Add support for cluster wide self signed cert #2510

Merged
merged 1 commit into from
Feb 22, 2024

Contributor

@lucferbux lucferbux commented Feb 15, 2024

Closes https://issues.redhat.com/browse/RHOAIENG-3410

Description

Add support for dashboard self signed cert.

How Has This Been Tested?

Tested following the instructions on opendatahub-io/odh-model-controller#166.

I had to manually generate the odh-trusted-ca-bundle in the default namespace and I used:

    dashboard:
      devFlags:
        manifests:
          - contextDir: manifests
            sourcePath: ''
            uri: 'https://github.com/lucferbux/odh-dashboard/tarball/rhoaieng-2380'
      managementState: Managed

For the dsc to get the changes.

Test Impact

No need for test coverage, infra changes

Request review criteria:

Self checklist (all need to be checked):

  • The developer has manually tested the changes and verified that the changes work
  • Commits have been squashed into descriptive, self-contained units of work (e.g. 'WIP' and 'Implements feedback' style messages have been removed)
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has added tests or explained why testing cannot be added (unit tests & storybook for related changes)

If you have UI changes:

  • Included any necessary screenshots or gifs if it was a UI change.
  • Included tags to the UX team if it was a UI/UX change (find relevant UX in the SMEs section).

After the PR is posted & before it merges:

  • The developer has tested their solution on a cluster by using the image produced by the PR to main

@shalberd
Contributor

This is an exciting development. Basically going beyond how odh notebook controller is currently injecting with its own configmap https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki but this time across all components.

@LaVLaS
Contributor

LaVLaS commented Feb 16, 2024

/lgtm

I haven't had a chance to confirm that the mounted certs work in a self-signed environment BUT I can confirm that they are mounted correctly AND automatically update within a minute when the ConfigMap state changes.

If the odh-trusted-cabundle ConfigMap does not exist the volumeMount is present in the pod BUT there are no files mounted under /etc/pki/tls/certs. You can create the odh-trusted-cabundle ConfigMap after the dashboard pod is started and the pod will automatically create the files mounted from the ConfigMap. If any of the data fields are empty then the mounted file will be empty also.

Here are some quick steps to check if the ConfigMap is mounted and the contents of the cert bundle files:

    # Verify the bundles are mounted
    $ oc get pods -l app=odh-dashboard -o yaml | yq '.items[].spec.containers[].volumeMounts[]|select(.name=="trusted-ca-bundle")'

    # Dump the contents of the mounted ConfigMap to see if they match the expected content
    $ oc rsh $(oc get pods -l app=odh-dashboard -o yaml | yq '.items[0].metadata.name') cat /etc/pki/tls/certs/ca-bundle.crt
    $ oc rsh $(oc get pods -l app=odh-dashboard -o yaml | yq '.items[0].metadata.name') cat /etc/pki/tls/certs/odh-ca-bundle.crt
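
The comment above names two quiet failure modes: no files when the ConfigMap is absent, and an empty file when a data field is empty. The script below is an added example, not part of this PR or thread, that classifies a bundle file copied out of the pod; the function name `check_bundle` and its return codes are choices made for this example.

```shell
#!/bin/sh
# Added example: classify a CA bundle file saved from the dashboard pod, e.g.
#   oc rsh "$pod" cat /etc/pki/tls/certs/odh-ca-bundle.crt > odh-ca-bundle.crt
# Return codes (chosen for this example):
#   0 = well-formed PEM bundle, 2 = file missing, 3 = file empty, 4 = malformed PEM
check_bundle() {
    f=$1
    # No file at all: the volumeMount exists but the ConfigMap does not.
    [ -e "$f" ] || { echo "$f: missing"; return 2; }
    # Zero-length file: the ConfigMap exists but this data field is empty.
    [ -s "$f" ] || { echo "$f: empty"; return 3; }
    # Walk the PEM armor lines. Every BEGIN must be closed by an END before
    # the next BEGIN, and at least one certificate must be present.
    # tr drops carriage returns that a TTY session may add to the saved copy.
    n=$(tr -d '\r' < "$f" | awk '
        $0 == "-----BEGIN CERTIFICATE-----" { if (inblk) bad = 1; inblk = 1; next }
        $0 == "-----END CERTIFICATE-----"   { if (!inblk) bad = 1; inblk = 0; count++; next }
        END { if (inblk || bad || count == 0) print -1; else print count }
    ')
    if [ "$n" -lt 0 ]; then
        echo "$f: malformed PEM"
        return 4
    fi
    echo "$f: $n certificate(s)"
    return 0
}

# Check every file named on the command line; does nothing when none are given.
for f in "$@"; do
    check_bundle "$f" || true
done
```

This only checks the PEM framing; it does not verify that each certificate parses or is still within its validity period.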

@lucferbux
Contributor Author

Great, thanks a lot @LaVLaS. I'm not gonna approve it right away; I'm gonna wait for @andrewballantyne and @dgutride to be up for handing over the PR and merge.

@lucferbux
Contributor Author

> This is an exciting development. Basically going beyond how odh notebook controller is currently injecting with its own configmap https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki but this time across all components.

Yes that's right, I think this is going to be a great addition @shalberd

@lucferbux
Contributor Author

/approve

Contributor

openshift-ci bot commented Feb 22, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lucferbux


@VaishnaviHire
Copy link
Member

/lgtm

@openshift-merge-bot openshift-merge-bot bot merged commit 41cbb41 into opendatahub-io:main Feb 22, 2024
6 checks passed