Automatically propagate ca-certs configmap content into server and identity provider

pkg/controller/che/che_controller.go

@@ -14,14 +14,15 @@ package che
 import (
 	"context"
 	"fmt"
-	"github.com/eclipse/che-operator/pkg/deploy/devfile-registry"
+	"strconv"
+	"time"
+
+	devfile_registry "github.com/eclipse/che-operator/pkg/deploy/devfile-registry"
 	"github.com/eclipse/che-operator/pkg/deploy/gateway"
-	"github.com/eclipse/che-operator/pkg/deploy/identity-provider"
-	"github.com/eclipse/che-operator/pkg/deploy/plugin-registry"
+	identity_provider "github.com/eclipse/che-operator/pkg/deploy/identity-provider"
+	plugin_registry "github.com/eclipse/che-operator/pkg/deploy/plugin-registry"
 	"github.com/eclipse/che-operator/pkg/deploy/postgres"
 	"github.com/eclipse/che-operator/pkg/deploy/server"
-	"strconv"
-	"time"
 
 	orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
 	"github.com/eclipse/che-operator/pkg/deploy"
@@ -43,7 +44,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -771,8 +771,21 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 		}
 	}
 
+	trustStoreCMResourceVersion := ""
+	if instance.Spec.Server.ServerTrustStoreConfigMapName != "" {
+		trustStoreConfigMap, _ := deploy.GetClusterConfigMap(instance.Spec.Server.ServerTrustStoreConfigMapName, instance.Namespace, clusterAPI.Client)
+		if trustStoreConfigMap != nil {
+			// trustStoreConfigMap might be created by user, to detect changes we have to add the owner
+			if !deploy.HasCheClusterOwner(deployContext, trustStoreConfigMap) {
+				err := deploy.UpdateCheClusterOwner(deployContext, trustStoreConfigMap)
+				return reconcile.Result{}, err
+			}
+			trustStoreCMResourceVersion = trustStoreConfigMap.ResourceVersion
+		}
+	}
+
 	// create and provision Keycloak related objects
-	provisioned, err := identity_provider.SyncIdentityProviderToCluster(deployContext, cheHost, protocol, cheFlavor)
+	provisioned, err := identity_provider.SyncIdentityProviderToCluster(deployContext, trustStoreCMResourceVersion)
 	if !tests {
 		if !provisioned {
 			if err != nil {
@@ -802,13 +815,6 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 		}
 	}
 
-	if serverTrustStoreConfigMapName := instance.Spec.Server.ServerTrustStoreConfigMapName; serverTrustStoreConfigMapName != "" {
-		certMap := r.GetEffectiveConfigMap(instance, serverTrustStoreConfigMapName)
-		if err := controllerutil.SetControllerReference(instance, certMap, r.scheme); err != nil {
-			logrus.Errorf("An error occurred: %s", err)
-		}
-	}
-
 	// create Che ConfigMap which is synced with CR and is not supposed to be manually edited
 	// controller will reconcile this CM with CR spec
 	cheConfigMap, err := server.SyncCheConfigMapToCluster(deployContext)
@@ -820,15 +826,8 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			}
 			return reconcile.Result{}, err
 		}
-	}
-
-	// configMap resource version will be an env in Che deployment to easily update it when a ConfigMap changes
-	// which will automatically trigger Che rolling update
-	var cmResourceVersion string
-	if tests {
-		cmResourceVersion = r.GetEffectiveConfigMap(instance, server.CheConfigMapName).ResourceVersion
 	} else {
-		cmResourceVersion = cheConfigMap.ResourceVersion
+		cheConfigMap, _ = deploy.GetClusterConfigMap(server.CheConfigMapName, instance.Namespace, clusterAPI.Client)
 	}
 
 	err = gateway.SyncGatewayToCluster(deployContext)
@@ -838,7 +837,11 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 	}
 
 	// Create a new che deployment
-	deploymentStatus := server.SyncCheDeploymentToCluster(deployContext, cmResourceVersion)
+	cmRevisions := cheConfigMap.ResourceVersion
+	if trustStoreCMResourceVersion != "" {
+		cmRevisions += "," + trustStoreCMResourceVersion
+	}
+	deploymentStatus := server.SyncCheDeploymentToCluster(deployContext, cmRevisions)
 	if !tests {
 		if !deploymentStatus.Continue {
 			logrus.Infof("Waiting on deployment '%s' to be ready", cheFlavor)

pkg/controller/che/get.go

@@ -18,7 +18,6 @@ import (
 	oauth "github.com/openshift/api/oauth/v1"
 	"github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
@@ -29,17 +28,6 @@ func (r *ReconcileChe) GetEffectiveDeployment(instance *orgv1.CheCluster, name s
 	return deployment, err
 }
 
-func (r *ReconcileChe) GetEffectiveConfigMap(instance *orgv1.CheCluster, name string) (configMap *corev1.ConfigMap) {
-	configMap = &corev1.ConfigMap{}
-	err := r.client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: instance.Namespace}, configMap)
-	if err != nil {
-		logrus.Errorf("Failed to get %s config map: %s", name, err)
-		return nil
-	}
-	return configMap
-
-}
-
 func (r *ReconcileChe) GetCR(request reconcile.Request) (instance *orgv1.CheCluster, err error) {
 	instance = &orgv1.CheCluster{}
 	err = r.client.Get(context.TODO(), request.NamespacedName, instance)

pkg/deploy/identity-provider/deployment_keycloak.go

@@ -13,12 +13,13 @@ package identity_provider
 
 import (
 	"context"
-	"github.com/eclipse/che-operator/pkg/deploy"
-	"github.com/eclipse/che-operator/pkg/deploy/postgres"
 	"regexp"
 	"strconv"
 	"strings"
 
+	"github.com/eclipse/che-operator/pkg/deploy"
+	"github.com/eclipse/che-operator/pkg/deploy/postgres"
+
 	orgv1 "github.com/eclipse/che-operator/pkg/apis/org/v1"
 	"github.com/eclipse/che-operator/pkg/util"
 	"github.com/google/go-cmp/cmp"
@@ -58,15 +59,15 @@ var (
 	}
 )
 
-func SyncKeycloakDeploymentToCluster(deployContext *deploy.DeployContext) deploy.DeploymentProvisioningStatus {
+func SyncKeycloakDeploymentToCluster(deployContext *deploy.DeployContext, cmRevisions string) deploy.DeploymentProvisioningStatus {
 	clusterDeployment, err := deploy.GetClusterDeployment(KeycloakDeploymentName, deployContext.CheCluster.Namespace, deployContext.ClusterAPI.Client)
 	if err != nil {
 		return deploy.DeploymentProvisioningStatus{
 			ProvisioningStatus: deploy.ProvisioningStatus{Err: err},
 		}
 	}
 
-	specDeployment, err := getSpecKeycloakDeployment(deployContext, clusterDeployment)
+	specDeployment, err := getSpecKeycloakDeployment(deployContext, clusterDeployment, cmRevisions)
 	if err != nil {
 		return deploy.DeploymentProvisioningStatus{
 			ProvisioningStatus: deploy.ProvisioningStatus{Err: err},
@@ -78,7 +79,8 @@ func SyncKeycloakDeploymentToCluster(deployContext *deploy.DeployContext) deploy
 
 func getSpecKeycloakDeployment(
 	deployContext *deploy.DeployContext,
-	clusterDeployment *appsv1.Deployment) (*appsv1.Deployment, error) {
+	clusterDeployment *appsv1.Deployment,
+	cmRevisions string) (*appsv1.Deployment, error) {
 	optionalEnv := true
 	labels := deploy.GetLabels(deployContext.CheCluster, KeycloakDeploymentName)
 	cheFlavor := deploy.DefaultCheFlavor(deployContext.CheCluster)
@@ -221,6 +223,10 @@ func getSpecKeycloakDeployment(
 	}
 
 	keycloakEnv := []corev1.EnvVar{
+		{
+			Name:  "CM_REVISIONS",
+			Value: cmRevisions,
+		},
 		{
 			Name:  "PROXY_ADDRESS_FORWARDING",
 			Value: "true",
@@ -348,6 +354,10 @@ func getSpecKeycloakDeployment(
 
 	if cheFlavor == "codeready" {
 		keycloakEnv = []corev1.EnvVar{
+			{
+				Name:  "CM_REVISIONS",
+				Value: cmRevisions,
+			},
 			{
 				Name:  "PROXY_ADDRESS_FORWARDING",
 				Value: "true",

pkg/deploy/identity-provider/identity_provider.go

@@ -31,8 +31,16 @@ const (
 
 // SyncIdentityProviderToCluster instantiates the identity provider (Keycloak) in the cluster. Returns true if
 // the provisioning is complete, false if requeue of the reconcile request is needed.
-func SyncIdentityProviderToCluster(deployContext *deploy.DeployContext, cheHost string, protocol string, cheFlavor string) (bool, error) {
+func SyncIdentityProviderToCluster(
+	deployContext *deploy.DeployContext,
+	cmRevisions string) (bool, error) {
 	instance := deployContext.CheCluster
+	cheHost := instance.Spec.Server.CheHost
+	protocol := "http"
+	if instance.Spec.Server.TlsSupport {
+		protocol = "https"
+	}
+	cheFlavor := deploy.DefaultCheFlavor(instance)
 	cheMultiUser := deploy.GetCheMultiUser(instance)
 	tests := util.IsTestMode()
 	isOpenShift := util.IsOpenShift
@@ -82,7 +90,7 @@ func SyncIdentityProviderToCluster(deployContext *deploy.DeployContext, cheHost
 		}
 	}
 
-	deploymentStatus := SyncKeycloakDeploymentToCluster(deployContext)
+	deploymentStatus := SyncKeycloakDeploymentToCluster(deployContext, cmRevisions)
 	if !tests {
 		if !deploymentStatus.Continue {
 			logrus.Info("Waiting on deployment 'keycloak' to be ready")

pkg/deploy/owner.go

@@ -0,0 +1,44 @@
+//
+// Copyright (c) 2012-2019 Red Hat, Inc.
+// This program and the accompanying materials are made
+// available under the terms of the Eclipse Public License 2.0
+// which is available at https://www.eclipse.org/legal/epl-2.0/
+//
+// SPDX-License-Identifier: EPL-2.0
+//
+// Contributors:
+//   Red Hat, Inc. - initial API and implementation
+//
+package deploy
+
+import (
+	"context"
+	stderrors "errors"
+
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+func HasCheClusterOwner(deployContext *DeployContext, object v1.Object) bool {
+	for _, owner := range object.GetOwnerReferences() {
+		if owner.Name == deployContext.CheCluster.Name {
+			return true
+		}
+	}
+
+	return false
+}
+
+func UpdateCheClusterOwner(deployContext *DeployContext, object v1.Object) error {
+	if err := controllerutil.SetControllerReference(deployContext.CheCluster, object, deployContext.ClusterAPI.Scheme); err != nil {
+		return err
+	}
+
+	robj, ok := object.(runtime.Object)
+	if !ok {
+		return stderrors.New("object " + object.GetName() + " is not a runtime.Object. Cannot update it")
+	}
+
+	return deployContext.ClusterAPI.Client.Update(context.TODO(), robj)
+}

pkg/deploy/server/deployment_che.go

@@ -27,15 +27,15 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
-func SyncCheDeploymentToCluster(deployContext *deploy.DeployContext, cmResourceVersion string) deploy.DeploymentProvisioningStatus {
+func SyncCheDeploymentToCluster(deployContext *deploy.DeployContext, cmRevisions string) deploy.DeploymentProvisioningStatus {
 	clusterDeployment, err := deploy.GetClusterDeployment(deploy.DefaultCheFlavor(deployContext.CheCluster), deployContext.CheCluster.Namespace, deployContext.ClusterAPI.Client)
 	if err != nil {
 		return deploy.DeploymentProvisioningStatus{
 			ProvisioningStatus: deploy.ProvisioningStatus{Err: err},
 		}
 	}
 
-	specDeployment, err := getSpecCheDeployment(deployContext, cmResourceVersion)
+	specDeployment, err := getSpecCheDeployment(deployContext, cmRevisions)
 	if err != nil {
 		return deploy.DeploymentProvisioningStatus{
 			ProvisioningStatus: deploy.ProvisioningStatus{Err: err},
@@ -45,7 +45,7 @@ func SyncCheDeploymentToCluster(deployContext *deploy.DeployContext, cmResourceV
 	return deploy.SyncDeploymentToCluster(deployContext, specDeployment, clusterDeployment, nil, nil)
 }
 
-func getSpecCheDeployment(deployContext *deploy.DeployContext, cmResourceVersion string) (*appsv1.Deployment, error) {
+func getSpecCheDeployment(deployContext *deploy.DeployContext, cmRevisions string) (*appsv1.Deployment, error) {
 	isOpenShift, _, err := util.DetectOpenShift()
 	if err != nil {
 		return nil, err
@@ -174,8 +174,8 @@ func getSpecCheDeployment(deployContext *deploy.DeployContext, cmResourceVersion
 
 	cheEnv = append(cheEnv,
 		corev1.EnvVar{
-			Name:  "CM_REVISION",
-			Value: cmResourceVersion,
+			Name:  "CM_REVISIONS",
+			Value: cmRevisions,
 		},
 		corev1.EnvVar{
 			Name: "KUBERNETES_NAMESPACE",