Deploying Che with support for Git repositories with self-signed certificates

This procedure describes how to configure Che for deployment with support for Git operations on repositories that use self-signed certificates.

Prerequisites
  • Git version 2 or later

  • Helm version 2.15 or higher

Procedure

Configuring support for self-signed Git repositories.

In the instructions below, substitute kubectl for oc when running Che on Kubernetes.

  1. Create a new ConfigMap with details about the Git server:

    $ oc create configmap che-git-self-signed-cert --from-file=ca.crt \
      --from-literal=githost=<host:port> -n {prod-namespace}

    In the command, substitute <host:port> with the host and port of the HTTPS connection on the Git server. The githost value is optional.

    • When githost is not specified, the given certificate is used for all HTTPS repositories.

    • The certificate file must be named ca.crt.

    • Certificate files are typically stored as Base64 ASCII files, such as .pem, .crt, .ca-bundle. They can also be encoded as binary data, for example, .cer. All Secrets that hold certificate files should use the Base64 ASCII certificate rather than the binary data certificate.

  2. Configure the workspace exposure strategy:

    For Che deployed using a Helm Chart
    1. Clone the che project.

    2. Go to the deploy/kubernetes/helm/che directory.

    3. Update the global.useGitSelfSignedCerts property. To do that, add the following option to the helm upgrade command:

      $ helm upgrade che -n eclipse-che --set global.useGitSelfSignedCerts=true \
        --set global.ingressDomain=<kubernetes-cluster-domain> .

    On Minikube, substitute <kubernetes-cluster-domain> with $(minikube ip).nip.io.

    For Che deployed using Operators

    Update the gitSelfSignedCert property. To do that, execute:

    $ kubectl patch checluster/eclipse-che -n eclipse-che --type=json \
      -p '[{"op": "replace", "path": "/spec/server/gitSelfSignedCert", "value": true}]'

  3. Create and start a new workspace. Every container used by the workspace mounts a special volume that contains a file with the self-signed certificate. The repository’s .git/config file contains information about the Git server host (its URL) and the path to the certificate in the http section (see the Git documentation about git-config). For example:

    [http "https://10.33.177.118:3000"]
            sslCAInfo = /etc/che/git/cert/ca.crt
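
To check from inside a workspace container which remotes actually pick up the self-signed CA, the following added example (not part of the Che documentation) resolves the http section the same way Git does, using git config --get-urlmatch. The function names, the demo and the sample remote URLs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: show which CA file Git trusts for an HTTPS remote,
# based on the http.<url>.sslCAInfo entries in a Git config file.

# ca_for_url <config-file> <remote-url>
# Prints the sslCAInfo path Git applies to the URL, or "system-default"
# when no http.sslCAInfo entry matches it.
ca_for_url() {
    git config --file "$1" --get-urlmatch http.sslCAInfo "$2" 2>/dev/null ||
        echo "system-default"
}

# ca_scope <config-file>
# "global":   an unscoped [http] sslCAInfo applies to every HTTPS remote.
# "per-host": only [http "<url>"] sections carry sslCAInfo.
# "none":     the file sets no sslCAInfo at all.
ca_scope() {
    if git config --file "$1" --get http.sslCAInfo >/dev/null 2>&1; then
        echo "global"
    elif git config --file "$1" --get-regexp '^http\..+\.sslcainfo$' >/dev/null 2>&1; then
        echo "per-host"
    else
        echo "none"
    fi
}

# Demo on a constructed config file that mirrors the snippet above.
demo() {
    cfg=$(mktemp)
    printf '[http "https://10.33.177.118:3000"]\n\tsslCAInfo = /etc/che/git/cert/ca.crt\n' >"$cfg"
    echo "scope: $(ca_scope "$cfg")"
    # Constructed remotes: matching host and port, same host on the
    # default port, and an unrelated host.
    for url in https://10.33.177.118:3000/org/repo.git \
               https://10.33.177.118/org/repo.git \
               https://git.example.com/org/repo.git; do
        echo "$url -> $(ca_for_url "$cfg" "$url")"
    done
    rm -f "$cfg"
}

# With two arguments, inspect a real file (for example .git/config in a
# workspace project) for one remote URL; without arguments, run the demo.
if [ $# -ge 2 ]; then
    echo "scope: $(ca_scope "$1")"
    ca_for_url "$1" "$2"
else
    demo
fi
```

A "per-host" result means the certificate is trusted only for the listed Git server, while "global" means it is trusted for every HTTPS repository, the behaviour the page describes when githost is not specified.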