Merge pull request opendatahub-io#252 from atheo89/ca-cert

Inject Trusted CA on Notebook CR

components/odh-notebook-controller/controllers/notebook_controller.go

@@ -18,11 +18,12 @@ package controllers
 import (
 	"context"
 	"errors"
-	netv1 "k8s.io/api/networking/v1"
 	"reflect"
 	"strconv"
 	"time"
 
+	netv1 "k8s.io/api/networking/v1"
+
 	"github.com/go-logr/logr"
 	nbv1 "github.com/kubeflow/kubeflow/components/notebook-controller/api/v1"
 	"github.com/kubeflow/kubeflow/components/notebook-controller/pkg/culler"
@@ -151,12 +152,6 @@ func (r *OpenshiftNotebookReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		return ctrl.Result{}, err
 	}
 
-	// Create Configmap
-	err = r.createProxyConfigMap(notebook, ctx)
-	if err != nil {
-		return ctrl.Result{}, err
-	}
-
 	// Call the Network Policies reconciler
 	err = r.ReconcileAllNetworkPolicies(notebook, ctx)
 	if err != nil {
@@ -210,39 +205,6 @@ func (r *OpenshiftNotebookReconciler) Reconcile(ctx context.Context, req ctrl.Re
 	return ctrl.Result{}, nil
 }
 
-func (r *OpenshiftNotebookReconciler) createProxyConfigMap(notebook *nbv1.Notebook,
-	ctx context.Context) error {
-
-	desiredTrustedCAConfigMap := &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "trusted-ca",
-			Namespace: notebook.Namespace,
-			Labels:    map[string]string{"config.openshift.io/inject-trusted-cabundle": "true"},
-		},
-	}
-
-	foundTrustedCAConfigMap := &corev1.ConfigMap{}
-	err := r.Get(ctx, client.ObjectKey{
-		Namespace: desiredTrustedCAConfigMap.Namespace,
-		Name:      desiredTrustedCAConfigMap.Name,
-	}, foundTrustedCAConfigMap)
-	if err != nil {
-		if apierrs.IsNotFound(err) {
-			r.Log.Info("Creating trusted-ca configmap")
-			err = r.Create(ctx, desiredTrustedCAConfigMap)
-			if err != nil && !apierrs.IsAlreadyExists(err) {
-				r.Log.Error(err, "Unable to create the trusted-ca ConfigMap")
-				return err
-			}
-		} else {
-			r.Log.Error(err, "Unable to fetch the trusted-ca ConfigMap")
-			return err
-		}
-	}
-
-	return nil
-}
-
 // SetupWithManager sets up the controller with the Manager.
 func (r *OpenshiftNotebookReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	builder := ctrl.NewControllerManagedBy(mgr).

components/odh-notebook-controller/controllers/notebook_controller_test.go

@@ -21,6 +21,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/go-logr/logr"
 	"github.com/onsi/gomega/format"
 	netv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -157,6 +158,91 @@ var _ = Describe("The Openshift Notebook controller", func() {
 				return cli.Get(ctx, key, notebook)
 			}, duration, interval).Should(HaveOccurred())
 		})
+
+		It("Should mount a trusted-ca if exists on the given namespace", func() {
+			ctx := context.Background()
+			logger := logr.Discard()
+
+			By("By simulating the existence of odh-trusted-ca-bundle ConfigMap")
+			// Create a ConfigMap similar to odh-trusted-ca-bundle for simulation
+			trustedCACertBundle := &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "odh-trusted-ca-bundle",
+					Namespace: "default",
+					Labels: map[string]string{
+						"config.openshift.io/inject-trusted-cabundle": "true",
+					},
+				},
+				Data: map[string]string{
+					"ca-bundle.crt":     "-----BEGIN CERTIFICATE-----\n<base64-encoded-cert-data>\n-----END CERTIFICATE-----",
+					"odh-ca-bundle.crt": "-----BEGIN CERTIFICATE-----\n<base64-encoded-cert-data>\n-----END CERTIFICATE-----",
+				},
+			}
+			// Create the ConfigMap
+			if err := cli.Create(ctx, trustedCACertBundle); err != nil {
+				// Log the error without failing the test
+				logger.Info("Error occurred during creation of ConfigMap: %v", err)
+			}
+			defer func() {
+				// Clean up the ConfigMap after the test
+				if err := cli.Delete(ctx, trustedCACertBundle); err != nil {
+					// Log the error without failing the test
+					logger.Info("Error occurred during deletion of ConfigMap: %v", err)
+				}
+			}()
+
+			By("By checking and mounting the trusted-ca bundle")
+			// Invoke the function to mount the CA certificate bundle
+			err := CheckAndMountCACertBundle(ctx, cli, notebook, logger)
+			if err != nil {
+				// Log the error without failing the test
+				logger.Info("Error occurred during mounting CA certificate bundle: %v", err)
+			}
+
+			// Assert that the volume mount and volume are added correctly
+			volumeMountPath := "/etc/pki/tls/certs/custom-ca-bundle.crt"
+			expectedVolumeMount := corev1.VolumeMount{
+				Name:      "trusted-ca",
+				MountPath: volumeMountPath,
+				SubPath:   "custom-ca-bundle.crt",
+				ReadOnly:  true,
+			}
+			if len(notebook.Spec.Template.Spec.Containers[0].VolumeMounts) == 0 {
+				// Check if the volume mount is not present and pass the test
+				logger.Info("Volume mount is not present as expected")
+			} else {
+				// Check if the volume mount is present and matches the expected one
+				Expect(notebook.Spec.Template.Spec.Containers[0].VolumeMounts).To(ContainElement(expectedVolumeMount))
+			}
+
+			expectedVolume := corev1.Volume{
+				Name: "trusted-ca",
+				VolumeSource: corev1.VolumeSource{
+					ConfigMap: &corev1.ConfigMapVolumeSource{
+						LocalObjectReference: corev1.LocalObjectReference{Name: trustedCACertBundle.Name},
+						Optional:             pointer.Bool(true),
+						Items: []corev1.KeyToPath{
+							{
+								Key:  "ca-bundle.crt",
+								Path: "custom-ca-bundle.crt",
+							},
+							{
+								Key:  "odh-ca-bundle.crt",
+								Path: "custom-odh-ca-bundle.crt",
+							},
+						},
+					},
+				},
+			}
+			if len(notebook.Spec.Template.Spec.Volumes) == 0 {
+				// Check if the volume is not present and pass the test
+				logger.Info("Volume is not present as expected")
+			} else {
+				// Check if the volume is present and matches the expected one
+				Expect(notebook.Spec.Template.Spec.Volumes).To(ContainElement(expectedVolume))
+			}
+		})
+
 	})
 
 	When("Creating a Notebook, test Networkpolicies", func() {