Deploying Che with support for Git repositories with self-signed certificates

You can configure Che to support operations on Git providers that use self-signed certificates.

Prerequisites
Procedure
  1. Create a new ConfigMap with details about the Git server:

    $ kubectl create configmap che-git-self-signed-cert \
      --from-file=ca.crt=<path_to_certificate> \
      --from-literal=githost=<git_server_url> -n eclipse-che

    <path_to_certificate>: Path to the self-signed certificate.
    <git_server_url>: Optional parameter to specify the Git server URL, for example https://git.example.com:8443. When omitted, the self-signed certificate is used for all repositories over HTTPS.

    • Certificate files are typically stored as Base64 ASCII files, such as .pem, .crt, .ca-bundle. All ConfigMaps that hold certificate files should use the Base64 ASCII certificate rather than the binary data certificate.

    • A certificate chain of trust is required. If the ca.crt is signed by a certificate authority (CA), the CA certificate must be included in the ca.crt file.

  2. Add the required labels to the ConfigMap:

    $ kubectl label configmap che-git-self-signed-cert \
      app.kubernetes.io/part-of=che.eclipse.org -n eclipse-che
  3. Configure the Che operand to use self-signed certificates for Git repositories. See "Using the CLI to configure the CheCluster Custom Resource".

    spec:
      devEnvironments:
        trustedCerts:
          gitTrustedCertsConfigMapName: che-git-self-signed-cert
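
A pre-flight check for the two notes in step 1 (Base64 ASCII rather than binary data, and the CA certificate included in ca.crt), as an added example that is not part of the Che documentation. `check_ca_bundle` is a hypothetical helper name; it checks PEM structure only and does not verify signatures, and the sample input is constructed.

```bash
#!/usr/bin/env bash
# check_ca_bundle FILE  (hypothetical helper, not part of Che or kubectl)
# Structural pre-flight check for the file passed to --from-file=ca.crt=...
# Prints the number of PEM certificate blocks found. Return codes:
#   0 = PEM text, every block well formed   1 = file missing or empty
#   2 = no PEM block (binary/DER?)          3 = malformed PEM block
check_ca_bundle() {
  local file=$1
  [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$file"; then
    echo "no PEM block in $file; convert DER input first:" >&2
    echo "  openssl x509 -inform der -in $file -out ca.crt" >&2
    return 2
  fi
  awk '
    /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ {
      if (inside) bad = 1          # BEGIN inside an open block
      inside = 1; body = 0; next
    }
    /^-----END CERTIFICATE-----[ \t\r]*$/ {
      if (!inside || body == 0) bad = 1   # stray END or empty block
      inside = 0; count++; next
    }
    inside {                       # block body must be Base64 text only
      if ($0 !~ "^[A-Za-z0-9+/=]+[ \t\r]*$") bad = 1
      body++
    }
    END {
      if (inside) bad = 1          # truncated file: BEGIN without END
      print count + 0
      exit (bad ? 3 : 0)
    }
  ' "$file"
}

# Constructed sample input: PEM-shaped blocks with placeholder Base64
# bodies (not real certificates) and four bytes standing in for a DER file.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q29uc3RydWN0ZWRTZXJ2ZXI=' \
  '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
  'Q29uc3RydWN0ZWRJc3N1ZXI=' '-----END CERTIFICATE-----' > "$demo/ca.crt"
printf '\060\202\001\012' > "$demo/ca.der"
for f in "$demo/ca.crt" "$demo/ca.der"; do
  n=$(check_ca_bundle "$f") && echo "$f: PEM, $n certificate(s)" \
    || echo "$f: rejected (rc=$?)"
done
rm -rf "$demo"
```

A count of 1 for a certificate that was signed by a CA means the CA certificate still has to be appended to ca.crt before the ConfigMap is created.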
Verification steps
  • Create and start a new workspace. Every container used by the workspace mounts a special volume that contains a file with the self-signed certificate. The container’s /etc/gitconfig file contains information about the Git server host (its URL) and the path to the certificate in the http section (see Git documentation about git-config).

    Example 1. Contents of an /etc/gitconfig file
    [http "https://10.33.177.118:3000"]
    sslCAInfo = /etc/config/che-git-tls-creds/certificate