chore: Mount DWO_NAMESPACE into dashboard pod (#2102)

tolusha · web-flow · commit 4b7f77ca8cb9 · 2026-03-19T12:42:56.000+01:00
* chore: Mount DWO_NAMESPACE into dashboard pod

Signed-off-by: Anatolii Bazko &lt;abazko@redhat.com&gt;
diff --git a/controllers/che/checluster_controller.go b/controllers/che/checluster_controller.go
@@ -19,6 +19,7 @@ import (
 	"github.com/eclipse-che/che-operator/pkg/common/constants"
 	k8sclient "github.com/eclipse-che/che-operator/pkg/common/k8s-client"
 	"github.com/eclipse-che/che-operator/pkg/common/reconciler"
+	"github.com/eclipse-che/che-operator/pkg/deploy/devworkspace"
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 
@@ -28,16 +29,14 @@ import (
 
 	editorsdefinitions "github.com/eclipse-che/che-operator/pkg/deploy/editors-definitions"
 
-	"github.com/eclipse-che/che-operator/pkg/common/test"
-	containerbuild "github.com/eclipse-che/che-operator/pkg/deploy/container-capabilities"
-
 	"github.com/devfile/devworkspace-operator/pkg/infrastructure"
 	"github.com/eclipse-che/che-operator/pkg/common/chetypes"
+	"github.com/eclipse-che/che-operator/pkg/common/test"
 	"github.com/eclipse-che/che-operator/pkg/common/utils"
 	"github.com/eclipse-che/che-operator/pkg/deploy"
 	"github.com/eclipse-che/che-operator/pkg/deploy/consolelink"
+	containerbuild "github.com/eclipse-che/che-operator/pkg/deploy/container-capabilities"
 	"github.com/eclipse-che/che-operator/pkg/deploy/dashboard"
-	devworkspaceconfig "github.com/eclipse-che/che-operator/pkg/deploy/dev-workspace-config"
 	"github.com/eclipse-che/che-operator/pkg/deploy/devfileregistry"
 	"github.com/eclipse-che/che-operator/pkg/deploy/gateway"
 	identityprovider "github.com/eclipse-che/che-operator/pkg/deploy/identity-provider"
@@ -103,7 +102,7 @@ func NewReconciler(
 
 	reconcilerManager.AddReconciler(tls.NewCertificatesReconciler())
 	reconcilerManager.AddReconciler(tls.NewTlsSecretReconciler())
-	reconcilerManager.AddReconciler(devworkspaceconfig.NewDevWorkspaceConfigReconciler())
+	reconcilerManager.AddReconciler(devworkspace.NewDevWorkspaceConfigReconciler())
 	reconcilerManager.AddReconciler(rbac.NewGatewayPermissionsReconciler())
 
 	// we have to expose che endpoint independently of syncing other server
@@ -116,6 +115,7 @@ func NewReconciler(
 	reconcilerManager.AddReconciler(devfileregistry.NewDevfileRegistryReconciler())
 	reconcilerManager.AddReconciler(pluginregistry.NewPluginRegistryReconciler())
 	reconcilerManager.AddReconciler(editorsdefinitions.NewEditorsDefinitionsReconciler())
+	reconcilerManager.AddReconciler(devworkspace.NewDwoNamespaceReconciler())
 	reconcilerManager.AddReconciler(dashboard.NewDashboardReconciler())
 	reconcilerManager.AddReconciler(gateway.NewGatewayReconciler())
 	reconcilerManager.AddReconciler(server.NewCheServerReconciler())
diff --git a/pkg/common/chetypes/types.go b/pkg/common/chetypes/types.go
@@ -32,6 +32,7 @@ type DeployContext struct {
 	Proxy                   *Proxy
 	IsSelfSignedCertificate bool
 	CheHost                 string
+	DwoNamespace            string
 }
 
 type ClusterAPI struct {
diff --git a/pkg/common/test/deploy_context.go b/pkg/common/test/deploy_context.go
@@ -68,7 +68,8 @@ func (f *DeployContextBuild) Build() *chetypes.DeployContext {
 			ClientWrapper:           k8s_client.NewK8sClient(fakeClient, scheme),
 			NonCachingClientWrapper: k8s_client.NewK8sClient(fakeClient, scheme),
 		},
-		Proxy: &chetypes.Proxy{},
+		Proxy:        &chetypes.Proxy{},
+		DwoNamespace: "devworkspace-controller",
 	}
 
 	if f.cheCluster != nil {
diff --git a/pkg/deploy/container-capabilities/container_capabilities.go b/pkg/deploy/container-capabilities/container_capabilities.go
@@ -14,7 +14,6 @@ package containercapabilities
 
 import (
 	"context"
-	"fmt"
 	"time"
 
 	chev2 "github.com/eclipse-che/che-operator/api/v2"
@@ -24,18 +23,13 @@ import (
 	"github.com/eclipse-che/che-operator/pkg/common/utils"
 	ctrl "sigs.k8s.io/controller-runtime"
 
-	"k8s.io/apimachinery/pkg/labels"
-
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/eclipse-che/che-operator/pkg/common/chetypes"
 	"github.com/eclipse-che/che-operator/pkg/common/constants"
 	defaults "github.com/eclipse-che/che-operator/pkg/common/operator-defaults"
 	"github.com/eclipse-che/che-operator/pkg/deploy"
 	securityv1 "github.com/openshift/api/security/v1"
-	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -116,11 +110,6 @@ func (r *ContainerCapabilitiesReconciler) sync(ctx *chetypes.DeployContext, cc C
 		return nil
 	}
 
-	devWorkspaceServiceAccountNamespace, err := r.getDevWorkspaceServiceAccountNamespace(ctx)
-	if err != nil {
-		return err
-	}
-
 	if err := ctx.ClusterAPI.ClientWrapper.Sync(
 		context.TODO(),
 		r.getDWOClusterRole(
@@ -135,7 +124,7 @@ func (r *ContainerCapabilitiesReconciler) sync(ctx *chetypes.DeployContext, cc C
 	if err := ctx.ClusterAPI.ClientWrapper.Sync(
 		context.TODO(),
 		r.getDWClusterRoleBinding(
-			devWorkspaceServiceAccountNamespace,
+			ctx.DwoNamespace,
 			cc.getDWOClusterRoleName(),
 			cc.getDWOClusterRoleBindingName(),
 		),
@@ -239,35 +228,6 @@ func (r *ContainerCapabilitiesReconciler) delete(ctx *chetypes.DeployContext, cc
 	return nil
 }
 
-// getDevWorkspaceServiceAccountNamespace returns the namespace of the DevWorkspace ServiceAccount.
-// It searches for the DevWorkspace Operator Pods by its labels.
-func (r *ContainerCapabilitiesReconciler) getDevWorkspaceServiceAccountNamespace(ctx *chetypes.DeployContext) (string, error) {
-	selector := labels.SelectorFromSet(
-		labels.Set{
-			constants.KubernetesNameLabelKey:   constants.DevWorkspaceControllerName,
-			constants.KubernetesPartOfLabelKey: constants.DevWorkspaceOperatorName,
-		},
-	)
-
-	items, err := ctx.ClusterAPI.NonCachingClientWrapper.List(
-		context.TODO(),
-		&corev1.PodList{},
-		&client.ListOptions{LabelSelector: selector},
-	)
-	if err != nil {
-		return "", err
-	}
-
-	for _, item := range items {
-		pod := item.(*corev1.Pod)
-		if pod.Spec.ServiceAccountName == constants.DevWorkspaceServiceAccountName {
-			return pod.Namespace, nil
-		}
-	}
-
-	return "", fmt.Errorf("ServiceAccount %s not found", constants.DevWorkspaceServiceAccountName)
-}
-
 func (r *ContainerCapabilitiesReconciler) getUserClusterRole(sccName string, clusterRoleName string) *rbacv1.ClusterRole {
 	return &rbacv1.ClusterRole{
 		TypeMeta: metav1.TypeMeta{
diff --git a/pkg/deploy/container-capabilities/container_capabilities_test.go b/pkg/deploy/container-capabilities/container_capabilities_test.go
@@ -149,6 +149,7 @@ func TestShouldNotSyncSCCIfAlreadyExists(t *testing.T) {
 	}
 
 	ctx := test.NewCtxBuilder().WithObjects(dwPod, sccBuild, sccRun).Build()
+	ctx.DwoNamespace = "devworkspace-controller"
 
 	ctx.CheCluster.Spec.DevEnvironments.DisableContainerBuildCapabilities = pointer.Bool(false)
 	ctx.CheCluster.Spec.DevEnvironments.ContainerBuildConfiguration = &chev2.ContainerBuildConfiguration{OpenShiftSecurityContextConstraint: "scc-build"}
diff --git a/pkg/deploy/dashboard/deployment_dashboard.go b/pkg/deploy/dashboard/deployment_dashboard.go
@@ -92,6 +92,10 @@ func (d *DashboardReconciler) getDashboardDeploymentSpec(ctx *chetypes.DeployCon
 		corev1.EnvVar{
 			Name:  "CHECLUSTER_CR_NAME",
 			Value: ctx.CheCluster.Name},
+		corev1.EnvVar{
+			Name:  "DWO_NAMESPACE",
+			Value: ctx.DwoNamespace,
+		},
 	)
 
 	envVars = append(envVars,
diff --git a/pkg/deploy/devworkspace/dev_workspace_config.go b/pkg/deploy/devworkspace/dev_workspace_config.go
@@ -10,7 +10,7 @@
 //   Red Hat, Inc. - initial API and implementation
 //
 
-package devworkspaceconfig
+package devworkspace
 
 import (
 	"encoding/json"
diff --git a/pkg/deploy/devworkspace/dev_workspace_config_test.go b/pkg/deploy/devworkspace/dev_workspace_config_test.go
@@ -10,7 +10,7 @@
 //   Red Hat, Inc. - initial API and implementation
 //
 
-package devworkspaceconfig
+package devworkspace
 
 import (
 	"context"
diff --git a/pkg/deploy/devworkspace/dwo_namespace.go b/pkg/deploy/devworkspace/dwo_namespace.go
@@ -0,0 +1,77 @@
+//
+// Copyright (c) 2019-2025 Red Hat, Inc.
+// This program and the accompanying materials are made
+// available under the terms of the Eclipse Public License 2.0
+// which is available at https://www.eclipse.org/legal/epl-2.0/
+//
+// SPDX-License-Identifier: EPL-2.0
+//
+// Contributors:
+//   Red Hat, Inc. - initial API and implementation
+//
+
+package devworkspace
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/eclipse-che/che-operator/pkg/common/chetypes"
+	"github.com/eclipse-che/che-operator/pkg/common/constants"
+	"github.com/eclipse-che/che-operator/pkg/common/reconciler"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+type DwoNamespaceReconciler struct {
+	reconciler.Reconcilable
+}
+
+func NewDwoNamespaceReconciler() *DwoNamespaceReconciler {
+	return &DwoNamespaceReconciler{}
+}
+
+func (r *DwoNamespaceReconciler) Reconcile(ctx *chetypes.DeployContext) (reconcile.Result, bool, error) {
+	dwoNamespace, err := r.getDevWorkspaceNamespace(ctx)
+	if err != nil {
+		return reconcile.Result{}, false, err
+	}
+
+	ctx.DwoNamespace = dwoNamespace
+	return reconcile.Result{}, true, nil
+}
+
+func (r *DwoNamespaceReconciler) Finalize(ctx *chetypes.DeployContext) bool {
+	return true
+}
+
+// getDevWorkspaceNamespace returns the namespace of the DevWorkspace operator.
+// It searches for the DevWorkspace Operator Pods by its labels.
+func (r *DwoNamespaceReconciler) getDevWorkspaceNamespace(ctx *chetypes.DeployContext) (string, error) {
+	selector := labels.SelectorFromSet(
+		labels.Set{
+			constants.KubernetesNameLabelKey:   constants.DevWorkspaceControllerName,
+			constants.KubernetesPartOfLabelKey: constants.DevWorkspaceOperatorName,
+		},
+	)
+
+	items, err := ctx.ClusterAPI.NonCachingClientWrapper.List(
+		context.TODO(),
+		&corev1.PodList{},
+		&client.ListOptions{LabelSelector: selector},
+	)
+	if err != nil {
+		return "", err
+	}
+
+	for _, item := range items {
+		pod := item.(*corev1.Pod)
+		if pod.Spec.ServiceAccountName == constants.DevWorkspaceServiceAccountName {
+			return pod.Namespace, nil
+		}
+	}
+
+	return "", fmt.Errorf("DevWorkspace namespace not found")
+}
diff --git a/pkg/deploy/devworkspace/init_test.go b/pkg/deploy/devworkspace/init_test.go
@@ -10,7 +10,7 @@
 //   Red Hat, Inc. - initial API and implementation
 //
 
-package devworkspaceconfig
+package devworkspace
 
 import (
 	"github.com/devfile/devworkspace-operator/pkg/infrastructure"

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ type DeployContext struct {`
`32`	`32`	`Proxy *Proxy`
`33`	`33`	`IsSelfSignedCertificate bool`
`34`	`34`	`CheHost string`
	`35`	`+ DwoNamespace string`
`35`	`36`	`}`
`36`	`37`
`37`	`38`	`type ClusterAPI struct {`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,8 @@ func (f DeployContextBuild) Build() chetypes.DeployContext {`
`68`	`68`	`ClientWrapper: k8s_client.NewK8sClient(fakeClient, scheme),`
`69`	`69`	`NonCachingClientWrapper: k8s_client.NewK8sClient(fakeClient, scheme),`
`70`	`70`	`},`
`71`		`- Proxy: &chetypes.Proxy{},`
	`71`	`+ Proxy: &chetypes.Proxy{},`
	`72`	`+ DwoNamespace: "devworkspace-controller",`
`72`	`73`	`}`
`73`	`74`
`74`	`75`	`if f.cheCluster != nil {`
Original file line number	Diff line number	Diff line change
`@@ -149,6 +149,7 @@ func TestShouldNotSyncSCCIfAlreadyExists(t *testing.T) {`
`149`	`149`	`}`
`150`	`150`
`151`	`151`	`ctx := test.NewCtxBuilder().WithObjects(dwPod, sccBuild, sccRun).Build()`
	`152`	`+ ctx.DwoNamespace = "devworkspace-controller"`
`152`	`153`
`153`	`154`	`ctx.CheCluster.Spec.DevEnvironments.DisableContainerBuildCapabilities = pointer.Bool(false)`
`154`	`155`	`ctx.CheCluster.Spec.DevEnvironments.ContainerBuildConfiguration = &chev2.ContainerBuildConfiguration{OpenShiftSecurityContextConstraint: "scc-build"}`