Propagate custom public certificate to env variable

deploy/crds/org_v1_che_cr.yaml

@@ -33,6 +33,8 @@ spec:
     # when set to true the operator will attempt to get a secret in OpenShift router namespace
     # to add it to Java trust store of Che server. Requires cluster-admin privileges for operator service account
     selfSignedCert: false
+    ## If enabled then the certificate from `custom-public-cert` config map will be added to Java trust store of Che server.
+    customPublicCert: false
     ## If enabled then the certificate from `che-git-self-signed-cert` config map
     ## will be propagated to the Che components and provide particular configuration for Git.
     gitSelfSignedCert: false

deploy/crds/org_v1_che_crd.yaml

@@ -393,6 +393,10 @@ spec:
                     clusters that have not been setup with a valid certificate for
                     the routes. This is disabled by default.
                   type: boolean
+                customPublicCert:
+                  description: If enabled, then the certificate from `custom-public-cert`
+                    config map will be added to Java trust store of Che server.
+                  type: boolean
                 serverMemoryLimit:
                   description: Overrides the memory limit used in the Che server deployment.
                     Defaults to 1Gi.

pkg/apis/org/v1/che_types.go

@@ -117,6 +117,13 @@ type CheClusterSpecServer struct {
 	// This is disabled by default.
 	// +optional
 	SelfSignedCert bool `json:"selfSignedCert"`
+	// If enabled, then the certificate from `custom-public-cert`
+	// config map will be added to Java trust store of Che server.
+	// This is usually required when adding the OpenShift OAuth provider
+	// which can receive unrecognized http requests.
+	// This is disabled by default.
+	// +optional
+	CustomPublicCert bool `json:"customPublicCert"`
 	// If enabled, then the certificate from `che-git-self-signed-cert`
 	// config map will be propagated to the Che components and provide particular
 	// configuration for Git.

pkg/controller/che/che_controller.go

@@ -1157,13 +1157,16 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 	desiredImagePullPolicy := util.GetValue(string(instance.Spec.Server.CheImagePullPolicy), deploy.DefaultPullPolicyFromDockerImage(cheImageRepo+":"+cheImageTag))
 	effectiveImagePullPolicy := string(effectiveCheDeployment.Spec.Template.Spec.Containers[0].ImagePullPolicy)
 	desiredSelfSignedCert := instance.Spec.Server.SelfSignedCert
+	desiredCustomPublicCert := instance.Spec.Server.CustomPublicCert
 	desiredGitSelfSignedCert := instance.Spec.Server.GitSelfSignedCert
 	effectiveSelfSignedCert := r.GetDeploymentEnvVarSource(effectiveCheDeployment, "CHE_SELF__SIGNED__CERT") != nil
+	effectiveCustomPublicCert := r.GetDeploymentEnvVarSource(effectiveCheDeployment, "CHE_CUSTOM_PUBLIC_CERT") != nil
 	effectiveGitSelfSignedCert := r.GetDeploymentEnvVarSource(effectiveCheDeployment, "CHE_GIT_SELF__SIGNED__CERT") != nil
 	if desiredMemRequest.Cmp(effectiveMemRequest) != 0 ||
 		desiredMemLimit.Cmp(effectiveMemLimit) != 0 ||
 		effectiveImagePullPolicy != desiredImagePullPolicy ||
 		effectiveSelfSignedCert != desiredSelfSignedCert ||
+		effectiveCustomPublicCert != desiredCustomPublicCert ||
 		effectiveGitSelfSignedCert != desiredGitSelfSignedCert {
 		cheDeployment, err := deploy.NewCheDeployment(instance, cheImageRepo, cheImageTag, cmResourceVersion, isOpenShift)
 		if err != nil {

pkg/deploy/deployment_che.go

@@ -32,6 +32,10 @@ func NewCheDeployment(cr *orgv1.CheCluster, cheImage string, cheTag string, cmRe
 		Name:  "CHE_SELF__SIGNED__CERT",
 		Value: "",
 	}
+	customPublicCertEnv := corev1.EnvVar{
+        Name:  "CHE_CUSTOM_PUBLIC_CERT",
+        Value: "",
+    }
 	gitSelfSignedCertEnv := corev1.EnvVar{
         Name:  "CHE_GIT_SELF__SIGNED__CERT",
         Value: "",
@@ -54,6 +58,20 @@ func NewCheDeployment(cr *orgv1.CheCluster, cheImage string, cheTag string, cmRe
 			},
 		}
 	}
+	if cr.Spec.Server.CustomPublicCert {
+        customPublicCertEnv = corev1.EnvVar{
+            Name: "CHE_CUSTOM_PUBLIC_CERT",
+            ValueFrom: &corev1.EnvVarSource{
+                ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+                    Key: "ca.crt",
+                    LocalObjectReference: corev1.LocalObjectReference{
+                        Name: "custom-public-cert",
+                    },
+                    Optional: &optionalEnv,
+                },
+            },
+        }
+    }
 	if cr.Spec.Server.GitSelfSignedCert {
         gitSelfSignedCertEnv = corev1.EnvVar{
             Name: "CHE_GIT_SELF__SIGNED__CERT",
@@ -171,6 +189,7 @@ func NewCheDeployment(cr *orgv1.CheCluster, cheImage string, cheTag string, cmRe
 											FieldPath: "metadata.namespace"}},
 								},
 								selfSignedCertEnv,
+								customPublicCertEnv,
 								gitSelfSignedCertEnv,
 								gitSelfSignedCertHostEnv,
 							}},