fixup! Inject certificate to http client from a configmap referenced in the config

vinokurig · vinokurig · commit dea48cc469e5 · 2024-05-23T18:02:35.000+03:00
Signed-off-by: ivinokur &lt;ivinokur@redhat.com&gt;
diff --git a/controllers/workspace/devworkspace_controller.go b/controllers/workspace/devworkspace_controller.go
@@ -18,7 +18,6 @@ package controllers
 import (
 	"context"
 	"fmt"
-	"net/http"
 	"strconv"
 	"strings"
 	"time"
@@ -28,7 +27,6 @@ import (
 	"github.com/devfile/devworkspace-operator/controllers/workspace/metrics"
 	"github.com/devfile/devworkspace-operator/pkg/common"
 	"github.com/devfile/devworkspace-operator/pkg/conditions"
-	"github.com/devfile/devworkspace-operator/pkg/config"
 	wkspConfig "github.com/devfile/devworkspace-operator/pkg/config"
 	"github.com/devfile/devworkspace-operator/pkg/constants"
 	"github.com/devfile/devworkspace-operator/pkg/dwerrors"
@@ -144,12 +142,8 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	reqLogger = reqLogger.WithValues(constants.DevWorkspaceIDLoggerKey, workspace.Status.DevWorkspaceId)
 	reqLogger.Info("Reconciling Workspace", "resolvedConfig", configString)
 
-	// Inject ca certificates to the http clint if the certificates configmap is created and defined in the config.
-	if certs, ok := readCertificates(r.Client, config, r.Log); ok {
-		for _, certsPem := range certs {
-			injectCertificates([]byte(certsPem), httpClient.Transport.(*http.Transport))
-		}
-	}
+	// Inject ca certificates to the http client, if the certificates configmap is created and defined in the config.
+	InjectCertificates(r.Client, r.Log)
 
 	// Check if the DevWorkspaceRouting instance is marked to be deleted, which is
 	// indicated by the deletion timestamp being set.
@@ -677,7 +671,7 @@ func (r *DevWorkspaceReconciler) getWorkspaceId(ctx context.Context, workspace *
 }
 
 func (r *DevWorkspaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	setupHttpClients(mgr.GetClient(), config.GetGlobalConfig(), mgr.GetLogger())
+	setupHttpClients(mgr.GetClient(), mgr.GetLogger())
 
 	maxConcurrentReconciles, err := wkspConfig.GetMaxConcurrentReconciles()
 	if err != nil {
diff --git a/controllers/workspace/http.go b/controllers/workspace/http.go
@@ -21,9 +21,9 @@ import (
 	"net/url"
 	"time"
 
-	"k8s.io/apimachinery/pkg/types"
+	"github.com/devfile/devworkspace-operator/pkg/config"
 
-	controller "github.com/devfile/devworkspace-operator/apis/controller/v1alpha1"
+	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
@@ -37,28 +37,25 @@ var (
 	healthCheckHttpClient *http.Client
 )
 
-func setupHttpClients(k8s client.Client, config *controller.OperatorConfiguration, logger logr.Logger) {
+func setupHttpClients(k8s client.Client, logger logr.Logger) {
 	transport := http.DefaultTransport.(*http.Transport).Clone()
-	if certs, ok := readCertificates(k8s, config, logger); ok {
-		for _, certsPem := range certs {
-			injectCertificates([]byte(certsPem), transport)
-		}
-	}
 	healthCheckTransport := http.DefaultTransport.(*http.Transport).Clone()
 	healthCheckTransport.TLSClientConfig = &tls.Config{
 		InsecureSkipVerify: true,
 	}
 
-	if config.Routing != nil && config.Routing.ProxyConfig != nil {
+	globalConfig := config.GetGlobalConfig()
+
+	if globalConfig.Routing != nil && globalConfig.Routing.ProxyConfig != nil {
 		proxyConf := httpproxy.Config{}
-		if config.Routing.ProxyConfig.HttpProxy != nil {
-			proxyConf.HTTPProxy = *config.Routing.ProxyConfig.HttpProxy
+		if globalConfig.Routing.ProxyConfig.HttpProxy != nil {
+			proxyConf.HTTPProxy = *globalConfig.Routing.ProxyConfig.HttpProxy
 		}
-		if config.Routing.ProxyConfig.HttpsProxy != nil {
-			proxyConf.HTTPSProxy = *config.Routing.ProxyConfig.HttpsProxy
+		if globalConfig.Routing.ProxyConfig.HttpsProxy != nil {
+			proxyConf.HTTPSProxy = *globalConfig.Routing.ProxyConfig.HttpsProxy
 		}
-		if config.Routing.ProxyConfig.NoProxy != nil {
-			proxyConf.NoProxy = *config.Routing.ProxyConfig.NoProxy
+		if globalConfig.Routing.ProxyConfig.NoProxy != nil {
+			proxyConf.NoProxy = *globalConfig.Routing.ProxyConfig.NoProxy
 		}
 
 		proxyFunc := func(req *http.Request) (*url.URL, error) {
@@ -75,10 +72,19 @@ func setupHttpClients(k8s client.Client, config *controller.OperatorConfiguratio
 		Transport: healthCheckTransport,
 		Timeout:   500 * time.Millisecond,
 	}
+	InjectCertificates(k8s, logger)
 }
 
-func readCertificates(k8s client.Client, config *controller.OperatorConfiguration, logger logr.Logger) (map[string]string, bool) {
-	configmapRef := config.Routing.TLSCertificateConfigmapRef
+func InjectCertificates(k8s client.Client, logger logr.Logger) {
+	if certs, ok := readCertificates(k8s, logger); ok {
+		for _, certsPem := range certs {
+			injectCertificates([]byte(certsPem), httpClient.Transport.(*http.Transport), logger)
+		}
+	}
+}
+
+func readCertificates(k8s client.Client, logger logr.Logger) (map[string]string, bool) {
+	configmapRef := config.GetGlobalConfig().Routing.TLSCertificateConfigmapRef
 	if configmapRef == nil {
 		return nil, false
 	}
@@ -95,10 +101,16 @@ func readCertificates(k8s client.Client, config *controller.OperatorConfiguratio
 	return configMap.Data, true
 }
 
-func injectCertificates(certsPem []byte, transport *http.Transport) {
+func injectCertificates(certsPem []byte, transport *http.Transport, logger logr.Logger) {
 	caCertPool := transport.TLSClientConfig.RootCAs
 	if caCertPool == nil {
-		caCertPool = x509.NewCertPool()
+		systemCertPool, err := x509.SystemCertPool()
+		if err != nil {
+			logger.Error(err, "Failed to load system cert pool")
+			caCertPool = x509.NewCertPool()
+		} else {
+			caCertPool = systemCertPool
+		}
 	}
 	if ok := caCertPool.AppendCertsFromPEM(certsPem); ok {
 		transport.TLSClientConfig = &tls.Config{RootCAs: caCertPool}
