Add WDT model encryption to DOPV testcase

Author: sankarpn

integration-tests/src/test/java/oracle/weblogic/domain/InitializeDomainOnPV.java

@@ -51,6 +51,13 @@ public class InitializeDomainOnPV {
       + " If the 'fsGroup' is specified as part of 'spec.introspector.serverPod.podSecurityContext', then the operator"
       + " will use that 'fsGroup' instead of the default 'fsGroup'. Defaults to true.")
   public Boolean setDefaultSecurityContextFsGroup;
+  
+  @ApiModelProperty("Specifies the secret name of the WebLogic Deployment Tool encryption passphrase if the WDT models "
+      + "provided in the 'domainCreationImages' or 'domainCreationConfigMap' are encrypted using the "
+      + "WebLogic Deployment Tool 'encryptModel' command. "
+      + "The secret must use the key 'passphrase' containing the actual passphrase for encryption.")
+  public String wdtModelEncryptionPassphraseSecret;
+  
 
   public PersistentVolume getPersistentVolume() {
     return persistentVolume;
@@ -105,6 +112,15 @@ public InitializeDomainOnPV setDefaultFsGroup(Boolean setDefaultFsGroup) {
     this.setDefaultSecurityContextFsGroup = setDefaultFsGroup;
     return this;
   }
+  
+  public String getWdtModelEncryptionPassphraseSecret() {
+    return wdtModelEncryptionPassphraseSecret;
+  }
+
+  public InitializeDomainOnPV  wdtModelEncryptionPassphraseSecret(String wdtModelEncryptionPassphraseSecret) {
+    this.wdtModelEncryptionPassphraseSecret = wdtModelEncryptionPassphraseSecret;
+    return this;
+  }  
 
   @Override
   public String toString() {
@@ -138,12 +154,13 @@ public boolean equals(Object other) {
     }
 
     InitializeDomainOnPV rhs = ((InitializeDomainOnPV) other);
-    EqualsBuilder builder =
-        new EqualsBuilder()
+    EqualsBuilder builder
+        = new EqualsBuilder()
             .append(persistentVolume, rhs.persistentVolume)
             .append(persistentVolumeClaim, rhs.persistentVolumeClaim)
             .append(domain, rhs.domain)
-            .append(waitForPvcToBind, rhs.waitForPvcToBind);
+            .append(waitForPvcToBind, rhs.waitForPvcToBind)
+            .append(wdtModelEncryptionPassphraseSecret, rhs.wdtModelEncryptionPassphraseSecret);
 
     return builder.isEquals();
   }

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItSystemResOverrides.java

@@ -4,8 +4,11 @@
 package oracle.weblogic.kubernetes;
 
 import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.time.OffsetDateTime;
@@ -15,7 +18,9 @@
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.concurrent.Callable;
+import java.util.stream.Collectors;
 
 import io.kubernetes.client.custom.Quantity;
 import io.kubernetes.client.custom.V1Patch;
@@ -24,6 +29,7 @@
 import io.kubernetes.client.openapi.models.V1LocalObjectReference;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.openapi.models.V1PersistentVolumeClaimVolumeSource;
+import io.kubernetes.client.openapi.models.V1Secret;
 import io.kubernetes.client.openapi.models.V1Volume;
 import io.kubernetes.client.openapi.models.V1VolumeMount;
 import oracle.weblogic.domain.AdminServer;
@@ -38,6 +44,8 @@
 import oracle.weblogic.domain.DomainResource;
 import oracle.weblogic.domain.DomainSpec;
 import oracle.weblogic.domain.ServerPod;
+import oracle.weblogic.kubernetes.actions.impl.primitive.Command;
+import oracle.weblogic.kubernetes.actions.impl.primitive.CommandParams;
 import oracle.weblogic.kubernetes.actions.impl.primitive.WitParams;
 import oracle.weblogic.kubernetes.annotations.IntegrationTest;
 import oracle.weblogic.kubernetes.annotations.Namespaces;
@@ -60,18 +68,24 @@
 import static oracle.weblogic.kubernetes.TestConstants.K8S_NODEPORT_HOST;
 import static oracle.weblogic.kubernetes.TestConstants.MII_BASIC_IMAGE_TAG;
 import static oracle.weblogic.kubernetes.TestConstants.OKE_CLUSTER;
+import static oracle.weblogic.kubernetes.TestConstants.RESULTS_ROOT;
+import static oracle.weblogic.kubernetes.TestConstants.RESULTS_TEMPFILE;
 import static oracle.weblogic.kubernetes.TestConstants.TRAEFIK_INGRESS_HTTP_HOSTPORT;
 import static oracle.weblogic.kubernetes.TestConstants.WEBLOGIC_IMAGE_TO_USE_IN_SPEC;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.APP_DIR;
+import static oracle.weblogic.kubernetes.actions.ActionConstants.DOWNLOAD_DIR;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.MODEL_DIR;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.RESOURCE_DIR;
+import static oracle.weblogic.kubernetes.actions.ActionConstants.WDT_DOWNLOAD_URL;
+import static oracle.weblogic.kubernetes.actions.TestActions.createSecret;
 import static oracle.weblogic.kubernetes.actions.TestActions.getNextIntrospectVersion;
 import static oracle.weblogic.kubernetes.actions.TestActions.getServiceNodePort;
 import static oracle.weblogic.kubernetes.actions.TestActions.getServicePort;
 import static oracle.weblogic.kubernetes.actions.TestActions.shutdownDomain;
 import static oracle.weblogic.kubernetes.actions.TestActions.startDomain;
 import static oracle.weblogic.kubernetes.actions.impl.Domain.patchDomainCustomResource;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.podStateNotChanged;
+import static oracle.weblogic.kubernetes.assertions.TestAssertions.secretExists;
 import static oracle.weblogic.kubernetes.utils.ApplicationUtils.verifyAdminServerRESTAccess;
 import static oracle.weblogic.kubernetes.utils.AuxiliaryImageUtils.createAndPushAuxiliaryImage;
 import static oracle.weblogic.kubernetes.utils.BuildApplication.buildApplication;
@@ -90,7 +104,6 @@
 import static oracle.weblogic.kubernetes.utils.ConfigMapUtils.createConfigMapFromFiles;
 import static oracle.weblogic.kubernetes.utils.DeployUtil.deployUsingWlst;
 import static oracle.weblogic.kubernetes.utils.DomainUtils.createDomainAndVerify;
-import static oracle.weblogic.kubernetes.utils.FileUtils.createWdtPropertyFile;
 import static oracle.weblogic.kubernetes.utils.FmwUtils.getConfiguration;
 import static oracle.weblogic.kubernetes.utils.ImageUtils.createBaseRepoSecret;
 import static oracle.weblogic.kubernetes.utils.JobUtils.createDomainJob;
@@ -142,6 +155,10 @@ class ItSystemResOverrides {
   static Path sitconfigAppPath;
   String overridecm = "configoverride-cm";
   LinkedHashMap<String, OffsetDateTime> podTimestamps;
+  
+  private static Path encryptModelScript;
+  private static final String passPhrase = "encryptPA55word";
+  private static final String encryptionSecret = "model-encryption-secret";
 
   private static LoggingFacade logger = null;
 
@@ -156,7 +173,7 @@ class ItSystemResOverrides {
    * @param namespaces injected by JUnit
    */
   @BeforeAll
-  public void initAll(@Namespaces(2) List<String> namespaces) {
+  public void initAll(@Namespaces(2) List<String> namespaces) throws IOException {
     logger = getLogger();
 
     logger.info("Assign a unique namespace for operator");
@@ -165,6 +182,9 @@ public void initAll(@Namespaces(2) List<String> namespaces) {
     logger.info("Assign a unique namespace for domain namspace");
     assertNotNull(namespaces.get(1), "Namespace is null");
     domainNamespace = namespaces.get(1);
+    
+    logger.info("installing WebLogic Deploy Tool");
+    downloadAndInstallWDT();
 
     // install operator and verify its running in ready state
     installAndVerifyOperator(opNamespace, domainNamespace);
@@ -381,7 +401,7 @@ private void verifyIntrospectorRuns() {
   }
 
   //create a standard WebLogic domain.
-  private void createDomain() {
+  private void createDomain() throws IOException {
     String uniqueDomainHome = "/shared/" + domainNamespace + "/domains/";
 
     // create pull secrets for WebLogic image when running in non Kind Kubernetes cluster
@@ -394,8 +414,17 @@ private void createDomain() {
     final String wlsModelFilePrefix = "sitconfig-dci-model";
     final String wlsModelFile = wlsModelFilePrefix + ".yaml";
     t3ChannelPort = getNextFreePort();
+    logger.info("Create WDT property file");
     File wlsModelPropFile = createWdtPropertyFile(wlsModelFilePrefix,
         K8S_NODEPORT_HOST, t3ChannelPort);
+    logger.info("Create WDT passphrase file"); 
+    File passphraseFile = createPassphraseFile(passPhrase);    
+    logger.info("Run encruptModel.sh script to encrypt clear text password in property file");    
+    encryptModel(encryptModelScript,
+        Path.of(MODEL_DIR, wlsModelFile),
+        wlsModelPropFile.toPath(), passphraseFile.toPath());
+    createSecretWithUsernamePassword(wlSecretName, opNamespace, clusterName, passPhrase);
+    createEncryptionSecret(encryptionSecret, domainNamespace);
 
     // create domainCreationImage
     String domainCreationImageName = DOMAIN_IMAGES_PREFIX + "sitconfig-domain-on-pv-image";
@@ -426,10 +455,12 @@ private void createDomain() {
       configuration = getConfiguration(pvName, pvcName, pvCapacity, pvcRequest, storageClassName,
           ItSystemResOverrides.class.getSimpleName());
     }
-    configuration.getInitializeDomainOnPV().domain(new DomainOnPV()
-        .createMode(CreateIfNotExists.DOMAIN)
-        .domainCreationImages(Collections.singletonList(domainCreationImage))
-        .domainType(DomainOnPVType.WLS));
+    configuration.getInitializeDomainOnPV()
+        .wdtModelEncryptionPassphraseSecret(encryptionSecret)
+        .domain(new DomainOnPV()
+            .createMode(CreateIfNotExists.DOMAIN)
+            .domainCreationImages(Collections.singletonList(domainCreationImage))
+            .domainType(DomainOnPVType.WLS));
     configuration.overrideDistributionStrategy("Dynamic");
 
     // create secrets
@@ -616,4 +647,82 @@ private void restartDomain() {
       checkPodReadyAndServiceExists(managedServerPodNamePrefix + i, domainUid, domainNamespace);
     }
   }
+  
+  public static File createWdtPropertyFile(String wlsModelFilePrefix, String nodePortHost, int t3Port) {
+    // create property file used with domain model file
+    Properties p = new Properties();
+    p.setProperty("WebLogicAdminUserName", ADMIN_USERNAME_DEFAULT);
+    p.setProperty("WebLogicAdminPassword", ADMIN_PASSWORD_DEFAULT);
+    p.setProperty("K8S_NODEPORT_HOST", nodePortHost);
+    p.setProperty("T3_CHANNEL_PORT", Integer.toString(t3Port));
+
+    // create a model property file
+    File domainPropertiesFile = assertDoesNotThrow(() ->
+            File.createTempFile(wlsModelFilePrefix, ".properties", new File(RESULTS_TEMPFILE)),
+        "Failed to create WLS model properties file");
+
+    // create the property file
+    assertDoesNotThrow(() ->
+            p.store(new FileOutputStream(domainPropertiesFile), "WLS properties file"),
+        "Failed to write WLS properties file");
+
+    return domainPropertiesFile;
+  }
+  
+  private static void downloadAndInstallWDT() throws IOException {
+    String wdtUrl = WDT_DOWNLOAD_URL + "/download/weblogic-deploy.zip";
+    Path destLocation = Path.of(DOWNLOAD_DIR, "wdt", "weblogic-deploy.zip");
+    encryptModelScript = Path.of(DOWNLOAD_DIR, "wdt", "weblogic-deploy", "bin", "encryptModel.sh");
+    if (!Files.exists(destLocation) && !Files.exists(encryptModelScript)) {
+      logger.info("Downloading WDT to {0}", destLocation);
+      Files.createDirectories(destLocation.getParent());
+      OracleHttpClient.downloadFile(wdtUrl, destLocation.toString(), null, null, 3);
+      String cmd = "cd " + destLocation.getParent() + ";unzip " + destLocation;
+      assertTrue(Command.withParams(new CommandParams().command(cmd)).execute(), "unzip command failed");
+    }
+    assertTrue(Files.exists(encryptModelScript), "could not find createDomain.sh script");
+  }
+  
+  private static File createPassphraseFile(String passPhrase) throws IOException {
+    // create pass phrase file used with domain model file
+    File passphraseFile = assertDoesNotThrow(()
+        -> File.createTempFile("passphrase", ".txt", new File(RESULTS_TEMPFILE)),
+        "Failed to create WLS model encrypt passphrase file");
+    Files.write(passphraseFile.toPath(), passPhrase.getBytes(StandardCharsets.UTF_8));
+    logger.info("passphrase file contents {0}", Files.readString(passphraseFile.toPath()));
+    return passphraseFile;
+  }
+  
+  private static void encryptModel(Path encryptModelScript, Path modelFile,
+      Path propertyFile, Path passphraseFile) throws IOException {
+    Path mwHome = Path.of(RESULTS_ROOT, "mwhome");
+    logger.info("Encrypting property file containing the secrets {0}", propertyFile.toString());
+    List<String> command = List.of(
+        encryptModelScript.toString(),
+        "-oracle_home", mwHome.toString(),
+        "-model_file", modelFile.toString(),
+        "-variable_file", propertyFile.toString(),
+        "-passphrase_file", passphraseFile.toString()
+    );
+    logger.info("running {0}", command);
+    assertTrue(Command.withParams(new CommandParams()
+        .command(command.stream().collect(Collectors.joining(" ")))).execute(),
+        "encryptModel.sh command failed");
+    logger.info("Encrypted passphrase file contents {0}", Files.readString(propertyFile));
+  }
+  
+  public static void createEncryptionSecret(String secretName, String namespace) {
+    Map<String, String> secretMap = new HashMap<>();
+    secretMap.put("passphrase", passPhrase);
+
+    if (!secretExists(secretName, namespace)) {
+      boolean secretCreated = assertDoesNotThrow(() -> createSecret(new V1Secret()
+          .metadata(new V1ObjectMeta()
+              .name(secretName)
+              .namespace(namespace))
+          .stringData(secretMap)), "Create secret failed with ApiException");
+
+      assertTrue(secretCreated, String.format("create secret failed for %s", secretName));
+    }
+  }
 }