From d010adde3472688868a48a319d9dbdac2c01155c Mon Sep 17 00:00:00 2001
From: Sergii Leshchenko
Date: Fri, 17 Sep 2021 12:30:22 +0300
Subject: [PATCH] fix: check is che self-signed secret exist before mounting
---
 .../dashboard/dashboard_deployment_test.go | 36 +++++++++++++++++--
 pkg/deploy/dashboard/deployment_dashboard.go | 4 +--
 pkg/deploy/server/server_deployment.go | 4 +--
 pkg/deploy/tls.go | 27 +++++++++-----
 4 files changed, 57 insertions(+), 14 deletions(-)
diff --git a/pkg/deploy/dashboard/dashboard_deployment_test.go b/pkg/deploy/dashboard/dashboard_deployment_test.go
index c852d9029..e28c4a2da 100644
--- a/pkg/deploy/dashboard/dashboard_deployment_test.go
+++ b/pkg/deploy/dashboard/dashboard_deployment_test.go
@@ -255,8 +255,40 @@ func TestDashboardDeploymentVolumes(t *testing.T) {
 }
 testCases := []resourcesTestCase{
 {
- name: "Test provisioning CAs",
- initObjects: []runtime.Object{},
+ name: "Test provisioning Custom CAs only",
+ initObjects: []runtime.Object{
+ // no deploy.CheTLSSelfSignedCertificateSecretName is created
+ },
+ volumes: []corev1.Volume{
+ {
+ Name: "che-custom-ca",
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "ca-certs-merged",
+ },
+ },
+ }},
+ },
+ volumeMounts: []corev1.VolumeMount{
+ {Name: "che-custom-ca", MountPath: "/public-certs/custom"},
+ },
+ cheCluster: &orgv1.CheCluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "eclipse-che",
+ },
+ },
+ },
+ {
+ name: "Test provisioning Che and Custom CAs",
+ initObjects: []runtime.Object{
+ &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: deploy.CheTLSSelfSignedCertificateSecretName,
+ Namespace: "eclipse-che",
+ },
+ },
+ },
 volumes: []corev1.Volume{
 {
 Name: "che-custom-ca",
diff --git a/pkg/deploy/dashboard/deployment_dashboard.go b/pkg/deploy/dashboard/deployment_dashboard.go
index 24b9736a5..e63e13bbe 100644
--- a/pkg/deploy/dashboard/deployment_dashboard.go
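Review bot: The "Test provisioning Che and Custom CAs" case creates the Che self-signed Secret with ObjectMeta only and no Data, so what it pins is the new helper's existence-only behaviour, not the presence of a CA certificate in the secret; a reader could easily "fix" the fixture later and change what is being tested. A one-line comment on the Secret literal would make that explicit, e.g. `// existence alone must trigger the mount; the secret's data is irrelevant here`. The testCases literal, and the volumes/volumeMounts of this second case, continue past the end of the hunk.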
+++ b/pkg/deploy/dashboard/deployment_dashboard.go
@@ -33,11 +33,11 @@ func (d *Dashboard) getDashboardDeploymentSpec() (*appsv1.Deployment, error) {
 volumes, volumeMounts = d.provisionCustomPublicCA(volumes, volumeMounts)
- selfSignedCertUsed, err := deploy.IsSelfSignedCertificateUsed(d.deployContext)
+ selfSignedCertSecretExist, err := deploy.IsSelfSignedCASecretExists(d.deployContext)
 if err != nil {
 return nil, err
 }
- if selfSignedCertUsed {
+ if selfSignedCertSecretExist {
 volumes, volumeMounts = d.provisionCheSelfSignedCA(volumes, volumeMounts)
 }
diff --git a/pkg/deploy/server/server_deployment.go b/pkg/deploy/server/server_deployment.go
index d35dfe8d2..f97143875 100644
--- a/pkg/deploy/server/server_deployment.go
+++ b/pkg/deploy/server/server_deployment.go
@@ -27,7 +27,7 @@ import (
 )
 func (s Server) getDeploymentSpec() (*appsv1.Deployment, error) {
- selfSignedCertUsed, err := deploy.IsSelfSignedCertificateUsed(s.deployContext)
+ selfSignedCASecretExists, err := deploy.IsSelfSignedCASecretExists(s.deployContext)
 if err != nil {
 return nil, err
 }
@@ -65,7 +65,7 @@ func (s Server) getDeploymentSpec() (*appsv1.Deployment, error) {
 Name: "CHE_GIT_SELF__SIGNED__CERT__HOST",
 Value: "",
 }
- if selfSignedCertUsed {
+ if selfSignedCASecretExists {
 selfSignedCertEnv = corev1.EnvVar{
 Name: "CHE_SELF__SIGNED__CERT",
 ValueFrom: &corev1.EnvVarSource{
diff --git a/pkg/deploy/tls.go b/pkg/deploy/tls.go
index 66b190a4c..74843252b 100644
--- a/pkg/deploy/tls.go
+++ b/pkg/deploy/tls.go
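Review bot: The result of the new helper is named `selfSignedCertSecretExist` in this dashboard hunk but `selfSignedCASecretExists` in both server_deployment.go hunks; the two call sites should agree, and the spelling that matches the function name reads best: `selfSignedCASecretExists, err := deploy.IsSelfSignedCASecretExists(d.deployContext)` and `if selfSignedCASecretExists {`. Note also that IsSelfSignedCASecretExists, unlike IsSelfSignedCertificateUsed, has no test-mode short-circuit (that function returns true whenever util.IsTestMode() is set), so after this change the Che CA is mounted only when the client actually returns the secret — which is the behaviour the new test cases check. A one-line comment at the call site would record that intent, e.g. `// mount the Che self-signed CA only when its secret really exists (no test-mode shortcut)`. getDashboardDeploymentSpec starts and ends outside the hunk.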
@@ -63,23 +63,34 @@ const (
 labelCommaSign = "."
 )
+// IsSelfSignedCASecretExists checks if CheTLSSelfSignedCertificateSecretName exists so depending components can mount it
+func IsSelfSignedCASecretExists(deployContext *DeployContext) (bool, error) {
+ cheTLSSelfSignedCertificateSecret := &corev1.Secret{}
+ err := deployContext.ClusterAPI.Client.Get(context.TODO(), types.NamespacedName{Namespace: deployContext.CheCluster.Namespace, Name: CheTLSSelfSignedCertificateSecretName}, cheTLSSelfSignedCertificateSecret)
+ if err != nil {
+ if errors.IsNotFound(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ return true, nil
+}
+
 // IsSelfSignedCertificateUsed detects whether endpoints are/should be secured by self-signed certificate.
 func IsSelfSignedCertificateUsed(deployContext *DeployContext) (bool, error) {
 if util.IsTestMode() {
 return true, nil
 }
- cheTLSSelfSignedCertificateSecret := &corev1.Secret{}
- err := deployContext.ClusterAPI.Client.Get(context.TODO(), types.NamespacedName{Namespace: deployContext.CheCluster.Namespace, Name: CheTLSSelfSignedCertificateSecretName}, cheTLSSelfSignedCertificateSecret)
- if err == nil {
- // "self signed-certificate" secret found
- return true, nil
- }
- if !errors.IsNotFound(err) {
- // Failed to get secret, return error to restart reconcile loop.
+ cheCASecretExist, err := IsSelfSignedCASecretExists(deployContext)
+ if err != nil {
 return false, err
 }
+ if cheCASecretExist {
+ return true, nil
+ }
+
 if !util.IsOpenShift {
 // Handle custom tls secret for Che ingresses
 cheTLSSecretName := deployContext.CheCluster.Spec.K8s.TlsSecretName
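Review bot: The why-comment the removed code carried (`// Failed to get secret, return error to restart reconcile loop.`) is dropped in the new IsSelfSignedCASecretExists, and its doc comment does not state the NotFound-versus-other-error contract that both callers in this commit depend on. Suggest replacing the doc comment with: `// IsSelfSignedCASecretExists reports whether the CheTLSSelfSignedCertificateSecretName secret exists in the CheCluster namespace, so dependent components mount it only when present.` followed by `// NotFound yields (false, nil); any other lookup error is returned so the caller fails the reconcile and retries.` Note the helper checks existence only: a secret that exists with empty or partial data also yields true, so a caller that references a specific key in it (as the server deployment's CHE_SELF__SIGNED__CERT env var appears to) would still emit a pod spec that cannot start until the data is populated — if such a window exists in this operator, either document it here or check the expected key as well. The body of IsSelfSignedCertificateUsed continues past the end of the hunk.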