fix: Ignore certificate check on fetch devworkspace template #1247
Conversation
|
Hi @vinokurig. Thanks for your PR. I'm waiting for a devfile member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: vinokurig The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: ivinokur <[email protected]>
|
/ok-to-test |
|
I've opened #1248 as the related issue to this PR. |
| transport := http.DefaultTransport.(*http.Transport).Clone() | ||
| healthCheckTransport := http.DefaultTransport.(*http.Transport).Clone() | ||
| healthCheckTransport.TLSClientConfig = &tls.Config{ | ||
| tlsConfig := &tls.Config{ | ||
| InsecureSkipVerify: true, |
There was a problem hiding this comment.
@vinokurig but this means that we are skipping verification of TLS for every single request, no?
There was a problem hiding this comment.
@ibuziuk this is my understanding as well. Previously, we were only skipping TLS verification for the health check
There was a problem hiding this comment.
It might make more sense to add a DevWorkspace Operator Config field to allow disabling the TLS verification which users on an air-gapped cluster would toggle on.
There was a problem hiding this comment.
Added the property, @AObuchow please take a look.
There was a problem hiding this comment.
Overall looks good to me if we're going with the approach of enabling/disabling TLS verification (one small note in my next comment below about modifying the DevWorkspace Operator Config though). I do think @tolusha's suggestion of using certificates retrieved from a secret is more optimal than my suggestion, though.
Additionally, we have to commit to any changes made to the DevWorkspace Operator Config since these are considered API changes, and we unfortunately can't easily remove any fields we add. So taking my simpler approach first, and then implementing @tolusha's suggestion later on would mean we'd have to keep DisableTLSVerification in the DevWorkspace Operator Config.
Thankfully, though both my suggestion and @tolusha's suggestion would resolve #1248, they both provide different functionality and would not necessarily be redundantly overlapping each other if we were to support both fields in the DevWorkspace Operator Config. So implementing both approaches would not be redundant. @ibuziuk @tolusha @dkwon17 if any of you have any input on whether we should take a simpler approach first or not, please feel free to share.
There was a problem hiding this comment.
Regarding adding a new DevWorkspace Operator Config field, two areas need to be addressed:
- Modifications need to be made to
mergeConfig()andGetCurrentConfigString()in sync.go.
In mergeConfig() we need to copy over the values of the new DisableTLSVerification field, something like:
if from.Routing != nil {
if to.Routing == nil {
to.Routing = &controller.RoutingConfig{}
}
if from.Routing.DefaultRoutingClass != "" {
to.Routing.DefaultRoutingClass = from.Routing.DefaultRoutingClass
}
if from.Routing.ClusterHostSuffix != "" {
to.Routing.ClusterHostSuffix = from.Routing.ClusterHostSuffix
}
if from.Routing.ProxyConfig != nil {
if to.Routing.ProxyConfig == nil {
to.Routing.ProxyConfig = &controller.Proxy{}
}
to.Routing.ProxyConfig = proxy.MergeProxyConfigs(from.Routing.ProxyConfig, defaultConfig.Routing.ProxyConfig)
}
+ if from.Routing.DisableTLSVerification != nil {
+ to.Routing.DisableTLSVerification = from.Routing.DisableTLSVerification
+ }
}And in GetCurrentConfigString() we need to declare if DisableTLSVerification is enabled. Something like:
if routing != nil {
if routing.ClusterHostSuffix != "" && routing.ClusterHostSuffix != defaultConfig.Routing.ClusterHostSuffix {
config = append(config, fmt.Sprintf("routing.clusterHostSuffix=%s", routing.ClusterHostSuffix))
}
if routing.DefaultRoutingClass != defaultConfig.Routing.DefaultRoutingClass {
config = append(config, fmt.Sprintf("routing.defaultRoutingClass=%s", routing.DefaultRoutingClass))
}
+ if routing.DisableTLSVerification != nil && *routing.DisableTLSVerification {
+ config = append(config, "routing.DisableTLSVerification=true")
+ }
}You can run make test to make sure everything's working as expected. In particular, this test should be passing.
- The CRDs need to be re-generated since a new field was added to the DevWorkspace Operator Config. Run the following, and add the resulting changes into a separate commit:
make generate manifests fmt generate_default_deployment generate_olm_bundle_yaml
|
@tolusha could you please review? |
|
Why not to add configuration with a secret storing extra certificates? |
+1, maybe something along the lines of adding into the DWOC If this approach is taken, we'd have to also modify the DWO controller to watch for Secrets that were created by the Che-Operator. The secrets could maybe contain a label (e.g. I can help out with this process further or even add extra commits if desired. |
|
My suggestion: |
|
Working on an approach with injecting tls certificate |
What does this PR do?
In order to fix the
x509: certificate signed by unknown authority errorignore certificate check on fetch devworkspace template.What issues does this PR fix or reference?
#1248
Is it tested? How?
Apply a workspace, from a devfile that has a nested parent devfile which is hosted on a service with self signed certificate:
parent devfile:
PR Checklist
/test v8-devworkspace-operator-e2e, v8-che-happy-pathto trigger)v8-devworkspace-operator-e2e: DevWorkspace e2e testv8-che-happy-path: Happy path for verification integration with Che