JIRA WDT-498 - Add a list of secrets to domain resource for WKO and VZ targets; exclude admin secrets (#765)

Author: rakillen

core/src/main/python/discover.py

@@ -512,7 +512,8 @@ def main(args):
 
         if model_context.is_targetted_config():
             # do this before variables have been inserted into model
-            target_configuration_helper.create_additional_output(model, model_context, aliases, ExceptionType.DISCOVER)
+            target_configuration_helper.create_additional_output(model, model_context, aliases, credential_injector,
+                                                                 ExceptionType.DISCOVER)
 
         model = __check_and_customize_model(model, model_context, aliases, credential_injector)
 

core/src/main/python/prepare_model.py

@@ -295,7 +295,8 @@ def walk(self):
 
             # create any additional outputs from full model dictionary
             target_configuration_helper.create_additional_output(Model(full_model_dictionary), self.model_context,
-                                                                 self._aliases, ExceptionType.VALIDATE)
+                                                                 self._aliases, self.credential_injector,
+                                                                 ExceptionType.VALIDATE)
 
         except ValidateException, te:
             self._logger.severe('WLSDPLY-20009', _program_name, model_file_name, te.getLocalizedMessage(),

core/src/main/python/wlsdeploy/tool/util/targets/additional_output_helper.py

@@ -25,6 +25,8 @@
 __logger = PlatformLogger('wlsdeploy.tool.util')
 
 # substitution keys used in the templates
+ADDITIONAL_SECRET_NAME = 'additionalSecretName'
+ADDITIONAL_SECRETS = 'additionalSecrets'
 CLUSTER_NAME = 'clusterName'
 CLUSTERS = 'clusters'
 DATABASE_CREDENTIALS = 'databaseCredentials'
@@ -36,26 +38,28 @@
 DOMAIN_TYPE = 'domainType'
 DOMAIN_UID = 'domainUid'
 DS_URL = 'url'
+HAS_ADDITIONAL_SECRETS = 'hasAdditionalSecrets'
 HAS_CLUSTERS = 'hasClusters'
 HAS_DATABASES = 'hasDatabases'
 REPLICAS = 'replicas'
 WEBLOGIC_CREDENTIALS_SECRET = 'webLogicCredentialsSecret'
 
 
-def create_additional_output(model, model_context, aliases, exception_type):
+def create_additional_output(model, model_context, aliases, credential_injector, exception_type):
     """
     Create and write additional output for the configured target type.
     :param model: Model object, used to derive some values in the output
     :param model_context: used to determine location and content for the output
     :param aliases: used to derive secret names
+    :param credential_injector: used to identify secrets
     :param exception_type: the type of exception to throw if needed
     """
 
     # -output_dir argument was previously verified
     output_dir = model_context.get_output_dir()
 
     # all current output types use this hash, and process a set of template files
-    template_hash = _build_template_hash(model, model_context, aliases)
+    template_hash = _build_template_hash(model, model_context, aliases, credential_injector)
 
     file_names = model_context.get_target_configuration().get_additional_output_types()
     for file_name in file_names:
@@ -84,12 +88,13 @@ def _create_file(template_name, template_hash, model_context, output_dir, except
     file_template_helper.create_file_from_file(template_path, template_hash, output_file, exception_type)
 
 
-def _build_template_hash(model, model_context, aliases):
+def _build_template_hash(model, model_context, aliases, credential_injector):
     """
     Create a dictionary of substitution values to apply to the templates.
     :param model: Model object used to derive values
     :param model_context: used to determine domain type
     :param aliases: used to derive folder names
+    :param credential_injector: used to identify secrets
     :return: the hash dictionary
     """
     template_hash = dict()
@@ -107,9 +112,13 @@ def _build_template_hash(model, model_context, aliases):
     template_hash[DOMAIN_NAME] = domain_uid
     template_hash[DOMAIN_PREFIX] = domain_uid
 
+    # secrets that should not be included in secrets section
+    declared_secrets = []
+
     # admin credential
 
     admin_secret = domain_uid + target_configuration_helper.WEBLOGIC_CREDENTIALS_SECRET_SUFFIX
+    declared_secrets.append(admin_secret)
     template_hash[WEBLOGIC_CREDENTIALS_SECRET] = admin_secret
 
     # configuration / model
@@ -165,4 +174,26 @@ def _build_template_hash(model, model_context, aliases):
     template_hash[DATABASES] = databases
     template_hash[HAS_DATABASES] = len(databases) != 0
 
+    # additional secrets - exclude admin
+
+    additional_secrets = []
+
+    # combine user/password properties to get a single list
+    secrets = []
+    for property_name in credential_injector.get_variable_cache():
+        halves = property_name.split(':', 1)
+        name = halves[0]
+        if name not in secrets:
+            secrets.append(name)
+
+    for secret in secrets:
+        secrets_hash = dict()
+        qualified_name = domain_uid + "-" + secret
+        if qualified_name not in declared_secrets:
+            secrets_hash[ADDITIONAL_SECRET_NAME] = qualified_name
+            additional_secrets.append(secrets_hash)
+
+    template_hash[ADDITIONAL_SECRETS] = additional_secrets
+    template_hash[HAS_ADDITIONAL_SECRETS] = len(additional_secrets) != 0
+
     return template_hash

core/src/main/python/wlsdeploy/util/target_configuration_helper.py

@@ -229,17 +229,19 @@ def get_secret_name_for_location(location, domain_uid, aliases):
     return domain_uid + '-' + secret_name
 
 
-def create_additional_output(model, model_context, aliases, exception_type):
+def create_additional_output(model, model_context, aliases, credential_injector, exception_type):
     """
     Create any additional output specified in the target configuration.
     :param model: used to create additional content
     :param model_context: provides access to the target configuration
     :param aliases: used for template fields
+    :param credential_injector: used to identify secrets
     :param exception_type: type of exception to throw
     """
     _method_name = 'create_additional_output'
 
-    additional_output_helper.create_additional_output(model, model_context, aliases, exception_type)
+    additional_output_helper.create_additional_output(model, model_context, aliases, credential_injector,
+                                                      exception_type)
 
 
 def create_secret_name(variable_name, suffix=None):

core/src/main/targetconfigs/vz/model.yaml

@@ -47,6 +47,15 @@ spec:
         configuration:
           model:
             domainType: {{{domainType}}}
+{{#hasAdditionalSecrets}}
+
+          # Secrets that are referenced by model yaml macros
+          # (the model yaml in the optional configMap or in the image)
+          secrets:
+{{/hasAdditionalSecrets}}
+{{#additionalSecrets}}
+          - {{{additionalSecretName}}}
+{{/additionalSecrets}}
       connections:
         - ingress:
             - name: {{{domainPrefix}}}-ingress

core/src/main/targetconfigs/wko/model.yaml

@@ -32,9 +32,9 @@ spec:
     - name: USER_MEM_ARGS
       value: "-Djava.security.egd=file:/dev/./urandom -Xms64m -Xmx256m "
 
-  # clusters is used to configure the desired behavior for starting member servers of a cluster.  
-  # If you use this entry, then the rules will be applied to ALL servers that are members of the named clusters.
 {{#hasClusters}}
+  # clusters is used to configure the desired behavior for starting member servers of a cluster.
+  # If you use this entry, then the rules will be applied to ALL servers that are members of the named clusters.
   clusters:
 {{/hasClusters}}
 {{#clusters}}
@@ -58,3 +58,14 @@ spec:
     # The number of cluster member Managed Server instances to start for this WebLogic cluster
     replicas: {{{replicas}}}
 {{/clusters}}
+
+  configuration:
+{{#hasAdditionalSecrets}}
+
+    # Secrets that are referenced by model yaml macros
+    # (the model yaml in the optional configMap or in the image)
+    secrets:
+{{/hasAdditionalSecrets}}
+{{#additionalSecrets}}
+    - {{{additionalSecretName}}}
+{{/additionalSecrets}}