devfile · AObuchow · May 24, 2024 · May 14, 2024 · May 14, 2024 · AObuchow
@@ -61,6 +61,9 @@ type RoutingConfig struct {
 	// DevWorkspaces. However, changing the proxy configuration for the DevWorkspace Operator itself
 	// requires restarting the controller deployment.
 	ProxyConfig *Proxy `json:"proxyConfig,omitempty"`
+	// TLSCertificateConfigmapRef defines the name and namespace of the configmap with a certificate to inject into the
+	// HTTP client.
+	TLSCertificateConfigmapRef *ConfigmapReference `json:"tlsCertificateConfigmapRef,omitempty"`
 }
 
 type WorkspaceConfig struct {
@@ -246,6 +249,13 @@ type ProjectCloneConfig struct {
 	Env []corev1.EnvVar `json:"env,omitempty"`
 }
 
+type ConfigmapReference struct {
+	// Name is the name of the configmap
+	Name string `json:"name"`
+	// Namespace is the namespace of the configmap
+	Namespace string `json:"namespace"`
+}
+
 // DevWorkspaceOperatorConfig is the Schema for the devworkspaceoperatorconfigs API
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:path=devworkspaceoperatorconfigs,scope=Namespaced,shortName=dwoc

@@ -142,6 +142,9 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	reqLogger = reqLogger.WithValues(constants.DevWorkspaceIDLoggerKey, workspace.Status.DevWorkspaceId)
 	reqLogger.Info("Reconciling Workspace", "resolvedConfig", configString)
 
+	// Inject ca certificates to the http client, if the certificates configmap is created and defined in the config.
+	InjectCertificates(r.Client, r.Log)
+
 	// Check if the DevWorkspaceRouting instance is marked to be deleted, which is
 	// indicated by the deletion timestamp being set.
 	if workspace.GetDeletionTimestamp() != nil {
@@ -668,7 +671,7 @@ func (r *DevWorkspaceReconciler) getWorkspaceId(ctx context.Context, workspace *
 }
 
 func (r *DevWorkspaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	setupHttpClients()
+	setupHttpClients(mgr.GetClient(), mgr.GetLogger())
 
 	maxConcurrentReconciles, err := wkspConfig.GetMaxConcurrentReconciles()
 	if err != nil {

@@ -14,12 +14,21 @@
 package controllers
 
 import (
+	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"net/http"
 	"net/url"
 	"time"
 
 	"github.com/devfile/devworkspace-operator/pkg/config"
+
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
 	"golang.org/x/net/http/httpproxy"
 )
 
@@ -28,7 +37,7 @@ var (
 	healthCheckHttpClient *http.Client
 )
 
-func setupHttpClients() {
+func setupHttpClients(k8s client.Client, logger logr.Logger) {
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	healthCheckTransport := http.DefaultTransport.(*http.Transport).Clone()
 	healthCheckTransport.TLSClientConfig = &tls.Config{
@@ -63,4 +72,47 @@ func setupHttpClients() {
 		Transport: healthCheckTransport,
 		Timeout:   500 * time.Millisecond,
 	}
+	InjectCertificates(k8s, logger)
+}
+
+func InjectCertificates(k8s client.Client, logger logr.Logger) {
+	if certs, ok := readCertificates(k8s, logger); ok {
+		for _, certsPem := range certs {
+			injectCertificates([]byte(certsPem), httpClient.Transport.(*http.Transport), logger)
+		}
+	}
+}
+
+func readCertificates(k8s client.Client, logger logr.Logger) (map[string]string, bool) {
+	configmapRef := config.GetGlobalConfig().Routing.TLSCertificateConfigmapRef
+	if configmapRef == nil {
+		return nil, false
+	}
+	configMap := &corev1.ConfigMap{}
+	namespacedName := &types.NamespacedName{
+		Name:      configmapRef.Name,
+		Namespace: configmapRef.Namespace,
+	}
+	err := k8s.Get(context.Background(), *namespacedName, configMap)
+	if err != nil {
+		logger.Error(err, "Failed to read configmap with certificates")
+		return nil, false
+	}
+	return configMap.Data, true
+}
+
+func injectCertificates(certsPem []byte, transport *http.Transport, logger logr.Logger) {
+	caCertPool := transport.TLSClientConfig.RootCAs
+	if caCertPool == nil {
+		systemCertPool, err := x509.SystemCertPool()
+		if err != nil {
+			logger.Error(err, "Failed to load system cert pool")
+			caCertPool = x509.NewCertPool()
+		} else {
+			caCertPool = systemCertPool
+		}
+	}
+	if ok := caCertPool.AppendCertsFromPEM(certsPem); ok {
+		transport.TLSClientConfig = &tls.Config{RootCAs: caCertPool}
+	}
 }
@@ -269,6 +269,12 @@ func mergeConfig(from, to *controller.OperatorConfiguration) {
 			}
 			to.Routing.ProxyConfig = proxy.MergeProxyConfigs(from.Routing.ProxyConfig, defaultConfig.Routing.ProxyConfig)
 		}
+		if from.Routing.TLSCertificateConfigmapRef != nil {
+			if to.Routing.TLSCertificateConfigmapRef == nil {
+				to.Routing.TLSCertificateConfigmapRef = &controller.ConfigmapReference{}
+			}
+			to.Routing.TLSCertificateConfigmapRef = mergeTLSCertificateConfigmapRef(from.Routing.TLSCertificateConfigmapRef, defaultConfig.Routing.TLSCertificateConfigmapRef)
+		}
 	}
 	if from.Workspace != nil {
 		if to.Workspace == nil {
@@ -429,6 +435,28 @@ func mergeContainerSecurityContext(base, patch *corev1.SecurityContext) *corev1.
 	return patched
 }
 
+func mergeTLSCertificateConfigmapRef(operatorConfig, clusterConfig *controller.ConfigmapReference) *controller.ConfigmapReference {
+	if clusterConfig == nil {
+		return operatorConfig
+	}
+	if operatorConfig == nil {
+		return clusterConfig
+	}
+	mergedConfigmapReference := &controller.ConfigmapReference{
+		Name:      operatorConfig.Name,
+		Namespace: operatorConfig.Namespace,
+	}
+
+	if mergedConfigmapReference.Name == "" {
+		mergedConfigmapReference.Name = clusterConfig.Name
+	}
+	if mergedConfigmapReference.Namespace == "" {
+		mergedConfigmapReference.Namespace = clusterConfig.Namespace
+	}
+
+	return mergedConfigmapReference
+}
+
 func mergeResources(from, to *corev1.ResourceRequirements) *corev1.ResourceRequirements {
 	result := to.DeepCopy()
 	if from.Limits != nil {