eclipse-che
diff --git a/‎api/v2/checluster_types.go‎
Lines changed: 29 additions & 0 deletions b/‎api/v2/checluster_types.go‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎api/v2/zz_generated.deepcopy.go‎
Lines changed: 59 additions & 0 deletions b/‎api/v2/zz_generated.deepcopy.go‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml‎
Lines changed: 3 additions & 3 deletions b/‎bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml‎
Lines changed: 27 additions & 0 deletions b/‎bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎config/crd/bases/org.eclipse.che_checlusters.yaml‎
Lines changed: 27 additions & 0 deletions b/‎config/crd/bases/org.eclipse.che_checlusters.yaml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎controllers/devworkspace/defaults/defaults.go‎
Lines changed: 0 additions & 11 deletions b/‎controllers/devworkspace/defaults/defaults.go‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎controllers/devworkspace/solver/che_routing.go‎
Lines changed: 17 additions & 10 deletions b/‎controllers/devworkspace/solver/che_routing.go‎
Lines changed: 17 additions & 10 deletions
@@ -220,6 +220,9 @@ type CheClusterDevEnvironments struct {
 	// AllowedSources defines the allowed sources on which workspaces can be started.
 	// +optional
 	AllowedSources *AllowedSources `json:"allowedSources,omitempty"`
+	// Configuration settings related to the workspaces networking.
+	// +optional
+	Networking *DevEnvironmentNetworking `json:"networking,omitempty"`
 }
 
 // Che components configuration.
@@ -288,6 +291,26 @@ type CheClusterSpecNetworking struct {
 	Auth Auth `json:"auth"`
 }
 
+type DevEnvironmentNetworking struct {
+	// External TLS configuration.
+	// +optional
+	ExternalTLSConfig *ExternalTLSConfig `json:"externalTLSConfig,omitempty"`
+}
+
+type ExternalTLSConfig struct {
+	// Enabled determines whether external TLS configuration is used.
+	// If set to true, the operator will not set TLS config for ingress/route objects.
+	// Instead, it ensures that any custom TLS configuration will not be reverted on synchronization.
+	// +optional
+	Enabled *bool `json:"enabled"`
+	// Labels to be applied to ingress/route objects when external TLS is enabled.
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+	// Annotations to be applied to ingress/route objects when external TLS is enabled.
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
 // Container registry configuration.
 // +k8s:openapi-gen=true
 type CheClusterContainerRegistry struct {
@@ -1089,3 +1112,9 @@ func (c *CheCluster) IsDisableWorkspaceCaBundleMount() bool {
 		c.Spec.DevEnvironments.TrustedCerts.DisableWorkspaceCaBundleMount != nil &&
 		*c.Spec.DevEnvironments.TrustedCerts.DisableWorkspaceCaBundleMount
 }
+
+func (c *CheCluster) IsDevEnvironmentExternalTLSConfigEnabled() bool {
+	return c.Spec.DevEnvironments.Networking != nil &&
+		c.Spec.DevEnvironments.Networking.ExternalTLSConfig != nil &&
+		*c.Spec.DevEnvironments.Networking.ExternalTLSConfig.Enabled
+}
@@ -86,7 +86,7 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:next
-    createdAt: "2025-08-12T12:15:28Z"
+    createdAt: "2025-08-13T09:20:10Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     features.operators.openshift.io/cnf: "false"
@@ -108,7 +108,7 @@ metadata:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.arm64: supported
     operatorframework.io/os.linux: supported
-  name: eclipse-che.v7.108.0-937.next
+  name: eclipse-che.v7.108.0-939.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1141,7 +1141,7 @@ spec:
       name: gateway-authorization-sidecar-k8s
     - image: quay.io/che-incubator/header-rewrite-proxy:latest
       name: gateway-header-sidecar
-  version: 7.108.0-937.next
+  version: 7.108.0-939.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1
 
@@ -7134,6 +7134,33 @@ spec:
                       format: int64
                       minimum: -1
                       type: integer
+                    networking:
+                      description: Configuration settings related to the workspaces
+                        networking.
+                      properties:
+                        externalTLSConfig:
+                          description: External TLS configuration.
+                          properties:
+                            annotations:
+                              additionalProperties:
+                                type: string
+                              description: Annotations to be applied to ingress/route
+                                objects when external TLS is enabled.
+                              type: object
+                            enabled:
+                              description: |-
+                                Enabled determines whether external TLS configuration is used.
+                                If set to true, the operator will not set TLS config for ingress/route objects.
+                                Instead, it ensures that any custom TLS configuration will not be reverted on synchronization.
+                              type: boolean
+                            labels:
+                              additionalProperties:
+                                type: string
+                              description: Labels to be applied to ingress/route objects
+                                when external TLS is enabled.
+                              type: object
+                          type: object
+                      type: object
                     nodeSelector:
                       additionalProperties:
                         type: string
 
@@ -7087,6 +7087,33 @@ spec:
                     format: int64
                     minimum: -1
                     type: integer
+                  networking:
+                    description: Configuration settings related to the workspaces
+                      networking.
+                    properties:
+                      externalTLSConfig:
+                        description: External TLS configuration.
+                        properties:
+                          annotations:
+                            additionalProperties:
+                              type: string
+                            description: Annotations to be applied to ingress/route
+                              objects when external TLS is enabled.
+                            type: object
+                          enabled:
+                            description: |-
+                              Enabled determines whether external TLS configuration is used.
+                              If set to true, the operator will not set TLS config for ingress/route objects.
+                              Instead, it ensures that any custom TLS configuration will not be reverted on synchronization.
+                            type: boolean
+                          labels:
+                            additionalProperties:
+                              type: string
+                            description: Labels to be applied to ingress/route objects
+                              when external TLS is enabled.
+                            type: object
+                        type: object
+                    type: object
                   nodeSelector:
                     additionalProperties:
                       type: string
 
@@ -15,8 +15,6 @@ package defaults
 import (
 	chev2 "github.com/eclipse-che/che-operator/api/v2"
 	"github.com/eclipse-che/che-operator/pkg/common/constants"
-	"github.com/eclipse-che/che-operator/pkg/deploy"
-	ctrl "sigs.k8s.io/controller-runtime"
 )
 
 const (
@@ -30,8 +28,6 @@ const (
 )
 
 var (
-	log = ctrl.Log.WithName("defaults")
-
 	// If this looks weirdly out of place to you from all other labels, then you're completely right!
 	// These labels are the default ones used by che-operator and Che7. Let's keep the defaults
 	// the same for the ease of translation...
@@ -64,13 +60,6 @@ func AddStandardLabelsFromNames(appName string, component string, labels map[str
 	return labels
 }
 
-func GetIngressAnnotations(cluster *chev2.CheCluster) map[string]string {
-	if len(cluster.Spec.Networking.Annotations) > 0 {
-		return cluster.Spec.Networking.Annotations
-	}
-	return deploy.DefaultIngressAnnotations
-}
-
 func GetGatewayWorkspaceConfigMapLabels(cluster *chev2.CheCluster) map[string]string {
 	if len(cluster.Spec.Networking.Auth.Gateway.ConfigLabels) > 0 {
 		return cluster.Spec.Networking.Auth.Gateway.ConfigLabels
 
@@ -1,5 +1,5 @@
 //
-// Copyright (c) 2019-2023 Red Hat, Inc.
+// Copyright (c) 2019-2025 Red Hat, Inc.
 // This program and the accompanying materials are made
 // available under the terms of the Eclipse Public License 2.0
 // which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -444,29 +444,33 @@ func normalize(username string) string {
 	return strings.ToLower(result)
 }
 
-func (c *CheRoutingSolver) getInfraSpecificExposer(cheCluster *chev2.CheCluster, routing *dwo.DevWorkspaceRouting, objs *solvers.RoutingObjects, endpointStrategy EndpointStrategy) (func(info *EndpointInfo), error) {
+func (c *CheRoutingSolver) getInfraSpecificExposer(cheCluster *chev2.CheCluster, routing *dwo.DevWorkspaceRouting, objs *solvers.RoutingObjects, endpointStrategy EndpointStrategy) (func(info *EndpointInfo) error, error) {
 	if infrastructure.IsOpenShift() {
 		exposer := &RouteExposer{}
 		if err := exposer.initFrom(context.TODO(), c.client, cheCluster, routing); err != nil {
 			return nil, err
 		}
-		return func(info *EndpointInfo) {
-			route := exposer.getRouteForService(info, endpointStrategy)
-			objs.Routes = append(objs.Routes, route)
+		return func(info *EndpointInfo) error {
+			route, err := exposer.getRouteForService(context.TODO(), info, endpointStrategy, c.client, cheCluster)
+			if route != nil {
+				objs.Routes = append(objs.Routes, *route)
+			}
+			return err
 		}, nil
 	} else {
 		exposer := &IngressExposer{}
-		if err := exposer.initFrom(context.TODO(), c.client, cheCluster, routing, dwdefaults.GetIngressAnnotations(cheCluster)); err != nil {
+		if err := exposer.initFrom(context.TODO(), c.client, cheCluster, routing); err != nil {
 			return nil, err
 		}
-		return func(info *EndpointInfo) {
-			ingress := exposer.getIngressForService(info, endpointStrategy)
+		return func(info *EndpointInfo) error {
+			ingress := exposer.getIngressForService(info, endpointStrategy, cheCluster)
 			objs.Ingresses = append(objs.Ingresses, ingress)
+			return nil
 		}, nil
 	}
 }
 
-func exposeAllEndpoints(cheCluster *chev2.CheCluster, routing *dwo.DevWorkspaceRouting, objs *solvers.RoutingObjects, ingressExpose func(*EndpointInfo), endpointStrategy EndpointStrategy) (*corev1.ConfigMap, error) {
+func exposeAllEndpoints(cheCluster *chev2.CheCluster, routing *dwo.DevWorkspaceRouting, objs *solvers.RoutingObjects, ingressExpose func(*EndpointInfo) error, endpointStrategy EndpointStrategy) (*corev1.ConfigMap, error) {
 	wsRouteConfig := gateway.CreateEmptyTraefikConfig()
 
 	commonService := getCommonService(objs, routing.Spec.DevWorkspaceId)
@@ -503,7 +507,7 @@ func exposeAllEndpoints(cheCluster *chev2.CheCluster, routing *dwo.DevWorkspaceR
 				if err != nil {
 					return nil, err
 				}
-				ingressExpose(&EndpointInfo{
+				err = ingressExpose(&EndpointInfo{
 					order:         order,
 					componentName: componentName,
 					endpointName:  e.Name,
@@ -512,6 +516,9 @@ func exposeAllEndpoints(cheCluster *chev2.CheCluster, routing *dwo.DevWorkspaceR
 					service:       service,
 					annotations:   e.Annotations,
 				})
+				if err != nil {
+					return nil, err
+				}
 				order = order + 1
 			}
 		}