[initializer] Replace GIT_SSL_CAINFO with GIT_SSL_CAPATH

Pothulapati · roboquat · commit 77279a892e4b · 2022-05-30T14:03:48.000+05:30
Fixes #10173 Using `GIT_SSL_CAPATH` means that we will continue to support publicly signed SCM's even when we have a `customCA` configured. Signed-off-by: Tarun Pothulapati <tarun@gitpod.io>
diff --git a/components/content-service/pkg/git/git.go b/components/content-service/pkg/git/git.go
@@ -181,6 +181,10 @@ func (c *Client) GitWithOutput(ctx context.Context, subcommand string, args ...s
 	if os.Getenv("https_proxy") != "" {
 		env = append(env, fmt.Sprintf("https_proxy=%s", os.Getenv("https_proxy")))
 	}
+	if v := os.Getenv("GIT_SSL_CAPATH"); v != "" {
+		env = append(env, fmt.Sprintf("GIT_SSL_CAPATH=%s", v))
+	}
+
 	if v := os.Getenv("GIT_SSL_CAINFO"); v != "" {
 		env = append(env, fmt.Sprintf("GIT_SSL_CAINFO=%s", v))
 	}
diff --git a/components/ws-daemon/pkg/content/initializer.go b/components/ws-daemon/pkg/content/initializer.go
@@ -202,7 +202,7 @@ func RunInitializer(ctx context.Context, destination string, initializer *csapi.
 	spec.Process.User.GID = opts.GID
 	spec.Process.Args = []string{"/app/content-initializer"}
 	for _, e := range os.Environ() {
-		if strings.HasPrefix(e, "JAEGER_") || strings.HasPrefix(e, "GIT_SSL_CAINFO=") {
+		if strings.HasPrefix(e, "JAEGER_") || strings.HasPrefix(e, "GIT_SSL_CAPATH=") || strings.HasPrefix(e, "GIT_SSL_CAINFO=") {
 			spec.Process.Env = append(spec.Process.Env, e)
 		}
 	}
diff --git a/install/installer/pkg/common/ca.go b/install/installer/pkg/common/ca.go
@@ -63,8 +63,9 @@ func CustomCACertVolume(ctx *RenderContext) (vol *corev1.Volume, mnt *corev1.Vol
 	}
 
 	const (
-		volumeName = "custom-ca-cert"
-		mountPath  = "/etc/ssl/certs/custom-ca.crt"
+		volumeName        = "custom-ca-cert"
+		customCAMountPath = "/etc/ssl/certs/custom-ca.crt"
+		certsMountPath    = "/etc/ssl/certs/"
 	)
 	vol = &corev1.Volume{
 		Name: volumeName,
@@ -83,12 +84,13 @@ func CustomCACertVolume(ctx *RenderContext) (vol *corev1.Volume, mnt *corev1.Vol
 	mnt = &corev1.VolumeMount{
 		Name:      volumeName,
 		ReadOnly:  true,
-		MountPath: mountPath,
+		MountPath: customCAMountPath,
 		SubPath:   "ca.crt",
 	}
 	env = []corev1.EnvVar{
-		{Name: "NODE_EXTRA_CA_CERTS", Value: mountPath},
-		{Name: "GIT_SSL_CAINFO", Value: mountPath},
+		{Name: "NODE_EXTRA_CA_CERTS", Value: customCAMountPath},
+		{Name: "GIT_SSL_CAPATH", Value: certsMountPath},
+		{Name: "GIT_SSL_CAINFO", Value: customCAMountPath},
 	}
 	ok = true
 	return

Original file line number	Diff line number	Diff line change
`@@ -181,6 +181,10 @@ func (c *Client) GitWithOutput(ctx context.Context, subcommand string, args ...s`
`181`	`181`	`if os.Getenv("https_proxy") != "" {`
`182`	`182`	`env = append(env, fmt.Sprintf("https_proxy=%s", os.Getenv("https_proxy")))`
`183`	`183`	`}`
	`184`	`+ if v := os.Getenv("GIT_SSL_CAPATH"); v != "" {`
	`185`	`+ env = append(env, fmt.Sprintf("GIT_SSL_CAPATH=%s", v))`
	`186`	`+ }`
	`187`	`+`
`184`	`188`	`if v := os.Getenv("GIT_SSL_CAINFO"); v != "" {`
`185`	`189`	`env = append(env, fmt.Sprintf("GIT_SSL_CAINFO=%s", v))`
`186`	`190`	`}`
Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ func RunInitializer(ctx context.Context, destination string, initializer *csapi.`
`202`	`202`	`spec.Process.User.GID = opts.GID`
`203`	`203`	`spec.Process.Args = []string{"/app/content-initializer"}`
`204`	`204`	`for _, e := range os.Environ() {`
`205`		`- if strings.HasPrefix(e, "JAEGER_") \|\| strings.HasPrefix(e, "GIT_SSL_CAINFO=") {`
	`205`	`+ if strings.HasPrefix(e, "JAEGER_") \|\| strings.HasPrefix(e, "GIT_SSL_CAPATH=") \|\| strings.HasPrefix(e, "GIT_SSL_CAINFO=") {`
`206`	`206`	`spec.Process.Env = append(spec.Process.Env, e)`
`207`	`207`	`}`
`208`	`208`	`}`