Merge pull request #1212 from oracle/develop_OWLS-76349

Fix secure protocol in AdminURL

Author: rjeberhard

operator/src/main/java/oracle/kubernetes/operator/helpers/PodStepContext.java

@@ -142,12 +142,31 @@ Integer getAsPort() {
         .getLocalAdminProtocolChannelPort();
   }
 
+  /**
+   * Check if the server is listening on a secure port. NOTE: If the targetted server is a managed
+   * server, this method is overridden to check if the managed server has a secure listen port rather
+   * than the admin server. See PodHelper.ManagedPodStepContext
+   *
+   * @return true if server is listening on a secure port
+   */
   boolean isLocalAdminProtocolChannelSecure() {
+    return domainTopology
+        .getServerConfig(getServerName())
+        .isLocalAdminProtocolChannelSecure();
+  }
+
+  /**
+   * Check if the admin server is listening on a secure port.
+   *
+   * @return true if admin server is listening on a secure port
+   */
+  private boolean isAdminServerProtocolChannelSecure() {
     return domainTopology
         .getServerConfig(domainTopology.getAdminServerName())
         .isLocalAdminProtocolChannelSecure();
   }
 
+
   Integer getLocalAdminProtocolChannelPort() {
     return domainTopology
         .getServerConfig(domainTopology.getAdminServerName())
@@ -587,8 +606,16 @@ void addStartupEnvVars(List<V1EnvVar> vars) {
     addEnvVar(vars, ServerEnvVars.ADMIN_NAME, getAsName());
     addEnvVar(vars, ServerEnvVars.ADMIN_PORT, getAsPort().toString());
     if (isLocalAdminProtocolChannelSecure()) {
+      // This env variable indicates whether the administration port in the WLS server on the local pod is secure
       addEnvVar(vars, ServerEnvVars.ADMIN_PORT_SECURE, "true");
     }
+    if (isAdminServerProtocolChannelSecure()) {
+      // The following env variable determines whether to set a secure protocol(https/t3s) in the "AdminURL" property
+      // in NM startup.properties.
+      // WebLogic Node Manager then sets the ADMIN_URL env variable(based on the "AdminURL") before starting
+      // the managed server
+      addEnvVar(vars, "ADMIN_SERVER_PORT_SECURE", "true");
+    }
     addEnvVar(vars, ServerEnvVars.SERVER_NAME, getServerName());
     addEnvVar(vars, ServerEnvVars.DOMAIN_UID, getDomainUid());
     addEnvVar(vars, ServerEnvVars.NODEMGR_HOME, NODEMGR_HOME);

operator/src/main/java/oracle/kubernetes/operator/wlsconfig/WlsDomainConfig.java

@@ -245,9 +245,9 @@ public String getName() {
   }
 
   /**
-   * Return the name of the WLS domain.
+   * Return the name of the admin server.
    *
-   * @return Name of the WLS domain
+   * @return Name of the admin server
    */
   public String getAdminServerName() {
     return this.adminServerName;

operator/src/main/resources/scripts/startNodeManager.sh

@@ -260,15 +260,8 @@ EOF
   [ ! $? -eq 0 ] && trace SEVERE "Failed to create '${wl_props_file}'." && exit 1
 
   if [ ! "${ADMIN_NAME}" = "${SERVER_NAME}" ]; then
-    admin_protocol="http"
-    if [ "${ADMIN_PORT_SECURE}" = "true" ]; then
-      admin_protocol="https"
-    fi  
-    if [ "${ISTIO_ENABLED}" == "true" ]; then
-      echo "AdminURL=t3\\://${AS_SERVICE_NAME}\\:${ADMIN_PORT}" >> ${wl_props_file}
-    else
-      echo "AdminURL=$admin_protocol\\://${AS_SERVICE_NAME}\\:${ADMIN_PORT}" >> ${wl_props_file}
-    fi
+    ADMIN_URL=$(getAdminServerUrl)
+    echo "AdminURL=$ADMIN_URL" >> ${wl_props_file}
   fi
 fi
 

operator/src/main/resources/scripts/utils.sh

@@ -395,3 +395,26 @@ checkWebLogicVersion()
   fi
   return 0
 }
+
+
+#
+# getAdminUrl
+#   purpose: Get the admin URL used to connect to the admin server internally, e.g. when starting a managed server
+#   sample:
+#     ADMIN_URL=$(getAdminServerUrl)
+#
+function getAdminServerUrl() {
+  local admin_protocol="http"
+  if [ "${ISTIO_ENABLED}" = "true" ]; then
+    admin_protocol="t3"
+  fi 
+
+  if [ "${ADMIN_SERVER_PORT_SECURE}" = "true" ]; then
+    if [ "${ISTIO_ENABLED}" = "true" ]; then
+      admin_protocol="t3s"
+    else
+      admin_protocol="https"
+    fi
+  fi
+  echo ${admin_protocol}://${AS_SERVICE_NAME}:${ADMIN_PORT}
+}

operator/src/test/java/oracle/kubernetes/operator/helpers/AdminPodHelperTest.java

@@ -218,6 +218,34 @@ public void whenAdminPodCreated_hasOperatorCertEnvVariable() {
         hasEnvVar(INTERNAL_OPERATOR_CERT_ENV_NAME, InMemoryCertificates.INTERNAL_CERT_DATA));
   }
 
+  @Test
+  public void whenAdminPodCreatedWithAdminPortEnabled_adminServerPortSecureEnvVarIsTrue() {
+    final Integer adminPort = 9002;
+    getServerTopology().setAdminPort(adminPort);
+    assertThat(getCreatedPodSpecContainer().getEnv(), hasEnvVar("ADMIN_SERVER_PORT_SECURE", "true"));
+  }
+
+  @Test
+  public void whenAdminPodCreatedWithNullAdminPort_adminServerPortSecureEnvVarIsNotSet() {
+    final Integer adminPort = null;
+    getServerTopology().setAdminPort(adminPort);
+    assertThat(getCreatedPodSpecContainer().getEnv(), not(hasEnvVar("ADMIN_SERVER_PORT_SECURE", "true")));
+  }
+
+  @Test
+  public void whenAdminPodCreatedWithAdminServerHasSSLPortEnabled_adminServerPortSecureEnvVarIsTrue() {
+    final Integer adminServerSSLPort = 9999;
+    getServerTopology().setSslListenPort(adminServerSSLPort);
+    assertThat(getCreatedPodSpecContainer().getEnv(), hasEnvVar("ADMIN_SERVER_PORT_SECURE", "true"));
+  }
+
+  @Test
+  public void whenAdminPodCreatedWithAdminServerHasNullSSLPort_adminServerPortSecureEnvVarIsNotSet() {
+    final Integer adminServerSSLPort = null;
+    getServerTopology().setSslListenPort(adminServerSSLPort);
+    assertThat(getCreatedPodSpecContainer().getEnv(), not(hasEnvVar("ADMIN_SERVER_PORT_SECURE", "true")));
+  }
+
   @Test
   public void whenDomainPresenceHasNoEnvironmentItems_createAdminPodStartupWithDefaultItems() {
     assertThat(getCreatedPodSpecContainer().getEnv(), not(empty()));