From fbbbb0b6ae84dc07f9669c537e3bc2874ef98f2a Mon Sep 17 00:00:00 2001
From: Mykola Morhun
Date: Wed, 2 Sep 2020 13:24:57 +0300
Subject: [PATCH] Backport of https://github.com/eclipse/che-operator/pull/424 into 7.18.x branch (#426)
Signed-off-by: Mykola Morhun
---
 pkg/deploy/tls.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/pkg/deploy/tls.go b/pkg/deploy/tls.go
index 4e4973e1d..aa575fe72 100644
--- a/pkg/deploy/tls.go
+++ b/pkg/deploy/tls.go
@@ -150,10 +150,26 @@ func GetEndpointTLSCrtChain(instance *orgv1.CheCluster, endpointURL string, prox
 requestURL = endpointURL
 }
+ certificates, err := doRequestForTLSCrtChain(instance, requestURL, proxy, isTestRoute)
+ if err != nil {
+ if proxy.HttpProxy != "" && isTestRoute {
+ // Fetching certificates from the test route without proxy failed. Probably non-proxy connections are blocked.
+ // Retrying with proxy configuration, however it might cause retreiving of wrong certificate in case of TLS interception by proxy.
+ logrus.Warn("Failed to get certificate chain of trust of the OpenShift Ingress bypassing the proxy")
+
+ return doRequestForTLSCrtChain(instance, requestURL, proxy, false)
+ }
+
+ return nil, err
+ }
+ return certificates, nil
+}
+
+func doRequestForTLSCrtChain(instance *orgv1.CheCluster, requestURL string, proxy *Proxy, skipProxy bool) ([]*x509.Certificate, error) {
 transport := &http.Transport{}
 // Adding the proxy settings to the Transport object.
 // However, in case of test route we need to reach cluter directly in order to get the right certificate.
- if proxy.HttpProxy != "" && !isTestRoute {
+ if proxy.HttpProxy != "" && !skipProxy {
 logrus.Infof("Configuring proxy with %s to extract crt from the following URL: %s", proxy.HttpProxy, requestURL)
 ConfigureProxy(instance, transport, proxy)
 }
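Review bot: The new fallback in GetEndpointTLSCrtChain retries through the proxy on any error from the direct request and drops that error, so a chain served by a TLS-intercepting proxy is accepted with only a generic warning. If the returned certificates are later used as trust anchors (their use is outside this hunk), a transient failure of the direct path would be enough to end up trusting the proxy's certificate instead of the Ingress one. At minimum, keep the cause and flag the result in the log, e.g. `logrus.Warnf("Failed to get certificate chain of trust of the OpenShift Ingress bypassing the proxy: %v. Retrying through the proxy; the returned chain may be the proxy's if it intercepts TLS", err)`. Consider also limiting the retry to connection-level failures. The body of doRequestForTLSCrtChain continues past the end of the hunk.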