Signed-off-by: Anatolii Bazko <abazko@redhat.com>
Skipping CI for Draft Pull Request.
Codecov Report
Attention: Patch coverage is

Additional details and impacted files (Coverage Diff, main vs #1980):

| | main | #1980 | +/- |
|---|---|---|---|
| Coverage | 60.08% | 60.07% | -0.02% |
| Files | 76 | 76 | |
| Lines | 9824 | 9895 | +71 |
| Hits | 5903 | 5944 | +41 |
| Misses | 3517 | 3547 | +30 |
| Partials | 404 | 404 | |
@tolusha: thank you for the detailed test scenario! Could you please explain where to get a valid custom-ca for the next step?:

And it's not clear how long to wait—minutes, ten minutes, or more—when executing the follow-up step:

The file appears
@tolusha: I ran the test scenario expressed in the PR description against Eclipse Che deployed to a test OCP 4.17. At the same time I faced different behavior after disabling workspace mounting certs at step 16.
Actually, the workspace hadn't restarted within 10 minutes, so I restarted it manually.
The actual creation date of
There was the same size of
There were no certs in the ca-certs ConfigMap: Then I deleted the CheCluster and created it again from scratch with property But che-operator failed to install Eclipse Che. In the "che-operator" pod logs I found the following text: che-operator.logs.txt I would appreciate it if you could take a look at the test results.
From what I can see, step 16 wasn't completed successfully.

@tolusha: thanks for the comment.
api/v2/zz_generated.deepcopy.go
Outdated
| "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2" | ||
| "github.com/devfile/devworkspace-operator/apis/controller/v1alpha1" | ||
| v1 "k8s.io/api/core/v1" | ||
| "k8s.io/api/core/v1" |
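Review bot: zz_generated.deepcopy.go is generator output, so switching the core/v1 import from the aliased `v1 "k8s.io/api/core/v1"` to the bare `"k8s.io/api/core/v1"` by hand will be undone the next time deepcopy generation runs; either keep the generator's form here, or make the generation step itself produce the wanted import (or apply the change as a post-generation step in the update script) so the diff does not reappear after every regeneration.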
if I remember correctly, this change needs to be reverted every time after update-dev-resources
| // Remove trusted-ca-certs ConfigMap from the target namespace to reduce the number of ConfigMaps | ||
| // and avoid mounting the same certificates under different paths. | ||
| // See cerificates#syncCheCABundleCerts | ||
| trustedCACertsCMKey := client.ObjectKey{Name: prefixedName("trusted-ca-certs"), Namespace: targetNs} |
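Review bot: the removal keyed by trustedCACertsCMKey should treat a NotFound result as success, so that reconciling a target namespace where the ConfigMap was already deleted (or never created) neither fails nor requeues; the reconcile loop will otherwise hit exactly that case on every pass after the first successful cleanup. Also, the comment `// See cerificates#syncCheCABundleCerts` misspells the package name (certificates), which makes the cross-reference harder to find.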
on dogfooding, I see there is che-trusted-ca-certs, is it going to be removed by prefix?
- che-trusted-ca-certs will be removed completely
- yes, those CMs are identical
pkg/common/utils/utils.go
Outdated
| //if m == nil { | ||
| // continue | ||
| //} |
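Review bot: the commented-out `//if m == nil { continue }` should be deleted rather than left as dead code. If `m` is a map that the surrounding loop ranges over, the guard is also unnecessary even when enabled: ranging over a nil map in Go simply runs zero iterations, so a nil entry contributes nothing without an explicit check.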
@dmytro-ndp |
The test scenario from the PR description passed when run using Eclipse Che Next with the dashboard image quay.io/abazko/operator@sha256:265f6fb39412b5a4df067bba95baf24ca121a5f580927603d63843483b40747b
Test details:
- workspace was restarted automatically at step 17, after setting up "devEnvironments.trustedCerts.disableWorkspaceCaBundleMount: true"
- result of step "18. Step 10 is not correct anymore, all files have the same creation date":
  $ oc exec -n admin-che workspace30fc90bb823e42dd-d79b5f65d-rj585 -c universal-developer-image -- ls /etc/pki/ca-trust/extracted/pem -l
  total 884
  -rw-rw-r--. 1 root root 898 Jul 24 2024 README
  -r--r--r--. 1 root root 165521 Oct 31 00:03 email-ca-bundle.pem
  -r--r--r--. 1 root root 502506 Oct 31 00:03 objsign-ca-bundle.pem
  -r--r--r--. 1 root root 226489 Oct 31 00:03 tls-ca-bundle.pem
- result of step "19. The size of ca-certs-merged is pretty small":
  $ oc get configmaps -n admin-che ca-certs-merged -o json | jq '.data."tls-ca-bundle.pem" | length'
  10888
  $ oc get configmaps -n admin-che che-trusted-ca-certs -o json | jq '.data."tls-ca-bundle.pem" | length'
  Error from server (NotFound): configmaps "che-trusted-ca-certs" not found
- "Step 22. Do any editor tests"
  A few sample workspaces (.NET 5.0, React) started successfully. VS Code editors opened, and I was able to start the React application and open it in a separate tab.

Well done, @tolusha!
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: dmytro-ndp, tolusha

Build 3.21 :: operator_3.x/450

Build 3.21 :: get-sources-rhpkg-container-build_3.x/9127: devspaces-operator-bundle : 3.x :: Failed in 67114466 : BREW:BUILD/STATUS:UNKNOWN

Build 3.21 :: operator-bundle_3.x/4639

Build 3.21 :: sync-to-downstream_3.x/9008
What does this PR do?
Removes the che-trusted-ca-certs ConfigMap from user namespaces. These ConfigMaps were used to mount certificates into the /public-certs directory. Instead, a ca-certs-merged ConfigMap is created in the user namespace and is mounted either into the /public-certs directory or into /etc/pki/ca-trust/extracted/pem, depending on the value of spec.devEnvironments.trustedCerts.disableWorkspaceCaBundleMount.
Screenshot/screencast of this PR
N/A
What issues does this PR fix or reference?
https://issues.redhat.com/browse/CRW-8316
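The merge described above can be exercised offline with the following added example, which is not che-operator's own code: it builds one tls-ca-bundle.pem from the data of several ConfigMaps, keeps each certificate once so the same CA is not mounted under two paths (the reason the separate che-trusted-ca-certs ConfigMap can go away), and returns a fingerprint set for the "bundle contains the recently added certificate" check used in the test steps. The ConfigMap keys, the self-signed test certificates and the function names are assumptions, not the operator's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewTestCA returns a throwaway self-signed certificate as PEM: constructed input standing in
// for the contents of the kube-root-ca.crt, self-signed-certificate and ca-certs ConfigMaps.
func NewTestCA(serial int64) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// MergeCABundle builds one tls-ca-bundle.pem from the data of several ConfigMaps (assumed
// shape). Each valid CERTIFICATE block is kept once, keyed by the SHA-256 of its DER, so a CA
// carried by several sources is not mounted twice; the returned set allows membership checks.
// Nil maps need no guard: ranging over a nil map in Go yields nothing.
func MergeCABundle(sources ...map[string]string) (string, map[[32]byte]bool) {
	seen, out := map[[32]byte]bool{}, []byte(nil)
	for _, data := range sources {
		for _, v := range data {
			for blk, rest := pem.Decode([]byte(v)); blk != nil; blk, rest = pem.Decode(rest) {
				if _, err := x509.ParseCertificate(blk.Bytes); err != nil || blk.Type != "CERTIFICATE" {
					continue // malformed or non-certificate blocks never reach the bundle
				}
				if fp := sha256.Sum256(blk.Bytes); !seen[fp] {
					seen[fp] = true
					out = append(out, pem.EncodeToMemory(blk)...)
				}
			}
		}
	}
	return string(out), seen
}

func main() {
	root := NewTestCA(1)
	_, set := MergeCABundle(map[string]string{"ca.crt": root}, nil, map[string]string{"corp.pem": NewTestCA(2), "dup.pem": root})
	fmt.Println(len(set)) // 2: the duplicate root and the nil map add nothing
}
```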
How to test this PR?
- Login Eclipse Che (open dashboard)
- Observe a size of two ConfigMaps in a user namespace (pretty big)
- Wait until operator completes reconciliation
- Check that che-trusted-ca-certs doesn't exist in a user namespace
- Start an empty workspace
- Ensure there is no /public-certs directory mounted anymore
- tls-ca-bundle.pem file is a new file in the directory
- Ensure it contains content from kube-root-ca.crt, self-signed-certificate and ca-certs ConfigMaps
- Stop a user workspace
- Add custom certificate into OpenShift following the doc: https://docs.openshift.com/container-platform/4.17/security/certificates/updating-ca-bundle.html#ca-bundle-replacing_updating-ca-bundle
- After a while start a user workspace again
- Recheck step 11, ensure tls-ca-bundle.pem contains recently added certificate from step 13
- Disable workspace mounting certs: oc patch checluster eclipse-che -n eclipse-che --patch '{"spec": {"devEnvironments": {"trustedCerts": {"disableWorkspaceCaBundleMount": true}}}}' --type=merge
- Wait workspace is restarted
- Step 10 is not correct anymore, all files have the same creation date
- The size of ca-certs-merged is pretty small:
- tls-ca-bundle.pem in /public-certs dir. Ensure it contains content from kube-root-ca.crt, self-signed-certificate and ca-certs ConfigMaps
- ca-certs ConfigMap contains only certs from step 3

PR Checklist
As the author of this Pull Request I made sure that:
- What issues does this PR fix or reference and How to test this PR completed

Reviewers
Reviewers, please comment how you tested the PR when approving it.