Add a new trust bundle for custom SSL certificates (#18450)

aledbf · nandajavarma · web-flow · commit de4bbbea1c19 · 2023-08-08T16:46:34.000+02:00
* Add a new trust bundle for custom SSL certificates

* Mount the customer certificate in the workspace

* Use the custom certificate in components

* Cleanup

* Set env variables and mount the crt in a different file

* rename custom ca cert file name

* Fix the filename in env vars

* Enable custom SSL certificate conditionally

---------

Co-authored-by: nandajavarma &lt;nandaja.varma@gmail.com&gt;
diff --git a/components/ws-manager-api/go/config/config.go b/components/ws-manager-api/go/config/config.go
@@ -133,6 +133,8 @@ type Configuration struct {
 	TimeoutMaxConcurrentReconciles int `json:"timeoutMaxConcurrentReconciles,omitempty"`
 	// ExperimentalMode controls if experimental features are enabled
 	ExperimentalMode bool `json:"experimentalMode"`
+	// EnableCustomSSLCertificate controls if we need to support custom SSL certificates for git operations
+	EnableCustomSSLCertificate bool `json:"enableCustomSSLCertificate"`
 }
 
 type WorkspaceClass struct {
diff --git a/components/ws-manager-mk2/controllers/create.go b/components/ws-manager-mk2/controllers/create.go
@@ -317,6 +317,17 @@ func createDefiniteWorkspacePod(sctx *startWorkspaceContext) (*corev1.Pod, error
 		},
 	}
 
+	if sctx.Config.EnableCustomSSLCertificate {
+		volumes = append(volumes, corev1.Volume{
+			Name: "gitpod-ca-crt",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{Name: "gitpod-customer-certificate-bundle"},
+				},
+			},
+		})
+	}
+
 	workloadType := "regular"
 	if sctx.Headless {
 		workloadType = "headless"
@@ -463,6 +474,29 @@ func createWorkspaceContainer(sctx *startWorkspaceContext) (*corev1.Container, e
 
 	image := fmt.Sprintf("%s/%s/%s", sctx.Config.RegistryFacadeHost, regapi.ProviderPrefixRemote, sctx.Workspace.Name)
 
+	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:             workspaceVolumeName,
+			MountPath:        workspaceDir,
+			ReadOnly:         false,
+			MountPropagation: &mountPropagation,
+		},
+		{
+			MountPath:        "/.workspace",
+			Name:             "daemon-mount",
+			MountPropagation: &mountPropagation,
+		},
+	}
+
+	if sctx.Config.EnableCustomSSLCertificate {
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      "gitpod-ca-crt",
+			MountPath: "/etc/ssl/certs/gitpod-ca.crt",
+			SubPath:   "ca-certificates.crt",
+			ReadOnly:  true,
+		})
+	}
+
 	return &corev1.Container{
 		Name:            "workspace",
 		Image:           image,
@@ -475,19 +509,7 @@ func createWorkspaceContainer(sctx *startWorkspaceContext) (*corev1.Container, e
 			Limits:   limits,
 			Requests: requests,
 		},
-		VolumeMounts: []corev1.VolumeMount{
-			{
-				Name:             workspaceVolumeName,
-				MountPath:        workspaceDir,
-				ReadOnly:         false,
-				MountPropagation: &mountPropagation,
-			},
-			{
-				MountPath:        "/.workspace",
-				Name:             "daemon-mount",
-				MountPropagation: &mountPropagation,
-			},
-		},
+		VolumeMounts:             volumeMounts,
 		ReadinessProbe:           readinessProbe,
 		Env:                      env,
 		Command:                  command,
@@ -547,10 +569,21 @@ func createWorkspaceEnvironment(sctx *startWorkspaceContext) ([]corev1.EnvVar, e
 	result = append(result, corev1.EnvVar{Name: "THEIA_WEBVIEW_EXTERNAL_ENDPOINT", Value: "webview-{{hostname}}"})
 	result = append(result, corev1.EnvVar{Name: "THEIA_MINI_BROWSER_HOST_PATTERN", Value: "browser-{{hostname}}"})
 
-	// We don't require that Git be configured for workspaces
-	if sctx.Workspace.Spec.Git != nil {
-		result = append(result, corev1.EnvVar{Name: "GITPOD_GIT_USER_NAME", Value: sctx.Workspace.Spec.Git.Username})
-		result = append(result, corev1.EnvVar{Name: "GITPOD_GIT_USER_EMAIL", Value: sctx.Workspace.Spec.Git.Email})
+	if sctx.Config.EnableCustomSSLCertificate {
+		const (
+			customCAMountPath = "/etc/ssl/certs/gitpod-ca.crt"
+			certsMountPath    = "/etc/ssl/certs/"
+		)
+
+		result = append(result, corev1.EnvVar{Name: "NODE_EXTRA_CA_CERTS", Value: customCAMountPath})
+		result = append(result, corev1.EnvVar{Name: "GIT_SSL_CAPATH", Value: certsMountPath})
+		result = append(result, corev1.EnvVar{Name: "GIT_SSL_CAINFO", Value: customCAMountPath})
+
+		// We don't require that Git be configured for workspaces
+		if sctx.Workspace.Spec.Git != nil {
+			result = append(result, corev1.EnvVar{Name: "GITPOD_GIT_USER_NAME", Value: sctx.Workspace.Spec.Git.Username})
+			result = append(result, corev1.EnvVar{Name: "GITPOD_GIT_USER_EMAIL", Value: sctx.Workspace.Spec.Git.Email})
+		}
 	}
 
 	// System level env vars
diff --git a/install/installer/pkg/components/cluster/certmanager.go b/install/installer/pkg/components/cluster/certmanager.go
@@ -35,13 +35,26 @@ func certmanager(ctx *common.RenderContext) ([]runtime.Object, error) {
 		},
 	}
 
+	gitpodCustomCertificateBundleSource := []trust.BundleSource{
+		{
+			UseDefaultCAs: pointer.Bool(false),
+		},
+	}
+
 	if ctx.Config.CustomCACert != nil {
 		gitpodCaBundleSources = append(gitpodCaBundleSources, trust.BundleSource{
 			Secret: &trust.SourceObjectKeySelector{
 				Name:        ctx.Config.CustomCACert.Name,
 				KeySelector: trust.KeySelector{Key: "ca.crt"},
 			},
 		})
+
+		gitpodCustomCertificateBundleSource = append(gitpodCustomCertificateBundleSource, trust.BundleSource{
+			Secret: &trust.SourceObjectKeySelector{
+				Name:        ctx.Config.CustomCACert.Name,
+				KeySelector: trust.KeySelector{Key: "ca.crt"},
+			},
+		})
 	}
 
 	// TODO (gpl): This is a workaround to untangle the refactoring of existing infrastructure from
@@ -54,7 +67,7 @@ func certmanager(ctx *common.RenderContext) ([]runtime.Object, error) {
 		return nil
 	})
 
-	return []runtime.Object{
+	objects := []runtime.Object{
 		// Define a self-signed issuer so we can generate a CA
 		&v1.ClusterIssuer{
 			TypeMeta: common.TypeMetaCertificateClusterIssuer,
@@ -180,5 +193,26 @@ func certmanager(ctx *common.RenderContext) ([]runtime.Object, error) {
 				},
 			},
 		},
-	}, nil
+	}
+
+	if ctx.Config.CustomCACert != nil {
+		objects = append(objects,
+			// trust Bundle for custom SSL certificates
+			&trust.Bundle{
+				TypeMeta: common.TypeMetaBundle,
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "gitpod-customer-certificate-bundle",
+				},
+				Spec: trust.BundleSpec{
+					Sources: gitpodCustomCertificateBundleSource,
+					Target: trust.BundleTarget{
+						ConfigMap: &trust.KeySelector{
+							Key: "ca-certificates.crt",
+						},
+					},
+				},
+			})
+	}
+
+	return objects, nil
 }
diff --git a/install/installer/pkg/components/ws-manager-mk2/configmap.go b/install/installer/pkg/components/ws-manager-mk2/configmap.go
@@ -262,6 +262,10 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 		}{Addr: fmt.Sprintf(":%d", HealthPort)},
 	}
 
+	if ctx.Config.CustomCACert != nil {
+		wsmcfg.Manager.EnableCustomSSLCertificate = true
+	}
+
 	fc, err := common.ToJSONString(wsmcfg)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal ws-manager config: %w", err)

Original file line number	Diff line number	Diff line change
`@@ -133,6 +133,8 @@ type Configuration struct {`
`133`	`133`	TimeoutMaxConcurrentReconciles int `json:"timeoutMaxConcurrentReconciles,omitempty"`
`134`	`134`	`// ExperimentalMode controls if experimental features are enabled`
`135`	`135`	ExperimentalMode bool `json:"experimentalMode"`
	`136`	`+ // EnableCustomSSLCertificate controls if we need to support custom SSL certificates for git operations`
	`137`	+ EnableCustomSSLCertificate bool `json:"enableCustomSSLCertificate"`
`136`	`138`	`}`
`137`	`139`
`138`	`140`	`type WorkspaceClass struct {`