From ad7df6abbff5afa557e0607b7fdcc5e08273f047 Mon Sep 17 00:00:00 2001
From: flacatus
Date: Wed, 8 Jul 2020 15:31:43 +0200
Subject: [PATCH] Add tls support to che operator updates

Signed-off-by: flacatus
---
 .ci/cico_updates_minikube.sh | 14 +++++++++++++
 .ci/cico_updates_minishift.sh | 25 +++++++++++++++++++++--
 .ci/util/che-cert-generation.sh | 36 +++++++++++++++++++++++++++++++++
 .ci/util/ci_common.sh | 2 +-
 olm/olm.sh | 1 -
 5 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100644 .ci/util/che-cert-generation.sh

diff --git a/.ci/cico_updates_minikube.sh b/.ci/cico_updates_minikube.sh
index 804f77cc1..5a3fd366f 100644
--- a/.ci/cico_updates_minikube.sh
+++ b/.ci/cico_updates_minikube.sh
@@ -86,7 +86,21 @@ waitCheUpdateInstall() {
   fi
 }
+self_signed_minikube() {
+  export DOMAIN=*.$(minikube ip).nip.io
+
+  source ${OPERATOR_REPO}/.ci/util/che-cert-generation.sh
+
+  kubectl create namespace che
+  kubectl create secret tls che-tls --key=domain.key --cert=domain.crt -n che
+  cp rootCA.crt ca.crt
+  kubectl create secret generic self-signed-certificate --from-file=ca.crt -n che
+}
+
 testUpdates() {
+  # Create certificates for tests purpose
+  self_signed_minikube
+
   "${OPERATOR_REPO}"/olm/testUpdate.sh ${PLATFORM} ${CHANNEL} ${NAMESPACE}
   printInfo "Successfully installed Eclipse Che previous version."
diff --git a/.ci/cico_updates_minishift.sh b/.ci/cico_updates_minishift.sh
index 7d6392ded..4098c4bbd 100644
--- a/.ci/cico_updates_minishift.sh
+++ b/.ci/cico_updates_minishift.sh
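Review bot: `self_signed_minikube` hard-codes the `che` namespace in `kubectl create namespace che` and both `-n che` secret creations, while `testUpdates` hands `${NAMESPACE}` to testUpdate.sh two lines later; if the two ever differ, the `che-tls` and `self-signed-certificate` secrets land where the operator will not look, so use `-n "${NAMESPACE}"` in the helper or assert the two agree. The sourced generator also drops `rootCA.key` and `domain.key` into whatever directory the CI job runs in, and that root CA is then trusted by the Che install, so generating into `certdir=$(mktemp -d)` with `trap 'rm -rf -- "${certdir:?}"' EXIT` keeps the signing key out of the workspace. `export DOMAIN=*.$(minikube ip).nip.io` should be quoted, `export DOMAIN="*.$(minikube ip).nip.io"`, so the leading `*` is never at the mercy of shell globbing rules. `kubectl create namespace che` will also fail on a re-run when the namespace already exists, which aborts the job if the script runs under `set -e`.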
@@ -62,7 +62,6 @@ installLatestCheStable() {
   export previousPackageVersion=$(echo "${previousCSV}" | sed -e "s/${packageName}.v//")
   # Add stable Che images and tag to CR
-  sed -i "s/tlsSupport: true/tlsSupport: false/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml
   sed -i "s/cheImage: ''/cheImage: quay.io\/eclipse\/che-server/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml
   sed -i "s/cheImageTag: ''/cheImageTag: ${previousPackageVersion}/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml
   sed -i "s/devfileRegistryImage: ''/devfileRegistryImage: quay.io\/eclipse\/che-devfile-registry:"${previousPackageVersion}"/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml
@@ -70,7 +69,7 @@ installLatestCheStable() {
   sed -i "s/identityProviderImage: ''/identityProviderImage: quay.io\/eclipse\/che-keycloak:"${previousPackageVersion}"/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml
   # Start last stable version of che
-  chectl server:start --platform=minishift --che-operator-cr-yaml=${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml \
+  chectl server:start --platform=minishift --skip-kubernetes-health-check --che-operator-cr-yaml=${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml \
   --che-operator-image=quay.io/eclipse/che-operator:${previousPackageVersion} --installer=operator
 }
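Review bot: The new `--skip-kubernetes-health-check` on the `chectl server:start` line turns off chectl's pre-flight cluster check, and nothing in the hunk records why that became necessary once TLS is enabled; a comment above the call, `# Pre-flight check skipped: chectl cannot validate the router's freshly installed self-signed cert`, would keep a later cleanup from dropping the flag — replace the reason if it is actually a different one, since the hunk does not show it. With the `tlsSupport: true -> false` sed removed in the previous hunk, the stable install now relies on whatever `tlsSupport` value the shipped `org_v1_che_cr.yaml` carries; an explicit `sed -i "s/tlsSupport: false/tlsSupport: true/" ${OPERATOR_REPO}/tmp/che-operator/crds/org_v1_che_cr.yaml` next to the image seds would make the requirement self-evident. `installLatestCheStable` begins before this hunk.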
@@ -98,8 +97,30 @@ waitForNewCheVersion() {
   fi
 }
+self_signed_minishift() {
+  export DOMAIN=*.$(minishift ip).nip.io
+
+  source ${OPERATOR_REPO}/.ci/util/che-cert-generation.sh
+
+  #Configure Router with generated certificate:
+
+  oc login -u system:admin --insecure-skip-tls-verify=true
+  oc project default
+  oc delete secret router-certs
+
+  cat domain.crt domain.key > minishift.crt
+  oc create secret tls router-certs --key=domain.key --cert=minishift.crt
+  oc rollout latest router
+
+  oc create namespace che
+
+  cp rootCA.crt ca.crt
+  oc create secret generic self-signed-certificate --from-file=ca.crt -n=che
+}
+
 testUpdates() {
   # Install previous stable version of Eclipse Che
+  self_signed_minishift
   installLatestCheStable
   # Create an workspace
diff --git a/.ci/util/che-cert-generation.sh b/.ci/util/che-cert-generation.sh
new file mode 100644
index 000000000..40f9d3a78
--- /dev/null
+++ b/.ci/util/che-cert-generation.sh
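Review bot: `oc rollout latest router` is not followed by a wait, so `self_signed_minishift` returns while the previous router pod may still be serving the old certificate and `installLatestCheStable` can begin its TLS checks against the wrong cert; add `oc rollout status dc/router -n default` after the rollout (and `oc delete secret router-certs --ignore-not-found` so a re-run does not abort). The `cat domain.crt domain.key > minishift.crt` step deliberately embeds the private key in the file passed as `--cert`, which appears to match the layout of the default `router-certs` secret on OpenShift 3 but reads like a mistake; a comment such as `# the router expects tls.crt to hold the certificate and the key in one PEM` would document it. `oc login -u system:admin --insecure-skip-tls-verify=true` is defensible on a throw-away minishift, but it, and the `domain.key`/`rootCA.key` left in the working directory, deserve a `# CI-only: ...` note so nobody copies the pattern into a real cluster.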
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2012-2020 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+# Red Hat, Inc. - initial API and implementation
+
+#Declare CN
+export CA_CN=eclipse-che-signer
+
+#Create Root Key
+openssl genrsa -out rootCA.key 4096
+
+#Create and self sign the Root Certificate
+openssl req -x509 -new -nodes -key rootCA.key -subj /CN=${CA_CN} -sha256 -days 1024 -out rootCA.crt
+
+#Create the certificate key
+openssl genrsa -out domain.key 2048
+
+#Create the signing (csr)
+openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CK/O=RedHat/CN=${DOMAIN}" -out domain.csr
+
+#Verify Csr
+openssl req -in domain.csr -noout -text
+
+#Generate the certificate using the domain csr and key along with the CA Root key
+openssl x509 -req -in domain.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out domain.crt -days 500 -sha256
+
+#Verify the certificate's content
+openssl x509 -in domain.crt -text -noout
diff --git a/.ci/util/ci_common.sh b/.ci/util/ci_common.sh
index acc0e5b5d..a071d4b07 100644
--- a/.ci/util/ci_common.sh
+++ b/.ci/util/ci_common.sh
@@ -151,7 +151,7 @@ getCheAcessToken() {
   if [[ ${PLATFORM} == "openshift" ]]
   then
     KEYCLOAK_HOSTNAME=$(oc get route -n ${NAMESPACE} keycloak --template={{.spec.host}})
-    TOKEN_ENDPOINT="http://${KEYCLOAK_HOSTNAME}/auth/realms/che/protocol/openid-connect/token"
+    TOKEN_ENDPOINT="https://${KEYCLOAK_HOSTNAME}/auth/realms/che/protocol/openid-connect/token"
     export CHE_ACCESS_TOKEN=$(curl --data "grant_type=password&client_id=che-public&username=admin&password=admin" -k ${TOKEN_ENDPOINT} | jq -r .access_token)
   else
     KEYCLOAK_HOSTNAME=keycloak-che.$(minikube ip).nip.io
diff --git a/olm/olm.sh b/olm/olm.sh
index 12de4849e..33169ee40 100755
--- a/olm/olm.sh
+++ b/olm/olm.sh
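Review bot: The leaf certificate carries the wildcard only in the CN (`-subj "/C=US/ST=CK/O=RedHat/CN=${DOMAIN}"`) and the `openssl x509 -req` step adds no extensions, so the issued `domain.crt` has no subjectAltName; clients that ignore CN, which includes Go 1.15+ TLS and current browsers, will reject it even with `rootCA.crt` trusted. Add the SAN at signing time, `openssl x509 -req -in domain.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -extfile <(printf 'subjectAltName=DNS:%s' "${DOMAIN}") -out domain.crt -days 500 -sha256`. Since the file is sourced and depends entirely on the caller exporting `DOMAIN`, fail fast with `: "${DOMAIN:?DOMAIN (e.g. *.192.168.99.100.nip.io) must be exported before sourcing}"` ahead of the first openssl call. A header comment listing what the script leaves in `$PWD` (`rootCA.key`, `rootCA.crt`, `rootCA.srl`, `domain.key`, `domain.csr`, `domain.crt`) would also tell callers which files hold private keys and must be cleaned up.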
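Review bot: Switching `TOKEN_ENDPOINT` to `https://` gains little while the `curl` on the following line keeps `-k`, which disables certificate verification and so still accepts whatever answers on the route. The same commit produces the CA as `rootCA.crt`/`ca.crt`, so once its path is known in this function the call can pin it, `curl --cacert "${CA_CERT_PATH}" ...`, and drop `-k`; if the path is not available here, a comment `# -k: CI uses a self-signed cert and the CA file is not reachable from this shell` records why verification is off. The admin password also travels on the command line via `--data`, visible in `ps` and any `set -x` trace; `--data @-` with the form body on stdin avoids that. `getCheAcessToken` continues past the hunk, including the minikube `else` branch whose endpoint scheme is not visible here.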
@@ -202,7 +202,6 @@ applyCRCheCluster() {
   CRs=$(yq -r '.metadata.annotations["alm-examples"]' "${packageFolderPath}/${PACKAGE_VERSION}/${packageName}.v${PACKAGE_VERSION}.clusterserviceversion.yaml")
   CR=$(echo "$CRs" | yq -r ".[0]")
-  CR=$(echo "$CR" | yq -r ".spec.server.tlsSupport = false")
   if [ "${platform}" == "kubernetes" ]
   then
     CR=$(echo "$CR" | yq -r ".spec.k8s.ingressDomain = \"$(minikube ip).nip.io\"")