Generate and share LTPA key (#533)

* Create Job to mount LTPA keys

* Mount shared ltpa.xml into Liberty pods

* Isolate the ltpa.keys file in dir and allow writes

* Fix Pod log buffer refresh

* Delete Liberty app if LTPA secret is not found

* Add RBAC and script for LTPA Job

* Remove RestConfig from wlapp controller

* Load LTPA script from fs, add resource version ENV

* Generate random password for ltpa keys file

* Add .spec.manageLTPA to enable LTPA key sharing

* Add comments

* Remove redundant spec update

* Fix keysFileName to use ${server.config.dir}

* Add indexed completion to LTPA Job

* Move LTPA code into one file, share keys across ns

* Update ltpa_keys_sharing.go

* Prevent deleting the LTPA Job

* Update create_ltpa_keys.sh

* Remove initContainer for loading LTPA keys

* Update ltpa_keys_sharing.go

* Add Job RBAC permissions

* Move create_ltpa_keys.sh script, add RBAC perm

* Fix naming/labels & don't delete LTPA xml w/ app

* Update status messages

* Restart LTPA keys generation on app image change

Author: kabicin

api/v1/webspherelibertyapplication_types.go

@@ -73,91 +73,95 @@ type WebSphereLibertyApplicationSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:order=8,type=spec,displayName="Expose",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	Expose *bool `json:"expose,omitempty"`
 
+	// Enable management of LTPA key sharing amongst Liberty containers. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=9,type=spec,displayName="Manage LTPA",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	ManageLTPA *bool `json:"manageLTPA,omitempty"`
+
 	// Enable management of TLS certificates. Defaults to true.
-	// +operator-sdk:csv:customresourcedefinitions:order=8,type=spec,displayName="Manage TLS",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	// +operator-sdk:csv:customresourcedefinitions:order=10,type=spec,displayName="Manage TLS",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	ManageTLS *bool `json:"manageTLS,omitempty"`
 
 	// Number of pods to create. Defaults to 1. Not applicable when .spec.autoscaling or .spec.createKnativeService is specified.
-	// +operator-sdk:csv:customresourcedefinitions:order=9,type=spec,displayName="Replicas",xDescriptors="urn:alm:descriptor:com.tectonic.ui:podCount"
+	// +operator-sdk:csv:customresourcedefinitions:order=11,type=spec,displayName="Replicas",xDescriptors="urn:alm:descriptor:com.tectonic.ui:podCount"
 	Replicas *int32 `json:"replicas,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=10,type=spec,displayName="Auto Scaling"
+	// +operator-sdk:csv:customresourcedefinitions:order=12,type=spec,displayName="Auto Scaling"
 	Autoscaling *WebSphereLibertyApplicationAutoScaling `json:"autoscaling,omitempty"`
 
 	// Resource requests and limits for the application container.
-	// +operator-sdk:csv:customresourcedefinitions:order=11,type=spec,displayName="Resource Requirements",xDescriptors="urn:alm:descriptor:com.tectonic.ui:resourceRequirements"
+	// +operator-sdk:csv:customresourcedefinitions:order=13,type=spec,displayName="Resource Requirements",xDescriptors="urn:alm:descriptor:com.tectonic.ui:resourceRequirements"
 	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=12,type=spec,displayName="Probes"
+	// +operator-sdk:csv:customresourcedefinitions:order=14,type=spec,displayName="Probes"
 	Probes *WebSphereLibertyApplicationProbes `json:"probes,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=13,type=spec,displayName="Deployment"
+	// +operator-sdk:csv:customresourcedefinitions:order=15,type=spec,displayName="Deployment"
 	Deployment *WebSphereLibertyApplicationDeployment `json:"deployment,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=14,type=spec,displayName="StatefulSet"
+	// +operator-sdk:csv:customresourcedefinitions:order=16,type=spec,displayName="StatefulSet"
 	StatefulSet *WebSphereLibertyApplicationStatefulSet `json:"statefulSet,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=15,type=spec,displayName="Service"
+	// +operator-sdk:csv:customresourcedefinitions:order=17,type=spec,displayName="Service"
 	Service *WebSphereLibertyApplicationService `json:"service,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=16,type=spec,displayName="Route"
+	// +operator-sdk:csv:customresourcedefinitions:order=18,type=spec,displayName="Route"
 	Route *WebSphereLibertyApplicationRoute `json:"route,omitempty"`
 
 	// Configures the Semeru Cloud Compiler to handle Just-In-Time (JIT) compilation requests from the application.
-	// +operator-sdk:csv:customresourcedefinitions:order=17,type=spec,displayName="Semeru Cloud Compiler"
+	// +operator-sdk:csv:customresourcedefinitions:order=19,type=spec,displayName="Semeru Cloud Compiler"
 	SemeruCloudCompiler *WebSphereLibertyApplicationSemeruCloudCompiler `json:"semeruCloudCompiler,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=18,type=spec,displayName="Network Policy"
+	// +operator-sdk:csv:customresourcedefinitions:order=20,type=spec,displayName="Network Policy"
 	NetworkPolicy *WebSphereLibertyApplicationNetworkPolicy `json:"networkPolicy,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=19,type=spec,displayName="Serviceability"
+	// +operator-sdk:csv:customresourcedefinitions:order=21,type=spec,displayName="Serviceability"
 	Serviceability *WebSphereLibertyApplicationServiceability `json:"serviceability,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=20,type=spec,displayName="Single Sign-On"
+	// +operator-sdk:csv:customresourcedefinitions:order=22,type=spec,displayName="Single Sign-On"
 	SSO *WebSphereLibertyApplicationSSO `json:"sso,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=21,type=spec,displayName="Monitoring"
+	// +operator-sdk:csv:customresourcedefinitions:order=23,type=spec,displayName="Monitoring"
 	Monitoring *WebSphereLibertyApplicationMonitoring `json:"monitoring,omitempty"`
 
 	// An array of environment variables for the application container.
 	// +listType=map
 	// +listMapKey=name
-	// +operator-sdk:csv:customresourcedefinitions:order=22,type=spec,displayName="Environment Variables"
+	// +operator-sdk:csv:customresourcedefinitions:order=24,type=spec,displayName="Environment Variables"
 	Env []corev1.EnvVar `json:"env,omitempty"`
 
 	// List of sources to populate environment variables in the application container.
 	// +listType=atomic
-	// +operator-sdk:csv:customresourcedefinitions:order=23,type=spec,displayName="Environment Variables from Sources"
+	// +operator-sdk:csv:customresourcedefinitions:order=25,type=spec,displayName="Environment Variables from Sources"
 	EnvFrom []corev1.EnvFromSource `json:"envFrom,omitempty"`
 
 	// Represents a volume with data that is accessible to the application container.
 	// +listType=map
 	// +listMapKey=name
-	// +operator-sdk:csv:customresourcedefinitions:order=24,type=spec,displayName="Volumes"
+	// +operator-sdk:csv:customresourcedefinitions:order=26,type=spec,displayName="Volumes"
 	Volumes []corev1.Volume `json:"volumes,omitempty"`
 
 	// Represents where to mount the volumes into the application container.
 	// +listType=atomic
-	// +operator-sdk:csv:customresourcedefinitions:order=25,type=spec,displayName="Volume Mounts"
+	// +operator-sdk:csv:customresourcedefinitions:order=27,type=spec,displayName="Volume Mounts"
 	VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty"`
 
 	// List of containers to run before other containers in a pod.
 	// +listType=map
 	// +listMapKey=name
-	// +operator-sdk:csv:customresourcedefinitions:order=26,type=spec,displayName="Init Containers"
+	// +operator-sdk:csv:customresourcedefinitions:order=28,type=spec,displayName="Init Containers"
 	InitContainers []corev1.Container `json:"initContainers,omitempty"`
 
 	// List of sidecar containers. These are additional containers to be added to the pods.
 	// +listType=map
 	// +listMapKey=name
-	// +operator-sdk:csv:customresourcedefinitions:order=27,type=spec,displayName="Sidecar Containers"
+	// +operator-sdk:csv:customresourcedefinitions:order=29,type=spec,displayName="Sidecar Containers"
 	SidecarContainers []corev1.Container `json:"sidecarContainers,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=28,type=spec,displayName="Affinity"
+	// +operator-sdk:csv:customresourcedefinitions:order=30,type=spec,displayName="Affinity"
 	Affinity *WebSphereLibertyApplicationAffinity `json:"affinity,omitempty"`
 
 	// Security context for the application container.
-	// +operator-sdk:csv:customresourcedefinitions:order=29,type=spec,displayName="Security Context"
+	// +operator-sdk:csv:customresourcedefinitions:order=31,type=spec,displayName="Security Context"
 	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 }
 
@@ -800,6 +804,11 @@ func (cr *WebSphereLibertyApplication) GetExpose() *bool {
 	return cr.Spec.Expose
 }
 
+// GetManageLTPA returns the LTPA key sharing status
+func (cr *WebSphereLibertyApplication) GetManageLTPA() *bool {
+	return cr.Spec.ManageLTPA
+}
+
 // GetManageTLS returns deployment's node and pod affinity settings
 func (cr *WebSphereLibertyApplication) GetManageTLS() *bool {
 	return cr.Spec.ManageTLS