OWLS-107961 - Restore security context on init containers to avoid pod roll during operator upgrade from 4.0 to latest. (#4143)

Author: ankedia

operator/src/main/java/oracle/kubernetes/operator/helpers/PodStepContext.java

@@ -1350,6 +1350,12 @@ private void restoreSecurityContext(V1Pod recipe, V1Pod currentPod) {
               container.setSecurityContext(null);
             }
           }));
+      Optional.ofNullable(recipe.getSpec().getInitContainers())
+          .ifPresent(initContainers -> initContainers.forEach(initContainer -> {
+            if (PodSecurityHelper.getDefaultContainerSecurityContext().equals(initContainer.getSecurityContext())) {
+              initContainer.setSecurityContext(null);
+            }
+          }));
     }
 
     private boolean canAdjustRecentOperatorMajorVersion3HashToMatch(V1Pod currentPod, String requiredHash) {

operator/src/test/java/oracle/kubernetes/operator/helpers/AdminPodHelperTest.java

@@ -167,6 +167,11 @@ String getReferenceMiiConvertedAuxImagePodYaml_3_4_1() {
     return ReferenceObjects.ADMIN_MII_CONVERTED_AUX_IMAGE_POD_3_4_1;
   }
 
+  @Override
+  String getReferenceMiiAuxImagePodYaml_4_0() {
+    return ReferenceObjects.ADMIN_MII_AUX_IMAGE_POD_4_0;
+  }
+
   @Override
   String getReferenceIstioMonitoringExporterTcpProtocol() {
     return ReferenceObjects.ADMIN_ISTIO_MONITORING_EXPORTER_TCP_PROTOCOL;

operator/src/test/java/oracle/kubernetes/operator/helpers/ManagedPodHelperTest.java

@@ -1329,6 +1329,11 @@ String getReferenceMiiAuxImagePodYaml_3_3() {
     return ReferenceObjects.MANAGED_MII_AUX_IMAGE_POD_3_3;
   }
 
+  @Override
+  String getReferenceMiiAuxImagePodYaml_4_0() {
+    return ReferenceObjects.MANAGED_MII_AUX_IMAGE_POD_4_0;
+  }
+
   @Override
   String getReferenceMiiConvertedAuxImagePodYaml_3_4() {
     return ReferenceObjects.MANAGED_MII_CONVERTED_AUX_IMAGE_POD_3_4;

operator/src/test/java/oracle/kubernetes/operator/helpers/PodHelperTestBase.java

@@ -807,6 +807,9 @@ void whenPodCreated_hasSha256HashAnnotationForRecipe() {
   // Returns the YAML for a 3.3 Mii pod with aux image.
   abstract String getReferenceMiiAuxImagePodYaml_3_3();
 
+  // Returns the YAML for a 4.0 Mii pod with aux image.
+  abstract String getReferenceMiiAuxImagePodYaml_4_0();
+
   // Returns the YAML for a 3.4 Mii pod with converted aux image.
   abstract String getReferenceMiiConvertedAuxImagePodYaml_3_4();
 
@@ -899,6 +902,20 @@ void afterUpgradingMiiDomainWith3_4_1_ConvertedAuxImages_patchIt() {
     assertThat(AnnotationHelper.getHash(patchedPod), equalTo(AnnotationHelper.getHash(createPodModel())));
   }
 
+  @Test
+  void afterUpgradingMiiDomainWith4_0_AuxImages_patchIt() {
+    configureDomain().withAuxiliaryImages(getAuxiliaryImages("wdt-image:v1"));
+
+    useProductionHash();
+    initializeExistingPod(loadPodModel(getReferenceMiiAuxImagePodYaml_4_0()));
+
+    verifyPodPatched();
+
+    V1Pod patchedPod = domainPresenceInfo.getServerPod(getServerName());
+    assertThat(patchedPod.getMetadata().getLabels().get(OPERATOR_VERSION), equalTo(TEST_PRODUCT_VERSION));
+    assertThat(AnnotationHelper.getHash(patchedPod), equalTo(AnnotationHelper.getHash(createPodModel())));
+  }
+
   @Test
   void afterUpgradingPlainPortPodFrom31_patchIt() {
     useProductionHash();

operator/src/test/java/oracle/kubernetes/operator/helpers/ReferenceObjects.java

@@ -2373,4 +2373,275 @@ class ReferenceObjects {
           + "    name: weblogic-domain-introspect-cm-volume\n"
           + "  - emptyDir: {}\n"
           + "    name: compat-ai-vol-auxiliaryimagevolume1\n";
+
+  static final String ADMIN_MII_AUX_IMAGE_POD_4_0 =
+      "metadata:\n"
+          + "  annotations:\n"
+          + "    prometheus.io/path: /wls-exporter/metrics\n"
+          + "    prometheus.io/port: '7001'\n"
+          + "    prometheus.io/scrape: 'true'\n"
+          + "    weblogic.sha256: f8ce3566270c93f214545fd8398012c8ce7e48c9e591e3c502f71b3f83259407\n"
+          + "  labels:\n"
+          + "    weblogic.domainName: domain1\n"
+          + "    weblogic.serverName: ADMIN_SERVER\n"
+          + "    weblogic.domainRestartVersion: null\n"
+          + "    weblogic.domainUID: uid1\n"
+          + "    weblogic.createdByOperator: 'true'\n"
+          + "    weblogic.operatorVersion: 4.0\n"
+          + "    weblogic.clusterRestartVersion: null\n"
+          + "    weblogic.serverRestartVersion: null\n"
+          + "  name: uid1-admin-server\n"
+          + "  namespace: namespace\n"
+          + "spec:\n"
+          + "  containers:\n"
+          + "  - command:\n"
+          + "    - /weblogic-operator/scripts/startServer.sh\n"
+          + "    env:\n"
+          + "    - name: DOMAIN_NAME\n"
+          + "      value: domain1\n"
+          + "    - name: DOMAIN_HOME\n"
+          + "      value: /u01/oracle/user_projects/domains\n"
+          + "    - name: ADMIN_NAME\n"
+          + "      value: ADMIN_SERVER\n"
+          + "    - name: ADMIN_PORT\n"
+          + "      value: '7001'\n"
+          + "    - name: SERVER_NAME\n"
+          + "      value: ADMIN_SERVER\n"
+          + "    - name: DOMAIN_UID\n"
+          + "      value: uid1\n"
+          + "    - name: NODEMGR_HOME\n"
+          + "      value: /u01/nodemanager\n"
+          + "    - name: LOG_HOME\n"
+          + "    - name: SERVER_OUT_IN_POD_LOG\n"
+          + "      value: 'true'\n"
+          + "    - name: SERVICE_NAME\n"
+          + "      value: uid1-admin-server\n"
+          + "    - name: AS_SERVICE_NAME\n"
+          + "      value: uid1-admin-server\n"
+          + "    - name: USER_MEM_ARGS\n"
+          + "      value: -Djava.security.egd=file:/dev/./urandom\n"
+          + "    - name: ADMIN_USERNAME\n"
+          + "    - name: ADMIN_PASSWORD\n"
+          + "    image: image:latest\n"
+          + "    imagePullPolicy: Always\n"
+          + "    lifecycle:\n"
+          + "      preStop:\n"
+          + "        exec:\n"
+          + "          command:\n"
+          + "          - /weblogic-operator/scripts/stopServer.sh\n"
+          + "    livenessProbe:\n"
+          + "      exec:\n"
+          + "        command:\n"
+          + "        - /weblogic-operator/scripts/livenessProbe.sh\n"
+          + "      failureThreshold: 1\n"
+          + "      initialDelaySeconds: 4\n"
+          + "      periodSeconds: 6\n"
+          + "      timeoutSeconds: 5\n"
+          + "    name: weblogic-server\n"
+          + "    ports:\n"
+          + "    - containerPort: 7001\n"
+          + "      name: default\n"
+          + "      protocol: TCP\n"
+          + "    readinessProbe:\n"
+          + "      failureThreshold: 1\n"
+          + "      httpGet:\n"
+          + "        path: /weblogic/ready\n"
+          + "        port: 7001\n"
+          + "      initialDelaySeconds: 1\n"
+          + "      periodSeconds: 3\n"
+          + "      timeoutSeconds: 2\n"
+          + "    resources:\n"
+          + "      limits: {}\n"
+          + "      requests:\n"
+          + "        memory: 768Mi\n"
+          + "        cpu: 250m\n"
+          + "    securityContext: {}\n"
+          + "    volumeMounts:\n"
+          + "    - mountPath: /weblogic-operator/scripts\n"
+          + "      name: weblogic-scripts-cm-volume\n"
+          + "      readOnly: true\n"
+          + "    - mountPath: /weblogic-operator/debug\n"
+          + "      name: weblogic-domain-debug-cm-volume\n"
+          + "      readOnly: true\n"
+          + "    - mountPath: /weblogic-operator/introspector\n"
+          + "      name: weblogic-domain-introspect-cm-volume\n"
+          + "    - mountPath: /auxiliary\n"
+          + "      name: aux-image-volume-auxiliaryimagevolume1\n"
+          + "  hostname: uid1-admin-server\n"
+          + "  imagePullSecrets: []\n"
+          + "  initContainers:\n"
+          + "  - command:\n"
+          + "    - /weblogic-operator/scripts/auxImage.sh\n"
+          + "    env:\n"
+          + "    - name: AUXILIARY_IMAGE_PATH\n"
+          + "      value: /auxiliary\n"
+          + "    - name: AUXILIARY_IMAGE_TARGET_PATH\n"
+          + "      value: /tmpAuxiliaryImage\n"
+          + "    - name: AUXILIARY_IMAGE_COMMAND\n"
+          + "      value: cp -R $AUXILIARY_IMAGE_PATH/* $AUXILIARY_IMAGE_TARGET_PATH\n"
+          + "    - name: AUXILIARY_IMAGE_CONTAINER_IMAGE\n"
+          + "      value: model-in-image:WLS-AI-v1\n"
+          + "    - name: AUXILIARY_IMAGE_CONTAINER_NAME\n"
+          + "      value: operator-aux-container1\n"
+          + "    image: model-in-image:WLS-AI-v1\n"
+          + "    imagePullPolicy: IfNotPresent\n"
+          + "    name: operator-aux-container1\n"
+          + "    volumeMounts:\n"
+          + "    - mountPath: /tmpAuxiliaryImage\n"
+          + "      name: aux-image-volume-auxiliaryimagevolume1\n"
+          + "    - mountPath: /weblogic-operator/scripts\n"
+          + "      name: weblogic-scripts-cm-volume\n"
+          + "  nodeSelector: {}\n"
+          + "  securityContext: {}\n"
+          + "  volumes:\n"
+          + "  - configMap:\n"
+          + "      defaultMode: 365\n"
+          + "      name: weblogic-scripts-cm\n"
+          + "    name: weblogic-scripts-cm-volume\n"
+          + "  - configMap:\n"
+          + "      defaultMode: 365\n"
+          + "      name: uid1-weblogic-domain-debug-cm\n"
+          + "      optional: true\n"
+          + "    name: weblogic-domain-debug-cm-volume\n"
+          + "  - configMap:\n"
+          + "      defaultMode: 365\n"
+          + "      name: uid1-weblogic-domain-introspect-cm\n"
+          + "    name: weblogic-domain-introspect-cm-volume\n"
+          + "  - emptyDir: {}\n"
+          + "    name: aux-image-volume-auxiliaryimagevolume1\n";
+
+  static final String MANAGED_MII_AUX_IMAGE_POD_4_0 =
+      "metadata:\n"
+          + "  annotations:\n"
+          + "    prometheus.io/path: /wls-exporter/metrics\n"
+          + "    prometheus.io/port: '7001'\n"
+          + "    prometheus.io/scrape: 'true'\n"
+          + "    weblogic.sha256: 82ec0ede6f40b4cd03d5cc40c593f8552677a89b73e602df33afe967b378881a\n"
+          + "  labels:\n"
+          + "    weblogic.domainName: domain1\n"
+          + "    weblogic.serverName: ess_server1\n"
+          + "    weblogic.domainRestartVersion: null\n"
+          + "    weblogic.domainUID: uid1\n"
+          + "    weblogic.createdByOperator: 'true'\n"
+          + "    weblogic.operatorVersion: 4.0\n"
+          + "    weblogic.clusterRestartVersion: null\n"
+          + "    weblogic.serverRestartVersion: null\n"
+          + "  name: uid1-ess-server1\n"
+          + "  namespace: namespace\n"
+          + "spec:\n"
+          + "  containers:\n"
+          + "  - command:\n"
+          + "    - /weblogic-operator/scripts/startServer.sh\n"
+          + "    env:\n"
+          + "    - name: DOMAIN_NAME\n"
+          + "      value: domain1\n"
+          + "    - name: DOMAIN_HOME\n"
+          + "      value: /u01/oracle/user_projects/domains\n"
+          + "    - name: ADMIN_NAME\n"
+          + "      value: ADMIN_SERVER\n"
+          + "    - name: ADMIN_PORT\n"
+          + "      value: '7001'\n"
+          + "    - name: SERVER_NAME\n"
+          + "      value: ess_server1\n"
+          + "    - name: DOMAIN_UID\n"
+          + "      value: uid1\n"
+          + "    - name: NODEMGR_HOME\n"
+          + "      value: /u01/nodemanager\n"
+          + "    - name: LOG_HOME\n"
+          + "    - name: SERVER_OUT_IN_POD_LOG\n"
+          + "      value: 'true'\n"
+          + "    - name: SERVICE_NAME\n"
+          + "      value: uid1-ess-server1\n"
+          + "    - name: AS_SERVICE_NAME\n"
+          + "      value: uid1-admin-server\n"
+          + "    - name: USER_MEM_ARGS\n"
+          + "      value: -Djava.security.egd=file:/dev/./urandom\n"
+          + "    - name: ADMIN_USERNAME\n"
+          + "    - name: ADMIN_PASSWORD\n"
+          + "    image: image:latest\n"
+          + "    imagePullPolicy: Always\n"
+          + "    lifecycle:\n"
+          + "      preStop:\n"
+          + "        exec:\n"
+          + "          command:\n"
+          + "          - /weblogic-operator/scripts/stopServer.sh\n"
+          + "    livenessProbe:\n"
+          + "      exec:\n"
+          + "        command:\n"
+          + "        - /weblogic-operator/scripts/livenessProbe.sh\n"
+          + "      failureThreshold: 1\n"
+          + "      initialDelaySeconds: 4\n"
+          + "      periodSeconds: 6\n"
+          + "      timeoutSeconds: 5\n"
+          + "    name: weblogic-server\n"
+          + "    ports:\n"
+          + "    - containerPort: 8001\n"
+          + "      name: default\n"
+          + "      protocol: TCP\n"
+          + "    readinessProbe:\n"
+          + "      failureThreshold: 1\n"
+          + "      httpGet:\n"
+          + "        path: /weblogic/ready\n"
+          + "        port: 8001\n"
+          + "      initialDelaySeconds: 1\n"
+          + "      periodSeconds: 3\n"
+          + "      timeoutSeconds: 2\n"
+          + "    resources:\n"
+          + "      limits: {}\n"
+          + "      requests:\n"
+          + "        memory: 768Mi\n"
+          + "        cpu: 250m\n"
+          + "    securityContext: {}\n"
+          + "    volumeMounts:\n"
+          + "    - mountPath: /weblogic-operator/scripts\n"
+          + "      name: weblogic-scripts-cm-volume\n"
+          + "      readOnly: true\n"
+          + "    - mountPath: /weblogic-operator/debug\n"
+          + "      name: weblogic-domain-debug-cm-volume\n"
+          + "      readOnly: true\n"
+          + "    - mountPath: /weblogic-operator/introspector\n"
+          + "      name: weblogic-domain-introspect-cm-volume\n"
+          + "    - mountPath: /auxiliary\n"
+          + "      name: aux-image-volume-auxiliaryimagevolume1\n"
+          + "  imagePullSecrets: []\n"
+          + "  initContainers:\n"
+          + "  - command:\n"
+          + "    - /weblogic-operator/scripts/auxImage.sh\n"
+          + "    env:\n"
+          + "    - name: AUXILIARY_IMAGE_PATH\n"
+          + "      value: /auxiliary\n"
+          + "    - name: AUXILIARY_IMAGE_TARGET_PATH\n"
+          + "      value: /tmpAuxiliaryImage\n"
+          + "    - name: AUXILIARY_IMAGE_COMMAND\n"
+          + "      value: cp -R $AUXILIARY_IMAGE_PATH/* $AUXILIARY_IMAGE_TARGET_PATH\n"
+          + "    - name: AUXILIARY_IMAGE_CONTAINER_IMAGE\n"
+          + "      value: model-in-image:WLS-AI-v1\n"
+          + "    - name: AUXILIARY_IMAGE_CONTAINER_NAME\n"
+          + "      value: operator-aux-container1\n"
+          + "    image: model-in-image:WLS-AI-v1\n"
+          + "    imagePullPolicy: IfNotPresent\n"
+          + "    name: operator-aux-container1\n"
+          + "    volumeMounts:\n"
+          + "    - mountPath: /tmpAuxiliaryImage\n"
+          + "      name: aux-image-volume-auxiliaryimagevolume1\n"
+          + "    - mountPath: /weblogic-operator/scripts\n"
+          + "      name: weblogic-scripts-cm-volume\n"
+          + "  nodeSelector: {}\n"
+          + "  securityContext: {}\n"
+          + "  volumes:\n"
+          + "  - configMap:\n"
+          + "      defaultMode: 365\n"
+          + "      name: weblogic-scripts-cm\n"
+          + "    name: weblogic-scripts-cm-volume\n"
+          + "  - configMap:\n"
+          + "      defaultMode: 365\n"
+          + "      name: uid1-weblogic-domain-debug-cm\n"
+          + "      optional: true\n"
+          + "    name: weblogic-domain-debug-cm-volume\n"
+          + "  - configMap:\n"
+          + "      defaultMode: 365\n"
+          + "      name: uid1-weblogic-domain-introspect-cm\n"
+          + "    name: weblogic-domain-introspect-cm-volume\n"
+          + "  - emptyDir: {}\n"
+          + "    name: aux-image-volume-auxiliaryimagevolume1\n";
 }