath = path.join(getEmbeddedTemplatesDirectory(), '..', 'resources', 'cert-manager', 'che-certificate.yml')
-          const cheCertificate = this.kubeHelper.safeLoadFromYamlFile(cheCertificatePath) as V1Certificate
-          cheCertificate.metadata.namespace = namespace
-          cheCertificate.spec.secretName = secretName
-          cheCertificate.spec.commonName = commonName
-          cheCertificate.spec.dnsNames = dnsNames
-          cheCertificate.spec.issuerRef.name = CertManagerTasks.ISSUER_NAME
-
-          await this.kubeHelper.createCertificate(cheCertificate, namespace)
-
-          task.title = `${task.title}...[OK]`
-        },
-      },
-      {
-        title: `Wait for secret ${secretName}`,
-        task: async (ctx: any, task: any) => {
-          await this.kubeHelper.waitSecret(secretName, namespace, ['tls.key', 'tls.crt', 'ca.crt'])
-          task.title = `${task.title}...[OK]`
-        },
-      },
-    ]
-  }
 }