OWLS-67335 Rework the 2.0 operator helm chart external REST config to look more like GA, OWLS-67336 Rework some of the 2.0 operator values.yaml create properties

Author: moreaut

kubernetes/charts/weblogic-operator/templates/_inputs-utils.tpl

@@ -22,9 +22,10 @@ Verify that an input value of a specific kind has been specified.
 {{- define "operator.verifyInputKind" -}}
 {{- $requiredKind := index . 0 -}}
 {{- $scope := index . 1 -}}
-{{- $name := index . 2 -}}
-{{- if hasKey $scope $name -}}
-{{-   $value := index $scope $name -}}
+{{- $parent := index . 2 -}}
+{{- $name := index . 3 -}}
+{{- if hasKey $parent $name -}}
+{{-   $value := index $parent $name -}}
 {{-   $actualKind := kindOf $value -}}
 {{-   if eq $requiredKind $actualKind -}}
         true
@@ -72,10 +73,11 @@ Verify that an enum string input value has been specified
 */}}
 {{- define "operator.verifyEnumInput" -}}
 {{- $scope := index . 0 -}}
-{{- $name := index . 1 -}}
-{{- $legalValues := index . 2 -}}
-{{- if include "operator.verifyStringInput" (list $scope $name) -}}
-{{-   $value := index $scope $name -}}
+{{- $parent := index . 1 -}}
+{{- $name := index . 2 -}}
+{{- $legalValues := index . 3 -}}
+{{- if include "operator.verifyStringInput" (list $scope $parent $name) -}}
+{{-   $value := index $parent $name -}}
 {{-   if has $value $legalValues -}}
       true
 {{-   else -}}

kubernetes/charts/weblogic-operator/templates/_operator-cm.tpl

@@ -6,7 +6,7 @@
 apiVersion: "v1"
 data:
   internalOperatorCert: {{ .internalOperatorCert | quote }}
-  {{- if .externalRestEnabled }}
+  {{- if not (eq .externalRestOption "NONE") }}
   externalOperatorCert: {{ .externalOperatorCert | quote }}
   {{- end }}
   serviceaccount: {{ .operatorServiceAccount | quote }}
@@ -15,7 +15,7 @@ data:
 {{- if eq $len 0 -}}
 {{-   $ignore := set $domainsNamespaces "default" (dict) -}}
 {{- end }}
-  targetNamespaces: {{ keys $domainsNamespaces | join "," }}
+  targetNamespaces: {{ keys $domainsNamespaces | sortAlpha | join "," }}
 kind: "ConfigMap"
 metadata:
   labels:

kubernetes/charts/weblogic-operator/templates/_operator-external-svc.tpl

@@ -2,7 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorExternalService" }}
-{{- if (or .externalRestEnabled .remoteDebugNodePortEnabled) }}
+{{- if or (not (eq .externalRestOption "NONE")) .remoteDebugNodePortEnabled }}
 ---
 apiVersion: "v1"
 kind: "Service"
@@ -17,7 +17,7 @@ spec:
   selector:
     app: "weblogic-operator"
   ports:
-    {{- if .externalRestEnabled }}
+    {{- if not (eq .externalRestOption "NONE") }}
     - name: "rest"
       port: 8081
       nodePort: {{ .externalRestHttpsPort }}

kubernetes/charts/weblogic-operator/templates/_operator-ns.tpl

@@ -2,7 +2,6 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorNamespace" }}
-{{- if (and (.createOperatorNamespace) (not (eq .operatorNamespace "default"))) }}
 ---
 apiVersion: "v1"
 kind: "Namespace"
@@ -12,4 +11,3 @@ metadata:
     weblogic.resourceVersion: "operator-v1"
   name: {{ .operatorNamespace | quote }}
 {{- end }}
-{{- end }}

kubernetes/charts/weblogic-operator/templates/_operator-secrets.yaml.tpl renamed to kubernetes/charts/weblogic-operator/templates/_operator-secret.tpl

@@ -7,7 +7,7 @@ apiVersion: "v1"
 kind: "Secret"
 data:
   internalOperatorKey: {{ .internalOperatorKey | quote }}
-  {{- if .externalRestEnabled }}
+  {{- if not (eq .externalRestOption "NONE") }}
   externalOperatorKey: {{ .externalOperatorKey | quote }}
   {{- end }}
 metadata:

kubernetes/charts/weblogic-operator/templates/_validate-inputs.tpl

@@ -3,41 +3,58 @@
 
 {{- define "operator.validateInputs" -}}
 {{- $scope := . -}}
-{{- if include "operator.verifyBooleanInput" (list $scope "setupKubernetesCluster") -}}
+{{- if include "operator.verifyBooleanInput" (list $scope $scope "setupKubernetesCluster") -}}
 {{-   if $scope.setupKubernetesCluster }}
-{{-     $ignore := include "operator.verifyBooleanInput" (list $scope "elkIntegrationEnabled") -}}
+{{-     $ignore := include "operator.verifyBooleanInput" (list $scope $scope "elkIntegrationEnabled") -}}
 {{-   end }}
 {{- end }}
-{{- if include "operator.verifyBooleanInput" (list $scope "createOperator") -}}
+{{- if include "operator.verifyBooleanInput" (list $scope $scope "createOperator") -}}
 {{-   if .createOperator }}
-{{-     $ignore := include "operator.verifyBooleanInput" (list $scope "elkIntegrationEnabled") -}}
-{{-     $ignore := include "operator.verifyBooleanInput" (list $scope "createOperatorNamespace") -}}
-{{-     $ignore := include "operator.verifyStringInput"  (list $scope "operatorNamespace") -}}
-{{-     $ignore := include "operator.verifyStringInput"  (list $scope "operatorServiceAccount") -}}
-{{-     $ignore := include "operator.verifyStringInput"  (list $scope "operatorImage") -}}
-{{-     $ignore := include "operator.verifyEnumInput"    (list $scope "operatorImagePullPolicy" (list "Always" "IfNotPresent" "Never")) -}}
-{{-     $ignore := include "operator.verifyEnumInput"    (list $scope "javaLoggingLevel" (list "SEVERE" "WARNING" "INFO" "CONFIG" "FINE" "FINER" "FINEST")) -}}
-{{-     $ignore := include "operator.verifyStringInput"  (list $scope "internalOperatorCert") -}}
-{{-     $ignore := include "operator.verifyStringInput"  (list $scope "internalOperatorKey") -}}
-{{-     if include "operator.verifyBooleanInput" (list $scope "externalRestEnabled") -}}
-{{-       if $scope.externalRestEnabled -}}
-{{-         $ignore := include "operator.verifyIntegerInput" (list $scope "externalRestHttpsPort") -}}
-{{-         $ignore := include "operator.verifyStringInput"  (list $scope "externalOperatorCert") -}}
-{{-         $ignore := include "operator.verifyStringInput"  (list $scope "externalOperatorKey") -}}
+{{-     $ignore := include "operator.verifyBooleanInput" (list $scope $scope "elkIntegrationEnabled") -}}
+{{-     $ignore := include "operator.verifyStringInput"  (list $scope $scope "operatorNamespace") -}}
+{{-     $ignore := include "operator.verifyStringInput"  (list $scope $scope "operatorServiceAccount") -}}
+{{-     $ignore := include "operator.verifyStringInput"  (list $scope $scope "operatorImage") -}}
+{{-     $ignore := include "operator.verifyEnumInput"    (list $scope $scope "operatorImagePullPolicy" (list "Always" "IfNotPresent" "Never")) -}}
+{{-     $ignore := include "operator.verifyEnumInput"    (list $scope $scope "javaLoggingLevel" (list "SEVERE" "WARNING" "INFO" "CONFIG" "FINE" "FINER" "FINEST")) -}}
+{{-     $ignore := include "operator.verifyStringInput"  (list $scope $scope "internalOperatorCert") -}}
+{{-     $ignore := include "operator.verifyStringInput"  (list $scope $scope "internalOperatorKey") -}}
+{{-     if include "operator.verifyEnumInput" (list $scope $scope "externalRestOption" (list "NONE" "SELF_SIGNED_CERT" "CUSTOM_CERT")) -}}
+{{-       if eq $scope.externalRestOption "SELF_SIGNED_CERT" -}}
+{{-         $ignore := include "operator.verifyIntegerInput" (list $scope $scope "externalRestHttpsPort") -}}
+{{-         $ignore := include "operator.verifyStringInput"  (list $scope $scope "externalOperatorCertSans") -}}
+{{/*        TBD - temporarily require the cert and key too until the operator runtime is updated to generate them */}}
+{{-         $ignore := include "operator.verifyStringInput"  (list $scope $scope "externalOperatorCert") -}}
+{{-         $ignore := include "operator.verifyStringInput"  (list $scope $scope "externalOperatorKey") -}}
+{{-       end -}}
+{{-       if eq $scope.externalRestOption "CUSTOM_CERT" -}}
+{{-         $ignore := include "operator.verifyIntegerInput" (list $scope $scope "externalRestHttpsPort") -}}
+{{-         $ignore := include "operator.verifyStringInput"  (list $scope $scope "externalOperatorCert") -}}
+{{-         $ignore := include "operator.verifyStringInput"  (list $scope $scope "externalOperatorKey") -}}
+{{-       end -}}
+{{-     end -}}
+{{-     if include "operator.verifyEnumInput" (list $scope $scope "internalRestOption" (list "SELF_SIGNED_CERT" "CUSTOM_CERT")) -}}
+{{-       if eq $scope.internalRestOption "SELF_SIGNED_CERT" -}}
+{{/*        TBD - temporarily require the cert and key too until the operator runtime is updated to generate them */}}
+{{-         $ignore := include "operator.verifyStringInput"  (list $scope $scope "internalOperatorCert") -}}
+{{-         $ignore := include "operator.verifyStringInput"  (list $scope $scope "internalOperatorKey") -}}
+{{-       end -}}
+{{-       if eq $scope.internalRestOption "CUSTOM_CERT" -}}
+{{-         $ignore := include "operator.verifyStringInput"  (list $scope $scope "internalOperatorCert") -}}
+{{-         $ignore := include "operator.verifyStringInput"  (list $scope $scope "internalOperatorKey") -}}
 {{-       end -}}
 {{-     end -}}
-{{-     if include "operator.verifyBooleanInput" (list $scope "remoteDebugNodePortEnabled") -}}
+{{-     if include "operator.verifyBooleanInput" (list $scope $scope "remoteDebugNodePortEnabled") -}}
 {{-       if $scope.remoteDebugNodePortEnabled -}}
-{{-         $ignore := include "operator.verifyIntegerInput" (list $scope "internalDebugHttpPort") -}}
-{{-         $ignore := include "operator.verifyIntegerInput" (list $scope "externalDebugHttpPort") -}}
+{{-         $ignore := include "operator.verifyIntegerInput" (list $scope $scope "internalDebugHttpPort") -}}
+{{-         $ignore := include "operator.verifyIntegerInput" (list $scope $scope "externalDebugHttpPort") -}}
 {{-       end -}}
 {{-     end -}}
-{{-     if include "operator.verifyObjectInput" (list $scope "domainsNamespaces") -}}
+{{-     if include "operator.verifyObjectInput" (list $scope $scope "domainsNamespaces") -}}
 {{-       $domainsNamespaces := $scope.domainsNamespaces -}}
 {{-       range $key, $element := $domainsNamespaces -}}
-{{-         if include "operator.verifyObjectInput" (list $domainsNamespaces $key) -}}
+{{-         if include "operator.verifyObjectInput" (list $scope $domainsNamespaces $key) -}}
 {{-           $s := merge (dict) $element $scope -}}
-{{-           if include "operator.verifyBooleanInput" (list $s "createDomainsNamespace") -}}
+{{-           if include "operator.verifyBooleanInput" (list $scope $s "createDomainsNamespace") -}}
 {{-             if eq $key "default" -}}
 {{-               if $s.createDomainsNamespace -}}
 {{-                 $errorMsg := cat "The effective createDomainsNamespace value for the 'default' domainsNamespace must be set to false." -}}

kubernetes/charts/weblogic-operator/values.yaml

@@ -8,11 +8,6 @@ setupKubernetesCluster: true
 # createOperator specifies whether or not the installation should create the operator and its resources.
 createOperator: true
 
-# createOperatorNamespace specifies whether or not the installation should create the Kubernetes
-# namespace that the operator will be deployed in.  If createOperatorNamespace is false than the
-# namespace must exist before the operator can be installed.
-createOperatorNamespace: true
-
 # operatorNamespace specifies the name of the Kubernetes namespace that the operator will be deployed in.
 # It is recommended that a namespace be created for the operator rather
 # than using the default namespace.
@@ -57,15 +52,83 @@ operatorImage: "weblogic-kubernetes-operator:1.0"
 # operatorImagePullPolicy specifies the image pull policy for the operator docker image.
 operatorImagePullPolicy: "IfNotPresent"
 
-# externalRestEnabled specifies whether or not the operator externally exposes a REST https interface
-# (i.e. outside of the Kubernetes cluster).
-externalRestEnabled: false
+# Options for externally exposing the operator REST https interface
+# (i.e. outside of the Kubernetes cluster). Valid values are:
+#
+# "NONE"
+#    The REST interface is not exposed outside the Kubernetes cluster.
+#
+# "SELF_SIGNED_CERT"
+#    The REST interface is exposed outside of the Kubernetes cluster on the
+#    port specified by the 'externalRestHttpsPort' property.
+#    A self-signed certificate and private key are generated for the REST interface.
+#    The certificate's subject alternative names are specified by the 'externalSans'
+#    property.
+#
+# "CUSTOM_CERT"
+#    The REST interface is exposed outside of the Kubernetes cluster on the
+#    port specified by the 'externalRestHttpsPort' property.
+#    The customer supplied certificate and private key are used for the REST
+#    interface.  They are specified by the 'externalOperatorCert' and
+#    'externalOperatorKey' properties.
+externalRestOption: NONE
 
 # externalRestHttpsPort specifies the node port that should be allocated for the external operator REST https interface.
 # This parameter is required if 'externalRestEnabled' is 'true'.
 # Otherwise, it is ignored.
 externalRestHttpsPort: 31001
 
+# The subject alternative names to put into the generated self-signed certificate
+# for the external WebLogic Operator REST https interface, for example:
+#   DNS:myhost,DNS:localhost,IP:127.0.0.1
+# This parameter is required if 'externalRestOption' is 'SELF_SIGNED_CERT'.
+# Otherwise, it is ignored.
+#externalOperatorCertSans:
+
+# The customer supplied certificate to use for the external operator REST
+# https interface.  The value must be a string containing a base64 encoded PEM certificate.
+# This parameter is required if 'externalRestOption' is 'CUSTOM_CERT'.
+# Otherwise, it is ignored.
+#externalOperatorCert:
+
+# The customer supplied private key to use for the external operator REST
+# https interface.  The value must be a string containing a base64 encoded PEM key.
+# This parameter is required if 'externalRestOption' is 'CUSTOM_CERT'.
+# Otherwise, it is ignored.
+#externalOperatorKey:
+
+# Options for the operator REST https interface inside the Kubernetes cluster.
+# Valid values are:
+#
+# "SELF_SIGNED_CERT"
+#    A self-signed certificate and private key are generated for the internal REST interface.
+#
+# "CUSTOM_CERT"
+#    The customer supplied certificate and private key are used for the REST
+#    interface.  They are specified by the 'internalOperatorCert' and
+#    'internalOperatorKey' properties.
+# 
+internalRestOption: SELF_SIGNED_CERT
+
+# The customer supplied certificate to use for the internal operator REST
+# https interface.  The value must be a string containing a base64 encoded PEM certificate.
+# This parameter is required if 'internalRestOption' is 'CUSTOM_CERT'.
+# Otherwise, it is ignored.
+# Note: the customer must ensure that the certificate contains the following
+# subject alternative names:
+#   DNS:internal-weblogic-operator-service
+#   DNS:internal-weblogic-operator-service.OPERATOR_NAMESPACE
+#   DNS:internal-weblogic-operator-service.OPERATOR_NAMESPACE.svc
+#   DNS:internal-weblogic-operator-service.OPERATOR_NAMESPACE.svc.cluster.local"
+# where OPERTOR_NAMESPACE is the name of the operator's namespace.
+#internalOperatorCert:
+
+# The customer supplied private key to use for the internal operator REST
+# https interface.  The value must be a string containing a base64 encoded PEM key.
+# This parameter is required if 'internalRestOption' is 'CUSTOM_CERT'.
+# Otherwise, it is ignored.
+#internalOperatorKey:
+
 # remoteDebugNodePortEnabled specifies whether or not the operator will start a Java remote debug server on the
 # provided port and suspend execution until a remote debugger has attached.
 # The 'internalDebugHttpPort' property controls the port number inside the Kubernetes