Respect openshift cluster wide proxy (#272)

* Respect OpenShift cluster wide proxy

Signed-off-by: Anatoliy Bazko <abazko@redhat.com>

.vscode/launch.json

@@ -50,7 +50,8 @@
         "CONSOLE_LINK_IMAGE": "/dashboard/assets/branding/loader.svg",
         "CHE_IDENTITY_SECRET": "che-identity-secret",
         "CHE_IDENTITY_POSTGRES_SECRET": "che-identity-postgres-secret",
-        "CHE_POSTGRES_SECRET": "che-postgres-secret"
+        "CHE_POSTGRES_SECRET": "che-postgres-secret",
+        "CHE_SERVER_TRUST_STORE_CONFIGMAP_NAME": "ca-certs"
       },
       "cwd": "${workspaceFolder}",
       "args": [

deploy/cluster_role.yaml

@@ -30,8 +30,11 @@ rules:
     resources:
       - infrastructures
       - oauths
+      - proxies
     verbs:
       - get
+      - list
+      - watch
   - apiGroups:
       - user.openshift.io
     resources:

deploy/operator-local.yaml

@@ -81,3 +81,5 @@ spec:
               value: che-identity-postgres-secret
             - name: CHE_POSTGRES_SECRET
               value: che-postgres-secret
+            - name: CHE_SERVER_TRUST_STORE_CONFIGMAP_NAME
+              value: ca-certs

deploy/operator.yaml

@@ -80,6 +80,8 @@ spec:
               value: che-identity-postgres-secret
             - name: CHE_POSTGRES_SECRET
               value: che-postgres-secret
+            - name: CHE_SERVER_TRUST_STORE_CONFIGMAP_NAME
+              value: ca-certs
       restartPolicy: Always
       serviceAccountName: che-operator
       terminationGracePeriodSeconds: 5

olm/eclipse-che-preview-kubernetes/deploy/olm-catalog/eclipse-che-preview-kubernetes/9.9.9-nightly.1594209360/eclipse-che-preview-kubernetes.v9.9.9-nightly.1594209360.clusterserviceversion.yaml.diff

@@ -0,0 +1,34 @@
+--- /home/tolusha/gocode/src/github.com/eclipse/che-operator/olm/eclipse-che-preview-kubernetes/deploy/olm-catalog/eclipse-che-preview-kubernetes/9.9.9-nightly.1594133420/eclipse-che-preview-kubernetes.v9.9.9-nightly.1594133420.clusterserviceversion.yaml	2020-07-08 14:55:47.702990053 +0300
++++ /home/tolusha/gocode/src/github.com/eclipse/che-operator/olm/eclipse-che-preview-kubernetes/deploy/olm-catalog/eclipse-che-preview-kubernetes/9.9.9-nightly.1594209360/eclipse-che-preview-kubernetes.v9.9.9-nightly.1594209360.clusterserviceversion.yaml	2020-07-08 14:56:01.247006488 +0300
+@@ -52,12 +52,12 @@
+     categories: Developer Tools
+     certified: "false"
+     containerImage: quay.io/eclipse/che-operator:nightly
+-    createdAt: "2020-07-07T14:50:21Z"
++    createdAt: "2020-07-08T11:56:01Z"
+     description: A Kube-native development solution that delivers portable and collaborative
+       developer workspaces.
+     repository: https://github.com/eclipse/che-operator
+     support: Eclipse Foundation
+-  name: eclipse-che-preview-kubernetes.v9.9.9-nightly.1594133420
++  name: eclipse-che-preview-kubernetes.v9.9.9-nightly.1594209360
+   namespace: placeholder
+ spec:
+   apiservicedefinitions: {}
+@@ -288,6 +288,8 @@
+                   value: che-identity-postgres-secret
+                 - name: CHE_POSTGRES_SECRET
+                   value: che-postgres-secret
++                - name: CHE_SERVER_TRUST_STORE_CONFIGMAP_NAME
++                  value: ca-certs
+                 image: quay.io/eclipse/che-operator:nightly
+                 imagePullPolicy: Always
+                 name: che-operator
+@@ -397,5 +399,5 @@
+   maturity: stable
+   provider:
+     name: Eclipse Foundation
+-  replaces: eclipse-che-preview-kubernetes.v9.9.9-nightly.1594019197
+-  version: 9.9.9-nightly.1594133420
++  replaces: eclipse-che-preview-kubernetes.v9.9.9-nightly.1594133420
++  version: 9.9.9-nightly.1594209360

olm/eclipse-che-preview-kubernetes/deploy/olm-catalog/eclipse-che-preview-kubernetes/eclipse-che-preview-kubernetes.package.yaml

@@ -1,5 +1,5 @@
 channels:
-- currentCSV: eclipse-che-preview-kubernetes.v9.9.9-nightly.1594133420
+- currentCSV: eclipse-che-preview-kubernetes.v9.9.9-nightly.1594209360
   name: nightly
 - currentCSV: eclipse-che-preview-kubernetes.v7.15.1
   name: stable

olm/eclipse-che-preview-openshift/deploy/olm-catalog/eclipse-che-preview-openshift/9.9.9-nightly.1594209361/eclipse-che-preview-openshift.v9.9.9-nightly.1594209361.clusterserviceversion.yaml.diff

@@ -0,0 +1,46 @@
+--- /home/tolusha/gocode/src/github.com/eclipse/che-operator/olm/eclipse-che-preview-openshift/deploy/olm-catalog/eclipse-che-preview-openshift/9.9.9-nightly.1594133421/eclipse-che-preview-openshift.v9.9.9-nightly.1594133421.clusterserviceversion.yaml	2020-07-08 14:55:47.710990063 +0300
++++ /home/tolusha/gocode/src/github.com/eclipse/che-operator/olm/eclipse-che-preview-openshift/deploy/olm-catalog/eclipse-che-preview-openshift/9.9.9-nightly.1594209361/eclipse-che-preview-openshift.v9.9.9-nightly.1594209361.clusterserviceversion.yaml	2020-07-08 14:56:02.467007934 +0300
+@@ -49,12 +49,12 @@
+     categories: Developer Tools, OpenShift Optional
+     certified: "false"
+     containerImage: quay.io/eclipse/che-operator:nightly
+-    createdAt: "2020-07-07T14:50:21Z"
++    createdAt: "2020-07-08T11:56:01Z"
+     description: A Kube-native development solution that delivers portable and collaborative
+       developer workspaces in OpenShift.
+     repository: https://github.com/eclipse/che-operator
+     support: Eclipse Foundation
+-  name: eclipse-che-preview-openshift.v9.9.9-nightly.1594133421
++  name: eclipse-che-preview-openshift.v9.9.9-nightly.1594209361
+   namespace: placeholder
+ spec:
+   apiservicedefinitions: {}
+@@ -244,8 +244,11 @@
+               resources:
+                 - infrastructures
+                 - oauths
++                - proxies
+               verbs:
+                 - get
++                - list
++                - watch
+             - apiGroups:
+                 - user.openshift.io
+               resources:
+@@ -327,6 +330,8 @@
+                         value: che-identity-postgres-secret
+                       - name: CHE_POSTGRES_SECRET
+                         value: che-postgres-secret
++                      - name: CHE_SERVER_TRUST_STORE_CONFIGMAP_NAME
++                        value: ca-certs
+                     image: quay.io/eclipse/che-operator:nightly
+                     imagePullPolicy: Always
+                     name: che-operator
+@@ -441,5 +446,5 @@
+   maturity: stable
+   provider:
+     name: Eclipse Foundation
+-  replaces: eclipse-che-preview-openshift.v9.9.9-nightly.1594019198
+-  version: 9.9.9-nightly.1594133421
++  replaces: eclipse-che-preview-openshift.v9.9.9-nightly.1594133421
++  version: 9.9.9-nightly.1594209361

olm/eclipse-che-preview-openshift/deploy/olm-catalog/eclipse-che-preview-openshift/eclipse-che-preview-openshift.package.yaml

@@ -1,5 +1,5 @@
 channels:
-- currentCSV: eclipse-che-preview-openshift.v9.9.9-nightly.1594133421
+- currentCSV: eclipse-che-preview-openshift.v9.9.9-nightly.1594209361
   name: nightly
 - currentCSV: eclipse-che-preview-openshift.v7.15.1
   name: stable

pkg/controller/che/che_controller.go

@@ -21,6 +21,7 @@ import (
 	orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
 	"github.com/eclipse/che-operator/pkg/deploy"
 	"github.com/eclipse/che-operator/pkg/util"
+	configv1 "github.com/openshift/api/config/v1"
 	oauthv1 "github.com/openshift/api/config/v1"
 	consolev1 "github.com/openshift/api/console/v1"
 	oauth "github.com/openshift/api/oauth/v1"
@@ -96,6 +97,9 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 		if err := oauthv1.AddToScheme(mgr.GetScheme()); err != nil {
 			logrus.Errorf("Failed to add OpenShift OAuth to scheme: %s", err)
 		}
+		if err := configv1.AddToScheme(mgr.GetScheme()); err != nil {
+			logrus.Errorf("Failed to add OpenShift Config to scheme: %s", err)
+		}
 		if hasConsolelinkObject() {
 			if err := consolev1.AddToScheme(mgr.GetScheme()); err != nil {
 				logrus.Errorf("Failed to add OpenShift ConsoleLink to scheme: %s", err)
@@ -307,6 +311,26 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 		}
 	}
 
+	// Read proxy configuration
+	proxy, err := r.getProxyConfiguration(instance)
+	if err != nil {
+		logrus.Errorf("Error on reading proxy configuration: %v", err)
+		return reconcile.Result{}, err
+	}
+
+	if proxy.TrustedCAMapName != "" {
+		provisioned, err := r.putOpenShiftCertsIntoConfigMap(instance, proxy, clusterAPI)
+		if !provisioned {
+			configMapName := instance.Spec.Server.ServerTrustStoreConfigMapName
+			if err != nil {
+				logrus.Errorf("Error on provisioning config map '%s': %v", configMapName, err)
+			} else {
+				logrus.Infof("Waiting on provisioning config map '%s'", configMapName)
+			}
+			return reconcile.Result{}, err
+		}
+	}
+
 	cheFlavor := deploy.DefaultCheFlavor(instance)
 	cheDeploymentName := cheFlavor
 
@@ -319,7 +343,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 	}
 
 	// Detect whether self-signed certificate is used
-	selfSignedCertUsed, err := deploy.IsSelfSignedCertificateUsed(instance, clusterAPI)
+	selfSignedCertUsed, err := deploy.IsSelfSignedCertificateUsed(instance, proxy, clusterAPI)
 	if err != nil {
 		logrus.Errorf("Failed to detect if self-signed certificate used. Cause: %v", err)
 		return reconcile.Result{}, err
@@ -332,7 +356,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			// and NOT from the Openshift API Master URL (as in v3)
 			// So we also need the self-signed certificate to access them (same as the Che server)
 			(isOpenShift4 && instance.Spec.Auth.OpenShiftoAuth && !instance.Spec.Server.TlsSupport) {
-			if err := deploy.CreateTLSSecretFromRoute(instance, "", deploy.CheTLSSelfSignedCertificateSecretName, clusterAPI); err != nil {
+			if err := deploy.CreateTLSSecretFromRoute(instance, "", deploy.CheTLSSelfSignedCertificateSecretName, proxy, clusterAPI); err != nil {
 				return reconcile.Result{}, err
 			}
 		}
@@ -353,7 +377,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			if err != nil {
 				logrus.Errorf("Failed to get OpenShift cluster public hostname. A secret with API crt will not be created and consumed by RH-SSO/Keycloak")
 			} else {
-				if err := deploy.CreateTLSSecretFromRoute(instance, baseURL, "openshift-api-crt", clusterAPI); err != nil {
+				if err := deploy.CreateTLSSecretFromRoute(instance, baseURL, "openshift-api-crt", proxy, clusterAPI); err != nil {
 					return reconcile.Result{}, err
 				}
 			}
@@ -793,7 +817,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 				}
 			}
 
-			deploymentStatus := deploy.SyncKeycloakDeploymentToCluster(instance, clusterAPI)
+			deploymentStatus := deploy.SyncKeycloakDeploymentToCluster(instance, proxy, clusterAPI)
 			if !tests {
 				if !deploymentStatus.Continue {
 					logrus.Info("Waiting on deployment 'keycloak' to be ready")
@@ -992,7 +1016,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 					logrus.Errorf("An error occurred: %v", err)
 					return reconcile.Result{}, err
 				}
-				logrus.Info(" Updating plugin-registry ConfigMap")
+				logrus.Info("Updating plugin-registry ConfigMap")
 				err = r.client.Update(context.TODO(), pluginRegistryConfigMap)
 				if err != nil {
 					logrus.Errorf("Error updating plugin-registry ConfigMap: %v", err)
@@ -1088,16 +1112,14 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 
 	// create Che ConfigMap which is synced with CR and is not supposed to be manually edited
 	// controller will reconcile this CM with CR spec
-	cheEnv := deploy.GetConfigMapData(instance)
-	configMapStatus := deploy.SyncConfigMapToCluster(instance, cheEnv, clusterAPI)
+	cheConfigMap, err := deploy.SyncCheConfigMapToCluster(instance, proxy, clusterAPI)
 	if !tests {
-		if !configMapStatus.Continue {
-			logrus.Infof("Waiting on config map '%s' to be created", cheFlavor)
-			if configMapStatus.Err != nil {
-				logrus.Error(configMapStatus.Err)
+		if cheConfigMap == nil {
+			logrus.Infof("Waiting on config map '%s' to be created", deploy.CheConfigMapName)
+			if err != nil {
+				logrus.Error(err)
 			}
-
-			return reconcile.Result{Requeue: configMapStatus.Requeue}, configMapStatus.Err
+			return reconcile.Result{}, err
 		}
 	}
 
@@ -1107,11 +1129,11 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 	if tests {
 		cmResourceVersion = r.GetEffectiveConfigMap(instance, deploy.CheConfigMapName).ResourceVersion
 	} else {
-		cmResourceVersion = configMapStatus.ConfigMap.ResourceVersion
+		cmResourceVersion = cheConfigMap.ResourceVersion
 	}
 
 	// Create a new che deployment
-	deploymentStatus := deploy.SyncCheDeploymentToCluster(instance, cmResourceVersion, clusterAPI)
+	deploymentStatus := deploy.SyncCheDeploymentToCluster(instance, cmResourceVersion, proxy, clusterAPI)
 	if !tests {
 		if !deploymentStatus.Continue {
 			logrus.Infof("Waiting on deployment '%s' to be ready", cheFlavor)

pkg/controller/che/create.go

@@ -135,9 +135,7 @@ func (r *ReconcileChe) GenerateAndSaveFields(instance *orgv1.CheCluster, request
 		if len(instance.Spec.Auth.IdentityProviderPostgresSecret) < 1 {
 			keycloakPostgresPassword := util.GeneratePasswd(12)
 			keycloakDeployment, err := r.GetEffectiveDeployment(instance, "keycloak")
-			if err != nil {
-				logrus.Info("Disregard the error. No existing Identity provider deployment found. Generating passwd")
-			} else {
+			if err == nil {
 				keycloakPostgresPassword = util.GetDeploymentEnv(keycloakDeployment, "DB_PASSWORD")
 			}
 
@@ -156,9 +154,7 @@ func (r *ReconcileChe) GenerateAndSaveFields(instance *orgv1.CheCluster, request
 			keycloakAdminPassword := util.GetValue(instance.Spec.Auth.IdentityProviderPassword, util.GeneratePasswd(12))
 
 			keycloakDeployment, err := r.GetEffectiveDeployment(instance, "keycloak")
-			if err != nil {
-				logrus.Info("Disregard the error. No existing Identity provider deployment found. Generating admin username and password")
-			} else {
+			if err == nil {
 				keycloakAdminUserName = util.GetDeploymentEnv(keycloakDeployment, "SSO_ADMIN_USERNAME")
 				keycloakAdminPassword = util.GetDeploymentEnv(keycloakDeployment, "SSO_ADMIN_PASSWORD")
 			}

pkg/controller/che/proxy.go

@@ -0,0 +1,60 @@
+//
+// Copyright (c) 2020 Red Hat, Inc.
+// This program and the accompanying materials are made
+// available under the terms of the Eclipse Public License 2.0
+// which is available at https://www.eclipse.org/legal/epl-2.0/
+//
+// SPDX-License-Identifier: EPL-2.0
+//
+// Contributors:
+//   Red Hat, Inc. - initial API and implementation
+//
+package che
+
+import (
+	"context"
+
+	orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
+	"github.com/eclipse/che-operator/pkg/deploy"
+	"github.com/eclipse/che-operator/pkg/util"
+	configv1 "github.com/openshift/api/config/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func (r *ReconcileChe) getProxyConfiguration(checluster *orgv1.CheCluster) (*deploy.Proxy, error) {
+	proxy, err := deploy.ReadCheClusterProxyConfiguration(checluster)
+	if err != nil {
+		return nil, err
+	}
+
+	if util.IsOpenShift4 {
+		clusterProxy := &configv1.Proxy{}
+		if err := r.client.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, clusterProxy); err != nil {
+			return nil, err
+		}
+
+		// If proxy configuration exists in CR then cluster wide proxy configuration is ignored
+		// otherwise cluster wide proxy configuration is used and non proxy hosts
+		// are merted with defined ones in CR
+		if proxy.HttpProxy == "" && clusterProxy.Status.HTTPProxy != "" {
+			proxy, err = deploy.ReadClusterWideProxyConfiguration(clusterProxy, proxy.NoProxy)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	return proxy, nil
+}
+
+func (r *ReconcileChe) putOpenShiftCertsIntoConfigMap(checluster *orgv1.CheCluster, proxy *deploy.Proxy, clusterAPI deploy.ClusterAPI) (bool, error) {
+	if checluster.Spec.Server.ServerTrustStoreConfigMapName == "" {
+		checluster.Spec.Server.ServerTrustStoreConfigMapName = deploy.DefaultServerTrustStoreConfigMapName()
+		if err := r.UpdateCheCRSpec(checluster, "truststore configmap", deploy.DefaultServerTrustStoreConfigMapName()); err != nil {
+			return false, err
+		}
+	}
+
+	certConfigMap, err := deploy.SyncTrustStoreConfigMapToCluster(checluster, clusterAPI)
+	return certConfigMap != nil, err
+}