fix: Use the merged DevWorkspaceOperatorConfig instead of only the global config to initialize HTTP clients

[tolusha]

What does this PR do?

• This PR changes the HTTP client initialization to use the merged DevWorkspaceOperatorConfig instead of only the global config.
• Set 5 sec timeout for HTTP client

What issues does this PR fix or reference?

eclipse-che/che#23870
eclipse-che/che-operator#2137

Is it tested? How?

Followed eclipse-che/che-operator#2137

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tolusha
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tolusha]

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

• /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
• /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
• /che-ai-assistant help — Show this help message

[tolusha]

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

[tolusha]

Code Review Summary

I've completed a comprehensive review (standard, deep, and impact analysis) of this PR. Overall, this is well-designed code with excellent test coverage and thoughtful security considerations. The PR successfully addresses the stated issue (eclipse-che/che#23870) by enabling namespace-level TLS certificate configuration.

Key Highlights:

• ✅ Well-designed HttpClientsHolder interface with clean separation of concerns
• ✅ Smart rebuild optimization to avoid unnecessary HTTP client recreation
• ✅ Correct cert pool handling (cloning before mutation)
• ✅ Thorough test coverage with 8 test cases
• ✅ Good security documentation (InsecureSkipVerify scope clearly noted)
• ✅ Response body leak fix in status.go

Areas for Discussion:
I've posted inline comments on a few operational concerns and suggestions for improvement. The two main items worth discussing are:

1. New 5-second timeout - This is a behavioral change that improves safety but could affect slow proxy environments
2. Certificate parsing log level - Currently at debug level, production users won't see parse failures

Neither is a blocker, but both affect production observability and behavior.

See inline comments for details and additional suggestions.

[tolusha]

httpClientsHolder is a single global variable, but ConfigureHttpClients is called per-workspace with that workspace's merged config. If two namespaces have different proxy or cert settings in their namespace-specific DWOCs, concurrent reconciliations will overwrite each other's HTTP client configuration.

This is acceptable for the immediate use case (single Che deployment), but could cause subtle issues in multi-tenant deployments. Consider adding a brief comment on the global variable noting this limitation to help future maintainers understand the design boundary.