Merge pull request #849 from oracle/OWLS-70638

OWLS-70638

Author: rjeberhard

integration-tests/src/test/java/oracle/kubernetes/operator/ITOperator.java

@@ -33,6 +33,7 @@ public class ITOperator extends BaseTest {
   private static String op2YamlFile = "operator2.yaml";
   private static final String opForDelYamlFile1 = "operator_del1.yaml";
   private static final String opForDelYamlFile2 = "operator_del2.yaml";
+  private static final String opForBackwardCompatibility = "operator_bc.yaml";
 
   // property file used to customize domain properties for domain inputs yaml
   private static String domain1YamlFile = "domain1.yaml";
@@ -59,6 +60,8 @@ public class ITOperator extends BaseTest {
   private static Operator operatorForDel1;
   private static Operator operatorForDel2;
 
+  private static Operator operatorForBackwardCompatibility;
+
   private static boolean QUICKTEST;
   private static boolean SMOKETEST;
   private static boolean JENKINS;
@@ -580,6 +583,28 @@ public void testAutoSitConfigOverrides() throws Exception {
     }
     logger.info("SUCCESS - testAutoSitConfigOverrides");
   }
+
+  /**
+   * Create operator and enable external rest endpoint using the externalOperatorCert and
+   * externalOperatorKey defined in the helm chart values instead of the tls secret. This test is
+   * for backward compatibility
+   *
+   * @throws Exception
+   */
+  @Test
+  public void testRESTIdentityBackwardCompatibility() throws Exception {
+    Assume.assumeFalse(QUICKTEST);
+
+    logTestBegin("testRESTIdentityBackwardCompatibility");
+    logger.info("Checking if operatorForBackwardCompatibility is running, if not creating");
+    if (operatorForBackwardCompatibility == null) {
+      operatorForBackwardCompatibility = TestUtils.createOperator(opForBackwardCompatibility, true);
+    }
+    logger.info("Operator using legacy REST identity created successfully");
+    operatorForBackwardCompatibility.destroy();
+    logger.info("SUCCESS - testRESTIdentityBackwardCompatibility");
+  }
+
   /**
    * Create Operator and create domain with some junk value for t3 channel public address and using
    * custom situational config override replace with valid public address using secret Verify the

integration-tests/src/test/java/oracle/kubernetes/operator/utils/Operator.java

@@ -37,6 +37,19 @@ public class Operator {
   private static int maxIterationsOp = BaseTest.getMaxIterationsPod(); // 50 * 5 = 250 seconds
   private static int waitTimeOp = BaseTest.getWaitTimePod();
 
+  /**
+   * Takes operator input properties which needs to be customized and generates a operator input
+   * yaml file.
+   *
+   * @param inputYaml
+   * @throws Exception
+   */
+  public Operator(String inputYaml, boolean useLegacyRESTIdentity) throws Exception {
+    initialize(inputYaml);
+    generateInputYaml(useLegacyRESTIdentity);
+    callHelmInstall();
+  }
+
   /**
    * Takes operator input properties which needs to be customized and generates a operator input
    * yaml file.
@@ -245,19 +258,30 @@ private String getExecFailure(String cmd, ExecResult result) throws Exception {
   }
 
   private void generateInputYaml() throws Exception {
+    generateInputYaml(false);
+  }
+
+  private void generateInputYaml(boolean useLegacyRESTIdentity) throws Exception {
     Path parentDir =
         Files.createDirectories(Paths.get(userProjectsDir + "/weblogic-operators/" + operatorNS));
     generatedInputYamlFile = parentDir + "/weblogic-operator-values.yaml";
     TestUtils.createInputFile(operatorMap, generatedInputYamlFile);
-
-    // write certificates
-    ExecCommand.exec(
-        BaseTest.getProjectRoot()
-            + "/kubernetes/samples/scripts/rest/generate-external-rest-identity.sh "
-            + "DNS:"
-            + TestUtils.getHostName()
-            + " >> "
-            + generatedInputYamlFile);
+    StringBuilder sb = new StringBuilder(200);
+    sb.append(BaseTest.getProjectRoot());
+    if (useLegacyRESTIdentity) {
+      sb.append(
+          "/integration-tests/src/test/resources/scripts/legacy-generate-external-rest-identity.sh ");
+    } else {
+      sb.append("/kubernetes/samples/scripts/rest/generate-external-rest-identity.sh ");
+      sb.append(" -n ");
+      sb.append(operatorNS);
+    }
+    sb.append(" DNS:");
+    sb.append(TestUtils.getHostName());
+    sb.append(" >> ");
+    sb.append(generatedInputYamlFile);
+    logger.info("Invoking " + sb.toString());
+    ExecCommand.exec(sb.toString());
   }
 
   private void runCommandInLoop(String command) throws Exception {

integration-tests/src/test/java/oracle/kubernetes/operator/utils/TestUtils.java

@@ -419,10 +419,11 @@ public static String getExternalOperatorCertificate(String operatorNS, String us
     File certFile =
         new File(userProjectsDir + "/weblogic-operators/" + operatorNS + "/operator.cert.pem");
 
-    StringBuffer opCertCmd = new StringBuffer("kubectl get cm -n ");
+    StringBuffer opCertCmd = new StringBuffer("kubectl get secret -n ");
     opCertCmd
         .append(operatorNS)
-        .append(" weblogic-operator-cm -o jsonpath='{.data.externalOperatorCert}'");
+        .append(
+            " weblogic-operator-external-rest-identity -o yaml | grep tls.crt | cut -d':' -f 2");
 
     ExecResult result = ExecCommand.exec(opCertCmd.toString());
     if (result.exitValue() != 0) {
@@ -440,7 +441,7 @@ public static String getExternalOperatorCertificate(String operatorNS, String us
         .append(" | base64 --decode > ")
         .append(certFile.getAbsolutePath());
 
-    String decodedOpCert = ExecCommand.exec(opCertDecodeCmd.toString()).stdout().trim();
+    ExecCommand.exec(opCertDecodeCmd.toString()).stdout().trim();
     return certFile.getAbsolutePath();
   }
 
@@ -449,12 +450,11 @@ public static String getExternalOperatorKey(String operatorNS, String userProjec
     File keyFile =
         new File(userProjectsDir + "/weblogic-operators/" + operatorNS + "/operator.key.pem");
 
-    StringBuffer opKeyCmd = new StringBuffer("grep externalOperatorKey: ");
+    StringBuffer opKeyCmd = new StringBuffer("kubectl get secret -n ");
     opKeyCmd
-        .append(userProjectsDir)
-        .append("/weblogic-operators/")
         .append(operatorNS)
-        .append("/weblogic-operator-values.yaml | awk '{ print $2 }'");
+        .append(
+            " weblogic-operator-external-rest-identity -o yaml | grep tls.key | cut -d':' -f 2");
 
     ExecResult result = ExecCommand.exec(opKeyCmd.toString());
     if (result.exitValue() != 0) {
@@ -467,7 +467,7 @@ public static String getExternalOperatorKey(String operatorNS, String userProjec
     StringBuffer opKeyDecodeCmd = new StringBuffer("echo ");
     opKeyDecodeCmd.append(opKey).append(" | base64 --decode > ").append(keyFile.getAbsolutePath());
 
-    String decodedOpKey = ExecCommand.exec(opKeyDecodeCmd.toString()).stdout().trim();
+    ExecCommand.exec(opKeyDecodeCmd.toString()).stdout().trim();
     return keyFile.getAbsolutePath();
   }
 
@@ -480,9 +480,10 @@ public static String getGitBranchName() throws Exception {
     return result.stdout().trim();
   }
 
-  public static Operator createOperator(String opYamlFile) throws Exception {
+  public static Operator createOperator(String opYamlFile, boolean useLegacyRESTIdentity)
+      throws Exception {
     // create op
-    Operator operator = new Operator(opYamlFile);
+    Operator operator = new Operator(opYamlFile, useLegacyRESTIdentity);
 
     logger.info("Check Operator status");
     operator.verifyPodCreated();
@@ -492,6 +493,10 @@ public static Operator createOperator(String opYamlFile) throws Exception {
     return operator;
   }
 
+  public static Operator createOperator(String opYamlFile) throws Exception {
+    return createOperator(opYamlFile, false);
+  }
+
   public static Domain createDomain(String inputYaml) throws Exception {
     logger.info("Creating domain with yaml, waiting for the script to complete execution");
     return new Domain(inputYaml);

integration-tests/src/test/resources/operator_bc.yaml

@@ -0,0 +1,11 @@
+# Copyright 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+
+#any property can be provided here from kubernetes/charts/weblogic-operator/values.yaml
+releaseName: op3
+serviceAccount: weblogic-operator
+namespace: weblogic-operator-backward-compatibility
+domainNamespaces: [ "domain-backward-compatibility"]
+externalRestEnabled: true
+externalRestHttpsPort: 32004
+javaLoggingLevel: FINE

integration-tests/src/test/resources/scripts/legacy-generate-external-rest-identity.sh

@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+# Copyright 2017, 2018, Oracle Corporation and/or its affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+#
+# When the customer enables the operator's external REST api (by setting
+# externalRestEnabled to true when installing the operator helm chart), the customer needs
+# to provide the certificate and private key for api's SSL identity too (by setting
+# externalOperatorCert and externalOperatorKey to the base64 encoded PEM of the cert and
+# key when installing the operator helm chart).
+#
+# This sample script generates a self-signed certificate and private key that can be used
+# for the operator's external REST api when experimenting with the operator.  They should
+# not be used in a production environment.
+#
+# The sytax of the script is:
+#   kubernetes/samples/scripts/generate-external-rest-identity.sh <subject alternative names>
+#
+# <subject alternative names> lists the subject alternative names to put into the generated
+# self-signed certificate for the external WebLogic Operator REST https interface,
+# for example:
+#   DNS:myhost,DNS:localhost,IP:127.0.0.1
+#
+# The script prints out the base64 encoded pem of the generated certificate and private key
+# in the same format that the operator helm chart's values.yaml requires.
+#
+# Example usage:
+#   generate-external-rest-identity.sh IP:127.0.0.1 > my_values.yaml
+#   echo "externalRestEnabled: true" >> my_values.yaml
+#   ...
+#   helm install kubernetes/charts/weblogic-operator --name my_operator --namespace my_operator-ns --values my_values.yaml --wait
+
+if [ "$#" != 1 ] ; then
+  1>&2 echo "Syntax: ${BASH_SOURCE[0]} <subject alternative names>"
+  exit 1
+fi
+
+if [ ! -x "$(command -v keytool)" ]; then
+  echo "Can't find keytool.  Please add it to the path."
+  exit 1
+fi
+
+if [ ! -x "$(command -v openssl)" ]; then
+  echo "Can't find openssl.  Please add it to the path."
+  exit 1
+fi
+
+if [ ! -x "$(command -v base64)" ]; then
+  echo "Can't find base64.  Please add it to the path."
+  exit 1
+fi
+
+TEMP_DIR=`mktemp -d`
+if [ $? -ne 0 ]; then
+  echo "$0: Can't create temp directory."
+  exit 1
+fi
+
+if [ -z $TEMP_DIR ]; then
+  echo "Can't create temp directory."
+  exit 1
+fi
+
+function cleanup {
+  rm -r $TEMP_DIR
+  if [[ $SUCCEEDED != "true" ]]; then
+    exit 1
+  fi
+}
+
+set -e
+
+trap "cleanup" EXIT
+
+#set -x
+
+SANS=$1
+DAYS_VALID="3650"
+TEMP_PW="temp_password"
+OP_PREFIX="weblogic-operator"
+OP_ALIAS="${OP_PREFIX}-alias"
+OP_JKS="${TEMP_DIR}/${OP_PREFIX}.jks"
+OP_PKCS12="${TEMP_DIR}/${OP_PREFIX}.p12"
+OP_CSR="${TEMP_DIR}/${OP_PREFIX}.csr"
+OP_CERT_PEM="${TEMP_DIR}/${OP_PREFIX}.cert.pem"
+OP_KEY_PEM="${TEMP_DIR}/${OP_PREFIX}.key.pem"
+KEYTOOL=/usr/java/jdk1.8.0_141/bin/keytool
+
+# generate a keypair for the operator's REST service, putting it in a keystore
+keytool \
+  -genkey \
+  -keystore ${OP_JKS} \
+  -alias ${OP_ALIAS} \
+  -storepass ${TEMP_PW} \
+  -keypass ${TEMP_PW} \
+  -keysize 2048 \
+  -keyalg RSA \
+  -validity ${DAYS_VALID} \
+  -dname "CN=weblogic-operator" \
+  -ext KU=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement \
+  -ext SAN="${SANS}" \
+2> /dev/null
+
+# extract the cert to a pem file
+keytool \
+  -exportcert \
+  -keystore ${OP_JKS} \
+  -storepass ${TEMP_PW} \
+  -alias ${OP_ALIAS} \
+  -rfc \
+> ${OP_CERT_PEM} 2> /dev/null
+
+# convert the keystore to a pkcs12 file
+keytool \
+  -importkeystore \
+  -srckeystore ${OP_JKS} \
+  -srcstorepass ${TEMP_PW} \
+  -destkeystore ${OP_PKCS12} \
+  -srcstorepass ${TEMP_PW} \
+  -deststorepass ${TEMP_PW} \
+  -deststoretype PKCS12 \
+2> /dev/null
+
+# extract the private key from the pkcs12 file to a pem file
+openssl \
+  pkcs12 \
+  -in ${OP_PKCS12} \
+  -passin pass:${TEMP_PW} \
+  -nodes \
+  -nocerts \
+  -out ${OP_KEY_PEM} \
+2> /dev/null
+
+# base64 encode the cert and private key pem
+CERT_DATA=`base64 -i ${OP_CERT_PEM} | tr -d '\n'`
+KEY_DATA=`base64 -i ${OP_KEY_PEM} | tr -d '\n'`
+
+# print out the cert and pem in the form that can be added to
+# the operator helm chart's values.yaml
+echo "externalOperatorCert: ${CERT_DATA}"
+echo "externalOperatorKey: ${KEY_DATA}"
+
+SUCCEEDED=true

kubernetes/charts/weblogic-operator/templates/_operator-cm.tpl

@@ -6,8 +6,8 @@
 apiVersion: "v1"
 data:
   {{- if .externalRestEnabled }}
-    {{- if (hasKey . "externalCertificateSecret") }}
-  externalCertificateSecret: {{ .externalCertificateSecret | quote }}
+    {{- if (hasKey . "externalRestIdentitySecret") }}
+  externalRestIdentitySecret: {{ .externalRestIdentitySecret | quote }}
     {{- else }}
   externalOperatorCert: {{ .externalOperatorCert | quote }}
     {{- end }}

kubernetes/charts/weblogic-operator/templates/_validate-inputs.tpl

@@ -12,15 +12,15 @@
 {{- $ignore := include "utils.verifyEnum" (list $scope "imagePullPolicy" (list "Always" "IfNotPresent" "Never")) -}}
 {{- $ignore := include "utils.verifyOptionalDictionaryList" (list $scope "imagePullSecrets") -}}
 {{- $ignore := include "utils.verifyEnum" (list $scope "javaLoggingLevel" (list "SEVERE" "WARNING" "INFO" "CONFIG" "FINE" "FINER" "FINEST")) -}}
-{{- $ignore := include "utils.mutexString" (list $scope "externalCertificateSecret" (list "externalOperatorKey" "externalOperatorCert")) -}}
 {{- if include "utils.verifyBoolean" (list $scope "externalRestEnabled") -}}
 {{-   if $scope.externalRestEnabled -}}
 {{-     $ignore := include "utils.verifyInteger" (list $scope "externalRestHttpsPort") -}}
+{{-     $ignore := include "utils.mutexString" (list $scope "externalRestIdentitySecret" (list "externalOperatorKey" "externalOperatorCert")) -}}
 {{-     if (or (hasKey $scope "externalOperatorCert") (hasKey $scope "externalOperatorKey")) -}}
 {{-       $ignore := include "utils.verifyString"  (list $scope "externalOperatorCert") -}}
 {{-       $ignore := include "utils.verifyString"  (list $scope "externalOperatorKey") -}}
 {{-     else }}
-{{-       $ignore := include "utils.verifyString"  (list $scope "externalCertificateSecret") -}}
+{{-       $ignore := include "utils.verifyString"  (list $scope "externalRestIdentitySecret") -}}
 {{-     end -}}
 {{-   end -}}
 {{- end -}}

kubernetes/charts/weblogic-operator/values.yaml

@@ -55,9 +55,9 @@ externalRestHttpsPort: 31001
 # The name of the secret used to store the certificate and private key to use for the external operator REST https interface.
 # The secret has to be created in the same namespace of the welbogic operator.
 # This parameter is required if 'externalRestEnabled' is true. Otherwise, it is ignored.
-# As example, a self-sigend certificate can be created and stored in weblogic-operator-certificate using the 
-# following sample script kubernetes/samples/scripts/rest/generate-external-rest-identity.sh
-#externalCertificateSecret: 
+# As example, an external rest identity can be created using the following sample script 
+# kubernetes/samples/scripts/rest/generate-external-rest-identity.sh
+#externalRestIdentitySecret: 
 
 # remoteDebugNodePortEnabled specifies whether or not the operator will start a Java remote debug server
 # on the provided port and suspend execution until a remote debugger has attached.