Merge pull request #627 from harshad16/include-service-ca

harshad16 · web-flow · commit 22c635d09c9d · 2025-06-20T09:09:57.000-04:00
[RHOAIENG-363] Include service-ca cert bundle to workbench-ca bundle
diff --git a/components/odh-notebook-controller/controllers/notebook_controller.go b/components/odh-notebook-controller/controllers/notebook_controller.go
@@ -56,6 +56,12 @@ const (
 	AnnotationLogoutUrl               = "notebooks.opendatahub.io/oauth-logout-url"
 )
 
+const (
+	OdhConfigMapName        = "odh-trusted-ca-bundle"    // Use ODH Trusted CA Bundle Contains ca-bundle.crt and odh-ca-bundle.crt
+	SelfSignedConfigMapName = "kube-root-ca.crt"         // Self-Signed Certs Contains ca.crt
+	ServiceCAConfigMapName  = "openshift-service-ca.crt" // Service CA Bundle Contains service-ca.crt
+)
+
 // OpenshiftNotebookReconciler holds the controller configuration.
 type OpenshiftNotebookReconciler struct {
 	client.Client
@@ -285,14 +291,13 @@ func (r *OpenshiftNotebookReconciler) CreateNotebookCertConfigMap(notebook *nbv1
 	// Initialize logger format
 	log := r.Log.WithValues("notebook", notebook.Name, "namespace", notebook.Namespace)
 
-	rootCertPool := [][]byte{}                    // Root certificate pool
-	odhConfigMapName := "odh-trusted-ca-bundle"   // Use ODH Trusted CA Bundle Contains ca-bundle.crt and odh-ca-bundle.crt
-	selfSignedConfigMapName := "kube-root-ca.crt" // Self-Signed Certs Contains ca.crt
+	rootCertPool := [][]byte{} // Root certificate pool
 
-	configMapList := []string{odhConfigMapName, selfSignedConfigMapName}
+	configMapList := []string{OdhConfigMapName, SelfSignedConfigMapName, ServiceCAConfigMapName}
 	configMapFileNames := map[string][]string{
-		odhConfigMapName:        {"ca-bundle.crt", "odh-ca-bundle.crt"},
-		selfSignedConfigMapName: {"ca.crt"},
+		OdhConfigMapName:        {"ca-bundle.crt", "odh-ca-bundle.crt"},
+		SelfSignedConfigMapName: {"ca.crt"},
+		ServiceCAConfigMapName:  {"service-ca.crt"},
 	}
 
 	for _, configMapName := range configMapList {
@@ -301,7 +306,7 @@ func (r *OpenshiftNotebookReconciler) CreateNotebookCertConfigMap(notebook *nbv1
 		if err := r.Get(ctx, client.ObjectKey{Namespace: notebook.Namespace, Name: configMapName}, configMap); err != nil {
 			// if configmap odh-trusted-ca-bundle is not found,
 			// no need to create the workbench-trusted-ca-bundle
-			if apierrs.IsNotFound(err) && configMapName == odhConfigMapName {
+			if apierrs.IsNotFound(err) && configMapName == OdhConfigMapName {
 				return nil
 			}
 			log.Info("Unable to fetch ConfigMap", "configMap", configMapName)
@@ -500,9 +505,9 @@ func (r *OpenshiftNotebookReconciler) SetupWithManager(mgr ctrl.Manager) error {
 			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, o client.Object) []reconcile.Request {
 				log := r.Log.WithValues("namespace", o.GetNamespace(), "name", o.GetName())
 
-				// If the ConfigMap is odh-trusted-ca-bundle or kube-root-ca.crt
+				// If the ConfigMap name matches on of our interested ConfigMaps
 				// trigger a reconcile event for first notebook in the namespace
-				if o.GetName() == "odh-trusted-ca-bundle" {
+				if o.GetName() == OdhConfigMapName || o.GetName() == SelfSignedConfigMapName || o.GetName() == ServiceCAConfigMapName {
 					// List all the notebooks in the namespace and trigger a reconcile event
 					var nbList nbv1.NotebookList
 					if err := r.List(ctx, &nbList, client.InNamespace(o.GetNamespace())); err != nil {
diff --git a/components/odh-notebook-controller/controllers/notebook_controller_test.go b/components/odh-notebook-controller/controllers/notebook_controller_test.go
@@ -263,14 +263,32 @@ var _ = Describe("The Openshift Notebook controller", func() {
 					"odh-ca-bundle.crt": "-----BEGIN CERTIFICATE-----\nMIGrMF+gAwIBAgIBATAFBgMrZXAwADAeFw0yNDExMTMyMzI2NTlaFw0yNTExMTMy\nMzI2NTlaMAAwKjAFBgMrZXADIQB/v02zcoIIcuan/8bd7cvrBuCGTuVZBrYr1RdA\n0k58yzAFBgMrZXADQQBKsL1tkpOZ6NW+zEX3mD7bhmhxtODQHnANMXEXs0aljWrm\nAxDrLdmzsRRYFYxe23OdXhWqPs8SfO8EZWEvXoME\n-----END CERTIFICATE-----",
 				})
 
+			serviceCACertBundle := &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "openshift-service-ca.crt",
+					Namespace: "default",
+					// Annotations: map[string]string{
+					// 	"service.beta.openshift.io/inject-cabundle": "true",
+					// },
+				},
+				Data: map[string]string{
+					"service-ca.crt": "-----BEGIN CERTIFICATE-----\nMIIBATCBtKADAgECAgEBMAUGAytlcDAAMB4XDTI1MDYxNjE2MTg0MVoXDTI2MDYx\nNjE2MTg0MVowADAqMAUGAytlcAMhAP7g8UxhoFPZXQiy4sSbOsLrlXq2RgFTzQOD\nj8O8e9qmo1MwUTAdBgNVHQ4EFgQUTCWpJDtMDVadBlVpkVTiLnCihqMwHwYDVR0j\nBBgwFoAUTCWpJDtMDVadBlVpkVTiLnCihqMwDwYDVR0TAQH/BAUwAwEB/zAFBgMr\nZXADQQDKpiapbn7ub7/hT7Whad9wbvIY8wXrWojgZXXbWaMQFV8i8GW7QN4w/C1p\nB8i0efvecoLP/mqmXNyl7KgTnC4D\n-----END CERTIFICATE-----",
+				},
+			}
+
 			// Create the ConfigMap
 			Expect(cli.Create(ctx, trustedCACertBundle)).Should(Succeed())
+			Expect(cli.Create(ctx, serviceCACertBundle)).Should(Succeed())
 			defer func() {
 				// Clean up the ConfigMap after the test
 				if err := cli.Delete(ctx, trustedCACertBundle); err != nil {
 					// Log the error without failing the test
 					logger.Info("Error occurred during deletion of ConfigMap: %v", err)
 				}
+				if err := cli.Delete(ctx, serviceCACertBundle); err != nil {
+					// Log the error without failing the test
+					logger.Info("Error occurred during deletion of ConfigMap: %v", err)
+				}
 			}()
 
 			By("By creating a new Notebook")
@@ -308,12 +326,12 @@ var _ = Describe("The Openshift Notebook controller", func() {
 			Expect(notebook.Spec.Template.Spec.Volumes).To(ContainElement(expectedVolume))
 
 			// Check the content in workbench-trusted-ca-bundle matches what we expect:
-			//   - have 2 certificates there in ca-bundle.crt
-			//   - both certificates are valid
+			//   - have 3 certificates there in ca-bundle.crt
+			//   - all certificates are valid
 			// TODO(RHOAIENG-15907): adding sleep to reduce flakiness
 			time.Sleep(2 * time.Second)
 			configMapName := "workbench-trusted-ca-bundle"
-			checkCertConfigMap(ctx, notebook.Namespace, configMapName, "ca-bundle.crt", 2)
+			checkCertConfigMap(ctx, notebook.Namespace, configMapName, "ca-bundle.crt", 3)
 		})
 
 	})
@@ -537,12 +555,12 @@ var _ = Describe("The Openshift Notebook controller", func() {
 			Expect(notebook.Spec.Template.Spec.Volumes).To(ContainElement(expectedVolume))
 
 			// Check the content in workbench-trusted-ca-bundle matches what we expect:
-			//   - have 2 certificates there in ca-bundle.crt
-			//   - both certificates are valid
+			//   - have 3 certificates there in ca-bundle.crt
+			//   - all certificates are valid
 			// TODO(RHOAIENG-15907): adding sleep to reduce flakiness
 			time.Sleep(2 * time.Second)
 			configMapName := "workbench-trusted-ca-bundle"
-			checkCertConfigMap(ctx, notebook.Namespace, configMapName, "ca-bundle.crt", 2)
+			checkCertConfigMap(ctx, notebook.Namespace, configMapName, "ca-bundle.crt", 3)
 		})
 	})
 
