feat: Mount CA bundle certificates into devworkspaces

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

api/v1/checluster_conversion_from.go

@@ -428,10 +428,10 @@ func (dst *CheCluster) convertFrom_Storage(src *chev2.CheCluster) error {
 func findTrustStoreConfigMap(namespace string) (string, error) {
 	k8sHelper := k8shelper.New()
 
-	_, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), constants.DefaultServerTrustStoreConfigMapName, metav1.GetOptions{})
+	_, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), constants.DefaultCaBundleCertsCMName, metav1.GetOptions{})
 	if err == nil {
 		// TrustStore ConfigMap with a default name exists
-		return constants.DefaultServerTrustStoreConfigMapName, nil
+		return constants.DefaultCaBundleCertsCMName, nil
 	}
 
 	return "", nil

api/v1/checluster_conversion_to.go

@@ -522,17 +522,17 @@ func createCredentialsSecret(username string, password string, secretName string
 // Since we API V2 does not have `server.ServerTrustStoreConfigMapName` field, we need to create
 // the same ConfigMap but with a default name to be correctly handled by a controller.
 func renameTrustStoreConfigMapToDefault(trustStoreConfigMapName string, namespace string) error {
-	if trustStoreConfigMapName == constants.DefaultServerTrustStoreConfigMapName {
+	if trustStoreConfigMapName == constants.DefaultCaBundleCertsCMName {
 		// Already in default name
 		return nil
 	}
 
 	k8sHelper := k8shelper.New()
 
-	_, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), constants.DefaultServerTrustStoreConfigMapName, metav1.GetOptions{})
+	_, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), constants.DefaultCaBundleCertsCMName, metav1.GetOptions{})
 	if err == nil {
 		// ConfigMap with a default name already exists, we can't proceed
-		return fmt.Errorf("TrustStore ConfigMap %s already exists", constants.DefaultServerTrustStoreConfigMapName)
+		return fmt.Errorf("TrustStore ConfigMap %s already exists", constants.DefaultCaBundleCertsCMName)
 	}
 
 	existedTrustStoreConfigMap, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), trustStoreConfigMapName, metav1.GetOptions{})
@@ -556,7 +556,7 @@ func renameTrustStoreConfigMapToDefault(trustStoreConfigMapName string, namespac
 			APIVersion: "v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      constants.DefaultServerTrustStoreConfigMapName,
+			Name:      constants.DefaultCaBundleCertsCMName,
 			Namespace: namespace,
 			Labels:    labels.Merge(newTrustStoreConfigMapLabels, existedTrustStoreConfigMap.Labels),
 		},
@@ -573,7 +573,7 @@ func renameTrustStoreConfigMapToDefault(trustStoreConfigMapName string, namespac
 		return err
 	}
 
-	logger.Info("TrustStore ConfigMap '" + constants.DefaultServerTrustStoreConfigMapName + "' created.")
+	logger.Info("TrustStore ConfigMap '" + constants.DefaultCaBundleCertsCMName + "' created.")
 	return nil
 }
 

api/v2/checluster_types.go

@@ -110,7 +110,7 @@ type CheClusterDevEnvironments struct {
 	// The URI must start from `http://` or `https://`.
 	// +optional
 	DefaultEditor string `json:"defaultEditor,omitempty"`
-	// Default components applied to DevWorkspaces.
+	// Default components applied to 1spaces.
 	// These default components are meant to be used when a Devfile, that does not contain any components.
 	// +optional
 	DefaultComponents []devfile.Component `json:"defaultComponents,omitempty"`
@@ -453,6 +453,14 @@ type DashboardHeaderMessage struct {
 }
 
 type TrustedCerts struct {
+	// By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates bundle
+	// into users` workspaces. This option allows to disable this behavior.
+	// +optional
+	DisableMountingCaBundleIntoDevWorkspace *bool `json:"disableMountingCaBundleIntoDevWorkspace,omitempty"`
+	// The CA bundle mount paths in the workspace pods.
+	// If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
+	// +optional
+	CaBundleMountPaths []string `json:"caBundleMountPaths,omitempty"`
 	// The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.
 	// See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/deploying-che-with-support-for-git-repositories-with-self-signed-certificates/
 	// The ConfigMap must have a `app.kubernetes.io/part-of=che.eclipse.org` label.

bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml

@@ -104,7 +104,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che.v7.92.0-887.next
+  name: eclipse-che.v7.94.0-888.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1035,7 +1035,7 @@ spec:
   minKubeVersion: 1.19.0
   provider:
     name: Eclipse Foundation
-  version: 7.92.0-887.next
+  version: 7.94.0-888.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml

@@ -5399,7 +5399,7 @@ spec:
                       type: object
                     defaultComponents:
                       description: |-
-                        Default components applied to DevWorkspaces.
+                        Default components applied to 1spaces.
                         These default components are meant to be used when a Devfile, that does not contain any components.
                       items:
                         properties:
@@ -8003,6 +8003,18 @@ spec:
                     trustedCerts:
                       description: Trusted certificate settings.
                       properties:
+                        caBundleMountPaths:
+                          description: |-
+                            The CA bundle mount paths in the workspace pods.
+                            If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
+                          items:
+                            type: string
+                          type: array
+                        disableMountingCaBundleIntoDevWorkspace:
+                          description: |-
+                            By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
+                            a users` workspaces. This option allows to disable this behavior.
+                          type: boolean
                         gitTrustedCertsConfigMapName:
                           description: |-
                             The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

config/crd/bases/org.eclipse.che_checlusters.yaml

@@ -5357,7 +5357,7 @@ spec:
                     type: object
                   defaultComponents:
                     description: |-
-                      Default components applied to DevWorkspaces.
+                      Default components applied to 1spaces.
                       These default components are meant to be used when a Devfile, that does not contain any components.
                     items:
                       properties:
@@ -7954,6 +7954,18 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      caBundleMountPaths:
+                        description: |-
+                          The CA bundle mount paths in the workspace pods.
+                          If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
+                        items:
+                          type: string
+                        type: array
+                      disableMountingCaBundleIntoDevWorkspace:
+                        description: |-
+                          By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
+                          a users` workspaces. This option allows to disable this behavior.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

controllers/che/checluster_controller.go

@@ -15,6 +15,8 @@ package che
 import (
 	"context"
 
+	imagepuller "github.com/eclipse-che/che-operator/pkg/deploy/image-puller"
+
 	editorsdefinitions "github.com/eclipse-che/che-operator/pkg/deploy/editors-definitions"
 
 	"github.com/eclipse-che/che-operator/pkg/common/test"
@@ -30,7 +32,6 @@ import (
 	"github.com/eclipse-che/che-operator/pkg/deploy/devfileregistry"
 	"github.com/eclipse-che/che-operator/pkg/deploy/gateway"
 	identityprovider "github.com/eclipse-che/che-operator/pkg/deploy/identity-provider"
-	imagepuller "github.com/eclipse-che/che-operator/pkg/deploy/image-puller"
 	"github.com/eclipse-che/che-operator/pkg/deploy/migration"
 	"github.com/eclipse-che/che-operator/pkg/deploy/pluginregistry"
 	"github.com/eclipse-che/che-operator/pkg/deploy/postgres"
@@ -96,7 +97,6 @@ func NewReconciler(
 		reconcileManager.RegisterReconciler(migration.NewCheClusterDefaultsCleaner())
 		reconcileManager.RegisterReconciler(NewCheClusterValidator())
 	}
-	reconcileManager.RegisterReconciler(imagepuller.NewImagePuller())
 
 	reconcileManager.RegisterReconciler(tls.NewCertificatesReconciler())
 	reconcileManager.RegisterReconciler(tls.NewTlsSecretReconciler())
@@ -116,6 +116,7 @@ func NewReconciler(
 	reconcileManager.RegisterReconciler(dashboard.NewDashboardReconciler())
 	reconcileManager.RegisterReconciler(gateway.NewGatewayReconciler())
 	reconcileManager.RegisterReconciler(server.NewCheServerReconciler())
+	reconcileManager.RegisterReconciler(imagepuller.NewImagePuller())
 
 	if infrastructure.IsOpenShift() {
 		reconcileManager.RegisterReconciler(containerbuild.NewContainerBuildReconciler())

controllers/che/cheobj_verifier.go

@@ -15,7 +15,6 @@ package che
 import (
 	"github.com/eclipse-che/che-operator/pkg/common/constants"
 	"github.com/eclipse-che/che-operator/pkg/deploy"
-	"github.com/eclipse-che/che-operator/pkg/deploy/tls"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -39,7 +38,7 @@ func IsTrustedBundleConfigMap(cl client.Client, watchNamespace string, obj clien
 	}
 
 	// Check for component
-	if value, exists := obj.GetLabels()[constants.KubernetesComponentLabelKey]; !exists || value != tls.CheCACertsConfigMapLabelValue {
+	if value, exists := obj.GetLabels()[constants.KubernetesComponentLabelKey]; !exists || value != constants.CheCABundle {
 		// Labels do not match
 		return false, ctrl.Request{}
 	}

controllers/usernamespace/usernamespace_controller.go

@@ -119,7 +119,7 @@ func (r *CheUserNamespaceReconciler) commonRules(ctx context.Context, namesInChe
 }
 
 func (r *CheUserNamespaceReconciler) watchRulesForConfigMaps(ctx context.Context) handler.EventHandler {
-	rules := r.commonRules(ctx, tls.CheAllCACertsConfigMapName)
+	rules := r.commonRules(ctx, tls.CheMergedCABundleCertsCMName)
 	return handler.EnqueueRequestsFromMapFunc(
 		handler.MapFunc(func(obj client.Object) []reconcile.Request {
 			return asReconcileRequestsForNamespaces(obj, rules)
@@ -306,7 +306,7 @@ func (r *CheUserNamespaceReconciler) reconcileTrustedCerts(ctx context.Context,
 	}
 
 	sourceMap := &corev1.ConfigMap{}
-	if err := r.client.Get(ctx, client.ObjectKey{Name: tls.CheAllCACertsConfigMapName, Namespace: checluster.Namespace}, sourceMap); err != nil {
+	if err := r.client.Get(ctx, client.ObjectKey{Name: tls.CheMergedCABundleCertsCMName, Namespace: checluster.Namespace}, sourceMap); err != nil {
 		if !errors.IsNotFound(err) {
 			return err
 		}

controllers/usernamespace/usernamespace_controller_test.go

@@ -114,7 +114,7 @@ func setupCheCluster(t *testing.T, ctx context.Context, cl client.Client, scheme
 
 	caCerts := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      tls.CheAllCACertsConfigMapName,
+			Name:      tls.CheMergedCABundleCertsCMName,
 			Namespace: cheNamespaceName,
 		},
 		Data: map[string]string{
@@ -550,7 +550,7 @@ func TestWatchRulesForConfigMapsInOtherNamespaces(t *testing.T) {
 			APIVersion: "v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      tls.CheAllCACertsConfigMapName,
+			Name:      tls.CheMergedCABundleCertsCMName,
 			Namespace: "eclipse-che",
 		},
 	}

deploy/deployment/kubernetes/combined.yaml

@@ -5378,7 +5378,7 @@ spec:
                     type: object
                   defaultComponents:
                     description: |-
-                      Default components applied to DevWorkspaces.
+                      Default components applied to 1spaces.
                       These default components are meant to be used when a Devfile, that does not contain any components.
                     items:
                       properties:
@@ -7975,6 +7975,18 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      caBundleMountPaths:
+                        description: |-
+                          The CA bundle mount paths in the workspace pods.
+                          If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
+                        items:
+                          type: string
+                        type: array
+                      disableMountingCaBundleIntoDevWorkspace:
+                        description: |-
+                          By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
+                          a users` workspaces. This option allows to disable this behavior.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -5373,7 +5373,7 @@ spec:
                     type: object
                   defaultComponents:
                     description: |-
-                      Default components applied to DevWorkspaces.
+                      Default components applied to 1spaces.
                       These default components are meant to be used when a Devfile, that does not contain any components.
                     items:
                       properties:
@@ -7970,6 +7970,18 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      caBundleMountPaths:
+                        description: |-
+                          The CA bundle mount paths in the workspace pods.
+                          If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
+                        items:
+                          type: string
+                        type: array
+                      disableMountingCaBundleIntoDevWorkspace:
+                        description: |-
+                          By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
+                          a users` workspaces. This option allows to disable this behavior.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

deploy/deployment/openshift/combined.yaml

@@ -5378,7 +5378,7 @@ spec:
                     type: object
                   defaultComponents:
                     description: |-
-                      Default components applied to DevWorkspaces.
+                      Default components applied to 1spaces.
                       These default components are meant to be used when a Devfile, that does not contain any components.
                     items:
                       properties:
@@ -7975,6 +7975,18 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      caBundleMountPaths:
+                        description: |-
+                          The CA bundle mount paths in the workspace pods.
+                          If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
+                        items:
+                          type: string
+                        type: array
+                      disableMountingCaBundleIntoDevWorkspace:
+                        description: |-
+                          By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
+                          a users` workspaces. This option allows to disable this behavior.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -5373,7 +5373,7 @@ spec:
                     type: object
                   defaultComponents:
                     description: |-
-                      Default components applied to DevWorkspaces.
+                      Default components applied to 1spaces.
                       These default components are meant to be used when a Devfile, that does not contain any components.
                     items:
                       properties:
@@ -7970,6 +7970,18 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      caBundleMountPaths:
+                        description: |-
+                          The CA bundle mount paths in the workspace pods.
+                          If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
+                        items:
+                          type: string
+                        type: array
+                      disableMountingCaBundleIntoDevWorkspace:
+                        description: |-
+                          By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
+                          a users` workspaces. This option allows to disable this behavior.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.