Merge pull request #1034 from oracle/owls-72193

OWLS-72193 - Operator logs repeated NPE when a domain resource credential secret is missing

Author: rjeberhard

operator/src/main/java/oracle/kubernetes/operator/DomainProcessorImpl.java

@@ -35,7 +35,9 @@
 import oracle.kubernetes.operator.helpers.ServiceHelper;
 import oracle.kubernetes.operator.logging.LoggingFacade;
 import oracle.kubernetes.operator.logging.LoggingFactory;
+import oracle.kubernetes.operator.logging.LoggingFilter;
 import oracle.kubernetes.operator.logging.MessageKeys;
+import oracle.kubernetes.operator.logging.OncePerMessageLoggingFilter;
 import oracle.kubernetes.operator.steps.BeforeAdminServiceStep;
 import oracle.kubernetes.operator.steps.DeleteDomainStep;
 import oracle.kubernetes.operator.steps.DomainPresenceStep;
@@ -290,6 +292,7 @@ public void dispatchDomainWatch(Watch.Response<Domain> item) {
 
   private void scheduleDomainStatusUpdating(DomainPresenceInfo info) {
     AtomicInteger unchangedCount = new AtomicInteger(0);
+    final OncePerMessageLoggingFilter loggingFilter = new OncePerMessageLoggingFilter();
     Runnable command =
         new Runnable() {
           public void run() {
@@ -301,6 +304,7 @@ public void run() {
                   .put(
                       ProcessingConstants.DOMAIN_COMPONENT_NAME,
                       Component.createFor(info, delegate.getVersion()));
+              packet.put(LoggingFilter.LOGGING_FILTER_PACKET_KEY, loggingFilter);
               MainTuning main = TuningParameters.getInstance().getMainTuning();
               Step strategy =
                   DomainStatusUpdater.createStatusStep(main.statusUpdateTimeoutSeconds, null);
@@ -312,6 +316,11 @@ public void run() {
                   new CompletionCallback() {
                     @Override
                     public void onCompletion(Packet packet) {
+                      if (Boolean.TRUE.equals(packet.get(ProcessingConstants.SERVER_HEALTH_READ))) {
+                        loggingFilter.setFiltering(false).resetLogHistory();
+                      } else {
+                        loggingFilter.setFiltering(true);
+                      }
                       Boolean isStatusUnchanged =
                           (Boolean) packet.get(ProcessingConstants.STATUS_UNCHANGED);
                       if (Boolean.TRUE.equals(isStatusUnchanged)) {
@@ -344,6 +353,7 @@ public void onCompletion(Packet packet) {
                     @Override
                     public void onThrowable(Packet packet, Throwable throwable) {
                       LOGGER.severe(MessageKeys.EXCEPTION, throwable);
+                      loggingFilter.setFiltering(true);
                       // retry to trying after shorter delay because of exception
                       unchangedCount.set(0);
                       registerStatusUpdater(

operator/src/main/java/oracle/kubernetes/operator/ProcessingConstants.java

@@ -33,4 +33,6 @@ public interface ProcessingConstants {
   public static final String DOMAIN_INTROSPECTOR_JOB = "domainIntrospectorJob";
   public static final String DOMAIN_INTROSPECTOR_LOG_RESULT = "domainIntrospectorLogResult";
   public static final String SIT_CONFIG_MAP = "sitConfigMap";
+
+  public static final String SERVER_HEALTH_READ = "serverHealthRead";
 }

operator/src/main/java/oracle/kubernetes/operator/helpers/SecretHelper.java

@@ -11,6 +11,7 @@
 import java.util.Map;
 import oracle.kubernetes.operator.logging.LoggingFacade;
 import oracle.kubernetes.operator.logging.LoggingFactory;
+import oracle.kubernetes.operator.logging.LoggingFilter;
 import oracle.kubernetes.operator.logging.MessageKeys;
 import oracle.kubernetes.operator.work.ContainerResolver;
 import oracle.kubernetes.operator.work.NextAction;
@@ -72,7 +73,7 @@ public Map<String, byte[]> getSecretData(SecretType secretType, String secretNam
         return null;
       }
 
-      return harvestAdminSecretData(secret);
+      return harvestAdminSecretData(secret, null);
     } catch (Throwable e) {
       LOGGER.severe(MessageKeys.EXCEPTION, e);
       return null;
@@ -116,6 +117,7 @@ public NextAction apply(Packet packet) {
       }
 
       LOGGER.fine(MessageKeys.RETRIEVING_SECRET, secretName);
+      final LoggingFilter loggingFilter = packet.getValue(LoggingFilter.LOGGING_FILTER_PACKET_KEY);
       CallBuilderFactory factory =
           ContainerResolver.getInstance().getContainer().getSPI(CallBuilderFactory.class);
       Step read =
@@ -132,7 +134,7 @@ public NextAction onFailure(
                         int statusCode,
                         Map<String, List<String>> responseHeaders) {
                       if (statusCode == CallBuilder.NOT_FOUND) {
-                        LOGGER.warning(MessageKeys.SECRET_NOT_FOUND, secretName);
+                        LOGGER.warning(loggingFilter, MessageKeys.SECRET_NOT_FOUND, secretName);
                         return doNext(packet);
                       }
                       return super.onFailure(packet, e, statusCode, responseHeaders);
@@ -144,7 +146,7 @@ public NextAction onSuccess(
                         V1Secret result,
                         int statusCode,
                         Map<String, List<String>> responseHeaders) {
-                      packet.put(SECRET_DATA_KEY, harvestAdminSecretData(result));
+                      packet.put(SECRET_DATA_KEY, harvestAdminSecretData(result, loggingFilter));
                       return doNext(packet);
                     }
                   });
@@ -153,21 +155,24 @@ public NextAction onSuccess(
     }
   }
 
-  private static Map<String, byte[]> harvestAdminSecretData(V1Secret secret) {
+  private static Map<String, byte[]> harvestAdminSecretData(
+      V1Secret secret, LoggingFilter loggingFilter) {
     Map<String, byte[]> secretData = new HashMap<>();
     byte[] usernameBytes = secret.getData().get(ADMIN_SERVER_CREDENTIALS_USERNAME);
     byte[] passwordBytes = secret.getData().get(ADMIN_SERVER_CREDENTIALS_PASSWORD);
 
     if (usernameBytes != null) {
       secretData.put(ADMIN_SERVER_CREDENTIALS_USERNAME, usernameBytes);
     } else {
-      LOGGER.warning(MessageKeys.SECRET_DATA_NOT_FOUND, ADMIN_SERVER_CREDENTIALS_USERNAME);
+      LOGGER.warning(
+          loggingFilter, MessageKeys.SECRET_DATA_NOT_FOUND, ADMIN_SERVER_CREDENTIALS_USERNAME);
     }
 
     if (passwordBytes != null) {
       secretData.put(ADMIN_SERVER_CREDENTIALS_PASSWORD, passwordBytes);
     } else {
-      LOGGER.warning(MessageKeys.SECRET_DATA_NOT_FOUND, ADMIN_SERVER_CREDENTIALS_PASSWORD);
+      LOGGER.warning(
+          loggingFilter, MessageKeys.SECRET_DATA_NOT_FOUND, ADMIN_SERVER_CREDENTIALS_PASSWORD);
     }
     return secretData;
   }

operator/src/main/java/oracle/kubernetes/operator/http/HttpClient.java

@@ -196,15 +196,23 @@ public NextAction apply(Packet packet) {
       if (secretData != null) {
         username = secretData.get(SecretHelper.ADMIN_SERVER_CREDENTIALS_USERNAME);
         password = secretData.get(SecretHelper.ADMIN_SERVER_CREDENTIALS_PASSWORD);
-      }
-      packet.put(KEY, createAuthenticatedClient(username, password));
+        packet.put(KEY, createAuthenticatedClient(username, password));
 
-      Arrays.fill(username, (byte) 0);
-      Arrays.fill(password, (byte) 0);
+        clearCredential(username);
+        clearCredential(password);
+      }
       return doNext(packet);
     }
   }
 
+  /**
+   * Erase authentication credential so that it is not sitting in memory where a rogue program can
+   * find it.
+   */
+  private static void clearCredential(byte[] credential) {
+    if (credential != null) Arrays.fill(credential, (byte) 0);
+  }
+
   /**
    * Create authenticated client specifically targeted at an admin server.
    *

operator/src/main/java/oracle/kubernetes/operator/logging/LoggingFacade.java

@@ -292,6 +292,20 @@ public void info(String msg, Object... params) {
     }
   }
 
+  /**
+   * Logs a message which requires parameters at the INFO level with a logging filter applied
+   *
+   * @param loggingFilter LoggingFilter to be applied, can be null
+   * @param msg the message to log
+   * @param params varargs list of objects to include in the log message
+   */
+  public void info(LoggingFilter loggingFilter, String msg, Object... params) {
+    if (isInfoEnabled() && LoggingFilter.canLog(loggingFilter, msg)) {
+      CallerDetails details = inferCaller();
+      logger.logp(Level.INFO, details.clazz, details.method, msg, params);
+    }
+  }
+
   /**
    * Logs a message which accompanies a Throwable at the INFO level.
    *
@@ -449,6 +463,20 @@ public void severe(String msg, Object... params) {
     }
   }
 
+  /**
+   * Logs a message which requires parameters at the SEVERE level with a logging filter applied
+   *
+   * @param loggingFilter LoggingFilter to be applied, can be null
+   * @param msg the message to log
+   * @param params varargs list of objects to include in the log message
+   */
+  public void severe(LoggingFilter loggingFilter, String msg, Object... params) {
+    if (isSevereEnabled() && LoggingFilter.canLog(loggingFilter, msg)) {
+      CallerDetails details = inferCaller();
+      logger.logp(Level.SEVERE, details.clazz, details.method, msg, params);
+    }
+  }
+
   /**
    * Logs a message which accompanies a Throwable at the SEVERE level.
    *
@@ -462,6 +490,20 @@ public void severe(String msg, Throwable thrown) {
     }
   }
 
+  /**
+   * Logs a message which accompanies a Throwable at the SEVERE level with a logging filter applied
+   *
+   * @param loggingFilter LoggingFilter to be applied, can be null
+   * @param msg the message to log
+   * @param thrown an Exception to include in the logged message
+   */
+  public void severe(LoggingFilter loggingFilter, String msg, Throwable thrown) {
+    if (isSevereEnabled() && LoggingFilter.canLog(loggingFilter, msg)) {
+      CallerDetails details = inferCaller();
+      logger.logp(Level.SEVERE, details.clazz, details.method, msg, thrown);
+    }
+  }
+
   /**
    * Logs that an exception will be thrown. The calling class and method names will be inferred.
    *
@@ -499,6 +541,20 @@ public void warning(String msg, Object... params) {
     }
   }
 
+  /**
+   * Logs a message which requires parameters at the WARNING level with a logging filter applied
+   *
+   * @param loggingFilter LoggingFilter to be applied, can be null
+   * @param msg the message to log
+   * @param params varargs list of objects to include in the log message
+   */
+  public void warning(LoggingFilter loggingFilter, String msg, Object... params) {
+    if (isWarningEnabled() && LoggingFilter.canLog(loggingFilter, msg)) {
+      CallerDetails details = inferCaller();
+      logger.logp(Level.WARNING, details.clazz, details.method, msg, params);
+    }
+  }
+
   /**
    * Logs a message which accompanies a Throwable at the WARNING level.
    *

operator/src/main/java/oracle/kubernetes/operator/logging/LoggingFilter.java

@@ -0,0 +1,32 @@
+// Copyright 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
+// Licensed under the Universal Permissive License v 1.0 as shown at
+// http://oss.oracle.com/licenses/upl.
+
+package oracle.kubernetes.operator.logging;
+
+/** A filter to control whether a log message should be logged */
+public interface LoggingFilter {
+
+  // Constant for key for storing LoggingFilter object in Packet map
+  String LOGGING_FILTER_PACKET_KEY = "loggingFilter";
+
+  /**
+   * Checks if the message should be logged
+   *
+   * @param msg the message to be loggged
+   */
+  boolean canLog(String msg);
+
+  /**
+   * Checks if the message should be logged according to an optional LoggingFilter
+   *
+   * @param loggingFilter LoggingFilter that decides whether the log message should be logged, can
+   *     be null
+   * @param msg The log message to be loggd
+   * @return the canLog() return value from the provided loggingFilter, message, and parameters, or
+   *     true if loggingFilter is null
+   */
+  static boolean canLog(LoggingFilter loggingFilter, String msg) {
+    return loggingFilter == null || loggingFilter.canLog(msg);
+  }
+}

operator/src/main/java/oracle/kubernetes/operator/logging/MessageKeys.java

@@ -154,4 +154,5 @@ private MessageKeys() {}
   public static final String EXTERNAL_CHANNEL_SERVICE_CREATED = "WLSKO-0150";
   public static final String EXTERNAL_CHANNEL_SERVICE_REPLACED = "WLSKO-0151";
   public static final String EXTERNAL_CHANNEL_SERVICE_EXISTS = "WLSKO-0152";
+  public static final String WLS_HEALTH_READ_FAILED_NO_HTTPCLIENT = "WLSKO-0153";
 }

operator/src/main/java/oracle/kubernetes/operator/logging/OncePerMessageLoggingFilter.java

@@ -0,0 +1,44 @@
+// Copyright 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
+// Licensed under the Universal Permissive License v 1.0 as shown at
+// http://oss.oracle.com/licenses/upl.
+
+package oracle.kubernetes.operator.logging;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/** A LoggingFilter that logs each log message, which are typically message keys, at most once */
+public class OncePerMessageLoggingFilter implements LoggingFilter {
+
+  // allow all messages to be logged when filtering is off
+  boolean filtering = false;
+
+  Set messagesLogged = new HashSet();
+
+  /**
+   * Turn on or off the filtering of log messages and skip logging of messages that have already
+   * been logged
+   *
+   * @param value true if filtering should be on, false if filtering should be off
+   */
+  public synchronized OncePerMessageLoggingFilter setFiltering(boolean value) {
+    filtering = value;
+    return this;
+  }
+
+  /** Clears the list of history of messages logged and turn off filtering */
+  public synchronized OncePerMessageLoggingFilter resetLogHistory() {
+    messagesLogged.clear();
+    return this;
+  }
+
+  @Override
+  public synchronized boolean canLog(String msg) {
+    // Do not log if filtering is on and message has already been logged
+    if (filtering && messagesLogged.contains(msg)) {
+      return false;
+    }
+    messagesLogged.add(msg);
+    return true;
+  }
+}