WASdev · kabicin · Mar 19, 2025 · Mar 24, 2025 · Mar 25, 2025 · May 5, 2025
diff --git a/bundle/manifests/ibm-websphere-liberty.clusterserviceversion.yaml b/bundle/manifests/ibm-websphere-liberty.clusterserviceversion.yaml
@@ -1086,6 +1086,18 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - ""
+          resources:
+          - secrets
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - image.openshift.io
           resources:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -86,6 +86,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - image.openshift.io
   resources:

diff --git a/go.mod b/go.mod
@@ -3,15 +3,14 @@ module github.com/WASdev/websphere-liberty-operator
 go 1.24
 
 require (
-	github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250417153026-02cfbf34f67c
-	github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250417152956-6554621c89ab
+	github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250505185151-9968c73cb7cc
+	github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250502192232-9e8e8d1ebd27
 	github.com/cert-manager/cert-manager v1.14.7
 	github.com/go-logr/logr v1.4.1
 	github.com/openshift/api v0.0.0-20230928134114-673ed0cfc7f1
 	github.com/openshift/library-go v0.0.0-20231002074440-3f69f773d102
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0
-	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.29.5
 	k8s.io/apimachinery v0.29.5
 	k8s.io/client-go v0.29.5
@@ -69,6 +68,7 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.29.5 // indirect
 	k8s.io/component-base v0.29.5 // indirect

diff --git a/go.sum b/go.sum
@@ -2,10 +2,10 @@ contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d h
 contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d/go.mod h1:IshRmMJBhDfFj5Y67nVhMYTTIze91RUeT73ipWKs/GY=
 contrib.go.opencensus.io/exporter/prometheus v0.4.2 h1:sqfsYl5GIY/L570iT+l93ehxaWJs2/OwXtiWwew3oAg=
 contrib.go.opencensus.io/exporter/prometheus v0.4.2/go.mod h1:dvEHbiKmgvbr5pjaF9fpw1KeYcjrnC1J8B+JKjsZyRQ=
-github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250417153026-02cfbf34f67c h1:m+KMnwXnIawszaR40hMfKDLGKZ/6LhKbU4OFmC/17tI=
-github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250417153026-02cfbf34f67c/go.mod h1:Vuhp8dJFmkuaFCekwVRd9zRS19vrr7qJe8406nlXRBI=
-github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250417152956-6554621c89ab h1:UrCenySbY8pJJkwZe+xBNlGqdVn5TFvAW3OiyqXT3BU=
-github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250417152956-6554621c89ab/go.mod h1:AWpfq1fnI8tB4zVM7un+pTeTbasLVmjSlA55kXQGNGA=
+github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250505185151-9968c73cb7cc h1:YQ6grPY9Rkr65m05LffR9TsLuWkI4LXsOp8IL3/g8Eg=
+github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250505185151-9968c73cb7cc/go.mod h1:aZ6kbfmHPvnmVrNHujX/bMuLLGQLLaATIFbb2jbs+uc=
+github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250502192232-9e8e8d1ebd27 h1:bp+5vrK0Uz7lwK388ZO4X6QTnkFRxz0RUFnWVTertak=
+github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250502192232-9e8e8d1ebd27/go.mod h1:AWpfq1fnI8tB4zVM7un+pTeTbasLVmjSlA55kXQGNGA=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

diff --git a/internal/controller/assets/trace-decision-tree.yaml b/internal/controller/assets/trace-decision-tree.yaml
@@ -0,0 +1,7 @@
+# This file enables resource sharing for day-2 operation Trace CR instances that share the same name
+#
+# '*' wildcard will map to a list of strings generated from the leader tracker at runtime
+tree:
+  v1_4_2:
+    name: "*"
+replace: {}
diff --git a/internal/controller/assets/trace-signature.yaml b/internal/controller/assets/trace-signature.yaml
@@ -0,0 +1,4 @@
+apiVersion: liberty.websphere.ibm.com/v1
+kind: WebSphereLibertyTrace
+name: "{0}"
+rootName: "" # empty root name is used because pod names are determined by the cluster
diff --git a/internal/controller/ltpa_keys_sharing.go b/internal/controller/ltpa_keys_sharing.go
diff --git a/internal/controller/ltpa_keys_sharing_test.go b/internal/controller/ltpa_keys_sharing_test.go
diff --git a/internal/controller/password_encryption_key_sharing.go b/internal/controller/password_encryption_key_sharing.go
@@ -23,6 +23,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/OpenLiberty/open-liberty-operator/utils/leader"
 	tree "github.com/OpenLiberty/open-liberty-operator/utils/tree"
 	wlv1 "github.com/WASdev/websphere-liberty-operator/api/v1"
 	lutils "github.com/WASdev/websphere-liberty-operator/utils"
@@ -36,12 +37,12 @@ import (
 const PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME = "password-encryption"
 
 func init() {
-	lutils.LeaderTrackerMutexes.Store(PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, &sync.Mutex{})
+	leader.LeaderTrackerMutexes.Store(PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, &sync.Mutex{})
 }
 
-func (r *ReconcileWebSphereLiberty) reconcilePasswordEncryptionKey(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *lutils.PasswordEncryptionMetadata) (string, string, string, error) {
+func (r *ReconcileWebSphereLiberty) reconcilePasswordEncryptionKey(rsf tree.ResourceSharingFactory, baseRSF tree.ResourceSharingFactoryBase, instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *leader.PasswordEncryptionMetadata) (string, string, string, error) {
 	if r.isPasswordEncryptionKeySharingEnabled(instance) {
-		leaderName, thisInstanceIsLeader, _, err := r.reconcileLeader(instance, passwordEncryptionMetadata, PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, true)
+		leaderName, thisInstanceIsLeader, _, err := tree.ReconcileLeader(rsf, OperatorName, OperatorShortName, instance.GetName(), instance.GetNamespace(), passwordEncryptionMetadata, PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, true)
 		if err != nil && !kerrors.IsNotFound(err) {
 			return "", "", "", err
 		}
@@ -76,21 +77,21 @@ func (r *ReconcileWebSphereLiberty) reconcilePasswordEncryptionKey(instance *wlv
 			return "Failed to get the password encryption key Secret", "", "", err
 		}
 	} else {
-		err := r.RemoveLeaderTrackerReference(instance, PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME)
+		err := tree.RemoveLeaderTrackerReference(baseRSF, instance.GetName(), instance.GetNamespace(), OperatorName, OperatorShortName, PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME)
 		if err != nil {
 			return "Failed to remove leader tracking reference to the password encryption key", "", "", err
 		}
 	}
 	return "", "", "", nil
 }
 
-func (r *ReconcileWebSphereLiberty) reconcilePasswordEncryptionMetadata(treeMap map[string]interface{}, latestOperandVersion string) (lutils.LeaderTrackerMetadataList, error) {
-	metadataList := &lutils.PasswordEncryptionMetadataList{}
-	metadataList.Items = []lutils.LeaderTrackerMetadata{}
+func (r *ReconcileWebSphereLiberty) reconcilePasswordEncryptionMetadata(treeMap map[string]interface{}, latestOperandVersion string) (leader.LeaderTrackerMetadataList, error) {
+	metadataList := &leader.PasswordEncryptionMetadataList{}
+	metadataList.Items = []leader.LeaderTrackerMetadata{}
 
 	pathOptionsList, pathChoicesList := r.getPasswordEncryptionPathOptionsAndChoices(latestOperandVersion)
 	for i := range pathOptionsList {
-		metadata := &lutils.PasswordEncryptionMetadata{}
+		metadata := &leader.PasswordEncryptionMetadata{}
 		pathOptions := pathOptionsList[i]
 		pathChoices := pathChoicesList[i]
 
@@ -112,12 +113,12 @@ func (r *ReconcileWebSphereLiberty) reconcilePasswordEncryptionMetadata(treeMap
 		// Uncomment code below to extend to multiple password encryption keys per namespace. See ltpa_keys_sharing.go for an example.
 
 		// // retrieve the password encryption leader tracker to re-use an existing name or to create a new metadata.Name
-		// leaderTracker, _, err := lutils.GetLeaderTracker(instance, OperatorShortName, PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, r.GetClient())
+		// leaderTracker, _, err := lutils.GetLeaderTracker(instance.GetNamespace(), OperatorShortName, PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, r.GetClient())
 		// if err != nil {
 		// 	return metadataList, err
 		// }
 		// // if the leaderTracker is on a mismatched version, wait for a subsequent reconcile loop to re-create the leader tracker
-		// if leaderTracker.Labels[lutils.LeaderVersionLabel] != latestOperandVersion {
+		// if leaderTracker.Labels[leader.GetLeaderVersionLabel(lutils.LibertyURI)] != latestOperandVersion {
 		// 	return metadataList, fmt.Errorf("waiting for the Leader Tracker to be updated")
 		// }
 
@@ -160,15 +161,15 @@ func (r *ReconcileWebSphereLiberty) isPasswordEncryptionKeySharingEnabled(instan
 	return instance.GetManagePasswordEncryption() != nil && *instance.GetManagePasswordEncryption()
 }
 
-func (r *ReconcileWebSphereLiberty) isUsingPasswordEncryptionKeySharing(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *lutils.PasswordEncryptionMetadata) bool {
+func (r *ReconcileWebSphereLiberty) isUsingPasswordEncryptionKeySharing(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *leader.PasswordEncryptionMetadata) bool {
 	if r.isPasswordEncryptionKeySharingEnabled(instance) {
 		_, err := r.hasUserEncryptionKeySecret(instance, passwordEncryptionMetadata)
 		return err == nil
 	}
 	return false
 }
 
-func (r *ReconcileWebSphereLiberty) getInternalPasswordEncryptionKeyState(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *lutils.PasswordEncryptionMetadata) (string, string, bool, error) {
+func (r *ReconcileWebSphereLiberty) getInternalPasswordEncryptionKeyState(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *leader.PasswordEncryptionMetadata) (string, string, bool, error) {
 	if !r.isPasswordEncryptionKeySharingEnabled(instance) {
 		return "", "", false, nil
 	}
@@ -189,16 +190,16 @@ func (r *ReconcileWebSphereLiberty) getInternalPasswordEncryptionKeyState(instan
 }
 
 // Returns the Secret that contains the password encryption key used internally by the operator
-func (r *ReconcileWebSphereLiberty) hasInternalEncryptionKeySecret(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *lutils.PasswordEncryptionMetadata) (*corev1.Secret, error) {
+func (r *ReconcileWebSphereLiberty) hasInternalEncryptionKeySecret(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *leader.PasswordEncryptionMetadata) (*corev1.Secret, error) {
 	return r.getSecret(instance, lutils.LocalPasswordEncryptionKeyRootName+passwordEncryptionMetadata.Name+"-internal")
 }
 
 // Returns the Secret that contains the password encryption key provided by the user
-func (r *ReconcileWebSphereLiberty) hasUserEncryptionKeySecret(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *lutils.PasswordEncryptionMetadata) (*corev1.Secret, error) {
+func (r *ReconcileWebSphereLiberty) hasUserEncryptionKeySecret(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *leader.PasswordEncryptionMetadata) (*corev1.Secret, error) {
 	return r.getSecret(instance, lutils.PasswordEncryptionKeyRootName+passwordEncryptionMetadata.Name)
 }
 
-func (r *ReconcileWebSphereLiberty) encryptionKeySecretMirrored(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *lutils.PasswordEncryptionMetadata) bool {
+func (r *ReconcileWebSphereLiberty) encryptionKeySecretMirrored(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *leader.PasswordEncryptionMetadata) bool {
 	userEncryptionSecret, err := r.hasUserEncryptionKeySecret(instance, passwordEncryptionMetadata)
 	if err != nil {
 		return false
@@ -212,7 +213,7 @@ func (r *ReconcileWebSphereLiberty) encryptionKeySecretMirrored(instance *wlv1.W
 	return userPasswordEncryptionKey != "" && internalPasswordEncryptionKey == userPasswordEncryptionKey
 }
 
-func (r *ReconcileWebSphereLiberty) mirrorEncryptionKeySecretState(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *lutils.PasswordEncryptionMetadata) error {
+func (r *ReconcileWebSphereLiberty) mirrorEncryptionKeySecretState(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *leader.PasswordEncryptionMetadata) error {
 	userEncryptionSecret, userEncryptionSecretErr := r.hasUserEncryptionKeySecret(instance, passwordEncryptionMetadata)
 	// Error if there was an issue getting the userEncryptionSecret
 	if userEncryptionSecretErr != nil && !kerrors.IsNotFound(userEncryptionSecretErr) {
@@ -255,7 +256,7 @@ func (r *ReconcileWebSphereLiberty) mirrorEncryptionKeySecretState(instance *wlv
 }
 
 // Deletes the mirrored encryption key secret if the initial encryption key secret no longer exists
-func (r *ReconcileWebSphereLiberty) deleteMirroredEncryptionKeySecret(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *lutils.PasswordEncryptionMetadata) error {
+func (r *ReconcileWebSphereLiberty) deleteMirroredEncryptionKeySecret(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *leader.PasswordEncryptionMetadata) error {
 	_, userEncryptionSecretErr := r.hasUserEncryptionKeySecret(instance, passwordEncryptionMetadata)
 	// Error if there was an issue getting the userEncryptionSecret
 	if userEncryptionSecretErr != nil && !kerrors.IsNotFound(userEncryptionSecretErr) {
@@ -285,7 +286,7 @@ func (r *ReconcileWebSphereLiberty) getSecret(instance *wlv1.WebSphereLibertyApp
 }
 
 // Creates the Liberty XML to mount the password encryption keys Secret into the application pods
-func (r *ReconcileWebSphereLiberty) createPasswordEncryptionKeyLibertyConfig(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *lutils.PasswordEncryptionMetadata, encryptionKey string) error {
+func (r *ReconcileWebSphereLiberty) createPasswordEncryptionKeyLibertyConfig(instance *wlv1.WebSphereLibertyApplication, passwordEncryptionMetadata *leader.PasswordEncryptionMetadata, encryptionKey string) error {
 	if len(encryptionKey) == 0 {
 		return fmt.Errorf("a password encryption key was not specified")
 	}
@@ -328,11 +329,11 @@ func (r *ReconcileWebSphereLiberty) createPasswordEncryptionKeyLibertyConfig(ins
 
 // Tracks existing password encryption resources by populating a LeaderTracker array used to initialize the LeaderTracker
 func (r *ReconcileWebSphereLiberty) GetPasswordEncryptionResources(instance *wlv1.WebSphereLibertyApplication, treeMap map[string]interface{}, replaceMap map[string]map[string]string, latestOperandVersion string, assetsFolder *string) (*unstructured.UnstructuredList, string, error) {
-	passwordEncryptionResources, _, err := lutils.CreateUnstructuredResourceListFromSignature(PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, assetsFolder, "") // TODO: replace prefix "" to specify operator precedence such as with prefix "wlo-"
+	passwordEncryptionResources, _, err := leader.CreateUnstructuredResourceListFromSignature(PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, assetsFolder, "") // TODO: replace prefix "" to specify operator precedence such as with prefix "wlo-"
 	if err != nil {
 		return nil, "", err
 	}
-	passwordEncryptionResource, passwordEncryptionResourceName, err := lutils.CreateUnstructuredResourceFromSignature(PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, assetsFolder, "", "") // TODO: replace prefix "" to specify operator precedence such as with prefix "wlo-"
+	passwordEncryptionResource, passwordEncryptionResourceName, err := leader.CreateUnstructuredResourceFromSignature(PASSWORD_ENCRYPTION_RESOURCE_SHARING_FILE_NAME, assetsFolder, "", "") // TODO: replace prefix "" to specify operator precedence such as with prefix "wlo-"
 	if err != nil {
 		return nil, "", err
 	}