Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support git clone for repos with self-signed SSL certs #14527

Closed
nickboldt opened this issue Sep 12, 2019 · 22 comments
Closed

Support git clone for repos with self-signed SSL certs #14527

nickboldt opened this issue Sep 12, 2019 · 22 comments
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/epic A long-lived, PM-driven feature request. Must include a checklist of items that must be completed. severity/P1 Has a major impact to usage or development of the system. status/in-progress This issue has been taken by an engineer and is under active development.
Milestone

Comments

@nickboldt
Copy link
Contributor

nickboldt commented Sep 12, 2019

Is your enhancement related to a problem? Please describe.

Say I'm a customer behind a firewall (air gap).

I have company wide certs for connecting my local laptop to company internal git repos.

But when I fire up Che 7, launch a workspace from a devfile...

projects:
  - name: java-maven-helloworld
    source:
      type: git
      location: "https://git.mycorp.com/projects-r-us/java-maven-helloworld.git"

... and try to clone from the repo, I can't connect:

The only workaround is to open a console in the Che 7 workspace, and do this:

git config --global http.sslverify “false”
git clone https://git.mycorp.com/projects-r-us/java-maven-helloworld.git

So... how can I get those certs into my che 7 workspace OOTB via the devfile, so I can clone from those repos as part of workspace creation, rather than via a manual step?

Describe the solution you'd like

We can do it in same way how it works for Keycloak at the moment, here helm template and Java code in Che repository. Also need to configure git trust store.

Workflow will be:

  • admin put somewhere correct SSL certificate for internal Git server (with name like CHE_GIT_SSL_CERT);
  • during start workspace we will:
    • mount this certificate on each container as k8s secret, in specified path;
    • modify git config git config --global http.sslCAInfo /home/some-path/git-certs/cert.pem;
@nickboldt nickboldt added the kind/enhancement A feature request - must adhere to the feature request template. label Sep 12, 2019
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Sep 12, 2019
@nickboldt nickboldt added the area/install Issues related to installation, including offline/air gap and initial setup label Sep 12, 2019
@tsmaeder tsmaeder added the status/info-needed More information is needed before the issue can move into the “analyzing” state for engineering. label Sep 12, 2019
@tsmaeder
Copy link
Contributor

@nickboldt having trouble assessing a priority here: is this some esoteric case or mainstream? Also, does it tie into an epic about airgapped operations?

@tsmaeder tsmaeder added severity/P1 Has a major impact to usage or development of the system. and removed status/info-needed More information is needed before the issue can move into the “analyzing” state for engineering. status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Sep 13, 2019
@tsmaeder
Copy link
Contributor

Airgapped seems to be important and short term: p1

@nickboldt
Copy link
Contributor Author

If we could somehow embed a cert inside a devfile, could we then use that cert when starting the workspace?

Or what about some sort of tiny cert-hosting container that a customer would create, which could be mounted into the theia container like https://stackoverflow.com/questions/26028971/docker-container-ssl-certificates ?

@skabashnyuk
Copy link
Contributor

What I can suggest: we need to provide the ability of additional configuration for git plugin such as.

projects:
  - name: java-maven-helloworld
    source:
      type: git
      location: "https://git.mycorp.com/projects-r-us/java-maven-helloworld.git"
      config:
            http.sslverify: false
            user.name: Scott Chacon
            user.email:  schacon@gmail.com
            color.status:  auto
            color.branch: auto
            color.interactive:  auto
            color.diff: auto
      

wdyt @l0rd @sunix @metlos @nickboldt @benoitf ?

@skabashnyuk skabashnyuk added the status/info-needed More information is needed before the issue can move into the “analyzing” state for engineering. label Sep 19, 2019
@skabashnyuk skabashnyuk added this to the 7.x milestone Sep 19, 2019
@l0rd
Copy link
Contributor

l0rd commented Sep 27, 2019

Another option: since in user preferences we already persist git.username and git.email it may make sense to persist git.http.sslverify as well. I mean user config should probably not live in a devfile.

@l0rd
Copy link
Contributor

l0rd commented Oct 7, 2019

After discussions disabling the SSL verification at the user level is a security exposure hence not ideal, not even as a workaround.

We still need to find out how we could address this issue in the right way:

  • How can we add a CA among git trusted CAs? Mounting the CA public certificate in the container?
  • How could an admin specify, when installing Che, the list of CAs certificates to trust?

@vparfonov Once we have a plan for that we should provide an estimation.

@nickboldt in the meantime it would be useful to understand if using a git + ssh address (like git@github.com:eclipse/che.git) would fix the specific user problem. That would make this issue of lower priority.

@RickJWagner
Copy link
Contributor

The problem is also noted by Che 6 (CRW 1.x) users. Here's a note from a user discussion:

"Users want to have a private git server with it's own SSL certificate. To use it, CodeReady Workspaces must allow the use of a user-provided CA certificate in the workspace."

@ghost
Copy link

ghost commented Oct 8, 2019

I am on 7.2.0 and I am trying to add the config tag under git in the workspace "create&modify". The auto save kicks in and remove the git config away.

@slemeur slemeur added kind/epic A long-lived, PM-driven feature request. Must include a checklist of items that must be completed. and removed kind/enhancement A feature request - must adhere to the feature request template. labels Oct 9, 2019
@l0rd l0rd changed the title Improve support for preloading certs and keys when creating a workspace from devfile Support git clone for repositories with self-signed SSL certificate Oct 9, 2019
@l0rd l0rd changed the title Support git clone for repositories with self-signed SSL certificate Support git clone for repos with self-signed SSL certs Oct 9, 2019
@nickboldt
Copy link
Contributor Author

If the dashboard is fighting you, you can create a devfile offline, put it into a gist or fpaste or other hosting solution, then:

https://che-che.your.openshift.com/f?url=http://path/to/devfile.yaml

eg., https://che.openshift.io/f?url=https://github.com/eclipse/che/devfile.yaml

@nickboldt
Copy link
Contributor Author

nickboldt commented Oct 9, 2019

FWIW I was able to do this:

But then in a console these didn't work to pull code from a private GH repo:

  • git clone https://github.com/redhat-developer/codeready-workspaces-productization/ or
  • git clone git@github.com:redhat-developer/codeready-workspaces-productization.git

Neither one worked. Then I tried to restart the workspace to see if that would help... and #14830 happened. :(

@l0rd
Copy link
Contributor

l0rd commented Oct 10, 2019

@nickboldt I have tested this scenario on 7.3-SNAPSHOT and it worked fine. There are a few recent fixes in the GIT+SSH scenario that are not yet on che.openshift.io.

@l0rd
Copy link
Contributor

l0rd commented Oct 10, 2019

I have updated the "solution" part in the issue description to match @vparfonov proposal.

@nickboldt
Copy link
Contributor Author

Latest details from @rbcminghou suggests that even with 7.2.0, neither of these work with internal GH repo:

git clone git@mygithub.bigcorp.com:minghou/java-maven-helloworld.git

and

bash-4.4 /projects $ git clone ssh://minghou@mygithub.bigcorp.com/java-maven-helloworld.git
Cloning into 'java-maven-helloworld'...
The authenticity of host 'mygithub.bigcorp.com (10.101.xy)' can't be established.
ECDSA key fingerprint is ******
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mygithub.bigcorp.com,10.101.x.y' (ECDSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

So we'll need to test with 7.3.0-SNAPSHOT/latest/next. Can you list ALL the images he'll need to pull to get a full 7.3.0 install set up?

@l0rd
Copy link
Contributor

l0rd commented Oct 10, 2019

@nickboldt the problem seems to be that the public SSH key hasn't been uploaded to the user account:

@l0rd l0rd modified the milestones: 7.x, Backlog - IDE 1 Oct 11, 2019
@ghost
Copy link

ghost commented Oct 12, 2019

@nickboldt I have tested the git access with ssh-kegen on my mac and uploaded the public key into my profile at my corporate github, and it works fine.

Tried the 7.2.0 "generate ssh key pair..." and uploaded the public key into my profile (same steps at the above), and it did not work and complained:

Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The next question, do I have to generate the ssh key pair for a new workspace?

@l0rd
Copy link
Contributor

l0rd commented Oct 12, 2019

@rbcminghou in 7.2, after the generation of the key pair, you had to stop and restart your workspace otherwise the key was not mounted in the container (that's something we fixed in7.3)

@ghost
Copy link

ghost commented Oct 12, 2019

@l0rd Thanks and it works after restart the workspace.

Do I have to upload the new public key for every new workspace?

@l0rd
Copy link
Contributor

l0rd commented Oct 12, 2019 via email

@ghost
Copy link

ghost commented Oct 12, 2019

Thanks, and it does work of killing the existing workspace and creating new workspace.

Does the key information store in the Postgres database with the che login profile?

@l0rd
Copy link
Contributor

l0rd commented Oct 12, 2019 via email

@vparfonov vparfonov added status/in-progress This issue has been taken by an engineer and is under active development. and removed status/info-needed More information is needed before the issue can move into the “analyzing” state for engineering. labels Oct 15, 2019
@vparfonov vparfonov modified the milestones: Backlog - IDE 1, 7.4.0 Oct 23, 2019
@vparfonov vparfonov modified the milestones: 7.4.0, 7.5.0 Nov 20, 2019
@vparfonov
Copy link
Contributor

vparfonov commented Dec 5, 2019

Sub issue:

@vparfonov vparfonov reopened this Dec 5, 2019
@ibuziuk ibuziuk mentioned this issue Dec 17, 2019
15 tasks
@nickboldt nickboldt modified the milestones: 7.5.0, 7.7.0 Dec 19, 2019
@vinokurig
Copy link
Contributor

Sub issue is resolved: eclipse-che/che-operator#142

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/epic A long-lived, PM-driven feature request. Must include a checklist of items that must be completed. severity/P1 Has a major impact to usage or development of the system. status/in-progress This issue has been taken by an engineer and is under active development.
Projects
None yet
Development

No branches or pull requests

9 participants