Implement ability to use default ingress TLS certificate #508

Merged: 2 commits, Nov 6, 2020

Conversation

@mmorhun (Contributor) commented Oct 29, 2020

Signed-off-by: Mykola Morhun mmorhun@redhat.com

What does this PR do

Adds the ability to tell the Che operator to use the default ingress TLS certificate to secure Che endpoints.
To use the default ingress certificate, the field k8s.tlsSecretName should be an empty string or absent.

Which issues this PR fixes

eclipse-che/che#18079

How to test

  1. Create a new Minikube instance.
  2. Enable the ingress addon: minikube addons enable ingress
  3. Change the default ingress certificate.

Automation script:

```bash
#!/bin/bash
set -e

MINIKUBE_DOMAIN=$(minikube ip).nip.io

CA_CN='Custom Minikube CA'
CA_KEY_FILE='ca.key'
CA_CERT_FILE='ca.crt'

CN_SERVER='Minikube Ingress'
SERVER_KEY_FILE='domain.key'
SERVER_CERT_REQUEST_FILE='domain.csr'
SERVER_CERT_FILE='domain.crt'

CHAIN_FILE='chain.pem'

# Detect openssl configuration file
OPENSSL_CNF='/etc/pki/tls/openssl.cnf'
if [ ! -f "$OPENSSL_CNF" ]; then
    OPENSSL_CNF='/etc/ssl/openssl.cnf'
fi

DIR=/tmp/minikube-cert
rm -rf "$DIR" && mkdir "$DIR" && cd "$DIR"

# Generate private key for root CA
openssl genrsa -out $CA_KEY_FILE 4096

# Generate root CA certificate and sign it with previously generated key.
openssl req -batch -new -x509 -nodes -key $CA_KEY_FILE -sha256 -subj "/CN=${CA_CN}" -days 1024 -reqexts SAN -extensions SAN -config <(cat ${OPENSSL_CNF} <(printf '[SAN]\nbasicConstraints=critical, CA:TRUE\nkeyUsage=keyCertSign, cRLSign, digitalSignature')) -outform PEM -out $CA_CERT_FILE

# Generate server private key
openssl genrsa -out $SERVER_KEY_FILE 2048

# Create certificate request for the ingress
openssl req -batch -new -sha256 -key $SERVER_KEY_FILE -subj "/CN=${CN_SERVER}" -reqexts SAN -config <(cat $OPENSSL_CNF <(printf "\n[SAN]\nsubjectAltName=DNS:${MINIKUBE_DOMAIN},DNS:*.${MINIKUBE_DOMAIN}\nbasicConstraints=critical, CA:FALSE\nkeyUsage=digitalSignature, keyEncipherment, keyAgreement, dataEncipherment\nextendedKeyUsage=serverAuth")) -outform PEM -out $SERVER_CERT_REQUEST_FILE

# Create certificate for ingress domain based on given certificate request.
openssl x509 -req -in $SERVER_CERT_REQUEST_FILE -CA $CA_CERT_FILE -CAkey $CA_KEY_FILE -CAcreateserial -days 365 -sha256 -extfile <(printf "subjectAltName=DNS:${MINIKUBE_DOMAIN},DNS:*.${MINIKUBE_DOMAIN}\nbasicConstraints=critical, CA:FALSE\nkeyUsage=digitalSignature, keyEncipherment, keyAgreement, dataEncipherment\nextendedKeyUsage=serverAuth") -outform PEM -out $SERVER_CERT_FILE

# Create certificate chain file (leaf first, then CA)
cat $SERVER_CERT_FILE $CA_CERT_FILE > $CHAIN_FILE

# Create secret
SECRET_NAME='new-ingress-tls'
kubectl create secret tls ${SECRET_NAME} --key ${SERVER_KEY_FILE} --cert ${CHAIN_FILE} --namespace kube-system

# Patch nginx ingress controller
kubectl patch deployment ingress-nginx-controller --namespace kube-system --type=json -p="[{\"op\": \"add\", \"path\": \"/spec/template/spec/containers/0/args/-\", \"value\": \"--default-ssl-certificate=kube-system/${SECRET_NAME}\"}]"

echo "Minikube TLS certificate has been changed. New CA: ${DIR}/${CA_CERT_FILE}"
```

  4. Deploy Eclipse Che with the command:

```
./run server:start --platform=minikube --installer=operator --che-operator-image=<image-built-from-this-PR> --che-operator-cr-patch-yaml default-secret-patch.yaml
```

where default-secret-patch.yaml is:

```yaml
spec:
  k8s:
    tlsSecretName: ''
```

  5. Check that everything works.
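The certificate hierarchy the script builds, reconstructed with Go's crypto/x509 so the CA constraints and the wildcard SAN design can be checked offline; this is an added example, not code from the PR or from the che-operator. It assumes the names issue and BuildChain, uses P-256 keys instead of the script's RSA keys, takes the domain as an argument instead of reading minikube ip, and the 192.168.49.2.nip.io domain in main is a constructed sample.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"time"
)
// issue generates a P-256 key for tmpl and signs tmpl with parentKey (nil = self-signed).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, err
}

// BuildChain mirrors the script's openssl steps: a root CA (CA:TRUE, keyCertSign) and a
// serverAuth-only leaf whose SANs cover domain and *.domain; chain.pem is leaf then CA.
func BuildChain(domain string) (leafPEM, caPEM []byte, err error) {
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Custom Minikube CA"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, 1024), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature}
	caPEM, caKey, err := issue(ca, ca, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Minikube Ingress"},
		DNSNames: []string{domain, "*." + domain}, NotBefore: now, NotAfter: now.AddDate(0, 0, 365),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafPEM, _, err = issue(leaf, ca, caKey)
	return leafPEM, caPEM, err
}

func main() {
	leafPEM, caPEM, err := BuildChain("192.168.49.2.nip.io") // constructed sample domain
	if err != nil {
		panic(err)
	}
	os.Stdout.Write(append(leafPEM, caPEM...)) // same order as the script's chain.pem
}
```

To check the result the way a browser trusting ca.crt would, add the CA PEM to an x509.CertPool and call Verify on the leaf with DNSName set to a host under *.<domain>; a host outside the SANs, or verification without the custom CA, must fail.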

Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
```go
if instance.Spec.K8s.TlsSecretName != "" {
	// Self-signed certificate should be created to secure Che ingresses
	result, err := deploy.K8sHandleCheTLSSecrets(deployContext)
	if result.Requeue || result.RequeueAfter > 0 {
```
Contributor:

Simply:

```go
if err != nil {
	logrus.Error(...)
}
return result, err
```

Contributor Author (@mmorhun, Nov 6, 2020):

No, it will cause an unexpected return if the operator needs to continue.

pkg/deploy/ingress.go

```go
return true, nil
}
// TLS secret found, consider it as commonly trusted.
```
Contributor:

What about the case when the self-signed-certificate secret exists but che-tls does not? How do we handle that?

Contributor Author:

The operator will delete the self-signed-certificate secret and generate a new pair.
