Backport for prometheus and grafana sec context changes

Author: marinakog

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItMonitoringExporterMetricsFiltering.java

@@ -112,7 +112,7 @@ class ItMonitoringExporterMetricsFiltering {
   private static Map<String, Integer> clusterNameMsPortMap;
   private static LoggingFacade logger = null;
   private static List<String> clusterNames = new ArrayList<>();
-  private static String releaseSuffix = "test2";
+  private static String releaseSuffix = "testfilter";
   private static String prometheusReleaseName = "prometheus" + releaseSuffix;
   private static String grafanaReleaseName = "grafana" + releaseSuffix;
   private static  String monitoringExporterDir;

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItMonitoringExporterSamples.java

@@ -154,7 +154,7 @@ class ItMonitoringExporterSamples {
   private static Map<String, Integer> clusterNameMsPortMap;
   private static LoggingFacade logger = null;
   private static List<String> clusterNames = new ArrayList<>();
-  private static String releaseSuffix = "test3";
+  private static String releaseSuffix = "testsamples";
   private static String prometheusReleaseName = "prometheus" + releaseSuffix;
   private static String grafanaReleaseName = "grafana" + releaseSuffix;
   private static  String monitoringExporterDir;

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItMonitoringExporterWebApp.java

@@ -130,7 +130,7 @@ class ItMonitoringExporterWebApp {
   private static Map<String, Integer> clusterNameMsPortMap;
   private static LoggingFacade logger = null;
   private static List<String> clusterNames = new ArrayList<>();
-  private static String releaseSuffix = "test2";
+  private static String releaseSuffix = "testwebapp";
   private static String prometheusReleaseName = "prometheus" + releaseSuffix;
   private static String grafanaReleaseName = "grafana" + releaseSuffix;
   private static  String monitoringExporterDir;

integration-tests/src/test/java/oracle/weblogic/kubernetes/utils/CommonMiiTestUtils.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2022, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.kubernetes.utils;
@@ -655,6 +655,54 @@ public static DomainResource createDomainResourceWithLogHome(
           String dbSecretName,
           boolean onlineUpdateEnabled,
           boolean setDataHome) {
+    return createDomainResourceWithLogHome(domainResourceName,
+        domNamespace,
+        imageName,
+        adminSecretName,
+        repoSecretName,
+        encryptionSecretName,
+        pvName,
+        pvcName,
+        configMapName,
+        dbSecretName,
+        "-Dweblogic.security.SSL.ignoreHostnameVerification=true",
+    onlineUpdateEnabled,
+    setDataHome);
+  }
+
+  /**
+   * Create a domain object for a Kubernetes domain custom resource using the basic model-in-image
+   * image.
+   *
+   * @param domainResourceName name of the domain resource
+   * @param domNamespace Kubernetes namespace that the domain is hosted
+   * @param imageName name of the image including its tag
+   * @param adminSecretName name of the new WebLogic admin credentials secret
+   * @param repoSecretName name of the secret for pulling the WebLogic image
+   * @param encryptionSecretName name of the secret used to encrypt the models
+   * @param pvName Name of persistent volume
+   * @param pvcName Name of persistent volume claim
+   * @param configMapName name of the configMap containing Weblogic Deploy Tooling model
+   * @param dbSecretName name of the Secret for WebLogic configuration overrides
+   * @param javaOpt sting of all java options to be set
+   * @param onlineUpdateEnabled whether to enable onlineUpdate feature for mii dynamic update
+   * @param setDataHome whether to set data home at domain resource
+   * @return domain object of the domain resource
+   */
+  public static DomainResource createDomainResourceWithLogHome(
+      String domainResourceName,
+      String domNamespace,
+      String imageName,
+      String adminSecretName,
+      String repoSecretName,
+      String encryptionSecretName,
+      String pvName,
+      String pvcName,
+      String configMapName,
+      String dbSecretName,
+      String javaOpt,
+      boolean onlineUpdateEnabled,
+      boolean setDataHome) {
     LoggingFacade logger = getLogger();
 
     List<String> securityList = new ArrayList<>();
@@ -679,7 +727,7 @@ public static DomainResource createDomainResourceWithLogHome(
         .serverPod(new ServerPod()
             .addEnvItem(new V1EnvVar()
                 .name("JAVA_OPTIONS")
-                .value("-Dweblogic.security.SSL.ignoreHostnameVerification=true"))
+                .value(javaOpt))
             .addEnvItem(new V1EnvVar()
                 .name("USER_MEM_ARGS")
                 .value("-Djava.security.egd=file:/dev/./urandom "))
@@ -1156,6 +1204,71 @@ public static void createJobToChangePermissionsOnPvHostPath(String pvName, Strin
     }
   }
 
+  /**
+   * Create a job to change the permissions on the pv host path.
+   *
+   * @param pvName Name of the persistent volume
+   * @param pvcName Name of the persistent volume claim
+   * @param namespace Namespace containing the persistent volume claim and where the job should be created in
+   * @param mountPath path
+   * @param command to change permission
+   */
+  public static void createJobToChangePermissionsOnPvHostPath(String pvName, String pvcName,
+                                                              String namespace, String mountPath, String command) {
+    LoggingFacade logger = getLogger();
+
+    if (!OKD) {
+      logger.info("Running Kubernetes job to create domain");
+      V1Job jobBody = new V1Job()
+          .metadata(
+              new V1ObjectMeta()
+                  .name("change-permissions-onpv-job-" + pvName) // name of the job
+                  .namespace(namespace))
+          .spec(new V1JobSpec()
+              .backoffLimit(0) // try only once
+              .template(new V1PodTemplateSpec()
+                  .spec(new V1PodSpec()
+                      .restartPolicy("Never")
+                      .addContainersItem(
+                          createfixPVCOwnerContainer(pvName,
+                              mountPath,
+                              command))
+                      .volumes(Arrays.asList(
+                          new V1Volume()
+                              .name(pvName)
+                              .persistentVolumeClaim(
+                                  new V1PersistentVolumeClaimVolumeSource()
+                                      .claimName(pvcName))))
+                      .imagePullSecrets(Arrays.asList(
+                          new V1LocalObjectReference()
+                              .name(TEST_IMAGES_REPO_SECRET_NAME)))))); // this secret is used only for non-kind cluster
+
+      String jobName = createJobAndWaitUntilComplete(jobBody, namespace);
+
+      // check job status and fail test if the job failed
+      V1Job job = assertDoesNotThrow(() -> getJob(jobName, namespace),
+          "Getting the job failed");
+      if (job != null) {
+        V1JobCondition jobCondition = job.getStatus().getConditions().stream().filter(
+                v1JobCondition -> "Failed".equals(v1JobCondition.getType()))
+            .findAny()
+            .orElse(null);
+        if (jobCondition != null) {
+          logger.severe("Job {0} failed to change permissions on PV hostpath", jobName);
+          List<V1Pod> pods = assertDoesNotThrow(() -> listPods(
+                  namespace, "job-name=" + jobName).getItems(),
+              "Listing pods failed");
+          if (!pods.isEmpty()) {
+            String podLog = assertDoesNotThrow(() -> getPodLog(pods.get(0).getMetadata().getName(), namespace),
+                "Failed to get pod log");
+            logger.severe(podLog);
+            fail("Change permissions on PV hostpath job failed");
+          }
+        }
+      }
+    }
+  }
+
   /**
    * Check logs are written on PV by running the specified command on the pod.
    * @param domainNamespace Kubernetes namespace that the domain is hosted

integration-tests/src/test/java/oracle/weblogic/kubernetes/utils/MonitoringUtils.java

@@ -583,7 +583,7 @@ public static GrafanaParams installAndVerifyGrafana(String grafanaReleaseName,
         BUSYBOX_IMAGE), "Failed to replace String ");
     assertDoesNotThrow(() -> replaceStringInFile(targetGrafanaFile.toString(),
         "busybox_tag",
-        BUSYBOX_TAG), "Failed to replace String ");
+        BUSYBOX_TAG), "Failed to replace String ");   
     if (!OKE_CLUSTER) {
       assertDoesNotThrow(() -> replaceStringInFile(targetGrafanaFile.toString(),
               "enabled: false", "enabled: true"));
@@ -668,6 +668,9 @@ public static void cleanupPromGrafanaClusterRoles(String prometheusReleaseName,
       if (ClusterRole.clusterRoleExists(prometheusReleaseName + "-kube-state-metrics")) {
         Kubernetes.deleteClusterRole(prometheusReleaseName + "-kube-state-metrics");
       }
+      if (ClusterRole.clusterRoleExists(prometheusReleaseName + "-pushgateway")) {
+        Kubernetes.deleteClusterRole(prometheusReleaseName + "-pushgateway");
+      }
       if (ClusterRole.clusterRoleExists(prometheusReleaseName + "-server")) {
         Kubernetes.deleteClusterRole(prometheusReleaseName + "-server");
       }
@@ -686,6 +689,9 @@ public static void cleanupPromGrafanaClusterRoles(String prometheusReleaseName,
       if (ClusterRoleBinding.clusterRoleBindingExists(prometheusReleaseName + "-kube-state-metrics")) {
         Kubernetes.deleteClusterRoleBinding(prometheusReleaseName + "-kube-state-metrics");
       }
+      if (ClusterRoleBinding.clusterRoleBindingExists(prometheusReleaseName + "-pushgateway")) {
+        Kubernetes.deleteClusterRoleBinding(prometheusReleaseName + "-pushgateway");
+      }
       if (ClusterRoleBinding.clusterRoleBindingExists(prometheusReleaseName + "-server")) {
         Kubernetes.deleteClusterRoleBinding(prometheusReleaseName + "-server");
       }

integration-tests/src/test/java/oracle/weblogic/kubernetes/utils/PersistentVolumeUtils.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2021, 2022, Oracle and/or its affiliates.
+// Copyright (c) 2021, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 
@@ -42,7 +42,9 @@
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.pvExists;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.pvNotExists;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.pvcExists;
+import static oracle.weblogic.kubernetes.utils.CommonMiiTestUtils.createJobToChangePermissionsOnPvHostPath;
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.testUntil;
+import static oracle.weblogic.kubernetes.utils.ImageUtils.createTestRepoSecret;
 import static oracle.weblogic.kubernetes.utils.ThreadSafeLogger.getLogger;
 import static org.apache.commons.io.FileUtils.deleteDirectory;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
@@ -193,6 +195,13 @@ public static void createPV(String pvName, String domainUid, String className) {
     boolean success = assertDoesNotThrow(() -> createPersistentVolume(v1pv),
         "Failed to create persistent volume");
     assertTrue(success, "PersistentVolume creation failed");
+
+    testUntil(
+        assertDoesNotThrow(() -> pvExists(pvName, null),
+          String.format("pvExists failed with ApiException when checking pv %s", pvName)),
+        logger,
+        "persistent volume {0} exists",
+        pvName);
   }
 
   public static void setVolumeSource(Path pvHostPath, V1PersistentVolume v1pv) {
@@ -204,6 +213,7 @@ private static void setVolumeSource(Path pvHostPath, V1PersistentVolume v1pv, St
       String fssDir = FSS_DIR[new Random().nextInt(FSS_DIR.length)];
       LoggingFacade logger = getLogger();
       logger.info("Using FSS PV directory {0}", fssDir);
+      logger.info("Using NFS_SERVER  {0}", NFS_SERVER);
       v1pv.getSpec()
               .storageClassName("oci-fss")
               .nfs(new V1NFSVolumeSource()
@@ -225,8 +235,14 @@ private static void setVolumeSource(Path pvHostPath, V1PersistentVolume v1pv, St
     }
   }
 
+  /**
+   * Create PV hostPath directory.
+   * @param pvName Persistent Volume Name
+   * @param className Test class name to create the PV
+   * @return Path object representing PV host path
+   */
   @Nonnull
-  private static Path createPVHostPathDir(String pvName, String className) {
+  public static Path createPVHostPathDir(String pvName, String className) {
     Path pvHostPath = null;
     LoggingFacade logger = getLogger();
     try {
@@ -280,6 +296,16 @@ public static void createPVC(String pvName, String pvcName, String domainUid, St
     boolean success = assertDoesNotThrow(() -> createPersistentVolumeClaim(v1pvc),
         "Failed to create persistent volume claim");
     assertTrue(success, "PersistentVolumeClaim creation failed");
+
+    // wait for PVC exists
+    testUntil(
+        assertDoesNotThrow(() -> pvcExists(pvcName, namespace),
+          String.format("pvcExists failed with ApiException when checking pvc %s in namespace %s",
+            pvcName, namespace)),
+        logger,
+        "persistent volume claim {0} exists in namespace {1}",
+        pvcName,
+        namespace);
   }
 
   /**
@@ -297,13 +323,26 @@ public static synchronized V1Container createfixPVCOwnerContainer(String pvName,
           + mountPath
           + "/. -maxdepth 1 ! -name '.snapshot' ! -name '.' -print0 | xargs -r -0  chown -R 1000:0";
     }
+    return createfixPVCOwnerContainer(pvName, mountPath, argCommand);
+  }
+
+  /**
+   * Create container to fix pvc owner for pod.
+   *
+   * @param pvName name of pv
+   * @param mountPath mounting path for pv
+   * @param command to run for ownership
+   * @return container object with required ownership based on OKE_CLUSTER variable value.
+   */
+  public static synchronized V1Container createfixPVCOwnerContainer(String pvName, String mountPath, String command) {
+
     V1Container container = new V1Container()
         .name("fix-pvc-owner") // change the ownership of the pv to opc:opc
         .image(WEBLOGIC_IMAGE_TO_USE_IN_SPEC)
         .imagePullPolicy(IMAGE_PULL_POLICY)
         .addCommandItem("/bin/sh")
         .addArgsItem("-c")
-        .addArgsItem(argCommand)
+        .addArgsItem(command)
         .volumeMounts(Arrays.asList(
             new V1VolumeMount()
                 .name(pvName)
@@ -381,6 +420,23 @@ public static void createPvAndPvc(String nameSuffix, String namespace,
           .storageClassName(nameSuffix);
     }
 
-    createPVPVCAndVerify(v1pv,v1pvc, labelSelector, namespace);
+    createPVPVCAndVerify(v1pv, v1pvc, labelSelector, namespace);
+    if (nameSuffix.contains("grafana") || nameSuffix.contains("prometheus")) {
+      String mountPath = "/data";
+      if (nameSuffix.contains("grafana")) {
+        mountPath = "/var/lib/grafana";
+      }
+      String argCommand = "chown -R 1000:1000 " + mountPath;
+      if (OKE_CLUSTER) {
+        argCommand = "chown 1000:1000 " + mountPath
+            + "/. && find "
+            + mountPath
+            + "/. -maxdepth 1 ! -name '.snapshot' ! -name '.' -print0 | xargs -r -0  chown -R 1000:1000";
+      }
+      createTestRepoSecret(namespace);
+      createJobToChangePermissionsOnPvHostPath("pv-test" + nameSuffix,
+          "pvc-" + nameSuffix, namespace,
+          mountPath, argCommand);
+    }
   }
 }

integration-tests/src/test/resources/exporter/grafanavalues.yaml

@@ -31,6 +31,6 @@ initChownData:
     pullPolicy: IfNotPresent
 
 securityContext:
-  fsGroup: 0
-  runAsGroup: 0
-  runAsUser: 0
+  fsGroup: 1000
+  runAsGroup: 1000
+  runAsUser: 1000

integration-tests/src/test/resources/exporter/promvalues.yaml

@@ -26,9 +26,9 @@ alertmanager:
     tag: prometheus_alertmanager_tag
     pullPolicy: IfNotPresent
   securityContext:
-    runAsUser: 65534
+    runAsUser: 1000
     runAsNonRoot: true
-    runAsGroup: 65534
+    runAsGroup: 1000
 
 #nodeExporter:
 prometheus-node-exporter:
@@ -66,8 +66,24 @@ server:
     type: NodePort
     nodePort: 30500
   securityContext:
-    runAsUser: 0
-    runAsNonRoot: false
+    runAsNonRoot: true
+    runAsUser: 1000
+  initContainers:
+    - command: [ "chown","-R","1000:1000","/data" ]
+      image: busybox
+      name: prometheus-data-permission-fix
+      volumeMounts:
+        - mountPath: /data
+          name: storage-volume
+      securityContext:
+        runAsNonRoot: false
+        runAsUser: 0
+        runAsGroup: 0
+
+  volumes:
+    - name: storage-volume
+      persistentVolumeClaim:
+        claimName: pvc-prometheus
 
   global:
     evaluation_interval: 1m