Deploying Che with support for Git repositories with self-signed certificates

You can configure Che to support operations on Git providers that use self-signed certificates.

  1. Create a new ConfigMap with details about the Git server:

    $ kubectl create configmap che-git-self-signed-cert \
      --from-file=ca.crt=<path_to_certificate> \
      --from-literal=githost=<git_server_url> -n eclipse-che
    • <path_to_certificate>: Path to the self-signed certificate.
    • <git_server_url>: Optional parameter to specify the Git server URL. When omitted, the self-signed certificate is used for all repositories over HTTPS.
    • Certificate files are typically stored as Base64 ASCII files, such as .pem, .crt, .ca-bundle. All ConfigMaps that hold certificate files should use the Base64 ASCII certificate rather than the binary data certificate.

    • A certificate chain of trust is required. If the ca.crt is signed by a certificate authority (CA), the CA certificate must be included in the ca.crt file.

  2. Add the required labels to the ConfigMap:

    $ kubectl label configmap che-git-self-signed-cert \ -n eclipse-che
  3. Configure the Che operand to use self-signed certificates for Git repositories. See Using the CLI to configure the CheCluster Custom Resource.

          gitTrustedCertsConfigMapName: che-git-self-signed-cert
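
A pre-flight check for the ca.crt file described in step 1, as an added example that is not part of the Che documentation: it rejects binary (DER) input, confirms that each PEM block decodes to a structurally complete DER SEQUENCE, and returns the number of certificates so you can confirm the CA certificate is in the bundle. The function names are assumptions, and the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_outer_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose length field spans it exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_ca_bundle(data: bytes) -> int:
    """Return the number of PEM certificates in data; raise ValueError if unusable."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        if data[:1] == b"\x30":            # raw DER starts with a SEQUENCE tag
            raise ValueError("binary (DER) certificate: convert it to PEM first")
        raise ValueError("no PEM certificate block found")
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError(f"certificate {i}: invalid Base64") from exc
        if not der_outer_length_ok(der):
            raise ValueError(f"certificate {i}: truncated or not a DER SEQUENCE")
    return len(blocks)

def fake_pem(payload: bytes) -> bytes:
    """Constructed placeholder: a PEM block around a minimal DER SEQUENCE."""
    der = b"\x30" + bytes([len(payload)]) + payload   # payload must be < 128 bytes
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

# Constructed sample: server certificate followed by its CA certificate.
SAMPLE_BUNDLE = fake_pem(b"server-cert-placeholder") + fake_pem(b"ca-cert-placeholder")

if __name__ == "__main__":
    print("certificates in bundle:", check_ca_bundle(SAMPLE_BUNDLE))
```

The check covers encoding and structure only; it does not validate signatures or the order of the chain.
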

Verification steps

  • Create and start a new workspace. Every container used by the workspace mounts a special volume that contains a file with the self-signed certificate. The container’s /etc/gitconfig file contains information about the Git server host (its URL) and the path to the certificate in the http section (see Git documentation about git-config).

    Example 1. Contents of an /etc/gitconfig file
    [http ""]
    sslCAInfo = /etc/config/che-git-tls-creds/certificate