Merge pull request #812 from oracle/OWLS-70638

WIP: Get the external operator REST certificate and private key from a Kubernetes secret

Author: rjeberhard

kubernetes/charts/weblogic-operator/templates/_operator-cm.tpl

@@ -1,12 +1,16 @@
-# Copyright 2018 Oracle Corporation and/or its affiliates.  All rights reserved.
+# Copyright 2018, 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorConfigMap" }}
 ---
 apiVersion: "v1"
 data:
   {{- if .externalRestEnabled }}
+    {{- if (hasKey . "externalCertificateSecret") }}
+  externalCertificateSecret: {{ .externalCertificateSecret | quote }}
+    {{- else }}
   externalOperatorCert: {{ .externalOperatorCert | quote }}
+    {{- end }}
   {{- end }}
   serviceaccount: {{ .serviceAccount | quote }}
   targetNamespaces: {{ .domainNamespaces | uniq | sortAlpha | join "," | quote }}

kubernetes/charts/weblogic-operator/templates/_operator-secret.tpl

@@ -1,12 +1,12 @@
-# Copyright 2018 Oracle Corporation and/or its affiliates.  All rights reserved.
+# Copyright 2018, 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorSecrets" }}
 ---
 apiVersion: "v1"
 kind: "Secret"
 data:
-  {{- if .externalRestEnabled }}
+  {{- if (and .externalRestEnabled (hasKey . "externalOperatorKey")) }}
   externalOperatorKey: {{ .externalOperatorKey | quote }}
   {{- end }}
 metadata:

kubernetes/charts/weblogic-operator/templates/_utils.tpl

@@ -1,4 +1,4 @@
-# Copyright 2018 Oracle Corporation and/or its affiliates.  All rights reserved.
+# Copyright 2018, 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 
 {{/*
@@ -426,3 +426,35 @@ TBD - does helm provide a clone method we can use instead?
 {{- define "utils.cloneDictionary" -}}
 {{- include "utils.mergeDictionaries" (list .) -}}
 {{- end -}}
+
+{{/*
+Verify that a list of values (exclude) can not be defined if another value (key) is already defined 
+*/}}
+{{- define "utils.mutexValue" -}}
+{{- $scope := index . 0 -}}
+{{- $key := index . 1 -}}
+{{- $exclude := index . 2 -}}
+{{- $type := index . 3 -}}
+{{- $parent := $scope.validationScope -}}
+{{- $args := . -}}
+{{- $status := dict -}}
+{{- if hasKey $parent $key -}}
+{{-   range $value := $exclude -}}
+{{-     if hasKey $parent $value -}}
+{{-       $errorMsg := cat $value "can not be present when" $key "is defined"  " " -}}
+{{-       include "utils.recordValidationError" (list $scope $errorMsg) -}}
+{{-       $ignore := set $status "error" true -}}
+{{-     end -}}
+{{-   end -}}
+{{- end -}}
+{{- if not (hasKey $status "error") -}}
+      true
+{{- end -}}
+{{- end -}}
+
+{{/*
+Verify that a list of strings can not be defined if another string is already defined 
+*/}}
+{{- define "utils.mutexString" -}}
+{{- include "utils.mutexValue" (append . "string") -}}
+{{- end -}}

kubernetes/charts/weblogic-operator/templates/_validate-inputs.tpl

@@ -1,4 +1,4 @@
-# Copyright 2018 Oracle Corporation and/or its affiliates.  All rights reserved.
+# Copyright 2018, 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 
 {{- define "operator.validateInputs" -}}
@@ -12,11 +12,14 @@
 {{- $ignore := include "utils.verifyEnum" (list $scope "imagePullPolicy" (list "Always" "IfNotPresent" "Never")) -}}
 {{- $ignore := include "utils.verifyOptionalDictionaryList" (list $scope "imagePullSecrets") -}}
 {{- $ignore := include "utils.verifyEnum" (list $scope "javaLoggingLevel" (list "SEVERE" "WARNING" "INFO" "CONFIG" "FINE" "FINER" "FINEST")) -}}
+{{- $ignore := include "utils.mutexString" (list $scope "externalCertificateSecret" (list "externalOperatorKey" "externalOperatorCert")) -}}
 {{- if include "utils.verifyBoolean" (list $scope "externalRestEnabled") -}}
 {{-   if $scope.externalRestEnabled -}}
 {{-     $ignore := include "utils.verifyInteger" (list $scope "externalRestHttpsPort") -}}
-{{-     $ignore := include "utils.verifyString"  (list $scope "externalOperatorCert") -}}
-{{-     $ignore := include "utils.verifyString"  (list $scope "externalOperatorKey") -}}
+{{/*        The following condition is for backward compatibility only */}}
+{{-     if (or (not (hasKey $scope "externalOperatorCert")) (not (hasKey $scope "externalOperatorKey"))) -}}
+{{-       $ignore := include "utils.verifyString"  (list $scope "externalCertificateSecret") -}}
+{{-     end -}}
 {{-   end -}}
 {{- end -}}
 {{- if include "utils.verifyBoolean" (list $scope "remoteDebugNodePortEnabled") -}}

kubernetes/charts/weblogic-operator/values.yaml

@@ -1,4 +1,4 @@
-# Copyright 2018 Oracle Corporation and/or its affiliates.  All rights reserved.
+# Copyright 2018, 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 
 # serviceAccount specifies the name of the service account in the operator's namespace that the
@@ -52,17 +52,12 @@ externalRestEnabled: false
 # Otherwise, it is ignored.
 externalRestHttpsPort: 31001
 
-# The customer supplied certificate to use for the external operator REST https interface.
-# The value must be a string containing a base64 encoded PEM certificate.
-# This parameter is required if 'externalRestEnabled' is true.
-# Otherwise, it is ignored.
-#externalOperatorCert:
-
-# The customer supplied private key to use for the external operator REST https interface.
-# The value must be a string containing a base64 encoded PEM key.
-# This parameter is required if 'externalRestEnabled' is true.
-# Otherwise, it is ignored.
-#externalOperatorKey:
+# The name of the secret used to store the certificate and private key to use for the external operator REST https interface.
+# The secret has to be created in the same namespace of the welbogic operator.
+# This parameter is required if 'externalRestEnabled' is true. Otherwise, it is ignored.
+# As example, a self-sigend certificate can be created and stored in weblogic-operator-certificate using the 
+# following sample script kubernetes/samples/scripts/rest/generate-external-rest-identity.sh
+#externalCertificateSecret: 
 
 # remoteDebugNodePortEnabled specifies whether or not the operator will start a Java remote debug server
 # on the provided port and suspend execution until a remote debugger has attached.

kubernetes/samples/scripts/rest/generate-external-rest-identity.sh

@@ -1,27 +1,26 @@
 #!/usr/bin/env bash
-# Copyright 2017, 2018, Oracle Corporation and/or its affiliates.  All rights reserved.
+# Copyright 2017, 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 #
 # When the customer enables the operator's external REST api (by setting
 # externalRestEnabled to true when installing the operator helm chart), the customer needs
-# to provide the certificate and private key for api's SSL identity too (by setting
-# externalOperatorCert and externalOperatorKey to the base64 encoded PEM of the cert and
-# key when installing the operator helm chart).
+# to provide the certificate and private key for api's SSL identity too (by creating a 
+# tls secret befor the installation of the operator helm chart).
 #
 # This sample script generates a self-signed certificate and private key that can be used
 # for the operator's external REST api when experimenting with the operator.  They should
 # not be used in a production environment.
 #
 # The sytax of the script is:
-#   kubernetes/samples/scripts/generate-external-rest-identity.sh <subject alternative names>
+#   kubernetes/samples/scripts/rest/generate-external-rest-identity.sh <subject alternative names>
 #
 # <subject alternative names> lists the subject alternative names to put into the generated
 # self-signed certificate for the external WebLogic Operator REST https interface,
 # for example:
 #   DNS:myhost,DNS:localhost,IP:127.0.0.1
 #
-# The script prints out the base64 encoded pem of the generated certificate and private key
-# in the same format that the operator helm chart's values.yaml requires.
+# The script creates the weblogic-operator-certificate secret in the weblogic-operator namespace with 
+# the self-signed certificate and private key
 #
 # Example usage:
 #   generate-external-rest-identity.sh IP:127.0.0.1 > my_values.yaml
@@ -130,13 +129,7 @@ openssl \
   -out ${OP_KEY_PEM} \
 2> /dev/null
 
-# base64 encode the cert and private key pem
-CERT_DATA=`base64 -i ${OP_CERT_PEM} | tr -d '\n'`
-KEY_DATA=`base64 -i ${OP_KEY_PEM} | tr -d '\n'`
-
-# print out the cert and pem in the form that can be added to
-# the operator helm chart's values.yaml
-echo "externalOperatorCert: ${CERT_DATA}"
-echo "externalOperatorKey: ${KEY_DATA}"
-
+# Create the secret with the self-signed certificate and private key in the weblogic-operator namespace
+kubectl create secret tls "weblogic-operator-certificate" --cert=${OP_CERT_PEM} --key=${OP_KEY_PEM} -n weblogic-operator
+echo "externalCertificateSecret: weblogic-operator-certificate"
 SUCCEEDED=true

operator/src/main/java/oracle/kubernetes/operator/rest/RestConfigImpl.java

@@ -1,4 +1,4 @@
-// Copyright 2017, Oracle Corporation and/or its affiliates.  All rights reserved.
+// Copyright 2017, 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
 // Licensed under the Universal Permissive License v 1.0 as shown at
 // http://oss.oracle.com/licenses/upl.
 
@@ -22,6 +22,15 @@ public class RestConfigImpl implements RestConfig {
 
   private static final String OPERATOR_DIR = "/operator/";
   private static final String INTERNAL_REST_IDENTITY_DIR = OPERATOR_DIR + "internal-identity/";
+  private static final String INTERNAL_CERTIFICATE =
+      INTERNAL_REST_IDENTITY_DIR + "internalOperatorCert";
+  private static final String INTERNAL_CERTIFICATE_KEY =
+      INTERNAL_REST_IDENTITY_DIR + "internalOperatorKey";
+  private static final String EXTERNAL_REST_IDENTITY_DIR = OPERATOR_DIR + "external-identity/";
+  private static final String EXTERNAL_CERTIFICATE =
+      EXTERNAL_REST_IDENTITY_DIR + "externalOperatorCert";
+  private static final String EXTERNAL_CERTIFICATE_KEY =
+      EXTERNAL_REST_IDENTITY_DIR + "externalOperatorKey";
 
   /**
    * Constructs a RestConfigImpl.
@@ -58,13 +67,13 @@ public int getInternalHttpsPort() {
   /** {@inheritDoc} */
   @Override
   public String getOperatorExternalCertificateData() {
-    return getCertificate(OPERATOR_DIR + "config/externalOperatorCert");
+    return getCertificate(EXTERNAL_CERTIFICATE);
   }
 
   /** {@inheritDoc} */
   @Override
   public String getOperatorInternalCertificateData() {
-    return getCertificate(INTERNAL_REST_IDENTITY_DIR + "internalOperatorCert");
+    return getCertificate(INTERNAL_CERTIFICATE);
   }
 
   /** {@inheritDoc} */
@@ -94,13 +103,13 @@ public String getOperatorInternalKeyData() {
   /** {@inheritDoc} */
   @Override
   public String getOperatorExternalKeyFile() {
-    return getKey(OPERATOR_DIR + "secrets/externalOperatorKey");
+    return getKey(EXTERNAL_CERTIFICATE_KEY);
   }
 
   /** {@inheritDoc} */
   @Override
   public String getOperatorInternalKeyFile() {
-    return getKey(INTERNAL_REST_IDENTITY_DIR + "internalOperatorKey");
+    return getKey(INTERNAL_CERTIFICATE_KEY);
   }
 
   /** {@inheritDoc} */

src/scripts/initialize-external-operator-identity.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+# Copyright 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+
+# do not turn on 'set -x' since it can print sensitive info, like secrets and private keys, to the operator log
+#set -x
+
+if [ "$#" != 0 ] ; then
+  1>&2 echo "Syntax: ${BASH_SOURCE[0]}"
+  exit 1
+fi
+
+EXTERNAL_CERT="externalOperatorCert"
+EXTERNAL_KEY="externalOperatorKey"
+OPERATOR_DIR="/operator"
+EXTERNAL_IDENTITY_DIR="${OPERATOR_DIR}/external-identity"
+NAMESPACE=`cat /var/run/secrets/kubernetes.io/serviceaccount/namespace`
+OPERATOR_CONFIG_DIR=${OPERATOR_DIR}/config
+OPERATOR_SECRETS_DIR=${OPERATOR_DIR}/secrets
+
+# the operator runtime expects the external operator cert and private key to be in these files:
+EXTERNAL_CERT_PEM="${EXTERNAL_IDENTITY_DIR}/${EXTERNAL_CERT}"
+EXTERNAL_KEY_PEM="${EXTERNAL_IDENTITY_DIR}/${EXTERNAL_KEY}"
+EXTERNAL_CERT_SECRET="${OPERATOR_CONFIG_DIR}/externalCertificateSecret"
+
+# the legacy helm install mount the ceritificate and private key in the following locations:
+LEGACY_CERT_BASE64_PEM=${OPERATOR_CONFIG_DIR}/${EXTERNAL_CERT}
+LEGACY_KEY_PEM=${OPERATOR_SECRETS_DIR}/${EXTERNAL_KEY}
+
+CACERT='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`
+KUBERNETES_MASTER="https://kubernetes.default.svc"
+
+function cleanup {
+  if [[ $SUCCEEDED != "true" ]]; then
+    exit 1
+  fi
+}
+
+function getExternalIdentity {
+  SECRET_NAME=`cat ${EXTERNAL_CERT_SECRET}`
+  
+  curl -s \
+    --cacert $CACERT \
+    -H "Authorization: Bearer $TOKEN" \
+    -H "Content-Type: application/json" \
+    -X GET \
+    $KUBERNETES_MASTER/api/v1/namespaces/weblogic-operator/secrets/$SECRET_NAME | \
+    python -c "import sys, json; print json.load(sys.stdin)['data']['tls.crt']" \
+    >> ${EXTERNAL_CERT_PEM}
+
+  curl -s \
+    --cacert $CACERT \
+    -H "Authorization: Bearer $TOKEN" \
+    -H "Content-Type: application/json" \
+    -X GET \
+    $KUBERNETES_MASTER/api/v1/namespaces/weblogic-operator/secrets/$SECRET_NAME | \
+    python -c "import sys, json; print json.load(sys.stdin)['data']['tls.key']" | base64 --decode \
+    >> ${EXTERNAL_KEY_PEM}
+}
+
+function getLegacyExternalIdentity {
+  cp ${LEGACY_CERT_BASE64_PEM} ${EXTERNAL_CERT_PEM}
+  cp ${LEGACY_KEY_PEM} ${EXTERNAL_KEY_PEM}
+}
+
+set -e
+
+trap "cleanup" EXIT
+
+mkdir ${EXTERNAL_IDENTITY_DIR}
+
+if [ -f "${EXTERNAL_CERT_SECRET}" ]; then
+  # The operator's external ssl certificate was defined within a kubernetes tls secret
+  getExternalIdentity
+else
+  if [ -f "${LEGACY_CERT_BASE64_PEM}" ]; then
+    # The operator's external ssl certificate was created by helm using the values.yaml.
+    getLegacyExternalIdentity
+  fi
+fi
+
+SUCCEEDED=true

src/scripts/operator.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2017, 2018, Oracle Corporation and/or its affiliates.  All rights reserved.
+# Copyright 2017, 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 
 set -x
@@ -19,6 +19,8 @@ trap relay_SIGTERM SIGTERM
 
 /operator/initialize-internal-operator-identity.sh
 
+/operator/initialize-external-operator-identity.sh
+
 if [[ ! -z "$REMOTE_DEBUG_PORT" ]]; then
   DEBUG="-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=$HOSTNAME:$REMOTE_DEBUG_PORT"
   echo "DEBUG=$DEBUG"