Hello.
I am working on TLS by default in Che issue [1]
We've decided to use Cert Manager for providing certificates for Che. But in case of self-signed certificate we should provide CA certificate to Cert Manager first. To not to bother users with TLS stuff, I generate CA certificate automatically using Kubernetes job. Obviously, the job has its own container with all the necessary tools in it. And at this point I have a question to which I am not sure I have the right answer.
The question is: Where should we store dockerfile of this job container and when we should rebuild it.
Also I should say, that this image will not be changed often.
We have a few possible solutions:
1. Add the dockerfile into Che repository under dockerfiles folder and build it each time when Che builds. The image tag will be the same as Che version tag.
2. Add the dockerfile into `che-dockerfiles` organization [2] and build it manually, when needed. The image will have its own versioning.
3. Add the dockerfile in chectl repository, but build it manually on demand and have independent from Che versioning.
Personally, I prefer the 3-rd item, let me briefly explain.
As we use the job image only when installing Che with self-signed certificate, putting the dockerfile into Che would look weird for me as it will never be used in running Che. In case of che-dockerfiles we just decouple chectl components which (in my opinion) could only make issues while trying to find the source code of the component.
About build of the image. Taking into account that the image will be changed hardly ever, it would be better to build it separately, on demand to reduce the workload of the CI. Build process it very straightforward: we have simple build script and a constant in chectl which points to the image to use.
Maybe I miss some possible cases, so if someone has an idea where else we may store the dockerfile, I would be glad to hear another options.
Opinions are welcomed!
--
Mykola Morhun
Software engineer
Red Hat
