Merge pull request #614 from HumairAK/RHOAIENG-4709

Add System Certs when they are not available or overridden
opendatahub-io · Mar 22, 2024 · b80afc2 · b80afc2
2 parents db78e2b + 7cab923
commit b80afc2
Show file tree

Hide file tree

Showing 8 changed files with 177 additions and 80 deletions.
diff --git a/.github/workflows/functests.yml b/.github/workflows/functests.yml
@@ -11,4 +11,6 @@ jobs:
         with:
           go-version: '1.19.x'
       - name: Run Functional Tests
+        env:
+          SSL_CERT_FILE: ${{ github.workspace }}/controllers/testdata/tls/ca-bundle.crt
         run: make functest
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -6,6 +6,7 @@ repos:
         exclude: README.md
       - id: check-merge-conflict
       - id: end-of-file-fixer
+        exclude: controllers/testdata/tls/ca-bundle.crt
       - id: check-added-large-files
       - id: check-case-conflict
       - id: check-json
@@ -18,7 +19,7 @@ repos:
       - id: yamllint
         files: \.(yaml|yml)$
         types: [file, yaml]
-        entry: yamllint --strict
+        entry: yamllint --strict -c .yamllint.yaml
 
   - repo: https://github.com/dnephin/pre-commit-golang
     rev: c17f835cf9

diff --git a/controllers/config/defaults.go b/controllers/config/defaults.go
@@ -33,10 +33,16 @@ const (
 	// GlobalODHCaBundleConfigMapName key and label values  are a contract with
 	// ODH Platform https://github.com/opendatahub-io/architecture-decision-records/pull/28
 	GlobalODHCaBundleConfigMapName = "odh-trusted-ca-bundle"
+	// GlobalODHCaBundleConfigMapSystemBundleKey is the key that is added by network operator
+	// https://docs.openshift.com/container-platform/4.15/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki
+	GlobalODHCaBundleConfigMapSystemBundleKey = "ca-bundle.crt"
 
 	CustomDSPTrustedCAConfigMapNamePrefix = "dsp-trusted-ca"
 	CustomDSPTrustedCAConfigMapKey        = "dsp-ca.crt"
 
+	DefaultSystemSSLCertFile     = "SSL_CERT_FILE"
+	DefaultSystemSSLCertFilePath = "/etc/pki/tls/certs/ca-bundle.crt" // Fedora/RHEL 6
+
 	MLPipelineUIConfigMapPrefix       = "ds-pipeline-ui-configmap-"
 	ArtifactScriptConfigMapNamePrefix = "ds-pipeline-artifact-script-"
 	ArtifactScriptConfigMapKey        = "artifact_script"

diff --git a/controllers/dspipeline_params.go b/controllers/dspipeline_params.go
@@ -593,18 +593,25 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
 			}
 		}
 
+		// Track whether the "ca-bundle.crt" configmap key from odh-trusted-ca bundle
+		// was found, this will be used to decide whether we need to account for this
+		// ourselves later or not.
+		odhTrustedCABundleAdded := false
+
 		// Check for cert bundle provided by the platform instead of by the DSPA user
 		// If it exists, include this cert for tls verifications
 		globalCABundleCFGMapName := config.GlobalODHCaBundleConfigMapName
-		err, globalCerts := util.GetConfigMapValues(ctx, globalCABundleCFGMapName, p.Namespace, client)
+
+		odhTrustedCABundleConfigMap, err := util.GetConfigMap(ctx, globalCABundleCFGMapName, p.Namespace, client)
 		if err != nil {
 			// If the global cert configmap is not available, that is OK
 			if !apierrs.IsNotFound(err) {
 				log.Info(fmt.Sprintf("Encountered error when attempting to fetch ConfigMap: [%s], Error: %v", globalCABundleCFGMapName, err))
 				return err
 			}
 		} else {
-			// Found a cert provided by odh-operator. Consume it
+			// Found a cert provided by odh-operator. Consume it.
+			globalCerts := util.GetConfigMapValues(odhTrustedCABundleConfigMap)
 			log.Info(fmt.Sprintf("Found global CA Bundle %s present in this namespace %s, this bundle will be included in external tls connections.", config.GlobalODHCaBundleConfigMapName, p.Namespace))
 			// "odh-trusted-ca-bundle" can have fields: "odh-ca-bundle.crt" and "ca-bundle.crt", we need to utilize both
 			for _, val := range globalCerts {
@@ -613,19 +620,26 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
 					p.APICustomPemCerts = append(p.APICustomPemCerts, []byte(val))
 				}
 			}
+			// If odh-trusted-ca-bundle is created via network operator then this is always going to be present
+			// however if a user creates this, they may accidentally leave this out, so we need to account for this
+			_, ok := odhTrustedCABundleConfigMap.Data[config.GlobalODHCaBundleConfigMapSystemBundleKey]
+			if ok {
+				odhTrustedCABundleAdded = true
+			}
 		}
 
 		// If user provided a CA bundle, include this in tls verification
 		if p.APIServer.CABundle != nil {
 			dspaCaBundleCfgKey, dspaCaBundleCfgName := p.APIServer.CABundle.ConfigMapKey, p.APIServer.CABundle.ConfigMapName
-			dspaCACfgErr, dspaProvidedCABundle := util.GetConfigMapValue(ctx, dspaCaBundleCfgKey, dspaCaBundleCfgName, p.Namespace, client, log)
+			dspaCAConfigMap, dspaCACfgErr := util.GetConfigMap(ctx, dspaCaBundleCfgName, p.Namespace, client)
 			if dspaCACfgErr != nil && apierrs.IsNotFound(dspaCACfgErr) {
-				log.Info(fmt.Sprintf("ConfigMap [%s] was not found in namespace [%s]", dspaCaBundleCfgKey, p.Namespace))
+				log.Info(fmt.Sprintf("ConfigMap [%s] was not found in namespace [%s]", dspaCAConfigMap.Name, p.Namespace))
 				return dspaCACfgErr
 			} else if dspaCACfgErr != nil {
 				log.Info(fmt.Sprintf("Encountered error when attempting to fetch ConfigMap: [%s], Error: %v", dspaCaBundleCfgName, dspaCACfgErr))
 				return dspaCACfgErr
 			}
+			dspaProvidedCABundle := util.GetConfigMapValue(dspaCaBundleCfgKey, dspaCAConfigMap)
 			// If the ca-bundle field is empty, ignore it
 			if dspaProvidedCABundle != "" {
 				p.APICustomPemCerts = append(p.APICustomPemCerts, []byte(dspaProvidedCABundle))
@@ -643,6 +657,18 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
 		// 2) populate CustomCABundle SOT var for pipeline pods and artifact script to utilize during templating
 		// 3) set ssl_cert_dir for api server
 		if len(p.APICustomPemCerts) > 0 {
+
+			// We need to ensure system certs are always part of this new configmap
+			// We can either source this from odh-trusted-ca-bundle cfgmap if provided,
+			// or fetch one from "config-trusted-cabundle" configmap, which is always present in an ocp ns
+			if !odhTrustedCABundleAdded {
+				certs, sysCertsErr := util.GetSystemCerts()
+				if sysCertsErr != nil {
+					return sysCertsErr
+				}
+				p.APICustomPemCerts = append(p.APICustomPemCerts, certs)
+			}
+
 			p.CustomCABundle = &dspa.CABundle{
 				ConfigMapKey:  config.CustomDSPTrustedCAConfigMapKey,
 				ConfigMapName: fmt.Sprintf("%s-%s", config.CustomDSPTrustedCAConfigMapNamePrefix, p.Name),

diff --git a/controllers/testdata/declarative/case_8/deploy/00_configmap.yaml b/controllers/testdata/declarative/case_8/deploy/00_configmap.yaml
@@ -5,34 +5,32 @@ metadata:
 data:
   testcabundleconfigmapkey8.crt: |
     -----BEGIN CERTIFICATE-----
-    MIIFlTCCA32gAwIBAgIUQTPwwkR17jDrdIe4VqhzNQ6OY0swDQYJKoZIhvcNAQEL
+    MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL
     BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0
     MDMwNTAxMTExN1oXDTM0MDMwMzAxMTExN1owJjELMAkGA1UEBhMCWFgxFzAVBgNV
-    BAMMDioudGNwLm5ncm9rLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
-    AgEApZbmrvisGgN2XmPbWSD8A89g2CwUgqUIfd1yU6TyZMmvnP+c+xG6SzqDZkxI
-    oiQ0fierPuMyrp0Yv+mRBvYtZ+Rv4zZ8OASD5UGDblKa6U8EJvXEKa5K9rZsqYpW
-    MOaZv8M5/KAr8AkH4zmXvgGtsfNT6xvBxIhUexJmSRB5lRLtZZr7ea/XQiuzJYPr
-    2CqHitm6MUWLG74vKetRi9ZDaDxgcW78nhBwM2Ujh0qrSeb4QhEcHP3Lhom0WObd
-    te+ipK5fqqMSQl1mj5W6tKORIm256TbG+uHY8e3lsT2fnCVL/zgFGROr0NqNbies
-    90dH7i6Wr1yn74umJ1HNF5nXem1jaqYVhQWWBlTurSqkHtRpIE2OWygpM4IoSTu8
-    gbIaKJdexx9GN9ch/zQBeevsYT1Wb/wQVZUp4TgJJIq1fCAkz3yQNsojUwZqsAPT
-    worehTHFT20onAutnkGv0lgGQH9ur1Gm4VipWbBQTRCEhEKIFVDDkQtbPZwQBjl/
-    voj7O659pIuPsGW5HYWawTbdU4ymEP4672KLpIaDxJHnA9sJsz2ns2KgsUesjGdQ
-    SnlMoanph1kW+qFM4tMnHFTad3yz6TLL0Mp1ej8gUd1FnYHrVewVeFl83gRFKhqP
-    XZX/hl7SAYn1Bnc6OsFegtQukcJc+AqZBja+8k+xc8yWC38CAwEAAaOBujCBtzAf
-    BgNVHSMEGDAWgBQ4+5eH7tKVwoWbF1OQoLJq+U2KuzAJBgNVHRMEAjAAMGoGA1Ud
-    EQRjMGGCDHRjcC5uZ3Jvay5pb4IOKi50Y3Aubmdyb2suaW+CE21hcmlhZGIubWFy
-    aWFkYi5zdmOCIW1hcmlhZGIubWFyaWFkYi5zdmMuY2x1c3Rlci5sb2NhbIIJbG9j
-    YWxob3N0MB0GA1UdDgQWBBTJmuX3UrWQn6AKXAvkUw/h7g6PsjANBgkqhkiG9w0B
-    AQsFAAOCAgEAKk/pfGTH3xgQg5a+obLx9xkfYz0jwfr5+TiD+FTrNlIPZpvCiYYk
-    RWNjMyYqKpuEfHry6P9spgk28+wQx7CRSi+cGiiNSvPswI3Ww8KHJQoJzl2vPQYe
-    1OESU6es8ZACIXdPcILj8zXHNFvfUD0rt7r34zqGw5PNWKQJ8gurqP9ZcBHNq9xz
-    nPG1QTdA5gOzAXQeOa8rGpK0lODo/WkRlV7KXU5ss737HcljGz8KSVUhfgy8io5z
-    xaKnCy8trt8CdGNb/ysK+a7oKZSqAYcKASwYxCrS1zgS06uLC78WjnYbxta/gnlC
-    a0XIfQt2dM/7L+ZvIwg0PbbPzBJU5zwiXSL9AMzp1/1hjlG4v06UKjv4V1t0McFC
-    xEaLG3AyDx9HHxbAIn/lkQ12Tg38rn5R0OKVKZSAzT6THCULbHC0Q+EQW4c8/No2
-    gtZgaZfA9bUTtQRyxSxQJlWbm4c6KfQa5g+oGQ9BjPCFjPmEvN9SCWcvR/aZE/Uy
-    IRtueAdEz+FiXmVeaJd7BImvF6P6OVDP4zhfXh9NIq9vovVNlGReDGOsqPF0iW/7
-    bLJ7EOwHNhqMkYbBvXnZmfmXpJ24S93M6OmjdkJIUN8iWtjX0yg8FqEGoCfFv4ub
-    a6IRpmyHdJoUJ4icStKB2m3sdRy7Aj5meAYQCVefvZYIQq4rRz/0chs=
+    BAMMDnJoLWRzcC1kZXZzLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+    AgEAnCxNdQ0EUhswfu8/K6icQKc//2xpTvcp9Bn9QZ9UUy3f2UXv5hvd4W2PM/uX
+    FaZGoEzQsYagbjyuHDBxek8YOZvdRx9h7O+LLfN+DXeLbaY6tZ2AxNWwcaAmG0EH
+    nSDVORrk8/aZfFRoxgQigWyuK28YZn2SopjNyvOc8GkNjCFO4y7g4QuzWdGMgMIA
+    +whtt3EuYIwaRourKNFp4oR4InOVdPfuGezxbKRPcFfey1JEdTxGoWnHC+HDDMCf
+    R2vV8hAQB4fdvbOoz3+S7j7d8YiaFBK/P2us6Il5tsUw4kzhD2/OLzyERB7SloZk
+    NiIcSsU0USRGLb4/ybQsxu9UPIXUlKTK70HxIEIdPSPPMM84khIOuax0QXKORFHT
+    Ti9jgEfXjuX/2RPijQoCMDrqRQvDxExnTVMncqud6PeDxOWfvSG4oyZBr4HgNAap
+    wX7FWEY6SOH0e3GrH9ceI3afDO4A4YR+EE426GgHgYe8g4NTfD1D79+txmSY6VvV
+    MBwEvPo1LJVmvz23HBC60+e6Ld3WjwE+viOktt20R5Td3NPj7qcBlMDs105yiz+l
+    Ex1h/WDrAssETrelppg3Xgkkz+iY5RwiUB2BTzeiiDbN+AE6X+S5c61Izc2qAeH2
+    gVrvMDlAK6t6bQ696TzItdAs5SnXauxPjfwmK+F65SYy7z8CAwEAAaNTMFEwHQYD
+    VR0OBBYEFDj7l4fu0pXChZsXU5Cgsmr5TYq7MB8GA1UdIwQYMBaAFDj7l4fu0pXC
+    hZsXU5Cgsmr5TYq7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
+    AGr5DblOsH7JE9JM3M4p4eiXD40B/VIACEDMYJvyr6QjmcT8+XnHkiu7OV3OJV/G
+    S4NKhleBhfpaaP2ZPGO/vUTmqXwcK78jl0WEjPrMVjs1eDoSnUNi+KwFTBypIusD
+    gSEnICXa26v1CHCQG0QB+rUrIxJqjtq+bnlw/Ns1wxTYfZBFW1ykCJuMsekPo0pN
+    yTH1eWr0eSVWgljqHKaUjKbRRTSTWvk2Sewaq004W+6QOSb3nb1+GHVMov/Q6vsz
+    j6/3B7+7wybR80UTBI/1DfTlefQaOOgEPBjQZ92NXSxMKe2J7FPD+7NHvwTNzzVD
+    jg3cmW8pbtLEyxa+C+6EN8xnmklVfyzuzVsRJvrZvzYcOgLK2ji35oq9FYGXm0yH
+    HRpQPBFkcgNedD3qrJNYKkIBiAh2SSKKA+J8eP3uD9NUOScgl2aKVz/phU5rSDwt
+    NlhRuX8sS7q4gpL9qk4jWrMb8tNeN5nYRvmJj+Slf9sQSTfvukKo+2X8GpAecQNC
+    z6OeQyN+3C2zm4cLCHHWC0ZR/iHQyHIVKlFXznWe6qA64o4x1A0GurjVMAw0Pe0v
+    WBV3KJBsYK/wijtLeip1oKobU76oE0ML/bnhV10k6usvl4n8cDmcONo5FnGoT8Pk
+    80htx6w5fanMFu4MnoBeyJhhzNfg7ywJcc2VZSM27s2B
     -----END CERTIFICATE-----
diff --git a/controllers/testdata/declarative/case_8/expected/created/configmap_dspa_trusted_ca.yaml b/controllers/testdata/declarative/case_8/expected/created/configmap_dspa_trusted_ca.yaml
@@ -3,36 +3,64 @@ apiVersion: v1
 metadata:
   name: dsp-trusted-ca-testdsp8
 data:
-  dsp-ca.crt: |
+  dsp-ca.crt: |-
     -----BEGIN CERTIFICATE-----
-    MIIFlTCCA32gAwIBAgIUQTPwwkR17jDrdIe4VqhzNQ6OY0swDQYJKoZIhvcNAQEL
+    MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL
     BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0
     MDMwNTAxMTExN1oXDTM0MDMwMzAxMTExN1owJjELMAkGA1UEBhMCWFgxFzAVBgNV
-    BAMMDioudGNwLm5ncm9rLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
-    AgEApZbmrvisGgN2XmPbWSD8A89g2CwUgqUIfd1yU6TyZMmvnP+c+xG6SzqDZkxI
-    oiQ0fierPuMyrp0Yv+mRBvYtZ+Rv4zZ8OASD5UGDblKa6U8EJvXEKa5K9rZsqYpW
-    MOaZv8M5/KAr8AkH4zmXvgGtsfNT6xvBxIhUexJmSRB5lRLtZZr7ea/XQiuzJYPr
-    2CqHitm6MUWLG74vKetRi9ZDaDxgcW78nhBwM2Ujh0qrSeb4QhEcHP3Lhom0WObd
-    te+ipK5fqqMSQl1mj5W6tKORIm256TbG+uHY8e3lsT2fnCVL/zgFGROr0NqNbies
-    90dH7i6Wr1yn74umJ1HNF5nXem1jaqYVhQWWBlTurSqkHtRpIE2OWygpM4IoSTu8
-    gbIaKJdexx9GN9ch/zQBeevsYT1Wb/wQVZUp4TgJJIq1fCAkz3yQNsojUwZqsAPT
-    worehTHFT20onAutnkGv0lgGQH9ur1Gm4VipWbBQTRCEhEKIFVDDkQtbPZwQBjl/
-    voj7O659pIuPsGW5HYWawTbdU4ymEP4672KLpIaDxJHnA9sJsz2ns2KgsUesjGdQ
-    SnlMoanph1kW+qFM4tMnHFTad3yz6TLL0Mp1ej8gUd1FnYHrVewVeFl83gRFKhqP
-    XZX/hl7SAYn1Bnc6OsFegtQukcJc+AqZBja+8k+xc8yWC38CAwEAAaOBujCBtzAf
-    BgNVHSMEGDAWgBQ4+5eH7tKVwoWbF1OQoLJq+U2KuzAJBgNVHRMEAjAAMGoGA1Ud
-    EQRjMGGCDHRjcC5uZ3Jvay5pb4IOKi50Y3Aubmdyb2suaW+CE21hcmlhZGIubWFy
-    aWFkYi5zdmOCIW1hcmlhZGIubWFyaWFkYi5zdmMuY2x1c3Rlci5sb2NhbIIJbG9j
-    YWxob3N0MB0GA1UdDgQWBBTJmuX3UrWQn6AKXAvkUw/h7g6PsjANBgkqhkiG9w0B
-    AQsFAAOCAgEAKk/pfGTH3xgQg5a+obLx9xkfYz0jwfr5+TiD+FTrNlIPZpvCiYYk
-    RWNjMyYqKpuEfHry6P9spgk28+wQx7CRSi+cGiiNSvPswI3Ww8KHJQoJzl2vPQYe
-    1OESU6es8ZACIXdPcILj8zXHNFvfUD0rt7r34zqGw5PNWKQJ8gurqP9ZcBHNq9xz
-    nPG1QTdA5gOzAXQeOa8rGpK0lODo/WkRlV7KXU5ss737HcljGz8KSVUhfgy8io5z
-    xaKnCy8trt8CdGNb/ysK+a7oKZSqAYcKASwYxCrS1zgS06uLC78WjnYbxta/gnlC
-    a0XIfQt2dM/7L+ZvIwg0PbbPzBJU5zwiXSL9AMzp1/1hjlG4v06UKjv4V1t0McFC
-    xEaLG3AyDx9HHxbAIn/lkQ12Tg38rn5R0OKVKZSAzT6THCULbHC0Q+EQW4c8/No2
-    gtZgaZfA9bUTtQRyxSxQJlWbm4c6KfQa5g+oGQ9BjPCFjPmEvN9SCWcvR/aZE/Uy
-    IRtueAdEz+FiXmVeaJd7BImvF6P6OVDP4zhfXh9NIq9vovVNlGReDGOsqPF0iW/7
-    bLJ7EOwHNhqMkYbBvXnZmfmXpJ24S93M6OmjdkJIUN8iWtjX0yg8FqEGoCfFv4ub
-    a6IRpmyHdJoUJ4icStKB2m3sdRy7Aj5meAYQCVefvZYIQq4rRz/0chs=
+    BAMMDnJoLWRzcC1kZXZzLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+    AgEAnCxNdQ0EUhswfu8/K6icQKc//2xpTvcp9Bn9QZ9UUy3f2UXv5hvd4W2PM/uX
+    FaZGoEzQsYagbjyuHDBxek8YOZvdRx9h7O+LLfN+DXeLbaY6tZ2AxNWwcaAmG0EH
+    nSDVORrk8/aZfFRoxgQigWyuK28YZn2SopjNyvOc8GkNjCFO4y7g4QuzWdGMgMIA
+    +whtt3EuYIwaRourKNFp4oR4InOVdPfuGezxbKRPcFfey1JEdTxGoWnHC+HDDMCf
+    R2vV8hAQB4fdvbOoz3+S7j7d8YiaFBK/P2us6Il5tsUw4kzhD2/OLzyERB7SloZk
+    NiIcSsU0USRGLb4/ybQsxu9UPIXUlKTK70HxIEIdPSPPMM84khIOuax0QXKORFHT
+    Ti9jgEfXjuX/2RPijQoCMDrqRQvDxExnTVMncqud6PeDxOWfvSG4oyZBr4HgNAap
+    wX7FWEY6SOH0e3GrH9ceI3afDO4A4YR+EE426GgHgYe8g4NTfD1D79+txmSY6VvV
+    MBwEvPo1LJVmvz23HBC60+e6Ld3WjwE+viOktt20R5Td3NPj7qcBlMDs105yiz+l
+    Ex1h/WDrAssETrelppg3Xgkkz+iY5RwiUB2BTzeiiDbN+AE6X+S5c61Izc2qAeH2
+    gVrvMDlAK6t6bQ696TzItdAs5SnXauxPjfwmK+F65SYy7z8CAwEAAaNTMFEwHQYD
+    VR0OBBYEFDj7l4fu0pXChZsXU5Cgsmr5TYq7MB8GA1UdIwQYMBaAFDj7l4fu0pXC
+    hZsXU5Cgsmr5TYq7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
+    AGr5DblOsH7JE9JM3M4p4eiXD40B/VIACEDMYJvyr6QjmcT8+XnHkiu7OV3OJV/G
+    S4NKhleBhfpaaP2ZPGO/vUTmqXwcK78jl0WEjPrMVjs1eDoSnUNi+KwFTBypIusD
+    gSEnICXa26v1CHCQG0QB+rUrIxJqjtq+bnlw/Ns1wxTYfZBFW1ykCJuMsekPo0pN
+    yTH1eWr0eSVWgljqHKaUjKbRRTSTWvk2Sewaq004W+6QOSb3nb1+GHVMov/Q6vsz
+    j6/3B7+7wybR80UTBI/1DfTlefQaOOgEPBjQZ92NXSxMKe2J7FPD+7NHvwTNzzVD
+    jg3cmW8pbtLEyxa+C+6EN8xnmklVfyzuzVsRJvrZvzYcOgLK2ji35oq9FYGXm0yH
+    HRpQPBFkcgNedD3qrJNYKkIBiAh2SSKKA+J8eP3uD9NUOScgl2aKVz/phU5rSDwt
+    NlhRuX8sS7q4gpL9qk4jWrMb8tNeN5nYRvmJj+Slf9sQSTfvukKo+2X8GpAecQNC
+    z6OeQyN+3C2zm4cLCHHWC0ZR/iHQyHIVKlFXznWe6qA64o4x1A0GurjVMAw0Pe0v
+    WBV3KJBsYK/wijtLeip1oKobU76oE0ML/bnhV10k6usvl4n8cDmcONo5FnGoT8Pk
+    80htx6w5fanMFu4MnoBeyJhhzNfg7ywJcc2VZSM27s2B
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL
+    BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0
+    MDMwNTAxMTExN1oXDTM0MDMwMzAxMTExN1owJjELMAkGA1UEBhMCWFgxFzAVBgNV
+    BAMMDnJoLWRzcC1kZXZzLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+    AgEAnCxNdQ0EUhswfu8/K6icQKc//2xpTvcp9Bn9QZ9UUy3f2UXv5hvd4W2PM/uX
+    FaZGoEzQsYagbjyuHDBxek8YOZvdRx9h7O+LLfN+DXeLbaY6tZ2AxNWwcaAmG0EH
+    nSDVORrk8/aZfFRoxgQigWyuK28YZn2SopjNyvOc8GkNjCFO4y7g4QuzWdGMgMIA
+    +whtt3EuYIwaRourKNFp4oR4InOVdPfuGezxbKRPcFfey1JEdTxGoWnHC+HDDMCf
+    R2vV8hAQB4fdvbOoz3+S7j7d8YiaFBK/P2us6Il5tsUw4kzhD2/OLzyERB7SloZk
+    NiIcSsU0USRGLb4/ybQsxu9UPIXUlKTK70HxIEIdPSPPMM84khIOuax0QXKORFHT
+    Ti9jgEfXjuX/2RPijQoCMDrqRQvDxExnTVMncqud6PeDxOWfvSG4oyZBr4HgNAap
+    wX7FWEY6SOH0e3GrH9ceI3afDO4A4YR+EE426GgHgYe8g4NTfD1D79+txmSY6VvV
+    MBwEvPo1LJVmvz23HBC60+e6Ld3WjwE+viOktt20R5Td3NPj7qcBlMDs105yiz+l
+    Ex1h/WDrAssETrelppg3Xgkkz+iY5RwiUB2BTzeiiDbN+AE6X+S5c61Izc2qAeH2
+    gVrvMDlAK6t6bQ696TzItdAs5SnXauxPjfwmK+F65SYy7z8CAwEAAaNTMFEwHQYD
+    VR0OBBYEFDj7l4fu0pXChZsXU5Cgsmr5TYq7MB8GA1UdIwQYMBaAFDj7l4fu0pXC
+    hZsXU5Cgsmr5TYq7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
+    AGr5DblOsH7JE9JM3M4p4eiXD40B/VIACEDMYJvyr6QjmcT8+XnHkiu7OV3OJV/G
+    S4NKhleBhfpaaP2ZPGO/vUTmqXwcK78jl0WEjPrMVjs1eDoSnUNi+KwFTBypIusD
+    gSEnICXa26v1CHCQG0QB+rUrIxJqjtq+bnlw/Ns1wxTYfZBFW1ykCJuMsekPo0pN
+    yTH1eWr0eSVWgljqHKaUjKbRRTSTWvk2Sewaq004W+6QOSb3nb1+GHVMov/Q6vsz
+    j6/3B7+7wybR80UTBI/1DfTlefQaOOgEPBjQZ92NXSxMKe2J7FPD+7NHvwTNzzVD
+    jg3cmW8pbtLEyxa+C+6EN8xnmklVfyzuzVsRJvrZvzYcOgLK2ji35oq9FYGXm0yH
+    HRpQPBFkcgNedD3qrJNYKkIBiAh2SSKKA+J8eP3uD9NUOScgl2aKVz/phU5rSDwt
+    NlhRuX8sS7q4gpL9qk4jWrMb8tNeN5nYRvmJj+Slf9sQSTfvukKo+2X8GpAecQNC
+    z6OeQyN+3C2zm4cLCHHWC0ZR/iHQyHIVKlFXznWe6qA64o4x1A0GurjVMAw0Pe0v
+    WBV3KJBsYK/wijtLeip1oKobU76oE0ML/bnhV10k6usvl4n8cDmcONo5FnGoT8Pk
+    80htx6w5fanMFu4MnoBeyJhhzNfg7ywJcc2VZSM27s2B
     -----END CERTIFICATE-----
diff --git a/controllers/testdata/tls/ca-bundle.crt b/controllers/testdata/tls/ca-bundle.crt
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL
+BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0
+MDMwNTAxMTExN1oXDTM0MDMwMzAxMTExN1owJjELMAkGA1UEBhMCWFgxFzAVBgNV
+BAMMDnJoLWRzcC1kZXZzLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+AgEAnCxNdQ0EUhswfu8/K6icQKc//2xpTvcp9Bn9QZ9UUy3f2UXv5hvd4W2PM/uX
+FaZGoEzQsYagbjyuHDBxek8YOZvdRx9h7O+LLfN+DXeLbaY6tZ2AxNWwcaAmG0EH
+nSDVORrk8/aZfFRoxgQigWyuK28YZn2SopjNyvOc8GkNjCFO4y7g4QuzWdGMgMIA
++whtt3EuYIwaRourKNFp4oR4InOVdPfuGezxbKRPcFfey1JEdTxGoWnHC+HDDMCf
+R2vV8hAQB4fdvbOoz3+S7j7d8YiaFBK/P2us6Il5tsUw4kzhD2/OLzyERB7SloZk
+NiIcSsU0USRGLb4/ybQsxu9UPIXUlKTK70HxIEIdPSPPMM84khIOuax0QXKORFHT
+Ti9jgEfXjuX/2RPijQoCMDrqRQvDxExnTVMncqud6PeDxOWfvSG4oyZBr4HgNAap
+wX7FWEY6SOH0e3GrH9ceI3afDO4A4YR+EE426GgHgYe8g4NTfD1D79+txmSY6VvV
+MBwEvPo1LJVmvz23HBC60+e6Ld3WjwE+viOktt20R5Td3NPj7qcBlMDs105yiz+l
+Ex1h/WDrAssETrelppg3Xgkkz+iY5RwiUB2BTzeiiDbN+AE6X+S5c61Izc2qAeH2
+gVrvMDlAK6t6bQ696TzItdAs5SnXauxPjfwmK+F65SYy7z8CAwEAAaNTMFEwHQYD
+VR0OBBYEFDj7l4fu0pXChZsXU5Cgsmr5TYq7MB8GA1UdIwQYMBaAFDj7l4fu0pXC
+hZsXU5Cgsmr5TYq7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
+AGr5DblOsH7JE9JM3M4p4eiXD40B/VIACEDMYJvyr6QjmcT8+XnHkiu7OV3OJV/G
+S4NKhleBhfpaaP2ZPGO/vUTmqXwcK78jl0WEjPrMVjs1eDoSnUNi+KwFTBypIusD
+gSEnICXa26v1CHCQG0QB+rUrIxJqjtq+bnlw/Ns1wxTYfZBFW1ykCJuMsekPo0pN
+yTH1eWr0eSVWgljqHKaUjKbRRTSTWvk2Sewaq004W+6QOSb3nb1+GHVMov/Q6vsz
+j6/3B7+7wybR80UTBI/1DfTlefQaOOgEPBjQZ92NXSxMKe2J7FPD+7NHvwTNzzVD
+jg3cmW8pbtLEyxa+C+6EN8xnmklVfyzuzVsRJvrZvzYcOgLK2ji35oq9FYGXm0yH
+HRpQPBFkcgNedD3qrJNYKkIBiAh2SSKKA+J8eP3uD9NUOScgl2aKVz/phU5rSDwt
+NlhRuX8sS7q4gpL9qk4jWrMb8tNeN5nYRvmJj+Slf9sQSTfvukKo+2X8GpAecQNC
+z6OeQyN+3C2zm4cLCHHWC0ZR/iHQyHIVKlFXznWe6qA64o4x1A0GurjVMAw0Pe0v
+WBV3KJBsYK/wijtLeip1oKobU76oE0ML/bnhV10k6usvl4n8cDmcONo5FnGoT8Pk
+80htx6w5fanMFu4MnoBeyJhhzNfg7ywJcc2VZSM27s2B
+-----END CERTIFICATE-----
diff --git a/controllers/util/util.go b/controllers/util/util.go
@@ -17,13 +17,12 @@ limitations under the License.
 package util
 
 import (
+	"github.com/opendatahub-io/data-science-pipelines-operator/controllers/config"
 	"os"
 	"path/filepath"
 
 	"context"
 	"crypto/x509"
-	"fmt"
-	"github.com/go-logr/logr"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -81,38 +80,45 @@ func IsX509UnknownAuthorityError(err error) bool {
 	return ok
 }
 
-// GetConfigMapValue fetches the value for the provided configmap mapped to a given key
-func GetConfigMapValue(ctx context.Context, cfgKey, cfgName, ns string, client client.Client, log logr.Logger) (error, string) {
+func GetConfigMap(ctx context.Context, cfgName, ns string, client client.Client) (*v1.ConfigMap, error) {
 	cfgMap := &v1.ConfigMap{}
 	namespacedName := types.NamespacedName{
 		Name:      cfgName,
 		Namespace: ns,
 	}
 	err := client.Get(ctx, namespacedName, cfgMap)
 	if err != nil {
-		return err, ""
+		return &v1.ConfigMap{}, err
 	}
+	return cfgMap, nil
+}
+
+// GetConfigMapValue fetches the value for the provided configmap mapped to a given key
+func GetConfigMapValue(cfgKey string, cfgMap *v1.ConfigMap) string {
 	if val, ok := cfgMap.Data[cfgKey]; ok {
-		return nil, val
+		return val
 	} else {
-		return fmt.Errorf("ConfigMap %s does not contain expected key %s", cfgName, cfgKey), ""
+		return ""
 	}
 }
 
 // GetConfigMapValues fetches the value for the provided configmap mapped to a given key
-func GetConfigMapValues(ctx context.Context, cfgName, ns string, client client.Client) (error, []string) {
-	cfgMap := &v1.ConfigMap{}
-	namespacedName := types.NamespacedName{
-		Name:      cfgName,
-		Namespace: ns,
-	}
-	err := client.Get(ctx, namespacedName, cfgMap)
-	if err != nil {
-		return err, []string{}
-	}
+func GetConfigMapValues(cfgMap *v1.ConfigMap) []string {
 	var values []string
 	for _, val := range cfgMap.Data {
 		values = append(values, val)
 	}
-	return nil, values
+	return values
+}
+
+func GetSystemCerts() ([]byte, error) {
+	sslCertFile := os.Getenv(config.DefaultSystemSSLCertFile)
+	if sslCertFile == "" {
+		sslCertFile = config.DefaultSystemSSLCertFilePath
+	}
+	data, err := os.ReadFile(sslCertFile)
+	if err != nil {
+		return []byte{}, err
+	}
+	return data, err
 }