Uploaded image for project: 'Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces) '
  1. Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces)
  2. CRW-4508

Cloning projects from repositories with self-signed certificates fails

XMLWordPrintable

    • False
    • None
    • False

      Description of problem:

      Attempting to clone a project from a git repository served with self-signed certificates fails in the project-clone container when attempting to resolve a branch on the remote even though the project is successfully cloned and fetched. This occurs only when the project's checkoutFrom field is specified, and does not occur if the field is blank.

      The project clone container logs are similar to:

      2023/05/19 14:14:31 Read DevWorkspace at /devworkspace-metadata/flattened.devworkspace.yaml
2023/05/19 14:14:31 Processing project <PROJECT>
2023/05/19 14:14:31 Cloning project <PROJECT> to /projects/project-clone-2277794524/<PROJECT>
Cloning into '/projects/project-clone-2277794524/<PROJECT>'...
2023/05/19 14:14:32 Cloned project <PROJECT> to /projects/project-clone-2277794524/<PROJECT>
2023/05/19 14:14:32 Setting up remotes for project <PROJECT>
2023/05/19 14:14:32 Fetched remote origin at <REPO>/<PROJECT>.git
2023/05/19 14:14:32 No personal access token found for URL <REPO>/<PROJECT>.git
2023/05/19 14:14:32 Encountered error while setting up project <PROJECT>: failed to checkout revision: failed to read remote origin: Get "<REPO>/<PROJECT>.git/info/refs?service=git-upload-pack": x509: certificate signed by unknown authority

      Workaround:

      Issue can be worked around by specifying the SSL_CERT_FILE environment variable for project clone, which is used by the go-git library to configure additional CA bundles. This can be done via an automount configmap, mounted as environment variables:

      kind: ConfigMap
apiVersion: v1
metadata: 
  name: clone-ca-certs-workaround
  namespace: <WORKSPACE_NAMESPACE>
  labels: 
    app.kubernetes.io/component: user-settings
    app.kubernetes.io/name: devspaces
    app.kubernetes.io/part-of: che.eclipse.org
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-configmap: 'true'
  annotations: 
    controller.devfile.io/mount-as: env
data: 
  SSL_CERT_FILE: /<path-to-mounted-certs>

      Prerequisites (if any, like setup, operators/versions):

      N/A

      Steps to Reproduce

      1. Set up self-signed certificate as documented: https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.5/html-single/administration_guide/index#deploying-devspaces-with-support-for-git-repositories-with-self-signed-certificates
      2. Create a workspace from a project that is served from a server with self-signed certificates and specify checkoutFrom field 
            projects: 
      - name: selfsigned
        git: 
          remotes: 
            origin: "<selfsigned-repository>"
          checkoutFrom: 
            revision: main

         

        Actual results:

      Project setup fails as described above

      Expected results:

      Project setup should succeed without additional configuration. Certificates are available as repository was cloned successfully.

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Acceptance criteria: 

       

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

       

       *

              amisevsk Angel Misevski (Inactive)
              amisevsk Angel Misevski (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: