feat: Mount CA bundle certificates into devworkspaces (#1920)

* feat: Mount CA bundle certificates into devworkspaces Signed-off-by: Anatolii Bazko <[email protected]>
eclipse-che · Oct 22, 2024 · 1efa1f4 · 1efa1f4
1 parent 6ea255b
commit 1efa1f4
Show file tree

Hide file tree

Showing 27 changed files with 538 additions and 282 deletions.
diff --git a/api/v1/checluster_conversion_from.go b/api/v1/checluster_conversion_from.go
@@ -428,10 +428,10 @@ func (dst *CheCluster) convertFrom_Storage(src *chev2.CheCluster) error {
 func findTrustStoreConfigMap(namespace string) (string, error) {
 	k8sHelper := k8shelper.New()
 
-	_, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), constants.DefaultServerTrustStoreConfigMapName, metav1.GetOptions{})
+	_, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), constants.DefaultCaBundleCertsCMName, metav1.GetOptions{})
 	if err == nil {
 		// TrustStore ConfigMap with a default name exists
-		return constants.DefaultServerTrustStoreConfigMapName, nil
+		return constants.DefaultCaBundleCertsCMName, nil
 	}
 
 	return "", nil

diff --git a/api/v1/checluster_conversion_to.go b/api/v1/checluster_conversion_to.go
@@ -522,17 +522,17 @@ func createCredentialsSecret(username string, password string, secretName string
 // Since we API V2 does not have `server.ServerTrustStoreConfigMapName` field, we need to create
 // the same ConfigMap but with a default name to be correctly handled by a controller.
 func renameTrustStoreConfigMapToDefault(trustStoreConfigMapName string, namespace string) error {
-	if trustStoreConfigMapName == constants.DefaultServerTrustStoreConfigMapName {
+	if trustStoreConfigMapName == constants.DefaultCaBundleCertsCMName {
 		// Already in default name
 		return nil
 	}
 
 	k8sHelper := k8shelper.New()
 
-	_, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), constants.DefaultServerTrustStoreConfigMapName, metav1.GetOptions{})
+	_, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), constants.DefaultCaBundleCertsCMName, metav1.GetOptions{})
 	if err == nil {
 		// ConfigMap with a default name already exists, we can't proceed
-		return fmt.Errorf("TrustStore ConfigMap %s already exists", constants.DefaultServerTrustStoreConfigMapName)
+		return fmt.Errorf("TrustStore ConfigMap %s already exists", constants.DefaultCaBundleCertsCMName)
 	}
 
 	existedTrustStoreConfigMap, err := k8sHelper.GetClientset().CoreV1().ConfigMaps(namespace).Get(context.TODO(), trustStoreConfigMapName, metav1.GetOptions{})
@@ -556,7 +556,7 @@ func renameTrustStoreConfigMapToDefault(trustStoreConfigMapName string, namespac
 			APIVersion: "v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      constants.DefaultServerTrustStoreConfigMapName,
+			Name:      constants.DefaultCaBundleCertsCMName,
 			Namespace: namespace,
 			Labels:    labels.Merge(newTrustStoreConfigMapLabels, existedTrustStoreConfigMap.Labels),
 		},
@@ -573,7 +573,7 @@ func renameTrustStoreConfigMapToDefault(trustStoreConfigMapName string, namespac
 		return err
 	}
 
-	logger.Info("TrustStore ConfigMap '" + constants.DefaultServerTrustStoreConfigMapName + "' created.")
+	logger.Info("TrustStore ConfigMap '" + constants.DefaultCaBundleCertsCMName + "' created.")
 	return nil
 }
 

diff --git a/api/v2/checluster_types.go b/api/v2/checluster_types.go
@@ -453,6 +453,15 @@ type DashboardHeaderMessage struct {
 }
 
 type TrustedCerts struct {
+	// By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
+	// containing the CA certificate bundle in users' workspaces at two locations:
+	// '/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
+	// The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
+	// for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
+	// This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
+	// while still mounting it to '/public-certs'.
+	// +optional
+	DisableWorkspaceCaBundleMount *bool `json:"disableWorkspaceCaBundleMount,omitempty"`
 	// The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.
 	// See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/deploying-che-with-support-for-git-repositories-with-self-signed-certificates/
 	// The ConfigMap must have a `app.kubernetes.io/part-of=che.eclipse.org` label.
@@ -1049,3 +1058,9 @@ func (c *CheCluster) IsInternalPluginRegistryDisabled() bool {
 func (c *CheCluster) IsCheBeingInstalled() bool {
 	return c.Status.CheVersion == ""
 }
+
+func (c *CheCluster) IsDisableWorkspaceCaBundleMount() bool {
+	return c.Spec.DevEnvironments.TrustedCerts != nil &&
+		c.Spec.DevEnvironments.TrustedCerts.DisableWorkspaceCaBundleMount != nil &&
+		*c.Spec.DevEnvironments.TrustedCerts.DisableWorkspaceCaBundleMount
+}
diff --git a/api/v2/zz_generated.deepcopy.go b/api/v2/zz_generated.deepcopy.go
diff --git a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml
@@ -104,7 +104,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che.v7.94.0-889.next
+  name: eclipse-che.v7.94.0-890.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1035,7 +1035,7 @@ spec:
   minKubeVersion: 1.19.0
   provider:
     name: Eclipse Foundation
-  version: 7.94.0-889.next
+  version: 7.94.0-890.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

diff --git a/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml b/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml
@@ -8003,6 +8003,16 @@ spec:
                     trustedCerts:
                       description: Trusted certificate settings.
                       properties:
+                        disableWorkspaceCaBundleMount:
+                          description: |-
+                            By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
+                            containing the CA certificate bundle in users' workspaces at two locations:
+                            '/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
+                            The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
+                            for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
+                            This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
+                            while still mounting it to '/public-certs'.
+                          type: boolean
                         gitTrustedCertsConfigMapName:
                           description: |-
                             The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

diff --git a/config/crd/bases/org.eclipse.che_checlusters.yaml b/config/crd/bases/org.eclipse.che_checlusters.yaml
@@ -7954,6 +7954,16 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      disableWorkspaceCaBundleMount:
+                        description: |-
+                          By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
+                          containing the CA certificate bundle in users' workspaces at two locations:
+                          '/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
+                          The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
+                          for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
+                          This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
+                          while still mounting it to '/public-certs'.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

diff --git a/controllers/che/checluster_controller.go b/controllers/che/checluster_controller.go
@@ -15,6 +15,8 @@ package che
 import (
 	"context"
 
+	imagepuller "github.com/eclipse-che/che-operator/pkg/deploy/image-puller"
+
 	editorsdefinitions "github.com/eclipse-che/che-operator/pkg/deploy/editors-definitions"
 
 	"github.com/eclipse-che/che-operator/pkg/common/test"
@@ -30,7 +32,6 @@ import (
 	"github.com/eclipse-che/che-operator/pkg/deploy/devfileregistry"
 	"github.com/eclipse-che/che-operator/pkg/deploy/gateway"
 	identityprovider "github.com/eclipse-che/che-operator/pkg/deploy/identity-provider"
-	imagepuller "github.com/eclipse-che/che-operator/pkg/deploy/image-puller"
 	"github.com/eclipse-che/che-operator/pkg/deploy/migration"
 	"github.com/eclipse-che/che-operator/pkg/deploy/pluginregistry"
 	"github.com/eclipse-che/che-operator/pkg/deploy/postgres"
@@ -96,7 +97,6 @@ func NewReconciler(
 		reconcileManager.RegisterReconciler(migration.NewCheClusterDefaultsCleaner())
 		reconcileManager.RegisterReconciler(NewCheClusterValidator())
 	}
-	reconcileManager.RegisterReconciler(imagepuller.NewImagePuller())
 
 	reconcileManager.RegisterReconciler(tls.NewCertificatesReconciler())
 	reconcileManager.RegisterReconciler(tls.NewTlsSecretReconciler())
@@ -116,6 +116,7 @@ func NewReconciler(
 	reconcileManager.RegisterReconciler(dashboard.NewDashboardReconciler())
 	reconcileManager.RegisterReconciler(gateway.NewGatewayReconciler())
 	reconcileManager.RegisterReconciler(server.NewCheServerReconciler())
+	reconcileManager.RegisterReconciler(imagepuller.NewImagePuller())
 
 	if infrastructure.IsOpenShift() {
 		reconcileManager.RegisterReconciler(containerbuild.NewContainerBuildReconciler())

diff --git a/controllers/che/cheobj_verifier.go b/controllers/che/cheobj_verifier.go
@@ -15,7 +15,6 @@ package che
 import (
 	"github.com/eclipse-che/che-operator/pkg/common/constants"
 	"github.com/eclipse-che/che-operator/pkg/deploy"
-	"github.com/eclipse-che/che-operator/pkg/deploy/tls"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -39,7 +38,7 @@ func IsTrustedBundleConfigMap(cl client.Client, watchNamespace string, obj clien
 	}
 
 	// Check for component
-	if value, exists := obj.GetLabels()[constants.KubernetesComponentLabelKey]; !exists || value != tls.CheCACertsConfigMapLabelValue {
+	if value, exists := obj.GetLabels()[constants.KubernetesComponentLabelKey]; !exists || value != constants.CheCABundle {
 		// Labels do not match
 		return false, ctrl.Request{}
 	}

diff --git a/controllers/usernamespace/usernamespace_controller.go b/controllers/usernamespace/usernamespace_controller.go
@@ -119,7 +119,7 @@ func (r *CheUserNamespaceReconciler) commonRules(ctx context.Context, namesInChe
 }
 
 func (r *CheUserNamespaceReconciler) watchRulesForConfigMaps(ctx context.Context) handler.EventHandler {
-	rules := r.commonRules(ctx, tls.CheAllCACertsConfigMapName)
+	rules := r.commonRules(ctx, tls.CheMergedCABundleCertsCMName)
 	return handler.EnqueueRequestsFromMapFunc(
 		handler.MapFunc(func(obj client.Object) []reconcile.Request {
 			return asReconcileRequestsForNamespaces(obj, rules)
@@ -203,11 +203,19 @@ func (r *CheUserNamespaceReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		},
 	}
 
+	// Deprecated [CRW-6792].
+	// All certificates are mounted into /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	// and automatically added to the system trust store.
+	// TODO remove in the future.
 	if err = r.reconcileSelfSignedCert(ctx, deployContext, req.Name, checluster); err != nil {
 		logrus.Errorf("Failed to reconcile self-signed certificate into namespace '%s': %v", req.Name, err)
 		return ctrl.Result{}, err
 	}
 
+	// Deprecated [CRW-6792].
+	// All certificates are mounted into /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	// and automatically added to the system trust store.
+	// TODO remove in the future.
 	if err = r.reconcileTrustedCerts(ctx, deployContext, req.Name, checluster); err != nil {
 		logrus.Errorf("Failed to reconcile trusted certificates into namespace '%s': %v", req.Name, err)
 		return ctrl.Result{}, err
@@ -218,6 +226,10 @@ func (r *CheUserNamespaceReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		return ctrl.Result{}, err
 	}
 
+	// Deprecated [CRW-6792].
+	// All certificates are mounted into /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	// and automatically added to the system trust store.
+	// TODO remove in the future.
 	if err = r.reconcileGitTlsCertificate(ctx, req.Name, checluster, deployContext); err != nil {
 		logrus.Errorf("Failed to reconcile Che git TLS certificate  into namespace '%s': %v", req.Name, err)
 		return ctrl.Result{}, err
@@ -306,7 +318,7 @@ func (r *CheUserNamespaceReconciler) reconcileTrustedCerts(ctx context.Context,
 	}
 
 	sourceMap := &corev1.ConfigMap{}
-	if err := r.client.Get(ctx, client.ObjectKey{Name: tls.CheAllCACertsConfigMapName, Namespace: checluster.Namespace}, sourceMap); err != nil {
+	if err := r.client.Get(ctx, client.ObjectKey{Name: tls.CheMergedCABundleCertsCMName, Namespace: checluster.Namespace}, sourceMap); err != nil {
 		if !errors.IsNotFound(err) {
 			return err
 		}

diff --git a/controllers/usernamespace/usernamespace_controller_test.go b/controllers/usernamespace/usernamespace_controller_test.go
@@ -114,7 +114,7 @@ func setupCheCluster(t *testing.T, ctx context.Context, cl client.Client, scheme
 
 	caCerts := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      tls.CheAllCACertsConfigMapName,
+			Name:      tls.CheMergedCABundleCertsCMName,
 			Namespace: cheNamespaceName,
 		},
 		Data: map[string]string{
@@ -550,7 +550,7 @@ func TestWatchRulesForConfigMapsInOtherNamespaces(t *testing.T) {
 			APIVersion: "v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      tls.CheAllCACertsConfigMapName,
+			Name:      tls.CheMergedCABundleCertsCMName,
 			Namespace: "eclipse-che",
 		},
 	}

diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml
@@ -7975,6 +7975,16 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      disableWorkspaceCaBundleMount:
+                        description: |-
+                          By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
+                          containing the CA certificate bundle in users' workspaces at two locations:
+                          '/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
+                          The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
+                          for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
+                          This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
+                          while still mounting it to '/public-certs'.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

diff --git a/...y/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/...y/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
@@ -7970,6 +7970,16 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      disableWorkspaceCaBundleMount:
+                        description: |-
+                          By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
+                          containing the CA certificate bundle in users' workspaces at two locations:
+                          '/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
+                          The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
+                          for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
+                          This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
+                          while still mounting it to '/public-certs'.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml
@@ -7975,6 +7975,16 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      disableWorkspaceCaBundleMount:
+                        description: |-
+                          By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
+                          containing the CA certificate bundle in users' workspaces at two locations:
+                          '/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
+                          The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
+                          for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
+                          This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
+                          while still mounting it to '/public-certs'.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

diff --git a/...oy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/...oy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
@@ -7970,6 +7970,16 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      disableWorkspaceCaBundleMount:
+                        description: |-
+                          By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
+                          containing the CA certificate bundle in users' workspaces at two locations:
+                          '/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
+                          The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
+                          for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
+                          This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
+                          while still mounting it to '/public-certs'.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.

diff --git a/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
@@ -7970,6 +7970,16 @@ spec:
                   trustedCerts:
                     description: Trusted certificate settings.
                     properties:
+                      disableWorkspaceCaBundleMount:
+                        description: |-
+                          By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
+                          containing the CA certificate bundle in users' workspaces at two locations:
+                          '/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
+                          The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
+                          for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
+                          This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
+                          while still mounting it to '/public-certs'.
+                        type: boolean
                       gitTrustedCertsConfigMapName:
                         description: |-
                           The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.