chore: sync only custom certificate instead of whole bundle

[tolusha]

What does this PR do?

chore: sync only custom certificate instead of whole bundle

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

https://issues.redhat.com/browse/CRW-8316

How to test this PR?

1. Prepare a patch file if needed:

cat > /tmp/cr-patch.yaml <<EOF
apiVersion: org.eclipse.che/v2
kind: CheCluster
spec: {}
EOF

2. Deploy the operator:

OpenShift

./build/scripts/olm/test-catalog-from-sources.sh --cr-patch-yaml /tmp/cr-patch.yaml

on Minikube

./build/scripts/minikube-tests/test-operator-from-sources.sh --cr-patch-yaml /tmp/cr-patch.yaml

3. Patch subscription (switching to old behavior)
   oc patch subs eclipse-che --patch '{"spec": {"config": {"env": [{"name": "CHE_OPERATOR_CERTIFICATES_SYNC_CUSTOM_OPENSHIFT_CERTIFICATE_ONLY", "value": "false"}]}}}' --type=merge -n eclipse-che

4. Login Eclipse Che (open dashboard)

5. Check size of the ca-certs-merged CM in a user namespace

$ oc get configmaps -n <..> ca-certs-merged -o json | jq '.data."tls-ca-bundle.pem" | length'
238783

6. Add custom certificate to the OpenShift
   https://docs.openshift.com/container-platform/4.17/security/certificates/updating-ca-bundle.html#ca-bundle-replacing_updating-ca-bundle

7. Start sync only custom certificate
   oc patch subs eclipse-che --patch '{"spec": {"config": {"env": [{"name": "CHE_OPERATOR_CERTIFICATES_SYNC_CUSTOM_OPENSHIFT_CERTIFICATE_ONLY", "value": "true"}]}}}' --type=merge -n eclipse-che

8. Check size of the ca-certs-merged CM in a user namespace

$ oc get configmaps -n <..> ca-certs-merged -o json | jq '.data."tls-ca-bundle.pem" | length'
12297

9. The size of the CM should be reduced

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• Development resource are up to date
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tolusha

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@tolusha: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/v14-che-operator-update	291de19	link	true	/test v14-che-operator-update

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.