Deploying Che with support for Git repositories with self-signed certificates
You can configure Che to support operations on Git providers that use self-signed certificates.
- An active oc session with administrative permissions to the OpenShift cluster. See Getting started with the OpenShift CLI.
- Git version 2 or later
- Create a new ConfigMap with details about the Git server:
  $ kubectl create configmap che-git-self-signed-cert \
      --from-file=ca.crt=<path_to_certificate> \
      --from-literal=githost=<host:port> -n eclipse-che
  <path_to_certificate>: Path to self-signed certificate
  <host:port>: The host and port of the HTTPS connection on the Git server (optional).
  - When githost is not specified, the given certificate is used for all HTTPS repositories.
  - Certificate files are typically stored as Base64 ASCII files, such as .pem, .crt, .ca-bundle. Also, they can be encoded as binary data, for example, .cer. All Secrets that hold certificate files should use the Base64 ASCII certificate rather than the binary data certificate.
- Add the required labels to the ConfigMap:
  $ kubectl label configmap che-git-self-signed-cert \
      app.kubernetes.io/part-of=che.eclipse.org -n eclipse-che
- Configure Che operand to use self-signed certificates for Git repositories. See Using the CLI to configure the CheCluster Custom Resource.
  spec:
    devEnvironments:
      trustedCerts:
        gitTrustedCertsConfigMapName: che-git-self-signed-cert
- Create and start a new workspace. Every container used by the workspace mounts a special volume that contains a file with the self-signed certificate. The container's /etc/gitconfig file contains information about the Git server host (its URL) and the path to the certificate in the http section (see Git documentation about git-config).
  Example 1. Contents of an /etc/gitconfig file
  [http "https://10.33.177.118:3000"]
      sslCAInfo = /etc/config/che-git-tls-creds/certificate
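A pre-flight check for the encoding note in the first step, as an added example that is not part of the Che documentation: it classifies a certificate file as PEM (Base64 ASCII) or binary DER before the file is passed to --from-file. The function names and the script name are hypothetical, and the DER test assumes the usual 0x30 0x82 prefix of an X.509 certificate.

```shell
#!/bin/sh
# Added example (not from the Che docs). Function and script names are hypothetical.
# Usage: sh check-cert.sh <path_to_certificate>

# cert_encoding FILE -> prints "pem", "der" or "unknown"; returns 0 only for pem/der.
cert_encoding() {
    f=$1
    [ -r "$f" ] || { echo "unknown"; return 1; }
    # PEM: Base64 ASCII wrapped in BEGIN/END CERTIFICATE marker lines.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" &&
       grep -q -- '-----END CERTIFICATE-----' "$f"; then
        # Everything between the markers must be Base64 characters only.
        if sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" |
           grep -v -- '-----' | tr -d '\r' |
           LC_ALL=C grep -q '[^A-Za-z0-9+/=]'; then
            echo "unknown"; return 1
        fi
        echo "pem"; return 0
    fi
    # DER: binary ASN.1 SEQUENCE with a two-byte length (assumed prefix 30 82).
    first=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    if [ "$first" = "3082" ]; then
        echo "der"; return 0
    fi
    echo "unknown"; return 1
}

# check_for_configmap FILE -> returns 0 only when FILE is safe to load as ca.crt.
check_for_configmap() {
    enc=$(cert_encoding "$1") || true
    case $enc in
        pem) echo "OK: $1 is Base64 ASCII (PEM)"; return 0 ;;
        der) echo "REJECT: $1 is binary DER; convert it first:" >&2
             echo "  openssl x509 -inform der -in $1 -out ${1%.*}.pem" >&2
             return 1 ;;
        *)   echo "REJECT: $1 is not a recognizable certificate" >&2
             return 1 ;;
    esac
}

if [ $# -gt 0 ]; then check_for_configmap "$1"; fi
```

The check only inspects the encoding; it does not validate the certificate chain or expiry.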