fix: check is che self-signed secret exist before mounting

2021-09-17 12:30:22 +03:00 · 2021-09-17 12:30:22 +03:00 · d010adde34
parent 14fb855c14
commit d010adde34
4 changed files with 57 additions and 14 deletions
--- a/pkg/deploy/dashboard/dashboard_deployment_test.go
+++ b/pkg/deploy/dashboard/dashboard_deployment_test.go
@ -255,8 +255,40 @@ func TestDashboardDeploymentVolumes(t *testing.T) {
 	}
 	testCases := []resourcesTestCase{
 		{
-			name:        "Test provisioning CAs",
-			initObjects: []runtime.Object{},
+			name:        "Test provisioning Custom CAs only",
+			initObjects: []runtime.Object{
+				// no deploy.CheTLSSelfSignedCertificateSecretName is created
+			},
+			volumes: []corev1.Volume{
+				{
+					Name: "che-custom-ca",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "ca-certs-merged",
+							},
+						},
+					}},
+			},
+			volumeMounts: []corev1.VolumeMount{
+				{Name: "che-custom-ca", MountPath: "/public-certs/custom"},
+			},
+			cheCluster: &orgv1.CheCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "eclipse-che",
+				},
+			},
+		},
+		{
+			name: "Test provisioning Che and Custom CAs",
+			initObjects: []runtime.Object{
+				&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      deploy.CheTLSSelfSignedCertificateSecretName,
+						Namespace: "eclipse-che",
+					},
+				},
+			},
 			volumes: []corev1.Volume{
 				{
 					Name: "che-custom-ca",
--- a/pkg/deploy/dashboard/deployment_dashboard.go
+++ b/pkg/deploy/dashboard/deployment_dashboard.go
@ -33,11 +33,11 @@ func (d *Dashboard) getDashboardDeploymentSpec() (*appsv1.Deployment, error) {

 	volumes, volumeMounts = d.provisionCustomPublicCA(volumes, volumeMounts)

-	selfSignedCertUsed, err := deploy.IsSelfSignedCertificateUsed(d.deployContext)
+	selfSignedCertSecretExist, err := deploy.IsSelfSignedCASecretExists(d.deployContext)
 	if err != nil {
 		return nil, err
 	}
-	if selfSignedCertUsed {
+	if selfSignedCertSecretExist {
 		volumes, volumeMounts = d.provisionCheSelfSignedCA(volumes, volumeMounts)
 	}

--- a/pkg/deploy/server/server_deployment.go
+++ b/pkg/deploy/server/server_deployment.go
@ -27,7 +27,7 @@ import (
 )

 func (s Server) getDeploymentSpec() (*appsv1.Deployment, error) {
-	selfSignedCertUsed, err := deploy.IsSelfSignedCertificateUsed(s.deployContext)
+	selfSignedCASecretExists, err := deploy.IsSelfSignedCASecretExists(s.deployContext)
 	if err != nil {
 		return nil, err
 	}
@ -65,7 +65,7 @@ func (s Server) getDeploymentSpec() (*appsv1.Deployment, error) {
 		Name:  "CHE_GIT_SELF__SIGNED__CERT__HOST",
 		Value: "",
 	}
-	if selfSignedCertUsed {
+	if selfSignedCASecretExists {
 		selfSignedCertEnv = corev1.EnvVar{
 			Name: "CHE_SELF__SIGNED__CERT",
 			ValueFrom: &corev1.EnvVarSource{
--- a/pkg/deploy/tls.go
+++ b/pkg/deploy/tls.go
@ -63,23 +63,34 @@ const (
 	labelCommaSign = "."
 )

+// IsSelfSignedCASecretExists checks if CheTLSSelfSignedCertificateSecretName exists so depending components can mount it
+func IsSelfSignedCASecretExists(deployContext *DeployContext) (bool, error) {
+	cheTLSSelfSignedCertificateSecret := &corev1.Secret{}
+	err := deployContext.ClusterAPI.Client.Get(context.TODO(), types.NamespacedName{Namespace: deployContext.CheCluster.Namespace, Name: CheTLSSelfSignedCertificateSecretName}, cheTLSSelfSignedCertificateSecret)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}
+
 // IsSelfSignedCertificateUsed detects whether endpoints are/should be secured by self-signed certificate.
 func IsSelfSignedCertificateUsed(deployContext *DeployContext) (bool, error) {
 	if util.IsTestMode() {
 		return true, nil
 	}

-	cheTLSSelfSignedCertificateSecret := &corev1.Secret{}
-	err := deployContext.ClusterAPI.Client.Get(context.TODO(), types.NamespacedName{Namespace: deployContext.CheCluster.Namespace, Name: CheTLSSelfSignedCertificateSecretName}, cheTLSSelfSignedCertificateSecret)
-	if err == nil {
-		// "self signed-certificate" secret found
-		return true, nil
-	}
-	if !errors.IsNotFound(err) {
-		// Failed to get secret, return error to restart reconcile loop.
+	cheCASecretExist, err := IsSelfSignedCASecretExists(deployContext)
+	if err != nil {
 		return false, err
 	}

+	if cheCASecretExist {
+		return true, nil
+	}
+
 	if !util.IsOpenShift {
 		// Handle custom tls secret for Che ingresses
 		cheTLSSecretName := deployContext.CheCluster.Spec.K8s.TlsSecretName