@tolusha tolusha commented Sep 9, 2025

What does this PR do?

  • Ensure ca-certs-merged CM is resynced when disableWorkspaceCaBundleMount is updated
  • Set 0444 permissions for mounted tls-ca-bundle.pem file
  • Refactoring

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

eclipse-che/che#23533

How to test this PR?

  1. Prepare a patch file if needed:

    cat > /tmp/cr-patch.yaml <<EOF
    apiVersion: org.eclipse.che/v2
    kind: CheCluster
    spec: {}
    EOF

  2. Deploy the operator:

     on Minikube

    ./build/scripts/minikube-tests/test-operator-from-sources.sh --cr-patch-yaml /tmp/cr-patch.yaml

  3. Update the disableWorkspaceCaBundleMount field:

    spec:
      devEnvironments:
        trustedCerts:
          disableWorkspaceCaBundleMount: true|false

Ensure that the ca-certs-merged CM annotations are updated accordingly.

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.

openshift-ci bot commented Sep 9, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tolusha tolusha changed the title fix: Resync ca-certs-merged CM after annotations/labels changed fix: Ensure ca-certs-merged CM is resynced when annotations updated Sep 10, 2025
codecov bot commented Sep 11, 2025

Codecov Report

❌ Patch coverage is 95.34884% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.32%. Comparing base (f1d91dc) to head (d43da37).
⚠️ Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
pkg/common/diffs/diffs.go 77.77% 6 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2041      +/-   ##
==========================================
+ Coverage   58.22%   58.32%   +0.10%     
==========================================
  Files          90       90              
  Lines       12401    12312      -89     
==========================================
- Hits         7220     7181      -39     
+ Misses       4679     4634      -45     
+ Partials      502      497       -5     

@tolusha tolusha marked this pull request as ready for review September 11, 2025 08:27
@tolusha tolusha changed the title fix: Ensure ca-certs-merged CM is resynced when annotations updated fix: Ensure ca-certs-merged CM is resynced when disableWorkspaceCaBundleMount updated Sep 11, 2025
@tolusha tolusha changed the title fix: Ensure ca-certs-merged CM is resynced when disableWorkspaceCaBundleMount updated fix: ensure ca-certs-merged CM is resynced when disableWorkspaceCaBundleMount updated Sep 11, 2025
@tolusha tolusha changed the title fix: ensure ca-certs-merged CM is resynced when disableWorkspaceCaBundleMount updated fix: ensure ca-certs-merged CM is resynced when disableWorkspaceCaBundleMount changed Sep 11, 2025
@akurinnoy akurinnoy left a comment

LGTM

rohanKanojia commented Sep 15, 2025

Tested it with the following steps and it worked as expected ✔️ :

  1. Start minikube
  2. Create Patch file with no trustedCerts field:

    cat > /tmp/cr-patch.yaml <<EOF
    apiVersion: org.eclipse.che/v2
    kind: CheCluster
    spec: {}
    EOF

  3. Checkout this branch and install che-operator:

    ./build/scripts/minikube-tests/test-operator-from-sources.sh --cr-patch-yaml /tmp/cr-patch.yaml

  4. After che-operator is installed, verify annotations of ca-certs-merged ConfigMap in namespace eclipse-che:

    kubectl get cm ca-certs-merged -neclipse-che -o yaml

    ...
    kind: ConfigMap
    metadata:
      annotations:
        controller.devfile.io/mount-as: subpath
        controller.devfile.io/mount-path: /etc/pki/ca-trust/extracted/pem

  5. Edit CheCluster custom resource in eclipse-che namespace to add this field:

    kubectl edit checluster -n eclipse-che

    # Add the following to devEnvironments
        trustedCerts:
          disableWorkspaceCaBundleMount: true

  6. Check ca-certs-managed ConfigMap again to see if annotations are updated:

    kubectl get cm ca-certs-merged -neclipse-che -o yaml
    ...
    kind: ConfigMap
    metadata:
      annotations:
        controller.devfile.io/mount-access-mode: "0444"
        controller.devfile.io/mount-as: file
        controller.devfile.io/mount-path: /public-certs
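
The manual check in the comment above, as an added shell example that is not part of the PR or of che-operator: it compares the annotations of ca-certs-merged with the values shown in that comment for each setting of disableWorkspaceCaBundleMount and reports any that were not resynced. The function names and the sample YAML are constructed, and treating `false` like an unset field is an assumption.

```bash
#!/usr/bin/env bash
# Added example: detect stale annotations on ca-certs-merged after the flag changes.

# Print the value of one annotation from ConfigMap YAML on stdin (quotes stripped).
annotation_value() {
  awk -v k="$1:" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# check_ca_bundle_annotations <true|false>, ConfigMap YAML on stdin.
# Returns 0 when every expected annotation matches, 1 when any is stale or missing.
check_ca_bundle_annotations() {
  local disabled="$1" yaml expected key want got rc=0
  yaml="$(cat)"
  if [ "$disabled" = "true" ]; then
    expected="controller.devfile.io/mount-as=file
controller.devfile.io/mount-path=/public-certs
controller.devfile.io/mount-access-mode=0444"
  else  # assumption: false behaves like the unset field in the comment
    expected="controller.devfile.io/mount-as=subpath
controller.devfile.io/mount-path=/etc/pki/ca-trust/extracted/pem"
  fi
  while IFS='=' read -r key want; do
    got="$(printf '%s\n' "$yaml" | annotation_value "$key")"
    if [ "$got" != "$want" ]; then
      echo "STALE $key: got '${got:-<unset>}', want '$want'" >&2
      rc=1
    fi
  done <<EOF
$expected
EOF
  return "$rc"
}

# Constructed sample: the annotations reported before the flag was set.
SAMPLE_BEFORE='kind: ConfigMap
metadata:
  annotations:
    controller.devfile.io/mount-as: subpath
    controller.devfile.io/mount-path: /etc/pki/ca-trust/extracted/pem'

# Flag is true but the ConfigMap still carries the old annotations: not resynced.
if ! printf '%s\n' "$SAMPLE_BEFORE" | check_ca_bundle_annotations true; then
  echo "ca-certs-merged was not resynced"
fi
```

Against a cluster, pipe `kubectl get cm ca-certs-merged -neclipse-che -o yaml` into `check_ca_bundle_annotations true` (or `false`) after editing the CheCluster.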

openshift-ci bot commented Sep 15, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia, tolusha

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tolusha tolusha merged commit b6cce2d into main Sep 16, 2025
23 checks passed
@tolusha tolusha deleted the 23533 branch September 16, 2025 07:02