Port server status reader fixes

Author: rjeberhard

docs-source/content/security/rbac.md

@@ -112,7 +112,7 @@ to a `Role` or `ClusterRole` granting permission to the operator.
 | RoleBinding | Mapped to Role | Resource Access | Notes |
 | --- | --- | --- | --- |
 | `weblogic-operator-rolebinding` | `weblogic-operator-role` | **Edit**: secrets, configmaps, events | The RoleBinding is created in the namespace `weblogic-operator-ns` [^1] |
-| `weblogic-operator-rolebinding-namespace` | Operator Cluster Role `namespace` | **Read**: secrets, pods/log | The RoleBinding is created in the namespace `domain1-ns` [^2] |
+| `weblogic-operator-rolebinding-namespace` | Operator Cluster Role `namespace` | **Read**: secrets, pods/log, pods/exec | The RoleBinding is created in the namespace `domain1-ns` [^2] |
 | | | **Edit**: configmaps, events, pods, services, jobs.batch | |
 | | | **Create**: pods/exec | |
 

docs/charts/index.yaml

@@ -2,83 +2,83 @@ apiVersion: v1
 entries:
   weblogic-operator:
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.167108-04:00"
+    created: "2020-06-01T11:06:47.01222-04:00"
     description: Helm chart for configuring the WebLogic operator.
     digest: 5f4cd8f4f3282b52b5e90a1169f26986e8272671845053606ade9c855fb04151
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.0-rc1.tgz
     version: 3.0.0-rc1
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.165473-04:00"
+    created: "2020-06-01T11:06:47.009924-04:00"
     description: Helm chart for configuring the WebLogic operator.
-    digest: 9102d05ccd9311f77179aa91f0f8ea28ac0255d0905361cc5ae7a6d7b84cdb27
+    digest: 90cce593163ff508ccfe1e00046d2bd7f0ea28b2403812e427f3d6fed473771e
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.6.0.tgz
     version: 2.6.0
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.161746-04:00"
+    created: "2020-06-01T11:06:46.996245-04:00"
     description: Helm chart for configuring the WebLogic operator.
     digest: fe41421b7dc45dc8a3b2888d3a626a37f5d3c8e1fa292fb6699deedc5e1db33d
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.5.0.tgz
     version: 2.5.0
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.160293-04:00"
+    created: "2020-06-01T11:06:46.984232-04:00"
     description: Helm chart for configuring the WebLogic operator.
     digest: b36bd32083f67453a62d089a2c09ce38e6655d88ac8a7b38691230c55c40e672
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.4.0.tgz
     version: 2.4.0
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.158404-04:00"
+    created: "2020-06-01T11:06:46.957724-04:00"
     description: Helm chart for configuring the WebLogic operator.
     digest: a3eafe4c2c6ff49384e56421201e59a3737d651af8d5b605b87a19eb1f6f1dc3
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.3.1.tgz
     version: 2.3.1
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.153312-04:00"
+    created: "2020-06-01T11:06:46.91045-04:00"
     description: Helm chart for configuring the WebLogic operator.
     digest: cbc6caaa6eb28e3c7e906ede14b2ae511a0b35fc12a8e3ab629155b09993e8b2
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.3.0.tgz
     version: 2.3.0
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.150352-04:00"
+    created: "2020-06-01T11:06:46.888509-04:00"
     description: Helm chart for configuring the WebLogic operator.
     digest: 23d5a1c554fa8211cc1e86b7ade09460917cb2069e68fb4bfdddafc8db44fdcd
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.2.1.tgz
     version: 2.2.1
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.148716-04:00"
+    created: "2020-06-01T11:06:46.885035-04:00"
     description: Helm chart for configuring the WebLogic operator.
     digest: bba303686cb55d84fe8c0d693a2436e7e686b028085b56e012f6381699a3911f
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.2.0.tgz
     version: 2.2.0
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.147022-04:00"
+    created: "2020-06-01T11:06:46.879707-04:00"
     description: Helm chart for configuring the WebLogic operator.
     digest: 391e23c0969ada5f0cd2a088ddc6f11f237f57521801ed3925db2149a8437a0d
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.1.tgz
     version: "2.1"
   - apiVersion: v1
-    created: "2020-05-18T20:31:11.145318-04:00"
+    created: "2020-06-01T11:06:46.872459-04:00"
     description: Helm chart for configuring the WebLogic operator.
     digest: 298acda78ab73db6b7ba6f2752311bfa40c65874e03fb196b70976192211c1a5
     name: weblogic-operator
     urls:
     - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.0.1.tgz
     version: 2.0.1
-generated: "2020-05-18T20:31:11.139713-04:00"
+generated: "2020-06-01T11:06:46.867346-04:00"

docs/charts/weblogic-operator-2.6.0.tgz

@@ -31,7 +31,7 @@ rules:
   verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods/exec"]
-  verbs: ["create"]
+  verbs: ["get", "create"]
 - apiGroups: ["weblogic.oracle"]
   resources: ["domains"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]

kubernetes/charts/weblogic-operator/templates/_operator-clusterrole-domain-admin.tpl

@@ -31,7 +31,7 @@ rules:
   verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods/exec"]
-  verbs: ["create"]
+  verbs: ["get", "create"]
 - apiGroups: ["batch"]
   resources: ["jobs"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]

kubernetes/charts/weblogic-operator/templates/_operator-clusterrole-namespace.tpl

@@ -31,5 +31,5 @@ rules:
   verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods/exec"]
-  verbs: ["create"]
+  verbs: ["get", "create"]
 {{- end }}

kubernetes/charts/weblogic-operator/templates/_operator-clusterrole-operator-admin.tpl

@@ -611,7 +611,7 @@ private V1ClusterRole getExpectedWeblogicOperatorNamespaceRole() {
             newPolicyRule()
                 .addApiGroupsItem("")
                 .resources(singletonList("pods/exec"))
-                .verbs(singletonList("create")))
+                .verbs(asList("get", "create")))
         .addRulesItem(
             newPolicyRule()
                 .addApiGroupsItem("batch")

kubernetes/src/test/java/oracle/kubernetes/operator/create/CreateOperatorGeneratedFilesTestBase.java

@@ -4,7 +4,6 @@
 package oracle.kubernetes.operator;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.util.Collection;
@@ -15,7 +14,6 @@
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
-import com.google.common.base.Charsets;
 import com.google.common.io.CharStreams;
 import io.kubernetes.client.openapi.ApiClient;
 import io.kubernetes.client.openapi.ApiException;
@@ -160,11 +158,8 @@ public NextAction apply(Packet packet) {
         return doNext(packet);
       }
 
-      // Even though we don't need input data for this call, the API server is
-      // returning 400 Bad Request any time we set these to false.  There is likely some bug in the
-      // client
-      final boolean stdin = true;
-      final boolean tty = true;
+      final boolean stdin = false;
+      final boolean tty = false;
 
       return doSuspend(
           fiber -> {
@@ -178,20 +173,19 @@ public NextAction apply(Packet packet) {
               kubernetesExec.setTty(tty);
               proc = kubernetesExec.exec("/weblogic-operator/scripts/readState.sh");
 
-              InputStream in = proc.getInputStream();
+              try (final Reader reader = new InputStreamReader(proc.getInputStream())) {
+                state = CharStreams.toString(reader);
+              }
+
               if (proc.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
                 int exitValue = proc.exitValue();
                 LOGGER.fine("readState exit: " + exitValue + ", readState for " + pod.getMetadata().getName());
-                if (exitValue == 0) {
-                  try (final Reader reader = new InputStreamReader(in, Charsets.UTF_8)) {
-                    state = CharStreams.toString(reader);
-                  }
-                } else if (exitValue == 1 || exitValue == 2) {
+                if (exitValue == 1 || exitValue == 2) {
                   state =
                       PodHelper.isDeleting(pod)
                           ? WebLogicConstants.SHUTDOWN_STATE
                           : WebLogicConstants.STARTING_STATE;
-                } else {
+                } else if (exitValue != 0) {
                   state = WebLogicConstants.UNKNOWN_STATE;
                 }
               }

operator/src/main/java/oracle/kubernetes/operator/ServerStatusReader.java

@@ -69,7 +69,7 @@ public class HealthCheckHelperTest {
   private static final List<String> CLUSTER_READ_UPDATE_RESOURCES =
       Arrays.asList("domains//weblogic.oracle", "domains/status/weblogic.oracle");
 
-  private static final List<String> CREATE_ONLY_RESOURCES =
+  private static final List<String> CREATE_AND_GET_RESOURCES =
       Arrays.asList("pods/exec", "tokenreviews//authentication.k8s.io",
           "selfsubjectrulesreviews//authorization.k8s.io");
 
@@ -89,6 +89,9 @@ public class HealthCheckHelperTest {
   private static final List<Operation> READ_UPDATE_OPERATIONS =
       Arrays.asList(get, list, watch, update, patch);
 
+  private static final List<Operation> CREATE_GET_OPERATIONS =
+      Arrays.asList(create, get);
+
   private static final String POD_LOGS = "pods/log";
   private static final KubernetesVersion RULES_REVIEW_VERSION = new KubernetesVersion(1, 8);
 
@@ -189,7 +192,7 @@ private void addNamespaceRules(List<V1ResourceRule> rules) {
       rules.add(createRule(CRUD_RESOURCES, CRUD_OPERATIONS));
       rules.add(createRule(READ_WATCH_RESOURCES, READ_WATCH_OPERATIONS));
       rules.add(createRule(singletonList(POD_LOGS), READ_ONLY_OPERATIONS));
-      rules.add(createRule(CREATE_ONLY_RESOURCES, singletonList(create)));
+      rules.add(createRule(CREATE_AND_GET_RESOURCES, CREATE_GET_OPERATIONS));
     }
 
     private void addClusterRules(List<V1ResourceRule> rules) {

operator/src/test/java/oracle/kubernetes/operator/helpers/HealthCheckHelperTest.java

@@ -64,8 +64,8 @@ cp /operator/logstash.conf /logs/logstash.conf
 # assumption is that we have mounted a volume on /logs which is also visible to
 # the logstash container/pod.
 
-# Container memory optimizaton flags
-HEAP="-XX:+UnlockExperimentalVMOptions -XX:MaxRAMFraction=1 -XshowSettings:vm"
+# Container memory optimization flags
+HEAP="-XshowSettings:vm"
 
 # Start operator
 java $HEAP $MOCKING_WLS $DEBUG $LOGGING -jar /operator/weblogic-kubernetes-operator.jar &