Deploying Che with support for Git repositories with self-signed certificates

This procedure describes how to configure Che for deployment with support for Git operations on repositories that use self-signed certificates.

Prerequisites
  • Git version 2 or later

Procedure

Configuring support for self-signed Git repositories.

  1. Create a new ConfigMap with details about the Git server:

    $ kubectl create configmap che-git-self-signed-cert \
      --from-file=ca.crt=<path_to_certificate> \
      --from-literal=githost=<host:port> -n eclipse-che
    • <path_to_certificate>: path to the self-signed certificate.
    • <host:port>: the host and port of the HTTPS connection on the Git server (optional).
    • When githost is not specified, the given certificate is used for all HTTPS repositories.

    • Certificate files are typically stored as Base64 ASCII files, such as .pem, .crt, or .ca-bundle. They can also be encoded as binary data, for example, .cer. All Secrets that hold certificate files should use the Base64 ASCII certificate rather than the binary data certificate.

  2. Add the required labels to the ConfigMap:

    $ kubectl label configmap che-git-self-signed-cert \
    app.kubernetes.io/part-of=che.eclipse.org -n eclipse-che
  3. Configure Che to use self-signed certificates for Git repositories:

    Update the gitSelfSignedCert property. To do that, execute:

    $ kubectl patch checluster/eclipse-che -n eclipse-che --type=json \
      -p '[{"op": "replace", "path": "/spec/server/gitSelfSignedCert", "value": true}]'
  4. Create and start a new workspace. Every container used by the workspace mounts a special volume that contains a file with the self-signed certificate. The repository’s .git/config file contains information about the Git server host (its URL) and the path to the certificate in the http section (see Git documentation about git-config). For example:

[http "https://10.33.177.118:3000"]
sslCAInfo = /etc/che/git/cert/ca.crt
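
The following script is an added example, not part of the Che documentation. It checks that a certificate file is Base64 ASCII (PEM) before it goes into the ConfigMap, and it uses Git's own URL matching to show which repository URLs the mounted certificate applies to. The function names `is_pem_cert` and `ca_for_url`, the host `git.example.test`, and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Che documentation). Function names are hypothetical.

# Succeeds only if FILE carries PEM armor, i.e. is a Base64 ASCII certificate.
# A binary (DER) .cer file fails this check and should be converted first.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Prints the CA file Git would use for URL according to CONFIG, using Git's
# own URL matching for [http "<url>"] sections. Exit status 1 means no match.
ca_for_url() {
  git config --file "$1" --get-urlmatch http.sslCAInfo "$2"
}

# --- Constructed sample input ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed placeholder, not a real certificate: only the armor matters here.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
  '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"
# Constructed stand-in for a binary DER file (starts with an ASN.1 SEQUENCE tag).
printf '\060\202\001\012' > "$demo_dir/ca.cer"

# The http section from the example .git/config above.
cat > "$demo_dir/config" <<'EOF'
[http "https://10.33.177.118:3000"]
sslCAInfo = /etc/che/git/cert/ca.crt
EOF

for f in ca.crt ca.cer; do
  if is_pem_cert "$demo_dir/$f"; then echo "$f: PEM, usable in the ConfigMap"
  else echo "$f: not PEM, convert before use"; fi
done

for url in https://10.33.177.118:3000/org/repo.git https://git.example.test/org/repo.git; do
  echo "$url -> $(ca_for_url "$demo_dir/config" "$url" || echo 'default trust store')"
done
```

Inside a running workspace, `ca_for_url .git/config <repository_url>` confirms that the self-signed certificate is applied only to the host given as githost.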