diff --git a/controllers/workspace/devworkspace_controller.go b/controllers/workspace/devworkspace_controller.go index 9573e741c..f0c8600ed 100644 --- a/controllers/workspace/devworkspace_controller.go +++ b/controllers/workspace/devworkspace_controller.go @@ -18,7 +18,6 @@ package controllers import ( "context" "fmt" - "net/http" "strconv" "strings" "time" @@ -28,7 +27,6 @@ import ( "github.com/devfile/devworkspace-operator/controllers/workspace/metrics" "github.com/devfile/devworkspace-operator/pkg/common" "github.com/devfile/devworkspace-operator/pkg/conditions" - "github.com/devfile/devworkspace-operator/pkg/config" wkspConfig "github.com/devfile/devworkspace-operator/pkg/config" "github.com/devfile/devworkspace-operator/pkg/constants" "github.com/devfile/devworkspace-operator/pkg/dwerrors" @@ -144,12 +142,8 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request reqLogger = reqLogger.WithValues(constants.DevWorkspaceIDLoggerKey, workspace.Status.DevWorkspaceId) reqLogger.Info("Reconciling Workspace", "resolvedConfig", configString) - // Inject ca certificates to the http clint if the certificates configmap is created and defined in the config. - if certs, ok := readCertificates(r.Client, config, r.Log); ok { - for _, certsPem := range certs { - injectCertificates([]byte(certsPem), httpClient.Transport.(*http.Transport)) - } - } + // Inject ca certificates to the http client, if the certificates configmap is created and defined in the config. + InjectCertificates(r.Client, r.Log) // Check if the DevWorkspaceRouting instance is marked to be deleted, which is // indicated by the deletion timestamp being set. 
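Review bot: The replaced call passed the `config` that Reconcile had just logged as `resolvedConfig`, whereas the new `InjectCertificates(r.Client, r.Log)` line reads `config.GetGlobalConfig()` inside readCertificates; if that local was the per-workspace resolved configuration, a workspace-level override of `TLSCertificateConfigmapRef` is silently ignored from this commit on, so either confirm that is intended or pass the resolved config through. Independently, the injection now runs on every reconcile of every workspace, re-reading the ConfigMap and rewriting the shared `httpClient` transport each time, which is both redundant and an unnecessary write to a client other reconciles are using concurrently. Consider doing it only when the referenced ConfigMap changes (a watch on it, or comparing its data with what was last injected) rather than unconditionally per reconcile, and log when no certificates could be injected so a reconcile does not proceed with a client that silently lacks the configured CA. The body of Reconcile continues outside the hunk.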
@@ -677,7 +671,7 @@ func (r *DevWorkspaceReconciler) getWorkspaceId(ctx context.Context, workspace * } func (r *DevWorkspaceReconciler) SetupWithManager(mgr ctrl.Manager) error { - setupHttpClients(mgr.GetClient(), config.GetGlobalConfig(), mgr.GetLogger()) + setupHttpClients(mgr.GetClient(), mgr.GetLogger()) maxConcurrentReconciles, err := wkspConfig.GetMaxConcurrentReconciles() if err != nil { diff --git a/controllers/workspace/http.go b/controllers/workspace/http.go index 4736905ae..5268fcc1c 100644 --- a/controllers/workspace/http.go +++ b/controllers/workspace/http.go @@ -21,9 +21,9 @@ import ( "net/url" "time" - "k8s.io/apimachinery/pkg/types" + "github.com/devfile/devworkspace-operator/pkg/config" - controller "github.com/devfile/devworkspace-operator/apis/controller/v1alpha1" + "k8s.io/apimachinery/pkg/types" "github.com/go-logr/logr" corev1 "k8s.io/api/core/v1" 
@@ -37,28 +37,25 @@ var ( healthCheckHttpClient *http.Client ) -func setupHttpClients(k8s client.Client, config *controller.OperatorConfiguration, logger logr.Logger) { +func setupHttpClients(k8s client.Client, logger logr.Logger) { transport := http.DefaultTransport.(*http.Transport).Clone() - if certs, ok := readCertificates(k8s, config, logger); ok { - for _, certsPem := range certs { - injectCertificates([]byte(certsPem), transport) - } - } healthCheckTransport := http.DefaultTransport.(*http.Transport).Clone() healthCheckTransport.TLSClientConfig = &tls.Config{ InsecureSkipVerify: true, } - if config.Routing != nil && config.Routing.ProxyConfig != nil { + globalConfig := config.GetGlobalConfig() + + if globalConfig.Routing != nil && globalConfig.Routing.ProxyConfig != nil { proxyConf := httpproxy.Config{} - if config.Routing.ProxyConfig.HttpProxy != nil { - proxyConf.HTTPProxy = *config.Routing.ProxyConfig.HttpProxy + if globalConfig.Routing.ProxyConfig.HttpProxy != nil { + proxyConf.HTTPProxy = *globalConfig.Routing.ProxyConfig.HttpProxy } - if config.Routing.ProxyConfig.HttpsProxy != nil { - proxyConf.HTTPSProxy = *config.Routing.ProxyConfig.HttpsProxy + if globalConfig.Routing.ProxyConfig.HttpsProxy != nil { + proxyConf.HTTPSProxy = *globalConfig.Routing.ProxyConfig.HttpsProxy } - if config.Routing.ProxyConfig.NoProxy != nil { - proxyConf.NoProxy = *config.Routing.ProxyConfig.NoProxy + if globalConfig.Routing.ProxyConfig.NoProxy != nil { + proxyConf.NoProxy = *globalConfig.Routing.ProxyConfig.NoProxy } proxyFunc := func(req *http.Request) (*url.URL, error) { 
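Review bot: `setupHttpClients` now reads `config.GetGlobalConfig()` directly instead of taking the configuration as a parameter, but nothing at the definition says when that global is expected to be populated, and the function has no doc comment. I would add, above the signature: `// setupHttpClients builds the package-level httpClient and healthCheckHttpClient from the global operator configuration (proxy settings and, via InjectCertificates, the TLS certificate ConfigMap); it expects the global config to be loaded already and is called once from SetupWithManager.` The unchanged `InsecureSkipVerify: true` on healthCheckTransport would also benefit from a one-line comment stating why verification is intentionally skipped for health checks, since a reader comparing it with the CA injection done for the main client will otherwise wonder whether it is an oversight. The function body continues past the end of the hunk.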
@@ -75,10 +72,19 @@ func setupHttpClients(k8s client.Client, config *controller.OperatorConfiguratio Transport: healthCheckTransport, Timeout: 500 * time.Millisecond, } + InjectCertificates(k8s, logger) } -func readCertificates(k8s client.Client, config *controller.OperatorConfiguration, logger logr.Logger) (map[string]string, bool) { - configmapRef := config.Routing.TLSCertificateConfigmapRef +func InjectCertificates(k8s client.Client, logger logr.Logger) { + if certs, ok := readCertificates(k8s, logger); ok { + for _, certsPem := range certs { + injectCertificates([]byte(certsPem), httpClient.Transport.(*http.Transport), logger) + } + } +} + +func readCertificates(k8s client.Client, logger logr.Logger) (map[string]string, bool) { + configmapRef := config.GetGlobalConfig().Routing.TLSCertificateConfigmapRef if configmapRef == nil { return nil, false } @@ -95,10 +101,16 @@ func readCertificates(k8s client.Client, config *controller.OperatorConfiguratio return configMap.Data, true } -func injectCertificates(certsPem []byte, transport *http.Transport) { +func injectCertificates(certsPem []byte, transport *http.Transport, logger logr.Logger) { caCertPool := transport.TLSClientConfig.RootCAs if caCertPool == nil { - caCertPool = x509.NewCertPool() + systemCertPool, err := x509.SystemCertPool() + if err != nil { + logger.Error(err, "Failed to load system cert pool") + caCertPool = x509.NewCertPool() + } else { + caCertPool = systemCertPool + } } if ok := caCertPool.AppendCertsFromPEM(certsPem); ok { transport.TLSClientConfig = &tls.Config{RootCAs: caCertPool}
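Review bot: `InjectCertificates` rewrites the `TLSClientConfig` of `httpClient.Transport` in place (through injectCertificates) while that client is shared by every reconcile, and Reconcile now calls it on each pass; with `maxConcurrentReconciles` above one (SetupWithManager, earlier hunk) two goroutines can write the config concurrently with requests that read it, and connections already established through the transport keep the trust they were handshaken with, so the new CA may not take effect until the idle pool is dropped. I would serialise the injection behind a package-level `sync.Mutex`, skip the rewrite when the ConfigMap data is unchanged from the last injection, and call `CloseIdleConnections()` on the transport after a real change, or rebuild the client rather than mutate it. Separately, `readCertificates` dereferences `config.GetGlobalConfig().Routing` without the nil check that setupHttpClients applies to the same field; `routing := config.GetGlobalConfig().Routing` / `if routing == nil || routing.TLSCertificateConfigmapRef == nil {` / `return nil, false` keeps a config with no Routing section from panicking. The type assertion `httpClient.Transport.(*http.Transport)` is also unchecked; the two-value form with a logged error would fail soft if the transport is ever wrapped. readCertificates continues past the end of the hunk.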