Epic: Allow for Self Signed Certs in Self-Hosted #9074

Closed
4 tasks done
Tracked by #9072
lucasvaltl opened this issue Apr 1, 2022 · 2 comments

@lucasvaltl
Contributor

lucasvaltl commented Apr 1, 2022

Summary

We want users to be able to use self-signed certs in their self-hosted Gitpod installation

Context

ℹ️ Defining Self-Signed Certs
There are many ways to define self-signed certs, but this is the definition we are using: self-signed certs are any certs that are not signed by a public certificate authority (CA) that is already known to Linux, i.e. the CA’s certs are already shipped with the Linux build.

Some users want to use components or run in environments that require self-signed certs. We want to allow for this.

--> This is an epic for #8559. We think this will require further collaboration between teams, which is why we want to bring it to the epic level.

Value

  • This unlocks a new type of user / customer for us which previously was unable to use self-hosted Gitpod due to the certificates they used. Further, it facilitates installing Gitpod on your local machine.

Acceptance Criteria

Self-signed certs can be propagated into:

  1. server-pod
  2. ws-daemon container
  3. workspace container
  4. on the node to use for containerd
  5. Image builder (assuming the registry it talks to is using self-signed certs)

We have basic documentation in place and this feature is tested with at least one user.

Measurement

  • We run nightly tests that use self-signed certs and these run successfully
  • At least one customer has successfully used self-signed certs in their installation

Complexities

On GKE you cannot allow containerd to trust other certificates without restarting containerd. This hinders us from having self-signed certs on GKE right now.

Child Issues

@mrsimonemms
Contributor

Looks like all the tasks are done so will close.

Reopen if necessary (and add more tasks)

Repository owner moved this from 🤝Proposed to ✨Done in 🚚 Security, Infrastructure, and Delivery Team (SID) May 4, 2022
@lucasvaltl lucasvaltl moved this from ✨Done to 🕶In Review / Measuring in 🚚 Security, Infrastructure, and Delivery Team (SID) May 17, 2022
@tysonrm

tysonrm commented Jun 17, 2022

Why not build in an ACME service that provides trusted certs?

@lucasvaltl lucasvaltl moved this from 🕶In Review / Measuring to ✨Done in 🚚 Security, Infrastructure, and Delivery Team (SID) Jul 26, 2022