[ws-manager] Support custom CA certs #9081

Merged
merged 2 commits into from
Apr 5, 2022

@csweichel csweichel commented Apr 1, 2022

Description

Adds custom CA cert support to workspaces.

Related Issue(s)

Fixes #9079

How to test

  1. Ensure that ws-manager's config carries a caCertSecret entry (done on this branch)
  2. Start a workspace on https://cw-fix-9079.staging.gitpod-dev.com/workspaces
  3. Cat the custom cert from /etc/ssl/certs/gitpod-ca.crt

Release Notes

Add custom CA cert support to workspaces

@csweichel csweichel marked this pull request as ready for review April 4, 2022 11:43
@csweichel csweichel requested a review from a team April 4, 2022 11:43
@github-actions github-actions bot added the team: workspace Issue belongs to the Workspace team label Apr 4, 2022

@sagor999 sagor999 left a comment

@csweichel code looks good, but when I do cat /etc/ssl/certs/gitpod-ca.crt it shows me BEGIN RSA PRIVATE KEY, which I think is wrong, since crt should be the public part of the cert, and gitpod-ca.key should be the private key.
So I want to make sure we map this correctly.

@csweichel

> @csweichel code looks good, but when I do cat /etc/ssl/certs/gitpod-ca.crt it shows me BEGIN RSA PRIVATE KEY, which I think is wrong, since crt should be the public part of the cert, and gitpod-ca.key should be the private key. So I want to make sure we map this correctly.

That's right - my bad. I just stuffed the wrong file into the secret. We're just mounting the secret directly into the workspace, regardless of its content. It's up to the user to ensure there's a valid CA cert (not a key) in there.

We could add validation to the installer to ensure it's a CA cert.

@roboquat roboquat merged commit 01c257f into main Apr 5, 2022
@roboquat roboquat deleted the cw/fix-9079 branch April 5, 2022 15:58
@roboquat roboquat added deployed: workspace Workspace team change is running in production deployed Change is completely running in production labels Apr 5, 2022
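
The thread above raises the idea of validating that the secret holds a CA cert rather than a key. One way such a check could look, as an added example that is not part of this PR or of Gitpod's code: `ValidateCABundle` and `Sample` are hypothetical names, and the certificate and key are throwaway values generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// ValidateCABundle (hypothetical name) passes only if every PEM block is a CA CERTIFICATE.
func ValidateCABundle(data []byte) error {
	n := 0
	for blk, rest := pem.Decode(data); blk != nil; blk, rest = pem.Decode(rest) {
		n++
		if blk.Type != "CERTIFICATE" { // e.g. "RSA PRIVATE KEY", the case seen in the thread
			return fmt.Errorf("block %d is a %q, not a CERTIFICATE", n, blk.Type)
		}
		crt, err := x509.ParseCertificate(blk.Bytes)
		if err != nil || !crt.BasicConstraintsValid || !crt.IsCA {
			return fmt.Errorf("block %d is not a parseable CA certificate (parse error: %v)", n, err)
		}
	}
	if n == 0 {
		return fmt.Errorf("no PEM blocks found")
	}
	return nil
}

// Sample builds a throwaway self-signed cert and its key (constructed input).
func Sample(isCA bool) (certPEM, keyPEM []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: isCA, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	kder, err := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder}), err
}

func main() {
	c, k, err := Sample(true)
	fmt.Println(err, "| cert:", ValidateCABundle(c), "| key:", ValidateCABundle(k))
}
```

A bundle that mixes a valid CA certificate with a key block is rejected as a whole, so a key cannot ride along behind a certificate in the same file.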
Labels: deployed: workspace (Workspace team change is running in production), deployed (Change is completely running in production), release-note, size/XL, team: workspace (Issue belongs to the Workspace team)

Successfully merging this pull request may close these issues: Add CA cert support to ws-manager