chore: Improve mounting certs into users containers (#1980)

[tolusha]

• chore: Improve mounting certs into users containers

What does this PR do?

chore: Improve mounting certs into users containers (#1980)

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

How to test this PR?

1. Deploy the operator:

chectl update stable
chectl server:deploy --che-operator-image=quay.io/abazko/operator:CRW-8316-7.100

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• Development resource are up to date
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ibuziuk, tolusha

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dmytro-ndp]

@tolusha : PR has been tested using Eclipse Che 7.100 with operator container quay.io/abazko/operator:CRW-8316-7.100 installed on OpenShift v7.100.

Test results based on test scenario from PR #1980:

1. che-trusted-ca-certs dind't exist in a user namespace

$ oc get configmaps -n admin-che che-trusted-ca-certs
Error from server (NotFound): configmaps "che-trusted-ca-certs" not found

2. empty workspace didn't have /public-certs directory mounted

$ oc exec -n admin-che workspaced47c385b8232443e-d8584b7d8-gqwr2 -c universal-developer-image -- ls /public-certs
ls: cannot access '/public-certs': No such file or directory

3. tls-ca-bundle.pem file was a new file in the workspace directory

$ oc exec -n admin-che workspacefe9042f2a64a42a3-58d9d877cb-9gw7r -c tools -- ls /etc/pki/ca-trust/extracted/pem -l
total 888
-rw-r--r--. 1 root root          898 Aug 29  2023 README
-r--r--r--. 1 root root       170226 May 23  2024 email-ca-bundle.pem
-r--r--r--. 1 root root       495529 May 23  2024 objsign-ca-bundle.pem
-rw-r-----. 1 root 1000770000 236259 Mar 24 21:14 tls-ca-bundle.pem

4. after disabling workspace mounting certs the size of ca-certs-merged was pretty small:, and tls-ca-bundle.pem file wasn't a new file in the workspace directory.

$ oc get configmaps -n admin-che ca-certs-merged -o json | jq '.data."tls-ca-bundle.pem" | length'
10888

$ oc exec -n admin-che workspacefe9042f2a64a42a3-d9b656c55-ck658 -c tools -- ls /etc/pki/ca-trust/extracted/pem -l
total 876
-rw-r--r--. 1 root root    898 Aug 29  2023 README
-r--r--r--. 1 root root 170226 May 23  2024 email-ca-bundle.pem
-r--r--r--. 1 root root 495529 May 23  2024 objsign-ca-bundle.pem
-r--r--r--. 1 root root 222082 May 23  2024 tls-ca-bundle.pem

At the same time I noticed that ca-certs ConfigMap contained only "ca-bundle.crt" cert (step 21 from PR #1980):

$ oc get configmaps -n eclipse-che ca-certs -o yaml
apiVersion: v1
data:
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy
    ZXNzLW9wZXJhdG9yQDE3MzQxMjI5ODAwHhcNMjQxMjEzMjA0OTM5WhcNMjYxMjEz
    MjA0OTQwWjAmMSQwIgYDVQQDDBtpbmdyZXNzLW9wZXJhdG9yQDE3MzQxMjI5ODAw
    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWEAb8145gN8ojriSqQgNF
    pbuFtP/FsOAgGKZarc5SE/ULNgSQNhTNFx/LopsVuw8JVoz+17SsIuDCTDW9GWYu
    5xgJjHrZNPMO3uktripdvvc9vyS1X6e8NO1+US7/5D/oYOHaBkJ2LayExIMdRR3w
    z+0hlLLJc/bayzgQZxpbmlHNrNWZfqFq+T5GLlCYlyF1iEMNgzWkuBPpn6M8/99m
    zsosGuoWN19hY70ktEPV9vAOZYeWf/PoNVFw7yhpNF6N5W1ssRtX4Mm/8f/01Gp4
    Tc0ZV4emsNxzJBZ3Pznyg4NXj4C+YObQwxLIhLsLxD4MiVIMd59c+7lD8XOGnEyp
    AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
    A1UdDgQWBBSnfzKpQc6FfekcTK2GNySaAKiKMzANBgkqhkiG9w0BAQsFAAOCAQEA
    W7/8ZctGyNVw/4WgyNs9MOs6I4h/MPMIX71V0o//CxnHqZeZZMxZP+ImdiL4mFXh
    S/x6cRqMXgkJ2yaUF96fzRSL0C3KePT9+SuhwwEsuVogzAJP7nhzMjq6dX2t2YoP
    1caH/wqtaPQB4S1jCo2IJR8HIiKV6duflJh7CFWsPwiz2freDalwTZoW4WBDcQBF
    WMTP4HsIpqYs9zIpp6/sRkoaS7PuurZPJj02G7g54TeaMBsof61QxQU6iVJ47J04
    s+xZ9A09iON7efumFQOCemV6TKfHLO4hlbDhKFM43dbLtssSJZfdesXLju7HSngG
    uyr8ILatOKOydxsu0BoLSg==
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: "2025-03-24T17:40:17Z"
  labels:
    app.kubernetes.io/component: ca-bundle
    app.kubernetes.io/instance: che
    app.kubernetes.io/managed-by: che-operator
    app.kubernetes.io/name: che
    app.kubernetes.io/part-of: che.eclipse.org
  name: ca-certs
  namespace: eclipse-che
  ownerReferences:
  - apiVersion: org.eclipse.che/v2
    blockOwnerDeletion: true
    controller: true
    kind: CheCluster
    name: eclipse-che
    uid: 6b1a12c9-a4c5-4e9c-b15d-34d922927fc4
  resourceVersion: "1261903"
  uid: 535c2f63-2379-4e42-9c95-83a1d27fa802

And I observed the same result when tested PR into the main branch.

If it was a correct behavior, feel free to merge the PR.

[tolusha]

@dmytro-ndp
Thank you for testing, the tested results are correct.

[devspacesbuild]

Build 3.20 :: operator_3.20/2: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: sync-to-downstream_3.20/68: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/94: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: push-latest-container-to-quay_3.20/14: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/94:

devspaces-operator : 3.20 :: Build 67099512 : quay.io/devspaces/devspaces-rhel9-operator:3.20-10
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.20/14 triggered

[devspacesbuild]

Build 3.20 :: update-digests_3.20/53: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: operator_3.20/2:

Upstream sync done; /DS_CI/sync-to-downstream_3.20/68 triggered

[devspacesbuild]

Build 3.20 :: operator-bundle_3.20/50: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: sync-to-downstream_3.20/69: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/95: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: push-latest-container-to-quay_3.20/15: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: copyIIBsToQuay/2938: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/95:

devspaces-operator-bundle : 3.20 :: Build 67099874 : quay.io/devspaces/devspaces-operator-bundle:3.20-2
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.20/15 triggered;

Bundle CSV related images:
- quay.io/devspaces-tech-preview/idea-rhel9:
- quay.io/devspaces-tech-preview/jetbrains-ide-rhel9:
- quay.io/devspaces/code-rhel9:3.20-1
- quay.io/devspaces/configbump-rhel9:3.20-5
- quay.io/devspaces/dashboard-rhel9:3.20-6
- quay.io/devspaces/devspaces-rhel9-operator:3.20-10
- quay.io/devspaces/pluginregistry-rhel9:3.20-3
- quay.io/devspaces/server-rhel9:3.20-11
- quay.io/devspaces/traefik-rhel9:3.20-1
- quay.io/devspaces/udi-rhel9:3.20-3
- quay.io/openshift4/ose-kube-rbac-proxy:3.20-3
- quay.io/openshift4/ose-oauth-proxy:3.20-3
- quay.io/ubi8/ubi-minimal:3.20-3

[devspacesbuild]

Build 3.20 :: operator-bundle_3.20/65: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: sync-to-downstream_3.20/99: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/152: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: push-latest-container-to-quay_3.20/42: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/152:

devspaces-operator-bundle : 3.20 :: Build 67255776 : quay.io/devspaces/devspaces-operator-bundle:3.20-16
SUCCESS; copied to quay; Warning: /DS_CI/push-latest-container-to-quay_3.20;

Bundle CSV related images:
- quay.io/devspaces-tech-preview/idea-rhel9:
- quay.io/devspaces-tech-preview/jetbrains-ide-rhel9:
- quay.io/devspaces/code-rhel9:3.20-5
- quay.io/devspaces/configbump-rhel9:3.20-5
- quay.io/devspaces/dashboard-rhel9:3.20-7
- quay.io/devspaces/devspaces-rhel9-operator:3.20-10
- quay.io/devspaces/pluginregistry-rhel9:3.20-10
- quay.io/devspaces/server-rhel9:3.20-13
- quay.io/devspaces/traefik-rhel9:3.20-1
- quay.io/devspaces/udi-rhel9:3.20-8
= registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.14.0-202502191335.p0.gb8b8259.assembly.stream.el8
= registry.redhat.io/openshift4/ose-oauth-proxy:v4.14.0-202502171705.p0.ga4a2f27.assembly.stream.el8
= registry.redhat.io/ubi8/ubi-minimal:8.8-1072.1697626218

[devspacesbuild]

Build 3.20 :: operator-bundle_3.20/66: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: sync-to-downstream_3.20/100: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/153: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/153:

devspaces-operator-bundle : 3.20 ::
; copied to quay

[devspacesbuild]

Build 3.20 :: operator-bundle_3.20/67: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: sync-to-downstream_3.20/101: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/154: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: push-latest-container-to-quay_3.20/43: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/154:

devspaces-operator-bundle : 3.20 :: Build 67257746 : quay.io/devspaces/devspaces-operator-bundle:3.20-18
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.20/43 triggered;

Bundle CSV related images:
- quay.io/devspaces-tech-preview/idea-rhel9:
- quay.io/devspaces-tech-preview/jetbrains-ide-rhel9:
- quay.io/devspaces/code-rhel9:3.20-5
- quay.io/devspaces/configbump-rhel9:3.20-5
- quay.io/devspaces/dashboard-rhel9:3.20-7
- quay.io/devspaces/devspaces-rhel9-operator:3.20-10
- quay.io/devspaces/pluginregistry-rhel9:3.20-6
- quay.io/devspaces/server-rhel9:3.20-13
- quay.io/devspaces/traefik-rhel9:3.20-1
- quay.io/devspaces/udi-rhel9:3.20-8
= registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.14.0-202502191335.p0.gb8b8259.assembly.stream.el8
= registry.redhat.io/openshift4/ose-oauth-proxy:v4.14.0-202502171705.p0.ga4a2f27.assembly.stream.el8
= registry.redhat.io/ubi8/ubi-minimal:8.8-1072.1697626218

[devspacesbuild]

Build 3.20 :: sync-to-downstream_3.20/101:

Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.20/154 triggered; /job/DS_CI/job/dsc_3.20 triggered;

[devspacesbuild]

Build 3.20 :: operator-bundle_3.20/67:

Upstream sync done; /DS_CI/sync-to-downstream_3.20/101 triggered

[devspacesbuild]

Build 3.20 :: copyIIBsToQuay/2952: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: dsc_3.20/14: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: dsc_3.20/14:

3.20.0-CI

[devspacesbuild]

Build 3.20 :: operator-bundle_3.20/68: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: operator-bundle_3.20/69: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: sync-to-downstream_3.20/102: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/155: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: push-latest-container-to-quay_3.20/44: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: copyIIBsToQuay/2953: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: get-sources-rhpkg-container-build_3.20/155:

devspaces-operator-bundle : 3.20 :: Build 67265100 : quay.io/devspaces/devspaces-operator-bundle:3.20-19
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.20/44 triggered;

Bundle CSV related images:
- quay.io/devspaces-tech-preview/idea-rhel9:
- quay.io/devspaces-tech-preview/jetbrains-ide-rhel9:
- quay.io/devspaces/code-rhel9:3.20-5
- quay.io/devspaces/configbump-rhel9:3.20-5
- quay.io/devspaces/dashboard-rhel9:3.20-7
- quay.io/devspaces/devspaces-rhel9-operator:3.20-10
- quay.io/devspaces/pluginregistry-rhel9:3.20-6
- quay.io/devspaces/server-rhel9:3.20-13
- quay.io/devspaces/traefik-rhel9:3.20-1
- quay.io/devspaces/udi-rhel9:3.20-8
= registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.14.0-202502191335.p0.gb8b8259.assembly.stream.el8
= registry.redhat.io/openshift4/ose-oauth-proxy:v4.14.0-202502171705.p0.ga4a2f27.assembly.stream.el8
= registry.redhat.io/ubi8/ubi-minimal:8.8-1072.1697626218

[devspacesbuild]

Build 3.20 :: sync-to-downstream_3.20/102:

Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.20/155 triggered; /job/DS_CI/job/dsc_3.20 triggered;

[devspacesbuild]

Build 3.20 :: operator-bundle_3.20/69:

Upstream sync done; /DS_CI/sync-to-downstream_3.20/102 triggered

[devspacesbuild]

Build 3.20 :: dsc_3.20/15: Console, Changes, Git Data

[devspacesbuild]

Build 3.20 :: dsc_3.20/15:

3.20.0-CI