Merged
1 change: 1 addition & 0 deletions .htmltest.yml
Expand Up @@ -30,4 +30,5 @@ IgnoreURLs:
- https://git.example.com:8443
- https://stackoverflow.com/questions/tagged/eclipse-che
- https://example.com/
- https://gdpr.eu/
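Review bot: The new `- https://gdpr.eu/` entry under `IgnoreURLs` has no comment saying why the link checker should skip it, so links to that host in the docs will silently stop being validated. Please add a short YAML comment above the entry giving the reason (for example, that the site rejects the checker's requests, if that is the case). Since this is unrelated to the certificate documentation change in the same PR, consider mentioning it in the PR description as well.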

Expand Up @@ -16,14 +16,17 @@ Therefore, you must import into {prod-short} all untrusted CA chains in use by a
* A source code repositories provider (Git)

{prod-short} uses labeled ConfigMaps in {prod-short} {orch-namespace} as sources for TLS certificates.
The ConfigMaps can have an arbitrary amount of keys with a random amount of certificates each. Operator merges all ConfigMaps into a single one titled `ca-certs-merged`, and mounts it as a volume in the {prod-short} server, dashboard and workspace pods.
By default, the Operator mounts the `ca-certs-merged` ConfigMap in a user's workspace at two locations: `/public-certs` and `/etc/pki/ca-trust/extracted/pem`. The `/etc/pki/ca-trust/extracted/pem` directory is where the system stores extracted CA certificates for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora). CLI tools automatically use certificates from the system-trusted locations, when the user's workspace is up and running.
The ConfigMaps can have an arbitrary amount of keys with a random amount of certificates each.
All certificates are mounted into:

[NOTE]
* `/public-certs` location of {prod-short} server and dashboard pods
* `/public-certs` and `/etc/pki/ca-trust/extracted/pem` locations of workspaces pods

The `/etc/pki/ca-trust/extracted/pem` directory is where the system stores extracted CA certificates for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora). CLI tools automatically use certificates from the system-trusted locations, when the user's workspace is up and running.

[IMPORTANT]
====
When an OpenShift cluster contains cluster-wide trusted CA certificates added through the link:https://docs.openshift.com/container-platform/latest/networking/configuring-a-custom-pki.html#nw-proxy-configure-object_configuring-a-custom-pki[cluster-wide-proxy configuration],
{prod-short} Operator detects them and automatically injects them into a ConfigMap with the `config.openshift.io/inject-trusted-cabundle="true"` label.
Based on this annotation, OpenShift automatically injects the cluster-wide trusted CA certificates inside the `ca-bundle.crt` key of the ConfigMap.
On OpenShift cluster, {prod-short} operator automatically adds Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle into mounted certificates.
====

.Prerequisites
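Review bot: The rewritten text appears to drop two details an administrator needs when auditing what a workspace trusts: the name of the merged ConfigMap (`ca-certs-merged`) and the `config.openshift.io/inject-trusted-cabundle="true"` label with its `ca-bundle.crt` key. The replacement line in the [IMPORTANT] block, "On OpenShift cluster, {prod-short} operator automatically adds Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle into mounted certificates.", tells the reader that extra CAs end up in `/public-certs` and `/etc/pki/ca-trust/extracted/pem` but not where they come from or how to inspect them. Please state which object carries the bundle so it can be reviewed. Wording points in the same hunk: "operator" should be capitalized as "Operator" to match the rest of the page, "On OpenShift cluster" needs an article, "workspaces pods" should be "workspace pods", and "arbitrary amount of keys with a random amount of certificates" reads better as "arbitrary number of keys, each with any number of certificates".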