Deploying Che with support for Git repositories with self-signed certificates

You can configure Che to support operations on Git providers that use self-signed certificates.

  1. Create a new ConfigMap with details about the Git server:

    $ kubectl create configmap che-git-self-signed-cert \
      --from-file=ca.crt=<path_to_certificate> \
      --from-literal=githost=<host:port> -n eclipse-che
    • <path_to_certificate>: Path to the self-signed certificate.
    • <host:port>: The host and port of the HTTPS connection on the Git server (optional).
    • When githost is not specified, the given certificate is used for all HTTPS repositories.

    • Certificate files are typically stored as Base64 ASCII files, such as .pem, .crt, and .ca-bundle. They can also be encoded as binary data, for example, .cer. All Secrets that hold certificate files should use the Base64 ASCII certificate rather than the binary data certificate.

  2. Add the required labels to the ConfigMap:

    $ kubectl label configmap che-git-self-signed-cert \ -n eclipse-che
  3. Configure Che operand to use self-signed certificates for Git repositories. See Using the CLI to configure the CheCluster Custom Resource.

          gitTrustedCertsConfigMapName: che-git-self-signed-cert
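
A preflight check for the certificate-format requirement in step 1, as an added example that is not part of the Che documentation: it reports whether a file is Base64 ASCII (PEM) or binary (DER) and writes a PEM copy to use as ca.crt. The function names cert_encoding and ensure_pem are hypothetical, and the DER branch assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not Che project code). Function names are hypothetical.

# cert_encoding FILE
# Prints "pem", "der" or "unknown". Detection is heuristic: it looks for the
# PEM armor line, then for the ASN.1 SEQUENCE tag (0x30) that opens a
# DER-encoded X.509 certificate. It does not validate the certificate.
cert_encoding() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo pem
  elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = 30 ]; then
    echo der
  else
    echo unknown
  fi
}

# ensure_pem SRC DST
# Writes a PEM copy of SRC to DST. A PEM input is copied unchanged; a DER
# input is converted with openssl (assumed to be installed). Anything else
# is rejected so that it never reaches the ConfigMap.
ensure_pem() {
  case "$(cert_encoding "$1")" in
    pem)
      cp -- "$1" "$2"
      ;;
    der)
      openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
      ;;
    *)
      echo "not a PEM or DER certificate: $1" >&2
      return 1
      ;;
  esac
}
```

Pass the file written by ensure_pem to --from-file=ca.crt= in step 1. Before creating the ConfigMap, confirm the subject and fingerprint of the certificate with openssl x509 -noout -subject -fingerprint -sha256, since a certificate created without githost is used for all HTTPS repositories.
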

Verification steps
  • Create and start a new workspace. Every container used by the workspace mounts a special volume that contains a file with the self-signed certificate. The container’s /etc/gitconfig file contains information about the Git server host (its URL) and the path to the certificate in the http section (see Git documentation about git-config).

    Example 1. Contents of an /etc/gitconfig file
    [http ""]
    sslCAInfo = /etc/config/che-git-tls-creds/certificate