setup configmap with certs and mount them in required workbenches

[harshad16]

setup configmap with certs and mount them in required workbenches

Description

The current approach is to mount all the odh-trusted certs to the workbench on custom location /etc/pki/tls/certs/custom-* , this path is not recognized directly by pods, either the pods needs to be run with
update-ca-trust which is only possible in root mode.

based on that, this is new approach, which notices the odh-trusted-ca-bundle configmap and also self-signed certs available on the kube-root-ca.cert confimap, combines these two into a new configmap and mounts it into in notebook
which satisfies the pattern that both odh-trusted-ca-bundle and workbench-ca-bundle exists.

The concatenation of the ca-bundle provided in odh-trusted-ca-bundle into a new configmap is inspired by the work done on data-science-pipeline-operator: opendatahub-io/data-science-pipelines-operator#575

The edges-case, yet to work on:

1. what happens if the odh-trusted-ca-bundle is deleted?
2. what happens if the data of odh-trusted-ca-bundle is empty?

How Has This Been Tested?

1. setup a 2.8.0 operator.
2. include the odh-notebook-controller with this pr images
3. test out all the scenarios.

• on setup of odh 2.8 + operator, NBC should be creating a workbench configmap : workbench-trusted-ca-bundle
• creation of new workbench should include the env var and volume mount
  • these workbenches should be able to content to URL, submit pipeline, connect db without SSL errors.
• deletion of the configmap: should reconcile the configmap.
• deletion of both configmap odh-trusted-ca-bundle and workbench-trusted-ca-bundle should reconcile the notebook which have the volume mount attached.
• whole setup should disrupt any long-running notebook.

These were scenarios tested on.

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[rkpattnaik780]

LGTM. Verified the scenarios listed in the PR description.

[atheo89]

Great work!! 👍
Tested locally and it works as expected
/lgtm

[harshad16]

Rebased.
@atheo89 and @rkpattnaik780 can you please add lgtm again.

[rkpattnaik780]

/lgtm

[rkpattnaik780]

/lgtm

[openshift-ci]

@harshad16: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/odh-notebook-controller-e2e	f44055f	link	true	/test odh-notebook-controller-e2e

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[harshad16]

/approve

Merging to get this in release.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: harshad16, rkpattnaik780

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [harshad16]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[harshad16]

/cherrypick stable

[openshift-cherrypick-robot]

@harshad16: new pull request created: #279

In response to this:

/cherrypick stable

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.