Merge pull request #362 from gnsuryan/main

Outbound Access and Azure Security Fixes for WLS on AKS Offer

Author: rjeberhard

weblogic-azure-aks/src/main/arm/scripts/buildWLSDockerImage.sh

@@ -8,14 +8,14 @@ function echo_stderr() {
     echo "$@" >&2
 }
 
-# read <azureACRPassword> and <ocrSSOPSW> from stdin
+# read <azureACRShibboleth> and <ocrSSOShibboleth> from stdin
 function read_sensitive_parameters_from_stdin() {
-    read azureACRPassword ocrSSOPSW
+    read azureACRShibboleth ocrSSOShibboleth
 }
 
 #Function to display usage message
 function usage() {
-    echo "<azureACRPassword> <ocrSSOPSW> | ./buildWLSDockerImage.sh <wlsImagePath> <azureACRServer> <azureACRUserName> <imageTag> <appPackageUrls> <ocrSSOUser> <wlsClusterSize> <enableSSL> <enableAdminT3Tunneling> <enableClusterT3Tunneling> <dbDriversUrls>"
+    echo "<azureACRShibboleth> <ocrSSOShibboleth> | ./buildWLSDockerImage.sh <wlsImagePath> <azureACRServer> <azureACRUserName> <imageTag> <appPackageUrls> <ocrSSOUser> <wlsClusterSize> <enableSSL> <enableAdminT3Tunneling> <enableClusterT3Tunneling> <dbDriversUrls>"
     if [ $1 -eq 1 ]; then
         exit 1
     fi
@@ -51,8 +51,8 @@ function validate_inputs() {
         usage 1
     fi
 
-    if [ -z "$azureACRPassword" ]; then
-        echo_stderr "azureACRPassword is required. "
+    if [ -z "$azureACRShibboleth" ]; then
+        echo_stderr "azureACRShibboleth is required. "
         usage 1
     fi
 
@@ -71,8 +71,8 @@ function validate_inputs() {
         usage 1
     fi
 
-    if [[ "${useOracleImage,,}" == "${constTrue}" ]] && [ -z "$ocrSSOPSW" ]; then
-        echo_stderr "ocrSSOPSW is required. "
+    if [[ "${useOracleImage,,}" == "${constTrue}" ]] && [ -z "$ocrSSOShibboleth" ]; then
+        echo_stderr "ocrSSOShibboleth is required. "
         usage 1
     fi
 
@@ -334,17 +334,17 @@ function install_db_drivers() {
 # Pull weblogic image
 function get_wls_image_from_ocr() {
     sudo docker logout
-    sudo docker login ${ocrLoginServer} -u ${ocrSSOUser} -p ${ocrSSOPSW}
-    echo "Start to pull oracle image ${wlsImagePath}  ${ocrLoginServer} ${ocrSSOUser} ${ocrSSOPSW}"
+    sudo docker login ${ocrLoginServer} -u ${ocrSSOUser} -p ${ocrSSOShibboleth}
+    echo "Start to pull oracle image ${wlsImagePath}  ${ocrLoginServer} ${ocrSSOUser} ${ocrSSOShibboleth}"
     sudo docker pull -q ${wlsImagePath}
     validate_status "Finish pulling image from OCR."
 }
 
 # Get user provided image
 function get_user_provided_wls_image_from_acr() {
     sudo docker logout
-    sudo docker login ${azureACRServer} -u ${azureACRUserName} -p ${azureACRPassword}
-    echo "Start to pull user provided image ${wlsImagePath} ${azureACRServer} ${azureACRUserName} ${azureACRPassword}"
+    sudo docker login ${azureACRServer} -u ${azureACRUserName} -p ${azureACRShibboleth}
+    echo "Start to pull user provided image ${wlsImagePath} ${azureACRServer} ${azureACRUserName} ${azureACRShibboleth}"
     sudo docker pull -q ${wlsImagePath}
     validate_status "Finish pulling image from OCR."
 }
@@ -426,7 +426,7 @@ function build_wls_image() {
 
     # Push image to ACR
     sudo docker logout
-    sudo docker login $azureACRServer -u ${azureACRUserName} -p ${azureACRPassword}
+    sudo docker login $azureACRServer -u ${azureACRUserName} -p ${azureACRShibboleth}
     echo "Start pushing image ${acrImagePath} to $azureACRServer."
     sudo docker push -q ${acrImagePath}
     validate_status "Check status of pushing WLS domain image."

weblogic-azure-aks/src/main/arm/scripts/createVMAndBuildImage.sh

@@ -6,9 +6,9 @@
 
 echo "Script  ${0} starts"
 
-# read <acrPassword> from stdin
+# read <acrShibboleth> from stdin
 function read_sensitive_parameters_from_stdin() {
-    read acrPassword
+    read acrShibboleth
 }
 
 function cleanup_vm() {
@@ -53,11 +53,20 @@ function cleanup_vm() {
 | where resourceGroup  =~ '${CURRENT_RESOURCEGROUP_NAME}' \
 | project nsgId = id" --query "data[0].nsgId" -o tsv)
 
+    #query public ip id
+    publicIpId=$(az graph query -q "Resources \
+| where type =~ 'Microsoft.Network/publicIPAddresses' \
+| where name =~ '${vmName}PublicIP' \
+| where resourceGroup =~ '${CURRENT_RESOURCEGROUP_NAME}' \
+| project publicIpId = id" --query "data[0].publicIpId" -o tsv)
+
     # Delete VM NIC IP VNET NSG resoruces
     echo "deleting vm ${vmId}"
     az vm delete --ids $vmId --yes
     echo "deleting nic ${nicId}"
     az network nic delete --ids ${nicId}
+    echo "deleting public ip ${publicIpId}"
+    az network public-ip delete --ids $publicIpId
     echo "deleting disk ${osDiskId}"
     az disk delete --yes --ids ${osDiskId}
     echo "deleting vnet ${vnetId}"
@@ -119,6 +128,8 @@ function build_docker_image() {
     export TAG_VM=$(echo "${TAG_VM}" \
         | jq -r 'to_entries | map("\"" + .key + "\"=" + (if .value|type == "string" then "\"\(.value)\"" else "\(.value)" end)) | join(" ")')
 
+    publicIPName="${vmName}PublicIP"
+
     # MICROSOFT_INTERNAL
     # Specify tag 'SkipASMAzSecPack' to skip policy 'linuxazuresecuritypackautodeployiaas_1.6'
     # Specify tag 'SkipNRMS*' to skip Microsoft internal NRMS policy, which causes vm-redeployed issue
@@ -132,7 +143,7 @@ function build_docker_image() {
     --enable-agent true \
     --vnet-name ${vmName}VNET \
     --enable-auto-update false \
-    --public-ip-address "" \
+    --public-ip-address ${publicIPName} \
     --size ${vmSize} \
     --tags ${TAG_VM} SkipASMAzSecPack=true SkipNRMSCorp=true SkipNRMSDatabricks=true SkipNRMSDB=true SkipNRMSHigh=true SkipNRMSMedium=true SkipNRMSRDPSSH=true SkipNRMSSAW=true SkipNRMSMgmt=true --verbose
 
@@ -153,7 +164,7 @@ function build_docker_image() {
         --publisher Microsoft.Azure.Extensions \
         --version 2.0 \
         --settings "{ \"fileUris\": [\"${SCRIPT_LOCATION}model.properties\",\"${SCRIPT_LOCATION}genImageModel.sh\",\"${SCRIPT_LOCATION}buildWLSDockerImage.sh\",\"${SCRIPT_LOCATION}common.sh\"]}" \
-        --protected-settings "{\"commandToExecute\":\"echo ${acrPassword} ${ORACLE_ACCOUNT_PASSWORD} | bash buildWLSDockerImage.sh ${wlsImagePath} ${acrLoginServer} ${acrUser} ${newImageTag} ${WLS_APP_PACKAGE_URLS} ${ORACLE_ACCOUNT_NAME} ${WLS_CLUSTER_SIZE} ${ENABLE_CUSTOM_SSL} ${ENABLE_ADMIN_CUSTOM_T3} ${ENABLE_CLUSTER_CUSTOM_T3} ${USE_ORACLE_IMAGE} ${URL_3RD_DATASOURCE} ${ENABLE_PASSWORDLESS_DB_CONNECTION} ${DB_TYPE} ${CPU_PLATFORM} \"}"
+        --protected-settings "{\"commandToExecute\":\"echo ${acrShibboleth} ${ORACLE_ACCOUNT_SHIBBOLETH} | bash buildWLSDockerImage.sh ${wlsImagePath} ${acrLoginServer} ${acrUser} ${newImageTag} ${WLS_APP_PACKAGE_URLS} ${ORACLE_ACCOUNT_NAME} ${WLS_CLUSTER_SIZE} ${ENABLE_CUSTOM_SSL} ${ENABLE_ADMIN_CUSTOM_T3} ${ENABLE_CLUSTER_CUSTOM_T3} ${USE_ORACLE_IMAGE} ${URL_3RD_DATASOURCE} ${ENABLE_SHIBBOLETHLESS_DB_CONNECTION} ${DB_TYPE} ${CPU_PLATFORM} \"}"
 
     cleanup_vm
 }

weblogic-azure-aks/src/main/arm/scripts/dbUtility.sh

@@ -16,7 +16,7 @@ function generate_ds_model() {
         databaseDriver=${driverMySQL}
         databaseTestTableName=${testTableMySQL}
 
-        if [[ "${ENABLE_PASSWORDLESS_CONNECTION,,}" == "true" ]]; then
+        if [[ "${ENABLE_SHIBBOLETHLESS_CONNECTION,,}" == "true" ]]; then
             databaseDriver=${driverMySQLCj}
         fi
     elif [[ "${DATABASE_TYPE}" == "${dbTypeOthers}" ]]; then
@@ -101,7 +101,7 @@ function create_datasource_secret() {
     echo "create/update secret ${dbSecretName} for ${JDBC_DATASOURCE_NAME}"
     kubectl -n ${domainNamespace} create secret generic \
         ${dbSecretName} \
-        --from-literal=password="${DB_PASSWORD}" \
+        --from-literal=password="${DB_SHIBBOLETH}" \
         --from-literal=url="${DB_CONNECTION_STRING}" \
         --from-literal=user="${DB_USER}"
 

weblogic-azure-aks/src/main/arm/scripts/genDomainConfig.sh

@@ -19,7 +19,7 @@ if [[ "${DB_TYPE}" == "mysql" ]]; then
   preClassPath="/u01/domains/${WLS_DOMAIN_UID}/wlsdeploy/${constPreclassDirectoryName}/*:"
 fi
 
-if [[ "${ENABLE_PASSWORDLESS_DB_CONNECTION,,}" == "true" ]] && [[ "${DB_TYPE}" == "mysql" || "${DB_TYPE}" == "postgresql" ]]; then
+if [[ "${ENABLE_SHIBBOLETHLESS_DB_CONNECTION,,}" == "true" ]] && [[ "${DB_TYPE}" == "mysql" || "${DB_TYPE}" == "postgresql" ]]; then
   # append jackson libraries to pre-classpath to upgrade existing libs in GA images
   preClassPath="${preClassPath}/u01/domains/${WLS_DOMAIN_UID}/wlsdeploy/classpathLibraries/jackson/*"
   classPath="${classPath}:/u01/domains/${WLS_DOMAIN_UID}/wlsdeploy/classpathLibraries/azureLibraries/*"
@@ -182,7 +182,7 @@ cat <<EOF >>$filePath
 EOF
 
 # enable db pod identity, all of the selector of pod identities are "db-pod-idenity"
-if [[ "${ENABLE_PASSWORDLESS_DB_CONNECTION,,}" == "true" ]]; then
+if [[ "${ENABLE_SHIBBOLETHLESS_DB_CONNECTION,,}" == "true" ]]; then
     cat <<EOF >>$filePath
     labels:
       aadpodidbinding: "${constDbPodIdentitySelector}"
@@ -258,4 +258,4 @@ spec:
   # The number of managed servers to start for this cluster
   replicas: 2
 
-EOF
+EOF

weblogic-azure-aks/src/main/arm/scripts/inline-scripts/enablePrometheusMetrics.sh

@@ -29,7 +29,7 @@ function enable_promethues_metrics(){
 # https://learn.microsoft.com/en-us/azure/azure-monitor/containers/prometheus-metrics-scrape-configuration
 function deploy_customize_scraping(){
     # https://learn.microsoft.com/en-us/azure/azure-monitor/containers/prometheus-metrics-scrape-configuration?tabs=CRDConfig%2CCRDScrapeConfig#basic-authentication
-    local wlsPswBase64=$(echo -n "${WLS_ADMIN_PASSWORD}" | base64)
+    local wlsShibbolethBase64=$(echo -n "${WLS_ADMIN_SHIBBOLETH}" | base64)
     cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Secret
@@ -38,7 +38,7 @@ metadata:
   namespace: kube-system
 type: Opaque
 data:
-  password1: ${wlsPswBase64}
+  password1: ${wlsShibbolethBase64}
 EOF
 
     #create scrape config file

weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh

@@ -4,21 +4,21 @@
 #
 # env inputs:
 # ORACLE_ACCOUNT_NAME
-# ORACLE_ACCOUNT_PASSWORD
+# ORACLE_ACCOUNT_SHIBBOLETH
 # ACR_NAME
 # AKS_CLUSTER_NAME
 # AKS_CLUSTER_RESOURCEGROUP_NAME
 # BASE64_FOR_SERVICE_PRINCIPAL
 # WLS_SSL_IDENTITY_DATA
-# WLS_SSL_IDENTITY_PASSWORD
+# WLS_SSL_IDENTITY_SHIBBOLETH
 # WLS_SSL_IDENTITY_TYPE
 # WLS_SSL_TRUST_DATA
-# WLS_SSL_TRUST_PASSWORD
+# WLS_SSL_TRUST_SHIBBOLETH
 # WLS_SSL_TRUST_TYPE
 # WLS_SSL_PRIVATE_KEY_ALIAS
-# WLS_SSL_PRIVATE_KEY_PASSWORD
+# WLS_SSL_PRIVATE_KEY_SHIBBOLETH
 # APPLICATION_GATEWAY_SSL_FRONTEND_CERT_DATA
-# APPLICATION_GATEWAY_SSL_FRONTEND_CERT_PASSWORD
+# APPLICATION_GATEWAY_SSL_FRONTEND_CERT_SHIBBOLETH
 # DNS_ZONE_NAME
 # DNS_ZONE_RESOURCEGROUP_NAME
 # AKS_VERSION
@@ -137,9 +137,9 @@ function validate_memory_resources() {
 
 function validate_ocr_account() {
   # ORACLE_ACCOUNT_NAME
-  # ORACLE_ACCOUNT_PASSWORD
+  # ORACLE_ACCOUNT_SHIBBOLETH
   docker logout
-  echo "${ORACLE_ACCOUNT_PASSWORD}" | docker login ${ocrLoginServer} -u ${ORACLE_ACCOUNT_NAME} --password-stdin
+  echo "${ORACLE_ACCOUNT_SHIBBOLETH}" | docker login ${ocrLoginServer} -u ${ORACLE_ACCOUNT_NAME} --password-stdin
   validate_status "login OCR with user ${ORACLE_ACCOUNT_NAME}"
 
   echo_stdout "Check OCR account: passed!"
@@ -184,10 +184,10 @@ function obtain_image_architecture() {
       # Use the docker manifest inspect command to get the architecture.
       # https://learn.microsoft.com/en-us/azure/container-registry/push-multi-architecture-images
       local acrUserName=$(az acr credential show -n ${acrName} --query "username" | tr -d "\"")
-      local acrPassword=$(az acr credential show -n ${acrName} --query "passwords[0].value" | tr -d "\"")
+      local acrShibboleth=$(az acr credential show -n ${acrName} --query "passwords[0].value" | tr -d "\"")
       local acrServer="${acrName}.azurecr.io"
 
-      docker login ${acrServer} -u ${acrUserName} -p ${acrPassword}
+      docker login ${acrServer} -u ${acrUserName} -p ${acrShibboleth}
       local ret=$(docker manifest inspect ${imageUri} | jq '.manifests[] | .platform.architecture')
 
       if [[ $ret == *"${constX86Platform}"* && $ret == *"${constARM64Platform}"* ]]; then
@@ -239,7 +239,7 @@ function validate_ocr_image() {
     --resource-group ${ACR_RESOURCE_GROUP} \
     --source ${ocrImageFullPath} \
     -u ${ORACLE_ACCOUNT_NAME} \
-    -p ${ORACLE_ACCOUNT_PASSWORD} \
+    -p ${ORACLE_ACCOUNT_SHIBBOLETH} \
     --image ${tmpImagePath} \
     --only-show-errors
 
@@ -354,7 +354,7 @@ function validate_wls_ssl_certificates() {
   #validate if identity keystore has entry
   ${JAVA_HOME}/bin/keytool -list -v \
       -keystore $wlsIdentityKeyStoreFileName \
-      -storepass $WLS_SSL_IDENTITY_PASSWORD \
+      -storepass $WLS_SSL_IDENTITY_SHIBBOLETH \
       -storetype $WLS_SSL_IDENTITY_TYPE |
       grep 'Entry type:' |
       grep 'PrivateKeyEntry'
@@ -364,7 +364,7 @@ function validate_wls_ssl_certificates() {
   #validate if trust keystore has entry
   ${JAVA_HOME}/bin/keytool -list -v \
       -keystore ${wlsTrustKeyStoreFileName} \
-      -storepass $WLS_SSL_TRUST_PASSWORD \
+      -storepass $WLS_SSL_TRUST_SHIBBOLETH \
       -storetype $WLS_SSL_TRUST_TYPE |
       grep 'Entry type:' |
       grep 'trustedCertEntry'
@@ -386,8 +386,8 @@ function validate_gateway_frontend_certificates() {
     -in $appgwFrontCertFileName \
     -nocerts \
     -out ${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/cert.key \
-    -passin pass:${APPLICATION_GATEWAY_SSL_FRONTEND_CERT_PASSWORD} \
-    -passout pass:${APPLICATION_GATEWAY_SSL_FRONTEND_CERT_PASSWORD}
+    -passin pass:${APPLICATION_GATEWAY_SSL_FRONTEND_CERT_SHIBBOLETH} \
+    -passout pass:${APPLICATION_GATEWAY_SSL_FRONTEND_CERT_SHIBBOLETH}
 
   validate_status "access application gateway frontend key." "Make sure the Application Gateway frontend certificate is correct."
 }

weblogic-azure-aks/src/main/arm/scripts/setupDBConnections.sh

@@ -12,17 +12,17 @@ AKS_RESOURCE_GROUP_NAME: the name of resource group that runs the AKS cluster.
 AKS_NAME: the name of the AKS cluster.
 DATABASE_TYPE: one of the supported database types.
 DB_CONFIGURATION_TYPE: createOrUpdate: create a new data source connection, or update an existing data source connection. delete: delete an existing data source connection.
-DB_PASSWORD: password for Database.
+DB_SHIBBOLETH: password for Database.
 DB_USER: user id of Database.
 DB_CONNECTION_STRING: JDBC Connection String.
 DB_DRIVER_NAME: datasource driver name, must be specified if database type is otherdb.
-ENABLE_PASSWORDLESS_CONNECTION: true to enable passwordless connection
+ENABLE_SHIBBOLETHLESS_CONNECTION: true to enable passwordless connection
 GLOBAL_TRANSATION_PROTOCOL: Determines the transaction protocol (global transaction processing behavior) for the data source.
 JDBC_DATASOURCE_NAME: JNDI Name for JDBC Datasource.
 TEST_TABLE_NAME: the name of the database table to use when testing physical database connections. This name is required when you specify a Test Frequency and enable Test Reserved Connections.
 WLS_DOMAIN_UID: UID of WebLogic domain, used in WebLogic Operator.
 WLS_DOMAIN_USER: user name for WebLogic Administrator.
-WLS_DOMAIN_PASSWORD: passowrd for WebLogic Administrator.
+WLS_DOMAIN_SHIBBOLETH: passowrd for WebLogic Administrator.
 END
 )
 
@@ -45,8 +45,8 @@ function validate_input() {
         usage 1
     fi
 
-    if [[ -z "${DB_PASSWORD}" || -z "${DB_USER}" ]]; then
-        echo_stderr "DB_PASSWORD and DB_USER are required. "
+    if [[ -z "${DB_SHIBBOLETH}" || -z "${DB_USER}" ]]; then
+        echo_stderr "DB_SHIBBOLETH and DB_USER are required. "
         usage 1
     fi
 
@@ -65,14 +65,14 @@ function validate_input() {
         usage 1
     fi
 
-    if [[ -z "$WLS_DOMAIN_USER" || -z "${WLS_DOMAIN_PASSWORD}" ]]; then
-        echo_stderr "WLS_DOMAIN_USER and WLS_DOMAIN_PASSWORD are required. "
+    if [[ -z "$WLS_DOMAIN_USER" || -z "${WLS_DOMAIN_SHIBBOLETH}" ]]; then
+        echo_stderr "WLS_DOMAIN_USER and WLS_DOMAIN_SHIBBOLETH are required. "
         usage 1
     fi
 
-    # reset password
-    if [[ "${ENABLE_PASSWORDLESS_CONNECTION,,}" == "true" ]]; then
-        DB_PASSWORD=""
+    # reset shibboleth
+    if [[ "${ENABLE_SHIBBOLETHLESS_CONNECTION,,}" == "true" ]]; then
+        DB_SHIBBOLETH=""
 
         if [[ "${DATABASE_TYPE}" == "${constDBTypeSqlServer}" ]]; then
             DB_USER=""
@@ -238,7 +238,7 @@ function validate_datasource() {
     clusterTargetPort=$(kubectl get svc ${wlsClusterSvcName} -n ${wlsDomainNS} -o json | jq '.spec.ports[] | select(.name=="default") | .port')
     t3ConnectionString="t3://${wlsClusterSvcName}.${wlsDomainNS}.svc.cluster.local:${clusterTargetPort}"
     cat <<EOF >${testDatasourceScript}
-connect('${WLS_DOMAIN_USER}', '${WLS_DOMAIN_PASSWORD}', '${t3ConnectionString}')
+connect('${WLS_DOMAIN_USER}', '${WLS_DOMAIN_SHIBBOLETH}', '${t3ConnectionString}')
 serverRuntime()
 print 'start to query data source jndi bean'
 dsMBeans = cmo.getJDBCServiceRuntime().getJDBCDataSourceRuntimeMBeans()