chore: Configure DWO with tlsCertificateConfigmapRef when certificates imported to che-operator#2146

Open
tolusha wants to merge 1 commit into main from 23870-3

tolusha commented Jun 23, 2026 (Contributor)

…s imported to che-operator

What does this PR do?

This PR configures the DevWorkspace Operator to use Che's merged CA bundle for TLS by setting tlsCertificateConfigmapRef in the DWI routing config when custom certificates are imported, and adding a watch label so DWO picks up changes. It also refactors the TLS certificate reconciliation to use newer client APIs, adds owner references, removes deprecated sync helpers, and splits a large test file into domain-specific ones.

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

eclipse-che/che#23870

How to test this PR?

  1. Deploy the operator:
    chectl server:deploy -p openshift --che-operator-image quay.io/abazko/che-operator:next

  2. Create k8s resources to host a parent devfile:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: parent
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: server
      namespace: parent
      labels:
        app: file-server-app
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: httpd
          image: 'quay.io/abazko/operator:parent-devfile'
          ports:
            - containerPort: 8000
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: file-server
      namespace: parent
    spec:
      selector:
        app: file-server-app
      ports:
        - protocol: TCP
          port: 80
          targetPort: 8000
    ---
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: parent
      namespace: parent
    spec:
      to:
        name: file-server
        kind: Service
      tls:
        insecureEdgeTerminationPolicy: Redirect
        termination: edge
      port:
        targetPort: 8000

  3. Ensure parent devfile is accessible by url
    https://parent-parent.<openshift-base-domain>/devfile.yaml (for instance https://parent-parent.apps-crc.testing/devfile.yaml)

  4. Import certificate into Che

    openssl s_client -connect parent-parent.apps-crc.testing:443 -showcerts < /dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > parent.crt

    kubectl create configmap custom-ca-certificates \
        --from-file=parent.crt \
        --namespace=eclipse-che

    kubectl label configmap custom-ca-certificates \
        app.kubernetes.io/component=ca-bundle \
        app.kubernetes.io/part-of=che.eclipse.org \
        --namespace=eclipse-che

  5. Check that DWO is configured
    oc get dwoc -n eclipse-che devworkspace-config -o jsonpath="{.config.routing}"

  6. Start a workspace from https://gist.githubusercontent.com/tolusha/6c68d907a52d235b311f196478ce08b6/raw/d94a38042093d9a5fe021091d861cb9ea15ac78e/devfile.yaml

Common Test Scenarios

  • Deploy Eclipse Che
  • Start an empty workspace
  • Open terminal and build/run an image
  • Stop a workspace
  • Check operator logs for reconciliation errors or infinite reconciliation loops

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.
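
The certificate import step in the test procedure writes every certificate the server presented during the handshake into parent.crt, and all of them become trusted once the ConfigMap is labelled. As an added example (not part of this PR or of the che-operator code base), the script below lists each certificate in such a bundle with its CA flag, self-signed status and SHA-256 fingerprint so they can be compared against known-good values before import; `inspect_bundle` is a hypothetical helper name and the `openssl` CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): list what a PEM bundle would add to a
# trust store. Assumes the openssl CLI; inspect_bundle is a hypothetical name.

# inspect_bundle FILE
# Prints one tab-separated line per certificate found in FILE:
#   index  ca(yes|no)  self-signed(yes|no)  sha256-fingerprint  subject  issuer
inspect_bundle() {
    local bundle="$1" tmp f i=0 subject issuer fp ca self
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per BEGIN/END block; text outside the
    # blocks (s_client chatter, comments) is ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || break          # glob did not match: no certificates
        i=$((i + 1))
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^.*=//')
        # basicConstraints CA:TRUE marks a certificate that can sign others.
        if openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then ca=yes; else ca=no; fi
        if [ "$subject" = "$issuer" ]; then self=yes; else self=no; fi
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$i" "$ca" "$self" "$fp" "$subject" "$issuer"
    done
    rm -rf "$tmp"
    [ "$i" -gt 0 ]                    # non-zero status for an empty bundle
}

# Usage: ./inspect-bundle.sh parent.crt
if [ "$#" -gt 0 ]; then inspect_bundle "$1"; fi
```

A non-zero exit status means the file contained no certificate blocks, which usually indicates that the `openssl s_client` connection failed and the ConfigMap would be created from an empty file.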

openshift-ci Bot commented Jun 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tolusha

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

tolusha commented Jun 23, 2026 (Contributor, Author)

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant help — Show this help message

…s imported to che-operator

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

tolusha commented Jun 23, 2026 (Contributor, Author)

/retest

tolusha changed the title from "chore: Configure DWI with tlsCertificateConfigmapRef when certificates imported to che-operator" to "chore: Configure DWO with tlsCertificateConfigmapRef when certificates imported to che-operator" on Jun 23, 2026