From 5105bd00e650dea019e4caacc3de7765df0d35a4 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko <abazko@redhat.com>
Date: Wed, 12 May 2021 17:18:43 +0300
Subject: [PATCH] Use OpenShift API internal URL to fetch certficate (#829)

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
---
 pkg/controller/che/che_controller.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/controller/che/che_controller.go b/pkg/controller/che/che_controller.go
index 64e4e3e80..35768af46 100644
--- a/pkg/controller/che/che_controller.go
+++ b/pkg/controller/che/che_controller.go
@@ -492,10 +492,11 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 
 		if util.IsOAuthEnabled(instance) {
 			// create a secret with OpenShift API crt to be added to keystore that RH SSO will consume
-			baseURL, _, err := util.GetOpenShiftAPIUrls()
+			apiUrl, apiInternalUrl, err := util.GetOpenShiftAPIUrls()
 			if err != nil {
 				logrus.Errorf("Failed to get OpenShift cluster public hostname. A secret with API crt will not be created and consumed by RH-SSO/Keycloak")
 			} else {
+				baseURL := map[bool]string{true: apiInternalUrl, false: apiUrl}[apiInternalUrl != ""]
 				if err := deploy.CreateTLSSecretFromEndpoint(deployContext, baseURL, "openshift-api-crt"); err != nil {
 					return reconcile.Result{}, err
 				}