Support git self-signed SSL certs (#142)

Add new boolean property gitSelfSignedCertthat applies environment variables that contain SSL certificate and git host written from che-git-self-signed-cert config map.
The same logic is applied for the helm deployment: eclipse-che/che#15218

fixes eclipse-che/che#15285

Docs PR: eclipse-che/che-docs#1001

Signed-off-by: Igor Vinokur <ivinokur@redhat.com>

deploy/crds/org_v1_che_cr.yaml

@@ -33,6 +33,9 @@ spec:
     # when set to true the operator will attempt to get a secret in OpenShift router namespace
     # to add it to Java trust store of Che server. Requires cluster-admin privileges for operator service account
     selfSignedCert: false
+    ## If enabled then the certificate from `che-git-self-signed-cert` config map
+    ## will be propagated to the Che components and provide particular configuration for Git.
+    gitSelfSignedCert: false
     # TLS mode for Che. Make sure you either have public cert, or set selfSignedCert to true
     tlsSupport: false
     # protocol+hostname of a proxy server. Automatically added as JAVA_OPTS and https(s)_proxy

deploy/crds/org_v1_che_crd.yaml

@@ -388,6 +388,11 @@ spec:
                     clusters that have not been setup with a valid certificate for
                     the routes. This is disabled by default.
                   type: boolean
+                gitSelfSignedCert:
+                  description: If enabled, then the certificate from `che-git-self-signed-cert`
+                  config map will be propagated to the Che components and provide particular
+                  configuration for Git.
+                  type: boolean
                 serverMemoryLimit:
                   description: Overrides the memory limit used in the Che server deployment.
                     Defaults to 1Gi.

pkg/apis/org/v1/che_types.go

@@ -117,6 +117,7 @@ type CheClusterSpecServer struct {
 	// This is disabled by default.
 	// +optional
 	SelfSignedCert bool `json:"selfSignedCert"`
+	GitSelfSignedCert bool `json:"gitSelfSignedCert"`
 	// Instructs the operator to deploy Che in TLS mode, ie with TLS routes or ingresses.
 	// This is disabled by default.
 	// WARNING: Enabling TLS might require enabling the `selfSignedCert` field also in some cases.

pkg/controller/che/che_controller.go

@@ -1157,11 +1157,14 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 	desiredImagePullPolicy := util.GetValue(string(instance.Spec.Server.CheImagePullPolicy), deploy.DefaultPullPolicyFromDockerImage(cheImageRepo+":"+cheImageTag))
 	effectiveImagePullPolicy := string(effectiveCheDeployment.Spec.Template.Spec.Containers[0].ImagePullPolicy)
 	desiredSelfSignedCert := instance.Spec.Server.SelfSignedCert
+	desiredGitSelfSignedCert := instance.Spec.Server.GitSelfSignedCert
 	effectiveSelfSignedCert := r.GetDeploymentEnvVarSource(effectiveCheDeployment, "CHE_SELF__SIGNED__CERT") != nil
+	effectiveGitSelfSignedCert := r.GetDeploymentEnvVarSource(effectiveCheDeployment, "CHE_GIT_SELF__SIGNED__CERT") != nil
 	if desiredMemRequest.Cmp(effectiveMemRequest) != 0 ||
 		desiredMemLimit.Cmp(effectiveMemLimit) != 0 ||
 		effectiveImagePullPolicy != desiredImagePullPolicy ||
-		effectiveSelfSignedCert != desiredSelfSignedCert {
+		effectiveSelfSignedCert != desiredSelfSignedCert ||
+		effectiveGitSelfSignedCert != desiredGitSelfSignedCert {
 		cheDeployment, err := deploy.NewCheDeployment(instance, cheImageRepo, cheImageTag, cmResourceVersion, isOpenShift)
 		if err != nil {
 			logrus.Errorf("An error occurred: %s", err)

pkg/deploy/deployment_che.go

@@ -32,7 +32,14 @@ func NewCheDeployment(cr *orgv1.CheCluster, cheImage string, cheTag string, cmRe
 		Name:  "CHE_SELF__SIGNED__CERT",
 		Value: "",
 	}
-
+	gitSelfSignedCertEnv := corev1.EnvVar{
+        Name:  "CHE_GIT_SELF__SIGNED__CERT",
+        Value: "",
+    }
+    gitSelfSignedCertHostEnv := corev1.EnvVar{
+        Name:  "CHE_GIT_SELF__SIGNED__CERT__HOST",
+        Value: "",
+    }
 	if cr.Spec.Server.SelfSignedCert {
 		selfSignedCertEnv = corev1.EnvVar{
 			Name: "CHE_SELF__SIGNED__CERT",
@@ -47,6 +54,33 @@ func NewCheDeployment(cr *orgv1.CheCluster, cheImage string, cheTag string, cmRe
 			},
 		}
 	}
+	if cr.Spec.Server.GitSelfSignedCert {
+        gitSelfSignedCertEnv = corev1.EnvVar{
+            Name: "CHE_GIT_SELF__SIGNED__CERT",
+            ValueFrom: &corev1.EnvVarSource{
+                ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+                    Key: "ca.crt",
+                    LocalObjectReference: corev1.LocalObjectReference{
+                        Name: "che-git-self-signed-cert",
+                    },
+                    Optional: &optionalEnv,
+                },
+            },
+        }
+        gitSelfSignedCertHostEnv = corev1.EnvVar{
+            Name: "CHE_GIT_SELF__SIGNED__CERT__HOST",
+            ValueFrom: &corev1.EnvVarSource{
+                ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+                    Key: "githost",
+                    LocalObjectReference: corev1.LocalObjectReference{
+                        Name: "che-git-self-signed-cert",
+                    },
+                    Optional: &optionalEnv,
+                },
+            },
+        }
+    }
+
 	memLimit := util.GetValue(cr.Spec.Server.ServerMemoryLimit, DefaultServerMemoryLimit)
 	pullPolicy := corev1.PullPolicy(util.GetValue(string(cr.Spec.Server.CheImagePullPolicy), DefaultPullPolicyFromDockerImage(cheImageAndTag)))
 
@@ -155,6 +189,8 @@ func NewCheDeployment(cr *orgv1.CheCluster, cheImage string, cheTag string, cmRe
 											FieldPath: "metadata.namespace"}},
 								},
 								selfSignedCertEnv,
+								gitSelfSignedCertEnv,
+								gitSelfSignedCertHostEnv,
 							}},
 					},
 				},