Inject certificate to http client from a configmap referenced in the config

Signed-off-by: ivinokur <[email protected]>

Author: vinokurig

apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go

@@ -61,6 +61,9 @@ type RoutingConfig struct {
 	// DevWorkspaces. However, changing the proxy configuration for the DevWorkspace Operator itself
 	// requires restarting the controller deployment.
 	ProxyConfig *Proxy `json:"proxyConfig,omitempty"`
+	// TLSCertificateConfigmapRef defines the name and namespace of the configmap with a certificate to inject to http
+	// client.
+	TLSCertificateConfigmapRef *ConfigmapReference `json:"tlsCertificateConfigmapRef,omitempty"`
 }
 
 type WorkspaceConfig struct {
@@ -240,6 +243,13 @@ type ProjectCloneConfig struct {
 	Env []corev1.EnvVar `json:"env,omitempty"`
 }
 
+type ConfigmapReference struct {
+	// Name is the name of the configmap
+	Name string `json:"name"`
+	// Namespace is the namespace of the configmap
+	Namespace string `json:"namespace"`
+}
+
 // DevWorkspaceOperatorConfig is the Schema for the devworkspaceoperatorconfigs API
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:path=devworkspaceoperatorconfigs,scope=Namespaced,shortName=dwoc

controllers/workspace/devworkspace_controller.go

@@ -667,9 +667,8 @@ func (r *DevWorkspaceReconciler) getWorkspaceId(ctx context.Context, workspace *
 	}
 }
 
-func (r *DevWorkspaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	setupHttpClients()
-
+func (r *DevWorkspaceReconciler) SetupWithManager(mgr ctrl.Manager, k8s client.Client) error {
+	setupHttpClients(k8s)
 	maxConcurrentReconciles, err := wkspConfig.GetMaxConcurrentReconciles()
 	if err != nil {
 		return err
@@ -681,6 +680,7 @@ func (r *DevWorkspaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
 
 	configWatcher := builder.WithPredicates(wkspConfig.Predicates())
 	automountWatcher := builder.WithPredicates(automountPredicates)
+	certificateWatcher := builder.WithPredicates(certificatePredicates)
 
 	// TODO: Set up indexing https://book.kubebuilder.io/cronjob-tutorial/controller-implementation.html#setup
 	return ctrl.NewControllerManagedBy(mgr).
@@ -700,6 +700,7 @@ func (r *DevWorkspaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Watches(&source.Kind{Type: &corev1.PersistentVolumeClaim{}}, handler.EnqueueRequestsFromMapFunc(r.dwPVCHandler)).
 		Watches(&source.Kind{Type: &corev1.Secret{}}, handler.EnqueueRequestsFromMapFunc(r.runningWorkspacesHandler), automountWatcher).
 		Watches(&source.Kind{Type: &corev1.ConfigMap{}}, handler.EnqueueRequestsFromMapFunc(r.runningWorkspacesHandler), automountWatcher).
+		Watches(&source.Kind{Type: &corev1.ConfigMap{}}, handler.EnqueueRequestsFromMapFunc(r.certificateHandler), certificateWatcher).
 		Watches(&source.Kind{Type: &corev1.PersistentVolumeClaim{}}, handler.EnqueueRequestsFromMapFunc(r.runningWorkspacesHandler), automountWatcher).
 		Watches(&source.Kind{Type: &controllerv1alpha1.DevWorkspaceOperatorConfig{}}, handler.EnqueueRequestsFromMapFunc(emptyMapper), configWatcher).
 		WithEventFilter(devworkspacePredicates).

controllers/workspace/eventhandlers.go

@@ -15,6 +15,8 @@ package controllers
 
 import (
 	"context"
+	corev1 "k8s.io/api/core/v1"
+	"net/http"
 
 	dw "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
 	wkspConfig "github.com/devfile/devworkspace-operator/pkg/config"
@@ -106,3 +108,11 @@ func (r *DevWorkspaceReconciler) runningWorkspacesHandler(obj client.Object) []r
 	}
 	return reconciles
 }
+
+func (r *DevWorkspaceReconciler) certificateHandler(obj client.Object) []reconcile.Request {
+	certsPem, ok := obj.(*corev1.ConfigMap).Data["custom-ca-certificates.pem"]
+	if ok {
+		injectCertificates([]byte(certsPem), httpClient.Transport.(*http.Transport))
+	}
+	return []reconcile.Request{}
+}

controllers/workspace/http.go

@@ -14,9 +14,14 @@
 package controllers
 
 import (
+	"context"
 	"crypto/tls"
+	"crypto/x509"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"net/http"
 	"net/url"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"time"
 
 	"github.com/devfile/devworkspace-operator/pkg/config"
@@ -28,8 +33,12 @@ var (
 	healthCheckHttpClient *http.Client
 )
 
-func setupHttpClients() {
+func setupHttpClients(k8s client.Client) {
 	transport := http.DefaultTransport.(*http.Transport).Clone()
+	certs, ok := readCertificates(k8s)
+	if ok {
+		injectCertificates(certs, transport)
+	}
 	healthCheckTransport := http.DefaultTransport.(*http.Transport).Clone()
 	healthCheckTransport.TLSClientConfig = &tls.Config{
 		InsecureSkipVerify: true,
@@ -64,3 +73,31 @@ func setupHttpClients() {
 		Timeout:   500 * time.Millisecond,
 	}
 }
+
+func readCertificates(k8s client.Client) ([]byte, bool) {
+	configmapRef := config.GetGlobalConfig().Routing.TLSCertificateConfigmapRef
+	if configmapRef == nil {
+		return nil, false
+	}
+	configMap := &corev1.ConfigMap{}
+	namespacedName := &types.NamespacedName{
+		Name:      configmapRef.Name,
+		Namespace: configmapRef.Namespace,
+	}
+	err := k8s.Get(context.Background(), *namespacedName, configMap)
+	if err == nil {
+		certificates, ok := configMap.Data["custom-ca-certificates.pem"]
+		if ok {
+			return []byte(certificates), true
+		}
+	}
+	return []byte{}, false
+}
+
+func injectCertificates(certsPem []byte, transport *http.Transport) {
+	caCertPool := x509.NewCertPool()
+	ok := caCertPool.AppendCertsFromPEM(certsPem)
+	if ok {
+		transport.TLSClientConfig = &tls.Config{RootCAs: caCertPool}
+	}
+}

controllers/workspace/predicates.go

@@ -17,6 +17,7 @@ package controllers
 
 import (
 	dw "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
+	"github.com/devfile/devworkspace-operator/pkg/config"
 	"github.com/devfile/devworkspace-operator/pkg/constants"
 
 	corev1 "k8s.io/api/core/v1"
@@ -99,6 +100,19 @@ var automountPredicates = predicate.Funcs{
 	GenericFunc: func(_ event.GenericEvent) bool { return false },
 }
 
+var certificatePredicates = predicate.Funcs{
+	CreateFunc: func(ev event.CreateEvent) bool {
+		return objectIsCertificateConfigmap(ev.Object)
+	},
+	DeleteFunc: func(ev event.DeleteEvent) bool {
+		return objectIsCertificateConfigmap(ev.Object)
+	},
+	UpdateFunc: func(ev event.UpdateEvent) bool {
+		return objectIsCertificateConfigmap(ev.ObjectNew)
+	},
+	GenericFunc: func(_ event.GenericEvent) bool { return false },
+}
+
 func objectIsAutomountResource(obj client.Object) bool {
 	labels := obj.GetLabels()
 	switch {
@@ -112,3 +126,12 @@ func objectIsAutomountResource(obj client.Object) bool {
 	}
 
 }
+
+func objectIsCertificateConfigmap(obj client.Object) bool {
+	configmapRef := config.GetGlobalConfig().Routing.TLSCertificateConfigmapRef
+	if configmapRef == nil {
+		return false
+	} else {
+		return configmapRef.Name == obj.GetName() && configmapRef.Namespace == obj.GetNamespace()
+	}
+}

controllers/workspace/suite_test.go

@@ -138,7 +138,7 @@ var _ = BeforeSuite(func() {
 		NonCachingClient: nonCachingClient,
 		Log:              ctrl.Log.WithName("controllers").WithName("DevWorkspace"),
 		Scheme:           mgr.GetScheme(),
-	}).SetupWithManager(mgr)
+	}).SetupWithManager(mgr, nonCachingClient)
 	Expect(err).NotTo(HaveOccurred())
 
 	// Set HTTP client to fail all requests by default; tests that require HTTP must set this up directly

main.go

@@ -165,7 +165,7 @@ func main() {
 		NonCachingClient: nonCachingClient,
 		Log:              ctrl.Log.WithName("controllers").WithName("DevWorkspace"),
 		Scheme:           mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
+	}).SetupWithManager(mgr, nonCachingClient); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "DevWorkspace")
 		os.Exit(1)
 	}

pkg/config/proxy/openshift.go

@@ -59,6 +59,24 @@ func GetClusterProxyConfig(nonCachedClient crclient.Client) (*controller.Proxy,
 	return proxyConfig, nil
 }
 
+// MergeTLSCertificateConfigmapRef merges tls certificate configmap reference configurations
+// from the operator and the cluster and merges them, with the operator configuration taking precedence.
+func MergeTLSCertificateConfigmapRef(operatorConfig, clusterConfig *controller.ConfigmapReference) *controller.ConfigmapReference {
+	mergedConfigmapReference := &controller.ConfigmapReference{
+		Name:      operatorConfig.Name,
+		Namespace: operatorConfig.Namespace,
+	}
+
+	if mergedConfigmapReference.Name == "" {
+		mergedConfigmapReference.Name = clusterConfig.Name
+	}
+	if mergedConfigmapReference.Namespace == "" {
+		mergedConfigmapReference.Namespace = clusterConfig.Namespace
+	}
+
+	return mergedConfigmapReference
+}
+
 // MergeProxyConfigs merges proxy configurations from the operator and the cluster and merges them, with the
 // operator configuration taking precedence. Accepts nil arguments. If both arguments are nil, returns nil.
 func MergeProxyConfigs(operatorConfig, clusterConfig *controller.Proxy) *controller.Proxy {

pkg/config/sync.go

@@ -269,6 +269,12 @@ func mergeConfig(from, to *controller.OperatorConfiguration) {
 			}
 			to.Routing.ProxyConfig = proxy.MergeProxyConfigs(from.Routing.ProxyConfig, defaultConfig.Routing.ProxyConfig)
 		}
+		if from.Routing.TLSCertificateConfigmapRef != nil {
+			if to.Routing.TLSCertificateConfigmapRef == nil {
+				to.Routing.TLSCertificateConfigmapRef = &controller.ConfigmapReference{}
+			}
+			to.Routing.TLSCertificateConfigmapRef = proxy.MergeTLSCertificateConfigmapRef(from.Routing.TLSCertificateConfigmapRef, defaultConfig.Routing.TLSCertificateConfigmapRef)
+		}
 	}
 	if from.Workspace != nil {
 		if to.Workspace == nil {