TLS by default #14742

Closed
6 of 7 tasks
l0rd opened this issue Oct 2, 2019 · 7 comments
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/epic A long-lived, PM-driven feature request. Must include a checklist of items that must be completed. severity/P1 Has a major impact to usage or development of the system.

Comments

@l0rd
Contributor

l0rd commented Oct 2, 2019

Is your enhancement related to a problem?

I don't see any scenario where users would want to use unsecured http communications.

Describe the solution you'd like

TLS should be activated by default. It should not be something that the user should bother with.

@l0rd l0rd added the kind/enhancement A feature request - must adhere to the feature request template. label Oct 2, 2019
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Oct 2, 2019
@sleshchenko
Member

I'm afraid we are not able to provide every user with a normal certificate.
And if we go with a self-signed certificate (in the same way as minikube/minishift) it might bother users since:

  1. they need to import the CA certificate into the browser
  2. they need to add every Che endpoint to the exclusions, i.e. after workspace start, open each workspace endpoint and mark it as trusted; otherwise iframes won't load properly, and without a clear message.

I'm not saying that it's not possible, just sharing thoughts that might not be detailed enough.
So this issue is not only about changing the default value of the parameter, but also about investigating how we can handle it and what the UX is.

@benoitf benoitf added this to the Backlog - Platform milestone Oct 2, 2019
@benoitf benoitf added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Oct 2, 2019
@davidfestal
Contributor

I'm also a bit worried about the fact that, in the current state of the Che operator, successfully enabling TLS requires correctly setting the related selfsignedcerts field. And this can be a risky thing, since it has to be consistent with the status of the OpenShift router certificate, else it will fail with non-obvious errors.

So providing a TLS-enabled default that will work in all cases is tricky today.

@l0rd
Contributor Author

l0rd commented Nov 25, 2019

@sleshchenko yes, we should support self-signed certs of course. That may be tricky, but we have already lost a lot of time because we are not testing with TLS enabled locally. We should automate as much as we can and guide users to accept the self-signed certs.

@davidfestal it should not be "risky", otherwise users that enable TLS will always "risk" having problems. We want to make TLS the default because we want to put those kinds of problems in evidence so that we will fix them.

@mmorhun
Contributor

mmorhun commented Nov 27, 2019

This issue is required for new webview plugin API implementation to work. Without it webviews are broken.

@tolusha tolusha added the kind/epic A long-lived, PM-driven feature request. Must include a checklist of items that must be completed. label Dec 18, 2019
@tolusha tolusha added area/install Issues related to installation, including offline/air gap and initial setup and removed kind/enhancement A feature request - must adhere to the feature request template. labels Dec 18, 2019
@tolusha tolusha removed this from the Backlog - Deploy milestone Jan 23, 2020
@sleshchenko
Member

It seems to be completed. @tolusha Could you revise it?

@tolusha
Contributor

tolusha commented May 6, 2020

@sleshchenko
We are going to add a couple of preflight checks

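A preflight check of the kind the two comments above call for, as an added Go example that is not code from the Che operator: it dials an endpoint, reads the certificate chain it actually serves and reports whether that chain is trusted, self-signed or issued by an unknown CA, which is exactly the information needed to decide whether a self-signed-certs setting has to be on. The function names (classify, probe, selfSignedCert) and the locally generated fixture certificate are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// classify reports what an endpoint presents: "trusted" (chain verifies against roots),
// "self-signed" (signature checks under the leaf's own key) or "untrusted" (CA not in roots).
func classify(chain []*x509.Certificate, roots *x509.CertPool) string {
	leaf := chain[0]
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err == nil {
		return "trusted"
	}
	if leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		return "self-signed"
	}
	return "untrusted"
}

// probe dials with verification disabled only to read the served chain, then classifies it.
func probe(addr string, roots *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return classify(conn.ConnectionState().PeerCertificates, roots), nil
}

// selfSignedCert is a constructed fixture standing in for a router's self-signed certificate.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "router-test"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
```

Passing nil as roots makes classify use the system trust store, which is the check to run against the real router before switching the default.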
@tolusha
Contributor

tolusha commented May 22, 2020

The following issues will be done out of the TLS epic:
#16762
#16764
#15301

@tolusha tolusha closed this as completed May 22, 2020
Development

No branches or pull requests

7 participants