From a4e36cc24a11a6178353a2560a8a4b2565eb8c55 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 18 Jun 2026 13:19:26 +0000 Subject: [PATCH] docs: Document automatic DevWorkspace Operator TLS certificate configuration Update the importing-untrusted-tls-certificates article to document that the Che operator automatically configures the DevWorkspace Operator to trust imported certificates by setting tlsCertificateConfigmapRef in the DWO routing configuration. This enables DevWorkspace Operator to resolve parent devfile references via URI with untrusted TLS certificates. Changes: - Add parent devfile URI with untrusted TLS to the list of external services - Document automatic DevWorkspace Operator configuration - Add verification step to check DWO configuration Co-Authored-By: Claude Sonnet 4.5 Signed-off-by: Anatolii Bazko --- .../importing-untrusted-tls-certificates.adoc | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/modules/administration-guide/pages/importing-untrusted-tls-certificates.adoc b/modules/administration-guide/pages/importing-untrusted-tls-certificates.adoc index 2145770da2..88bd5287b1 100644 --- a/modules/administration-guide/pages/importing-untrusted-tls-certificates.adoc +++ b/modules/administration-guide/pages/importing-untrusted-tls-certificates.adoc @@ -14,6 +14,7 @@ Therefore, you must import into {prod-short} all untrusted CA chains in use by a * A proxy * An identity provider (OIDC) * A source code repositories provider (Git) +* A parent devfile referenced via URI with untrusted TLS {prod-short} uses labeled ConfigMaps in {prod-short} {orch-namespace} as sources for TLS certificates. The ConfigMaps can have an arbitrary amount of keys with an arbitrary amount of certificates each. 
@@ -40,6 +41,9 @@ spec: On OpenShift cluster, {prod-short} operator automatically adds Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle into mounted certificates. ==== +When certificates are imported, the {prod-short} operator automatically configures the {devworkspace} Operator to trust these certificates by setting the `tlsCertificateConfigmapRef` field in the {devworkspace} Operator configuration to reference the `ca-certs-merged` ConfigMap. +This enables the {devworkspace} Operator to trust the certificates when resolving parent devfile references via URI that use untrusted TLS certificates. + .Prerequisites * An active `{orch-cli}` session with administrative permissions to the destination {orch-name} cluster. See {orch-cli-link}. @@ -113,6 +117,24 @@ This command returns {prod-short} CA bundle certificates in PEM format: --output='jsonpath={.data.tls-ca-bundle\.pem}' ---- +. Verify that the {devworkspace} Operator is configured to trust the imported certificates. +This command returns the TLS certificate ConfigMap reference in the {devworkspace} Operator configuration: ++ +[subs="+attributes,+quotes",options="nowrap",role=white-space-pre] +---- +{orch-cli} get devworkspaceoperatorconfig \ + --namespace={prod-namespace} \ + devworkspace-config \ + --output='jsonpath={.config.routing.tlsCertificateConfigmapRef}' +---- ++ +The output should show the reference to the `ca-certs-merged` ConfigMap: ++ +[subs="+attributes,+quotes",options="nowrap",role=white-space-pre] +---- +{"name":"ca-certs-merged","namespace":"____"} +---- + . Verify that the workspace pod mounts the `ca-certs-merged` ConfigMap: + [subs="+attributes,+quotes",options="nowrap",role=white-space-pre]
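Review bot: in the first hunk (@@ -14,6 +14,7 @@), the new bullet "A parent devfile referenced via URI with untrusted TLS" is not parallel with the other list items, which each name the service whose CA chain must be imported (a proxy, an identity provider, a Git provider). The sentence that introduces the list already says these are untrusted CA chains, so "with untrusted TLS" repeats it. Suggest naming the host instead, for example "A server hosting a parent devfile referenced by URI".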
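Review bot: in the second hunk (@@ -40,6 +41,9 @@), the added paragraph does not say what happens to a `tlsCertificateConfigmapRef` value that an administrator has already set, or which {devworkspace} Operator configuration object the operator changes. The verification step in the third hunk reads `devworkspace-config` in `{prod-namespace}` at `.config.routing.tlsCertificateConfigmapRef`; naming that object and path here, and stating whether an existing value is overwritten, would let administrators audit the change. "Trust these certificates" may also understate the scope: the reference points at `ca-certs-merged`, and the admonition just above says the RHCOS trust bundle is added to mounted certificates on OpenShift, so consider stating that the {devworkspace} Operator trusts the whole merged bundle if that is the case.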
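Review bot: in the third hunk (@@ -113,6 +117,24 @@), the expected output shows the namespace value as `____`, which reads as an empty placeholder rather than a namespace. The listing already enables `+attributes`, so if the referenced ConfigMap lives in the namespace the command queries, use `{prod-namespace}` here as the command above does; otherwise use a named placeholder. The step also does not say what an empty result means; add a sentence stating that empty output means the reference is not set, so the reader knows the {devworkspace} Operator is not yet configured to trust the imported certificates.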