Fixup
Signed-off-by: Anatolii Bazko <[email protected]>
tolusha committed Oct 17, 2024
1 parent a65fe17 commit d050415
Showing 11 changed files with 254 additions and 230 deletions.
21 changes: 15 additions & 6 deletions api/v2/checluster_types.go
Expand Up @@ -453,12 +453,15 @@ type DashboardHeaderMessage struct {
}

type TrustedCerts struct {
// By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates bundle
// into users` workspaces. This option allows to disable this behavior.
// The CA bundle mount paths in the workspace pods.
// If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
// +optional
DisableMountingCaBundleIntoDevWorkspace *bool `json:"disableMountingCaBundleIntoDevWorkspace,omitempty"`
// By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
// containing the CA certificate bundle in users' workspaces at two locations:
// '/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
// The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
// for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
// This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
// while still mounting it to '/public-certs'.
// +optional
DisableWorkspaceCaBundleMount *bool `json:"disableWorkspaceCaBundleMount,omitempty"`
// The ConfigMap contains certificates to propagate to the Che components and to provide a particular configuration for Git.
// See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/deploying-che-with-support-for-git-repositories-with-self-signed-certificates/
// The ConfigMap must have a `app.kubernetes.io/part-of=che.eclipse.org` label.
Expand Down Expand Up @@ -1055,3 +1058,9 @@ func (c *CheCluster) IsInternalPluginRegistryDisabled() bool {
func (c *CheCluster) IsCheBeingInstalled() bool {
return c.Status.CheVersion == ""
}

func (c *CheCluster) IsDisableWorkspaceCaBundleMount() bool {
return c.Spec.DevEnvironments.TrustedCerts != nil &&
c.Spec.DevEnvironments.TrustedCerts.DisableWorkspaceCaBundleMount != nil &&
*c.Spec.DevEnvironments.TrustedCerts.DisableWorkspaceCaBundleMount
}
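Review bot: IsDisableWorkspaceCaBundleMount is exported but carries no doc comment, and its name reads as if it disables the whole workspace CA bundle mount, while the field comment above says only the '/etc/pki/ca-trust/extracted/pem' mount is skipped and '/public-certs' stays. A doc comment in the file's style that pins that down, `// IsDisableWorkspaceCaBundleMount reports whether mounting the CA bundle into the system trust directory of workspace pods is disabled; the '/public-certs' mount is unaffected.`, keeps callers from reading it as "no CA bundle in workspaces". The field comment's "on Red Hat (e.g., CentOS, Fedora)" also reads oddly, since those are Red Hat-family distributions rather than Red Hat itself; `// for trusted certificate authorities on Red Hat-family distributions (e.g., RHEL, CentOS, Fedora).` is clearer, and the CRD descriptions in the other files of this commit presumably pick it up on regeneration. The method body itself handles the nil TrustedCerts and nil pointer cases correctly.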
9 changes: 2 additions & 7 deletions api/v2/zz_generated.deepcopy.go


18 changes: 8 additions & 10 deletions bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml
Expand Up @@ -8003,17 +8003,15 @@ spec:
trustedCerts:
description: Trusted certificate settings.
properties:
caBundleMountPaths:
disableWorkspaceCaBundleMount:
description: |-
The CA bundle mount paths in the workspace pods.
If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
items:
type: string
type: array
disableMountingCaBundleIntoDevWorkspace:
description: |-
By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
a users` workspaces. This option allows to disable this behavior.
By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
containing the CA certificate bundle in users' workspaces at two locations:
'/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
while still mounting it to '/public-certs'.
type: boolean
gitTrustedCertsConfigMapName:
description: |-
18 changes: 8 additions & 10 deletions config/crd/bases/org.eclipse.che_checlusters.yaml
Expand Up @@ -7954,17 +7954,15 @@ spec:
trustedCerts:
description: Trusted certificate settings.
properties:
caBundleMountPaths:
disableWorkspaceCaBundleMount:
description: |-
The CA bundle mount paths in the workspace pods.
If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
items:
type: string
type: array
disableMountingCaBundleIntoDevWorkspace:
description: |-
By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
a users` workspaces. This option allows to disable this behavior.
By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
containing the CA certificate bundle in users' workspaces at two locations:
'/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
while still mounting it to '/public-certs'.
type: boolean
gitTrustedCertsConfigMapName:
description: |-
18 changes: 8 additions & 10 deletions deploy/deployment/kubernetes/combined.yaml
Expand Up @@ -7975,17 +7975,15 @@ spec:
trustedCerts:
description: Trusted certificate settings.
properties:
caBundleMountPaths:
disableWorkspaceCaBundleMount:
description: |-
The CA bundle mount paths in the workspace pods.
If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
items:
type: string
type: array
disableMountingCaBundleIntoDevWorkspace:
description: |-
By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
a users` workspaces. This option allows to disable this behavior.
By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
containing the CA certificate bundle in users' workspaces at two locations:
'/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
while still mounting it to '/public-certs'.
type: boolean
gitTrustedCertsConfigMapName:
description: |-
Expand Up @@ -7970,17 +7970,15 @@ spec:
trustedCerts:
description: Trusted certificate settings.
properties:
caBundleMountPaths:
disableWorkspaceCaBundleMount:
description: |-
The CA bundle mount paths in the workspace pods.
If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
items:
type: string
type: array
disableMountingCaBundleIntoDevWorkspace:
description: |-
By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
a users` workspaces. This option allows to disable this behavior.
By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
containing the CA certificate bundle in users' workspaces at two locations:
'/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
while still mounting it to '/public-certs'.
type: boolean
gitTrustedCertsConfigMapName:
description: |-
18 changes: 8 additions & 10 deletions deploy/deployment/openshift/combined.yaml
Expand Up @@ -7975,17 +7975,15 @@ spec:
trustedCerts:
description: Trusted certificate settings.
properties:
caBundleMountPaths:
disableWorkspaceCaBundleMount:
description: |-
The CA bundle mount paths in the workspace pods.
If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
items:
type: string
type: array
disableMountingCaBundleIntoDevWorkspace:
description: |-
By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
a users` workspaces. This option allows to disable this behavior.
By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
containing the CA certificate bundle in users' workspaces at two locations:
'/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
while still mounting it to '/public-certs'.
type: boolean
gitTrustedCertsConfigMapName:
description: |-
Expand Up @@ -7970,17 +7970,15 @@ spec:
trustedCerts:
description: Trusted certificate settings.
properties:
caBundleMountPaths:
disableWorkspaceCaBundleMount:
description: |-
The CA bundle mount paths in the workspace pods.
If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
items:
type: string
type: array
disableMountingCaBundleIntoDevWorkspace:
description: |-
By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
a users` workspaces. This option allows to disable this behavior.
By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
containing the CA certificate bundle in users' workspaces at two locations:
'/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
while still mounting it to '/public-certs'.
type: boolean
gitTrustedCertsConfigMapName:
description: |-
Expand Up @@ -7970,17 +7970,15 @@ spec:
trustedCerts:
description: Trusted certificate settings.
properties:
caBundleMountPaths:
disableWorkspaceCaBundleMount:
description: |-
The CA bundle mount paths in the workspace pods.
If not specified, the default is `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
items:
type: string
type: array
disableMountingCaBundleIntoDevWorkspace:
description: |-
By default, Operator creates and mounts the `ca-certs-merged` ConfigMap containing the CA certificates into
a users` workspaces. This option allows to disable this behavior.
By default, the Operator creates and mounts the 'ca-certs-merged' ConfigMap
containing the CA certificate bundle in users' workspaces at two locations:
'/public-certs' and '/etc/pki/ca-trust/extracted/pem'.
The '/etc/pki/ca-trust/extracted/pem' directory is where the system stores extracted CA certificates
for trusted certificate authorities on Red Hat (e.g., CentOS, Fedora).
This option disables mounting the CA bundle to the '/etc/pki/ca-trust/extracted/pem' directory
while still mounting it to '/public-certs'.
type: boolean
gitTrustedCertsConfigMapName:
description: |-
72 changes: 52 additions & 20 deletions pkg/deploy/tls/certificates.go
Expand Up @@ -53,10 +53,13 @@ const (

type CertificatesReconciler struct {
deploy.Reconcilable
readKubernetesCaBundle func() ([]byte, error)
}

func NewCertificatesReconciler() *CertificatesReconciler {
return &CertificatesReconciler{}
return &CertificatesReconciler{
readKubernetesCaBundle: readKubernetesCaBundle,
}
}

func (c *CertificatesReconciler) Reconcile(ctx *chetypes.DeployContext) (reconcile.Result, bool, error) {
Expand Down Expand Up @@ -96,14 +99,34 @@ func (c *CertificatesReconciler) Finalize(ctx *chetypes.DeployContext) bool {
}

func (c *CertificatesReconciler) syncOpenShiftCABundleCertificates(ctx *chetypes.DeployContext) (bool, error) {
openShiftCaBundleCM := deploy.GetConfigMapSpec(
ctx,
constants.DefaultCaBundleCertsCMName,
map[string]string{},
defaults.GetCheFlavor(),
)
openShiftCaBundleCMKey := types.NamespacedName{
Namespace: ctx.CheCluster.Namespace,
Name: constants.DefaultCaBundleCertsCMName,
}

openShiftCaBundleCM := &corev1.ConfigMap{}
exists, err := deploy.Get(ctx, openShiftCaBundleCMKey, openShiftCaBundleCM)
if err != nil {
return false, err
}

if !exists {
openShiftCaBundleCM = &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: constants.DefaultCaBundleCertsCMName,
Namespace: ctx.CheCluster.Namespace,
Labels: deploy.GetLabels(constants.CheCABundle),
},
}
}

openShiftCaBundleCM.ObjectMeta.Labels[injectTrustedCaBundle] = "true"
openShiftCaBundleCM.ObjectMeta.Labels[constants.KubernetesPartOfLabelKey] = constants.CheEclipseOrg
openShiftCaBundleCM.ObjectMeta.Labels[constants.KubernetesComponentLabelKey] = constants.CheCABundle
openShiftCaBundleCM.TypeMeta = metav1.TypeMeta{
Kind: "ConfigMap",
APIVersion: "v1",
}

return deploy.Sync(
ctx,
Expand All @@ -120,19 +143,15 @@ func (c *CertificatesReconciler) syncOpenShiftCABundleCertificates(ctx *chetypes
}

func (c *CertificatesReconciler) syncKubernetesCABundleCertificates(ctx *chetypes.DeployContext) (bool, error) {
data, err := os.ReadFile(kubernetesCABundleCertsDir + string(os.PathSeparator) + kubernetesCABundleCertsFile)
data, err := c.readKubernetesCaBundle()
if err != nil {
if errors.Is(err, os.ErrNotExist) {
return true, nil
}

return false, err
}

kubernetesCaBundleCM := deploy.GetConfigMapSpec(
ctx,
constants.DefaultCaBundleCertsCMName,
map[string]string{"ca.crt": string(data)},
map[string]string{kubernetesCABundleCertsFile: string(data)},
constants.CheCABundle,
)

Expand Down Expand Up @@ -163,6 +182,10 @@ func (c *CertificatesReconciler) syncGitTrustedCertificates(ctx *chetypes.Deploy
APIVersion: "v1",
}

if gitTrustedCertsCM.GetLabels() == nil {
gitTrustedCertsCM.Labels = map[string]string{}
}

// Add necessary labels to the ConfigMap
gitTrustedCertsCM.Labels[constants.KubernetesPartOfLabelKey] = constants.CheEclipseOrg
gitTrustedCertsCM.Labels[constants.KubernetesComponentLabelKey] = constants.CheCABundle
Expand Down Expand Up @@ -323,19 +346,28 @@ func (c *CertificatesReconciler) syncCheCABundleCerts(ctx *chetypes.DeployContex
// Add annotations with included config maps revisions
mergedCABundlesCM.ObjectMeta.Annotations[cheCABundleIncludedCMRevisions] = cheCABundlesExpectedRevisionsAsString

if ctx.CheCluster.Spec.DevEnvironments.TrustedCerts == nil ||
(ctx.CheCluster.Spec.DevEnvironments.TrustedCerts.DisableMountingCaBundleIntoDevWorkspace != nil &&
!*ctx.CheCluster.Spec.DevEnvironments.TrustedCerts.DisableMountingCaBundleIntoDevWorkspace) {

if !ctx.CheCluster.IsDisableWorkspaceCaBundleMount() {
// Mark ConfigMap as workspace config (will be mounted in all workspace pods)
mergedCABundlesCM.ObjectMeta.Labels[constants.KubernetesComponentLabelKey] = constants.WorkspacesConfig

// Add annotations to mount certificates in desired path
// Set desired mount location
mergedCABundlesCM.Data = map[string]string{kubernetesCABundleCertsFile: cheCABundlesExpectedContent}
mergedCABundlesCM.ObjectMeta.Annotations["controller.devfile.io/mount-as"] = "subpath"
mergedCABundlesCM.ObjectMeta.Annotations["controller.devfile.io/mount-path"] = kubernetesCABundleCertsDir

mergedCABundlesCM.Data = map[string]string{kubernetesCABundleCertsFile: cheCABundlesExpectedContent}
}

return deploy.Sync(ctx, mergedCABundlesCM, deploy.ConfigMapDiffOpts)
}

func readKubernetesCaBundle() ([]byte, error) {
data, err := os.ReadFile(kubernetesCABundleCertsDir + string(os.PathSeparator) + kubernetesCABundleCertsFile)
if err != nil {
if errors.Is(err, os.ErrNotExist) {
return nil, nil
}

return nil, err
}

return data, nil
}
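Review bot: readKubernetesCaBundle returns (nil, nil) when the bundle file is missing, but syncKubernetesCABundleCertificates no longer short-circuits on that case — the removed errors.Is(err, os.ErrNotExist) branch returned (true, nil) before GetConfigMapSpec, whereas the new code proceeds with data == nil and builds a ConfigMap spec whose kubernetesCABundleCertsFile entry is the empty string (the sync that presumably follows is outside the hunk). Add a guard after the read, `if data == nil { return true, nil }`, or keep returning os.ErrNotExist from readKubernetesCaBundle and check it in the caller; either way the nil-data contract deserves a doc comment on readKubernetesCaBundle, e.g. `// readKubernetesCaBundle returns the CA bundle file contents, or (nil, nil) when the file does not exist.` In the same section, syncOpenShiftCABundleCertificates writes into openShiftCaBundleCM.ObjectMeta.Labels without the nil-map guard that the syncGitTrustedCertificates hunk adds for gitTrustedCertsCM; an existing ConfigMap fetched by deploy.Get with no labels would panic the reconciler, so `if openShiftCaBundleCM.Labels == nil { openShiftCaBundleCM.Labels = map[string]string{} }` belongs before those assignments. syncKubernetesCABundleCertificates and syncOpenShiftCABundleCertificates both continue outside their hunks.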
