Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the documentation about importing external certificates #1598

Merged
merged 15 commits into from
Dec 2, 2020
Merged

Update the documentation about importing external certificates #1598

merged 15 commits into from
Dec 2, 2020

Conversation

davidfestal
Copy link
Contributor

@davidfestal davidfestal commented Sep 18, 2020
edited
Loading

What does this PR do?

This PR Updates the documentation about importing additional certificates in a Ce installation, to reflect the current status of Che on this Topic.

What issues does this PR fix or reference?

This PR refers to issue https://issues.redhat.com/browse/RHDEVDOCS-2089

Specify the version of the product this PR applies to.

This PR applies to the last Upstream release (7.18.2) and to the 2.4 downstream release.

PR Checklist

As the author of this Pull Request I made sure that:

  • vale has been run successfully against the PR branch
  • Link checker has been run successfully against the PR branch
  • Documentation describes a scenario that is already covered by QE tests, otherwise an issue has been created and acknowledged by Che QE team
  • Changed article references are updated where they are used (or a redirect has been set up on the docs side):

@davidfestal davidfestal requested review from l0rd and tolusha September 18, 2020 18:13
@davidfestal davidfestal changed the title [WIP] Update the documentation about importing external certificates Update the documentation about importing external certificates Sep 18, 2020
@davidfestal davidfestal marked this pull request as ready for review September 18, 2020 20:14
@rkratky rkratky added the need-cherry-pick/7.34.x need cherry-pick to 7.18.x branch label Sep 21, 2020
themr0c
themr0c reviewed Sep 21, 2020
View reviewed changes
...stallation-guide/partials/proc_importing-tls-certificates-to-che-server-java-truststore.adoc Outdated
@@ -1,92 +1,174 @@


[id="importing-tls-certificates-to-{prod-id-short}-server-java-trustore_{context}"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also update the id and all xref statements pointing to this id?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

tolusha
tolusha reviewed Sep 21, 2020
View reviewed changes
...stallation-guide/partials/proc_importing-tls-certificates-to-che-server-java-truststore.adoc Outdated
----
+
- Certificates are mounted in folder `/public-certs/` of the {prod-short} server container. This command returns the list of files in that folder:
- {prod-short} mounts certificates in folder `/public-certs/` of the {prod-short} server container. This command returns the list of files in that folder:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that checking /public-certs folder is not enough.
when ca-certs configmap is updated then k8s automatically refreshes /public-certs.
but those certificates won't be added to java trust store of the che-server and keycloak.

@themr0c
Copy link
Contributor

themr0c commented Sep 21, 2020

It seems this procedure is turning into a collection of 2 distinct procedures depending on the method used to install the Che instance.

We have a similar case Upgrading Che. We make there the distinction between these 2 deployment flows: using OperatorHub vs. using the CLI management tool.

For consistency purposes, using the same presentation here would be awesome, but is it relevant?

@rkratky rkratky self-assigned this Sep 21, 2020
@davidfestal
first changes
9899344
@davidfestal
Deeper update
3c35728
@davidfestal
Cleanup
ffaf568
@davidfestal
Add changes proposed by @l0rd
2031a3d
@davidfestal
Split the procedure into 2 sections:
49b4702 
according to whether the certificates are added;
- at installation time
- on an already-running installation.
@davidfestal davidfestal force-pushed the rhdevdocs-2089-reintegrate-external-ca-doc branch from aa64568 to 49b4702 Compare October 12, 2020 17:21
@davidfestal
Copy link
Contributor Author

@themr0c I don't know why the vale tests fail during CI while I have no vale error on my file in the Che workspace. Maybe rules have changed ?

@l0rd Since the PR comes from my fork, the result automatically pushed on netlify is not the right one.
So to ease the review I added the resulting page for preview as a PDF printed from the Web page

@davidfestal
Copy link
Contributor Author

davidfestal commented Oct 13, 2020
edited
Loading

It seems this procedure is turning into a collection of 2 distinct procedures depending on the method used to install the Che instance.

We have a similar case Upgrading Che. We make there the distinction between these 2 deployment flows: using OperatorHub vs. using the CLI management tool.

For consistency purposes, using the same presentation here would be awesome, but is it relevant?

@themr0c

In fact we thought if would be more beneficial to split the documentation into 2 sub-section according to the use-case:

  • Configuration at installation time
  • Configuration on already-running installation.

So I assume we would not also split according to the underlying installation method (operator or helm).

l0rd
l0rd requested changes Oct 15, 2020
View reviewed changes
Copy link
Contributor

@l0rd l0rd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The document is much clearer now. Good job @davidfestal. But there are still some points to review.

modules/installation-guide/partials/proc_importing-external-or-additional-tls-certificates.adoc Outdated Show resolved Hide resolved
modules/installation-guide/partials/proc_importing-external-or-additional-tls-certificates.adoc Outdated Show resolved Hide resolved
modules/installation-guide/partials/proc_importing-external-or-additional-tls-certificates.adoc Outdated Show resolved Hide resolved
modules/installation-guide/partials/proc_importing-external-or-additional-tls-certificates.adoc Outdated Show resolved Hide resolved
modules/installation-guide/partials/proc_importing-external-or-additional-tls-certificates.adoc Outdated
* {prod-short} already uses some reserved file names to automatically inject certificates into the ConfigMap, so you should avoid using the following reserved file names to save your certificates:
** `ca-bundle.crt`
** `ca.crt`
====
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The paragraph above is repeated multiple times in this article. Can we move it to a different doc component and reference it multiple times?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in commit 3f481ae

modules/installation-guide/partials/proc_importing-external-or-additional-tls-certificates.adoc Outdated Show resolved Hide resolved
modules/installation-guide/partials/proc_importing-external-or-additional-tls-certificates.adoc Outdated Show resolved Hide resolved
modules/installation-guide/partials/proc_importing-external-or-additional-tls-certificates.adoc Outdated Show resolved Hide resolved
@themr0c themr0c added the need-cherry-pick/7.32.x need cherry-pick to 7.32.x label Oct 20, 2020
@themr0c
Copy link
Contributor

themr0c commented Oct 27, 2020

@davidfestal Any chance you can include the proposed changes and rebase soon?

@davidfestal
Copy link
Contributor Author

@davidfestal Any chance you can include the proposed changes and rebase soon?

I'll try to work on it tomorrow

@themr0c themr0c added this to the 7.20.x milestone Oct 27, 2020
@davidfestal davidfestal mentioned this pull request Oct 29, 2020
Closed
22 tasks
@yhontyk yhontyk assigned yhontyk and unassigned rkratky Nov 10, 2020
@davidfestal davidfestal requested a review from l0rd November 30, 2020 18:58
@davidfestal
Copy link
Contributor Author

@l0rd Could you please review again after the last commit: 96614f0 ?

l0rd
l0rd approved these changes Dec 1, 2020
View reviewed changes
Copy link
Contributor

@l0rd l0rd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM Great job @davidfestal

yhontyk
yhontyk approved these changes Dec 1, 2020
View reviewed changes
Copy link

@yhontyk yhontyk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@davidfestal davidfestal merged commit c1921c5 into eclipse-che:master Dec 2, 2020
yhontyk pushed a commit that referenced this pull request Dec 2, 2020
@davidfestal @l0rd
Update the documentation about importing untrusted certificates (#1598)
d79b8e9 
* First changes
* Split the procedure into 2 sections according to whether the certificates are added:
  - at installation time
  - on an already-running installation.
* Add changes proposed by @l0rd
* Change the title according to @l0rd review comment
* Fix comment #1598 (review)
* Add verification steps at the workspace level
* Fix some of the vale errors

Co-authored-by: Mario Loriedo <mario.loriedo@gmail.com>
Co-authored-by: Yana Hontyk <yhontyk@redhat.com>
@yhontyk yhontyk added cherry-picked to 7.30.x and removed need-cherry-pick/7.34.x need cherry-pick to 7.18.x branch labels Dec 2, 2020
yhontyk pushed a commit that referenced this pull request Dec 2, 2020
@davidfestal @l0rd
Update the documentation about importing untrusted certificates (#1598)
aff1be8 
* First changes
* Split the procedure into 2 sections according to whether the certificates are added:
  - at installation time
  - on an already-running installation.
* Add changes proposed by @l0rd
* Change the title according to @l0rd review comment
* Fix comment #1598 (review)
* Add verification steps at the workspace level
* Fix some of the vale errors

Co-authored-by: Mario Loriedo <mario.loriedo@gmail.com>
Co-authored-by: Yana Hontyk <yhontyk@redhat.com>
@yhontyk yhontyk added cherry-picked to 7.32.x cherry-picked to 7.32.x and removed need-cherry-pick/7.32.x need cherry-pick to 7.32.x labels Dec 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@themr0c themr0c themr0c left review comments

@tolusha tolusha tolusha left review comments

@l0rd l0rd l0rd approved these changes

@yhontyk yhontyk yhontyk approved these changes

@MichalMaler MichalMaler Awaiting requested review from MichalMaler

@rkratky rkratky Awaiting requested review from rkratky

Assignees

@yhontyk yhontyk

Labels
cherry-picked to 7.32.x cherry-picked to 7.32.x kind/enhancement
Projects
None yet
Milestone
7.20.x
Development

Successfully merging this pull request may close these issues.
7 participants
@davidfestal @themr0c @l0rd @tolusha @yhontyk @rkratky @che-bot