oracle
diff --git a/‎documentation/4.0/content/introduction/platforms/environments.md
Lines changed: 7 additions & 3 deletions b/‎documentation/4.0/content/introduction/platforms/environments.md
Lines changed: 7 additions & 3 deletions
diff --git a/‎documentation/4.0/content/security/openshift.md
Lines changed: 38 additions & 31 deletions b/‎documentation/4.0/content/security/openshift.md
Lines changed: 38 additions & 31 deletions
diff --git a/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/ItHorizontalPodAutoscalerCustomMetrics.java
Lines changed: 19 additions & 2 deletions b/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/ItHorizontalPodAutoscalerCustomMetrics.java
Lines changed: 19 additions & 2 deletions
diff --git a/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/ItRetryImprovements.java
Lines changed: 21 additions & 17 deletions b/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/ItRetryImprovements.java
Lines changed: 21 additions & 17 deletions
diff --git a/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/TestConstants.java
Lines changed: 1 addition & 0 deletions b/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/TestConstants.java
Lines changed: 1 addition & 0 deletions
diff --git a/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/actions/impl/TraefikParams.java
Lines changed: 8 additions & 0 deletions b/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/actions/impl/TraefikParams.java
Lines changed: 8 additions & 0 deletions
diff --git a/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/assertions/TestAssertions.java
Lines changed: 28 additions & 1 deletion b/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/assertions/TestAssertions.java
Lines changed: 28 additions & 1 deletion
diff --git a/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/utils/DomainUtils.java
Lines changed: 22 additions & 1 deletion b/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/utils/DomainUtils.java
Lines changed: 22 additions & 1 deletion
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/steps/HttpRequestProcessing.java
Lines changed: 1 addition & 1 deletion b/‎operator/src/main/java/oracle/kubernetes/operator/steps/HttpRequestProcessing.java
Lines changed: 1 addition & 1 deletion
@@ -166,10 +166,14 @@ See also the [Tanzu Kubernetes Grid sample]({{<relref "/samples/tanzu-kubernetes
 
 OpenShift can be a cloud platform or can be deployed on premises.
 
-- Operator 3.4.0+ is certified for use on OpenShift Container Platform 4.10.4+ with Kubernetes 1.23+.
-- Operator v3.4.4 is certified for use on:
+- Operator v3.4.6 is certified for use on:
   - OpenShift Container Platform 4.9.50 with Kubernetes 1.22, RedHat OpenShift Mesh 2.3, and Istio 1.14.
-  - OpenShift Container Platform 4.11.0 with Kubernetes 1.24, RedHat OpenShift Mesh 2.3, and Istio 1.14.
+  - OpenShift Container Platform 4.10.20 with Kubernetes 1.23, RedHat OpenShift Mesh 2.2.1, and Istio 1.14.
+  - OpenShift Container Platform 4.11.6 with Kubernetes 1.24, RedHat OpenShift Mesh 2.2.3, and Istio 1.12.9.
+  - 
+- Operator v4.0.5 is certified for use on:
+  - OpenShift Container Platform 4.11.30 with Kubernetes 1.24, RedHat OpenShift Mesh 2.3.2, and Istio 1.14.5.
+  - OpenShift Container Platform 4.12.2 with Kubernetes 1.25, RedHat OpenShift Mesh 2.3.2, and Istio 1.14.5.
 
 To accommodate OpenShift security requirements:
 - For security requirements to run WebLogic Server in OpenShift, see the [OpenShift]({{<relref "/security/openshift.md">}}) documentation.
 
@@ -5,6 +5,40 @@ weight: 7
 description: "OpenShift information for the operator."
 ---
 
+#### Set the Helm chart property `kubernetesPlatform` to `OpenShift`
+
+Beginning with operator version 3.3.2,
+set the operator `kubernetesPlatform` Helm chart property to `OpenShift`.
+This property accommodates OpenShift security requirements. Specifically, the operator's deployment and any pods created
+by the operator for WebLogic Server instances will not contain `runAsUser: 1000` in the configuration of the `securityContext`. This is to
+accommodate OpenShift's default `restricted` security context constraint.
+For more information, see [Operator Helm configuration values]({{<relref "/managing-operators/using-helm#operator-helm-configuration-values">}}).
+
+#### Use a dedicated namespace
+
+When the user that installs an individual instance of the operator
+does _not_ have the required privileges to create resources at the Kubernetes cluster level,
+they can use a `Dedicated` namespace selection strategy for the operator instance to limit
+it to managing domain resources in its local namespace only
+(see [Operator namespace management]({{< relref "/managing-operators/namespace-management#choose-a-domain-namespace-selection-strategy" >}})),
+and they may need to manually install the Domain Custom Resource (CRD)
+(see [Prepare for installation]({{< relref "/managing-operators/preparation#how-to-manually-install-the-domain-resource-custom-resource-definition-crd" >}})).
+
+#### With WIT, set the `target` parameter to `OpenShift`
+
+When using the [WebLogic Image Tool](https://oracle.github.io/weblogic-image-tool/) (WIT),
+`create`, `rebase`, or `update` command, to create a
+[Domain in Image]({{< relref "/managing-domains/choosing-a-model/_index.md" >}}) domain home,
+[Model in Image]({{< relref "/managing-domains/choosing-a-model/_index.md" >}}) image,
+or [Model in Image]({{< relref "/managing-domains/choosing-a-model/_index.md" >}}) auxiliary image,
+you can specify the `--target` parameter for the target Kubernetes environment.
+Its value can be either `Default` or `OpenShift`.
+The `OpenShift` option changes the domain directory files such that the group permissions
+for those files will be the same as the user permissions (group writable, in most cases).
+If you do not supply the OS group and user setting with `--chown`,
+then the `Default` setting for this option is changed from `oracle:oracle` to `oracle:root`
+to be in line with the expectations of an OpenShift environment.
+
 #### Security requirements to run WebLogic in OpenShift
 
 WebLogic Kubernetes Operator images starting with version 3.1 and
@@ -50,6 +84,10 @@ than are needed, and is therefore less secure.
 
 #### Create a custom Security Context Constraint
 
+For most use cases, customers should use OpenShift's default `restricted` security context constraint. If you do need to
+create and use a custom security context constraint, this section describes the settings necessary to be compatible with
+the operator and pods for WebLogic Server instances.
+
 To create a custom security context constraint, create a YAML file with the following
 content.  This example assumes that your OpenShift project is called `weblogic` and
 that the service account you will use to run the operator and domains
@@ -113,34 +151,3 @@ For additional information about OpenShift requirements and the operator,
 see [OpenShift]({{<relref  "/introduction/platforms/environments#openshift">}}).
 {{% /notice %}}
 
-#### Use a dedicated namespace
-
-When the user that installs an individual instance of the operator
-does _not_ have the required privileges to create resources at the Kubernetes cluster level,
-they can use a `Dedicated` namespace selection strategy for the operator instance to limit
-it to managing domain resources in its local namespace only
-(see [Operator namespace management]({{< relref "/managing-operators/namespace-management#choose-a-domain-namespace-selection-strategy" >}})),
-and they may need to manually install the Domain Custom Resource (CRD)
-(see [Prepare for installation]({{< relref "/managing-operators/preparation.md" >}})).
-
-#### Set the Helm chart property `kubernetesPlatform` to `OpenShift`
-
-Beginning with operator version 3.3.2,
-set the operator `kubernetesPlatform` Helm chart property to `OpenShift`.
-This property accommodates OpenShift security requirements.
-For more information, see [Operator Helm configuration values]({{<relref "/managing-operators/using-helm#operator-helm-configuration-values">}}).
-
-#### With WIT, set the `target` parameter to `OpenShift`
-
-When using the [WebLogic Image Tool](https://oracle.github.io/weblogic-image-tool/) (WIT),
-`create`, `rebase`, or `update` command, to create a
-[Domain in Image]({{< relref "/managing-domains/choosing-a-model/_index.md" >}}) domain home,
-[Model in Image]({{< relref "/managing-domains/choosing-a-model/_index.md" >}}) image,
-or [Model in Image]({{< relref "/managing-domains/choosing-a-model/_index.md" >}}) auxiliary image,
-you can specify the `--target` parameter for the target Kubernetes environment.
-Its value can be either `Default` or `OpenShift`.
-The `OpenShift` option changes the domain directory files such that the group permissions
-for those files will be the same as the user permissions (group writable, in most cases).
-If you do not supply the OS group and user setting with `--chown`,
-then the `Default` setting for this option is changed from `oracle:oracle` to `oracle:root`
-to be in line with the expectations of an OpenShift environment.
 
@@ -28,6 +28,7 @@
 import oracle.weblogic.kubernetes.actions.impl.primitive.HelmParams;
 import oracle.weblogic.kubernetes.annotations.IntegrationTest;
 import oracle.weblogic.kubernetes.annotations.Namespaces;
+import oracle.weblogic.kubernetes.assertions.impl.Kubernetes;
 import oracle.weblogic.kubernetes.logging.LoggingFacade;
 import oracle.weblogic.kubernetes.utils.ExecCommand;
 import oracle.weblogic.kubernetes.utils.ExecResult;
@@ -305,11 +306,27 @@ void testHPAWithCustomMetrics() {
         () -> verifyHPA(domainNamespace, "0/5"),
         logger,
         "Checking if total_open_session metric is 0");
+    testUntil(
+        withLongRetryPolicy,
+        () -> verifyHPA(domainNamespace, "2         3         2"),
+        logger,
+        "Checking if replica switched to 2");
+
     try {
       checkPodDeleted(managedServerPrefix + 3, domainUid, domainNamespace);
     } catch (Exception ex) {
-      //retry again
-      checkPodDeleted(managedServerPrefix + 3, domainUid, domainNamespace);
+      //check if different server was scaled down
+      try {
+        if (!Kubernetes.doesPodExist(domainNamespace, domainUid, managedServerPrefix + 1)) {
+          logger.info("HPA scaled down managed server 1");
+        } else if (!Kubernetes.doesPodExist(domainNamespace, domainUid, managedServerPrefix + 2)) {
+          logger.info("HPA scaled down managed server 2");
+        } else {
+          checkPodDeleted(managedServerPrefix + 3, domainUid, domainNamespace);
+        }
+      } catch (Exception ex1) {
+        throw ex;
+      }
     }
   }
 
 
@@ -1,4 +1,4 @@
-// Copyright (c) 2022, Oracle and/or its affiliates.
+// Copyright (c) 2022, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.kubernetes;
@@ -54,6 +54,7 @@
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.testUntil;
 import static oracle.weblogic.kubernetes.utils.ConfigMapUtils.configMapExist;
 import static oracle.weblogic.kubernetes.utils.ConfigMapUtils.createConfigMapFromFiles;
+import static oracle.weblogic.kubernetes.utils.DomainUtils.checkDomainStatusMessageContainsExpectedMsg;
 import static oracle.weblogic.kubernetes.utils.DomainUtils.createDomainAndVerify;
 import static oracle.weblogic.kubernetes.utils.DomainUtils.createDomainResourceForDomainInImage;
 import static oracle.weblogic.kubernetes.utils.DomainUtils.createMiiDomainResourceWithConfigMap;
@@ -357,14 +358,12 @@ void testRetryStoppedAfterfailureRetryLimitMinutesExpired() {
     DomainResource domain = createDomainResourceForRetryTest(failureRetryLimitMinutes, replicaCount,false);
     createDomainForRetryTest(domain);
 
-    String retryDoneMsgRegex = new StringBuffer(".*operator\\s*failed\\s*after\\s*retrying\\s*for\\s*")
-        .append(failureRetryLimitMinutes.toString())
-        .append("\\s*minutes.*Please\\s*resolve.*update\\s*domain.spec.introspectVersion\\s*")
-        .append(".*to\\s*force\\s*another\\s*retry.*").toString();
-
-    // verify that the operator stops retry after failure retry limit minutes expired
-    testUntil(() -> findStringInDomainStatusMessage(domainNamespace, domainUid, retryDoneMsgRegex),
-        logger, "The operator stops retry after failure retry limit minutes expired");
+    String retryDoneMsgRegex = "The operator failed after retrying for "
+        + failureRetryLimitMinutes
+        + " minutes. This time limit may be specified in spec.failureRetryLimitMinutes. "
+        + "Please resolve the error and then update domain.spec.introspectVersion to force another retry.";
+    // verify that retryDoneMsgRegex message found in domain status message
+    checkDomainStatusMessageContainsExpectedMsg(domainUid, domainNamespace, retryDoneMsgRegex);
   }
 
   /**
@@ -382,23 +381,23 @@ void testRetryOccursAndErrorFromIntrospectorLoggedInOperator() throws Exception
     String badModelFileCm = "bad-model-in-cm";
     String badModelFileName = "bad-model-file.yaml";
     Path badModelFile = Paths.get(MODEL_DIR, badModelFileName);
+    String domainUid = "retrydomain2";
 
     logger.info("Creating a domain resource with bad model file from configmap");
     DomainResource domain =
         createDomainResourceForRetryTestWithConfigMap(failureRetryLimitMinutes,
-        replicaCount, badModelFile, badModelFileCm);
+        replicaCount, badModelFile, badModelFileCm, domainUid);
     createDomainAndVerify(domain, domainNamespace);
 
     String createDomainFailedMsgRegex = new StringBuffer(".*SEVERE.*createDomain\\s*was\\s*unable\\s*to\\s*load.*")
         .append(badModelFileName).toString();
-    String retryDoneMsgRegex = new StringBuffer(".*operator\\s*failed\\s*after\\s*retrying\\s*for\\s*")
-        .append(failureRetryLimitMinutes.toString())
-        .append("\\s*minutes.*Please\\s*resolve.*update\\s*domain.spec.introspectVersion\\s*")
-        .append(".*to\\s*force\\s*another\\s*retry.*").toString();
 
+    String retryDoneMsgRegex = "The operator failed after retrying for "
+        + failureRetryLimitMinutes
+        + " minutes. This time limit may be specified in spec.failureRetryLimitMinutes. "
+        + "Please resolve the error and then update domain.spec.introspectVersion to force another retry.";
     // verify that retryDoneMsgRegex message found in domain status message
-    testUntil(() -> findStringInDomainStatusMessage(domainNamespace, domainUid, retryDoneMsgRegex),
-        logger, "{0} is found in domain status message", retryDoneMsgRegex);
+    checkDomainStatusMessageContainsExpectedMsg(domainUid, domainNamespace, retryDoneMsgRegex);
 
     // verify that SEVERE and createDomainFailedMsgRegex message found in Operator log
     testUntil(() -> checkPodLogContainsRegex(createDomainFailedMsgRegex, operatorPodName, opNamespace),
@@ -418,6 +417,10 @@ void testRetryOccursAndErrorFromIntrospectorLoggedInOperator() throws Exception
     if (configMapExist.call().booleanValue()) {
       deleteConfigMap(badModelFileCm, domainNamespace);
     }
+    deleteClusterCustomResource(domainUid + "-" + clusterName, domainNamespace);
+    if (domainExists(domainUid, DOMAIN_VERSION, domainNamespace).call().booleanValue()) {
+      deleteDomainResource(domainNamespace, domainUid);
+    }
   }
 
   private void verifyDomainExistsAndServerStarted(int replicaCount) {
@@ -485,7 +488,8 @@ private static DomainResource createDomainResourceForRetryTest(Long failureRetry
   private static DomainResource createDomainResourceForRetryTestWithConfigMap(Long failureRetryLimitMinutes,
                                                                               int replicaCount,
                                                                               Path modelFile,
-                                                                              String configmapName) {
+                                                                              String configmapName,
+                                                                              String domainUid) {
     final List<Path> modelList = Collections.singletonList(modelFile);
     String imageName = MII_BASIC_IMAGE_NAME;
     String imageTag = "empty-domain-image";
 
@@ -183,6 +183,7 @@ public interface TestConstants {
   public static final String TRAEFIK_CHART_NAME = "traefik";
   public static final String TRAEFIK_INGRESS_IMAGE_NAME = "weblogick8s/test-images/traefik-ingress/traefik";
   public static final String TRAEFIK_INGRESS_IMAGE_REGISTRY = TEST_IMAGES_REPO;
+
   public static final String TRAEFIK_INGRESS_IMAGE_TAG = "v2.9.6";
 
   // Voyager constants
 
@@ -23,9 +23,11 @@ public class TraefikParams {
   private String traefikImage = TRAEFIK_INGRESS_IMAGE_NAME;
   private String traefikImageTag = TRAEFIK_INGRESS_IMAGE_TAG;
   private String traefikRegistry = TRAEFIK_INGRESS_IMAGE_REGISTRY;
+
   private static final String NODEPORTS_HTTP = "ports.web.nodePort";
   private static final String NODEPORTS_HTTPS = "ports.websecure.nodePort";
   private static final String TRAEFIK_IMAGE = "image.repository";
+  private static final String TRAEFIK_IMAGE_REGISTRY = "image.registry";
   private static final String TRAEFIK_IMAGE_TAG = "image.tag";
   private static final String TRAEFIK_IMAGE_REGISTRY = "image.registry";
 
@@ -58,6 +60,11 @@ public TraefikParams traefikImage(String traefikImage) {
     return this;
   }
 
+  public TraefikParams traefikRegistry(String traefikRegistry) {
+    this.traefikRegistry = traefikRegistry;
+    return this;
+  }
+
   public TraefikParams traefikImageTag(String traefikImageTag) {
     this.traefikImageTag = traefikImageTag;
     return this;
@@ -79,6 +86,7 @@ public Map<String, Object> getValues() {
     }
 
     values.put(TRAEFIK_IMAGE, traefikImage);
+    values.put(TRAEFIK_IMAGE_REGISTRY, traefikRegistry);
     values.put(TRAEFIK_IMAGE_TAG, traefikImageTag);
     values.put(TRAEFIK_IMAGE_REGISTRY, traefikRegistry);
     values.values().removeIf(Objects::isNull);
 
@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2022, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.kubernetes.assertions;
@@ -622,6 +622,33 @@ public static Callable<Boolean> domainStatusReasonMatches(String domainUid, Stri
     };
   }
 
+  /**
+   * Check the status message of the domain contains the expected message.
+   * @param domainUid  domain uid
+   * @param namespace namespace in which the domain resource exists
+   * @param statusMsg the expected status message of the domain
+   * @return true if the status message contains the expected message, false otherwise
+   */
+  public static Callable<Boolean> domainStatusMessageContainsExpectedMsg(String domainUid, String namespace,
+                                                                         String statusMsg) {
+    LoggingFacade logger = getLogger();
+    return () -> {
+      DomainResource domain = getDomainCustomResource(domainUid, namespace);
+      if (domain != null && domain.getStatus() != null && domain.getStatus().getMessage() != null) {
+        return domain.getStatus().getMessage().equalsIgnoreCase(statusMsg);
+      } else {
+        if (domain == null) {
+          logger.info("domain is null");
+        } else if (domain.getStatus() == null) {
+          logger.info("domain status is null");
+        } else if (domain.getStatus().getMessage() == null) {
+          logger.info("domain status message is null");
+        }
+        return false;
+      }
+    };
+  }
+
   /**
    * Check the domain status condition type exists.
    * @param domainUid uid of the domain
 
@@ -105,6 +105,7 @@
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.domainExists;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.domainStatusConditionTypeExists;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.domainStatusConditionTypeHasExpectedStatus;
+import static oracle.weblogic.kubernetes.assertions.TestAssertions.domainStatusMessageContainsExpectedMsg;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.domainStatusReasonMatches;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.domainStatusServerStatusHasExpectedPodStatus;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.pvExists;
@@ -242,12 +243,32 @@ public static void checkDomainStatusReasonMatches(String domainUid, String names
     LoggingFacade logger = getLogger();
     testUntil(assertDoesNotThrow(() -> domainStatusReasonMatches(domainUid, namespace, statusReason)),
         logger,
-        "the status reason of the domain {0} in namespace {1}",
+        "the status reason of the domain {0} in namespace {1} matches {2}",
         domainUid,
         namespace,
         statusReason);
   }
 
+  /**
+   * Check the status message of the domainUid contains the expected msg.
+   *
+   * @param domainUid  domain uid
+   * @param namespace the namespace in which the domainUid exists
+   * @param statusMsg the expected status msg of the domainUid
+   */
+  public static void checkDomainStatusMessageContainsExpectedMsg(String domainUid,
+                                                                 String namespace,
+                                                                 String statusMsg) {
+    LoggingFacade logger = getLogger();
+    testUntil(withLongRetryPolicy,
+        assertDoesNotThrow(() -> domainStatusMessageContainsExpectedMsg(domainUid, namespace, statusMsg)),
+        logger,
+        "the status msg of the domain {0} in namespace {1} contains {2}",
+        domainUid,
+        namespace,
+        statusMsg);
+  }
+
   /**
    * Check the domain status condition has expected status value.
    * @param domainUid Uid of the domain
 
@@ -131,7 +131,7 @@ private String getHost() {
 
   private String toServiceHost(@Nonnull V1ObjectMeta meta) {
     String ns = Optional.ofNullable(meta.getNamespace()).orElse("default");
-    return meta.getName() + "." + ns;
+    return meta.getName() + "." + ns + ".svc";
   }
 
   protected V1Pod getPod() {
Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ private String getHost() {`
`131`	`131`
`132`	`132`	`private String toServiceHost(@Nonnull V1ObjectMeta meta) {`
`133`	`133`	`String ns = Optional.ofNullable(meta.getNamespace()).orElse("default");`
`134`		`- return meta.getName() + "." + ns;`
	`134`	`+ return meta.getName() + "." + ns + ".svc";`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`protected V1Pod getPod() {`