Retrieve internal certificate through RestServer

Author: lennyphan

operator/src/main/java/oracle/kubernetes/operator/Main.java

@@ -143,7 +143,6 @@ public Thread newThread(Runnable r) {
       new AtomicReference<>(DateTime.now());
 
   private static String principal;
-  private static RestServer restServer = null;
   private static KubernetesVersion version = null;
 
   static final String READINESS_PROBE_FAILURE_EVENT_FILTER =
@@ -450,13 +449,13 @@ private static Collection<String> getTargetNamespaces(String tnValue, String nam
 
   private static void startRestServer(String principal, Collection<String> targetNamespaces)
       throws Exception {
-    restServer = new RestServer(new RestConfigImpl(principal, targetNamespaces));
-    restServer.start(container);
+    RestServer.create(new RestConfigImpl(principal, targetNamespaces));
+    RestServer.getInstance().start(container);
   }
 
   private static void stopRestServer() {
-    restServer.stop();
-    restServer = null;
+    RestServer.getInstance().stop();
+    RestServer.destroy();
   }
 
   private static void startLivenessThread() {

operator/src/main/java/oracle/kubernetes/operator/OperatorConstants.java

@@ -259,8 +259,4 @@ public boolean equals(Object o) {
   public WatchTuning getWatchTuning();
 
   public PodTuning getPodTuning();
-
-  public String getFileContents(String path);
-
-  public boolean checkFileExists(String path);
 }

operator/src/main/java/oracle/kubernetes/operator/TuningParameters.java

@@ -4,10 +4,7 @@
 
 package oracle.kubernetes.operator;
 
-import java.io.File;
 import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.locks.ReadWriteLock;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
@@ -137,38 +134,4 @@ public PodTuning getPodTuning() {
       lock.readLock().unlock();
     }
   }
-
-  // path - a file containing a base64 encoded string containing the operator's cert in pem format
-  public String getFileContents(String path) {
-    LOGGER.entering(path);
-    // in pem format
-    String result = null;
-    if (checkFileExists(path)) {
-      try {
-        result = new String(Files.readAllBytes(Paths.get(path)));
-      } catch (Throwable t) {
-        LOGGER.warning("Can't read " + path, t);
-      }
-    }
-    // do not include the certificate data in the log message
-    LOGGER.exiting();
-    return result;
-  }
-
-  public boolean checkFileExists(String path) {
-    LOGGER.entering(path);
-    File f = new File(path);
-    boolean result = false;
-    if (f.exists()) {
-      if (f.isFile()) {
-        result = true;
-      } else {
-        LOGGER.warning(path + " is not a file");
-      }
-    } else {
-      LOGGER.warning(path + " does not exist");
-    }
-    LOGGER.exiting(result);
-    return result;
-  }
 }

operator/src/main/java/oracle/kubernetes/operator/TuningParametersImpl.java

@@ -17,11 +17,11 @@
 import oracle.kubernetes.operator.DomainStatusUpdater;
 import oracle.kubernetes.operator.KubernetesConstants;
 import oracle.kubernetes.operator.LabelConstants;
-import oracle.kubernetes.operator.OperatorConstants;
 import oracle.kubernetes.operator.PodAwaiterStepFactory;
 import oracle.kubernetes.operator.ProcessingConstants;
 import oracle.kubernetes.operator.TuningParameters;
 import oracle.kubernetes.operator.logging.MessageKeys;
+import oracle.kubernetes.operator.rest.RestServer;
 import oracle.kubernetes.operator.steps.DefaultResponseStep;
 import oracle.kubernetes.operator.work.Component;
 import oracle.kubernetes.operator.work.NextAction;
@@ -132,7 +132,7 @@ protected Map<String, String> getPodAnnotations() {
     }
 
     private String getInternalOperatorCertFile(TuningParameters tuningParameters) {
-      return tuningParameters.getFileContents(OperatorConstants.INTERNAL_CERTIFICATE);
+      return RestServer.getInstance().getInternalCertificate();
     }
   }
 

operator/src/main/java/oracle/kubernetes/operator/helpers/PodHelper.java

@@ -4,21 +4,25 @@
 
 package oracle.kubernetes.operator.rest;
 
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.util.Collection;
-import oracle.kubernetes.operator.OperatorConstants;
-import oracle.kubernetes.operator.TuningParameters;
 import oracle.kubernetes.operator.logging.LoggingFacade;
 import oracle.kubernetes.operator.logging.LoggingFactory;
 import oracle.kubernetes.operator.rest.backend.RestBackend;
 
 /** RestConfigImpl provides the WebLogic Operator REST api configuration. */
-public class RestConfigImpl implements RestConfig, OperatorConstants {
+public class RestConfigImpl implements RestConfig {
 
   private static LoggingFacade LOGGER = LoggingFactory.getLogger("Operator", "Operator");
 
   private final String principal;
   private final Collection<String> targetNamespaces;
 
+  static final String OPERATOR_DIR = "/operator/";
+  static final String INTERNAL_REST_IDENTITY_DIR = OPERATOR_DIR + "internal-identity/";
+  static final String INTERNAL_CERTIFICATE = INTERNAL_REST_IDENTITY_DIR + "internalOperatorCert";
   private static final String INTERNAL_CERTIFICATE_KEY =
       INTERNAL_REST_IDENTITY_DIR + "internalOperatorKey";
   private static final String EXTERNAL_REST_IDENTITY_DIR = OPERATOR_DIR + "external-identity/";
@@ -58,12 +62,12 @@ public int getInternalHttpsPort() {
 
   @Override
   public String getOperatorExternalCertificateData() {
-    return TuningParameters.getInstance().getFileContents(EXTERNAL_CERTIFICATE);
+    return getCertificate(EXTERNAL_CERTIFICATE);
   }
 
   @Override
   public String getOperatorInternalCertificateData() {
-    return TuningParameters.getInstance().getFileContents(INTERNAL_CERTIFICATE);
+    return getCertificate(INTERNAL_CERTIFICATE);
   }
 
   @Override
@@ -104,13 +108,47 @@ public RestBackend getBackend(String accessToken) {
     return result;
   }
 
+  // path - a file containing a base64 encoded string containing the operator's cert in pem format
+  private String getCertificate(String path) {
+    LOGGER.entering(path);
+    // in pem format
+    String result = null;
+    if (checkFileExists(path)) {
+      try {
+        result = new String(Files.readAllBytes(Paths.get(path)));
+      } catch (Throwable t) {
+        LOGGER.warning("Can't read " + path, t);
+      }
+    }
+    // do not include the certificate data in the log message
+    LOGGER.exiting();
+    return result;
+  }
+
   // path - a file containing the operator's private key in pem format (cleartext)
   private String getKey(String path) {
     LOGGER.entering(path);
-    if (!TuningParameters.getInstance().checkFileExists(path)) {
+    if (!checkFileExists(path)) {
       path = null;
     }
     LOGGER.exiting(path);
     return path;
   }
+
+  private boolean checkFileExists(String path) {
+    LOGGER.entering(path);
+    File f = new File(path);
+    boolean result = false;
+    if (f.exists()) {
+      if (f.isFile()) {
+        result = true;
+      } else {
+        LOGGER.warning(path + " is not a file");
+      }
+    } else {
+      LOGGER.warning(path + " does not exist");
+    }
+    LOGGER.exiting(result);
+    return result;
+  }
 }

operator/src/main/java/oracle/kubernetes/operator/rest/RestConfigImpl.java

@@ -49,6 +49,8 @@ public class RestServer {
   private static final LoggingFacade LOGGER = LoggingFactory.getLogger("Operator", "Operator");
   private static final int CORE_POOL_SIZE = 3;
 
+  private static RestServer INSTANCE = null;
+
   private RestConfig config;
 
   // private String baseHttpUri;
@@ -63,14 +65,29 @@ public class RestServer {
     SSL_PROTOCOL
   }; // ONLY support TLSv1.2 (by default, we would get TLSv1 and TLSv1.1 too)
 
+  public static synchronized void create(RestConfig restConfig) {
+    if (INSTANCE == null) {
+      INSTANCE = new RestServer(restConfig);
+    }
+    // throw new IllegalStateException();
+  }
+
+  public static synchronized RestServer getInstance() {
+    return INSTANCE;
+  }
+
+  public static void destroy() {
+    INSTANCE = null;
+  }
+
   /**
    * Constructs the WebLogic Operator REST server.
    *
    * @param config - contains the REST server's configuration, which includes the hostnames and port
    *     numbers that the ports run on, the certificates and private keys for ssl, and the backend
    *     implementation that does the real work behind the REST api.
    */
-  public RestServer(RestConfig config) {
+  private RestServer(RestConfig config) {
     LOGGER.entering();
     this.config = config;
     baseExternalHttpsUri = "https://" + config.getHost() + ":" + config.getExternalHttpsPort();
@@ -168,6 +185,18 @@ public void stop() {
     LOGGER.exiting();
   }
 
+  public String getInternalCertificate() {
+    try {
+      return readCertFromDataOrFile(
+          this.config.getOperatorInternalCertificateData(),
+          this.config.getOperatorInternalCertificateFile());
+    } catch (IOException e) {
+      LOGGER.warning("Unable to read internal certificate data", e);
+    }
+
+    return null;
+  }
+
   private HttpServer createExternalHttpsServer(Container container) throws Exception {
     LOGGER.entering();
     HttpServer result =
@@ -321,6 +350,13 @@ private KeyManager[] createKeyManagers(
     return result;
   }
 
+  private static String readCertFromDataOrFile(String data, String file) throws IOException {
+    if (data != null && data.length() > 0) {
+      return data;
+    }
+    return new String(Files.readAllBytes(new File(file).toPath()));
+  }
+
   private static byte[] readFromDataOrFile(String data, String file) throws IOException {
     if (data != null && data.length() > 0) {
       return Base64.decodeBase64(data);

operator/src/main/java/oracle/kubernetes/operator/rest/RestServer.java

@@ -28,6 +28,8 @@
 import oracle.kubernetes.operator.helpers.KubernetesTestSupport;
 import oracle.kubernetes.operator.helpers.TuningParametersStub;
 import oracle.kubernetes.operator.helpers.UnitTestHash;
+import oracle.kubernetes.operator.rest.RestServer;
+import oracle.kubernetes.operator.rest.RestTest;
 import oracle.kubernetes.operator.steps.DomainPresenceStep;
 import oracle.kubernetes.operator.utils.WlsDomainConfigSupport;
 import oracle.kubernetes.operator.work.Step;
@@ -66,13 +68,17 @@ public void setUp() {
     mementos.add(testSupport.install());
 
     testSupport.addDomainPresenceInfo(domainPresenceInfo);
+
+    RestServer.create(new RestTest.TestRestConfigImpl());
   }
 
   @After
   public void tearDown() throws Exception {
     for (Memento memento : mementos) memento.revert();
 
     testSupport.throwOnCompletionFailure();
+
+    RestServer.destroy();
   }
 
   @Test

operator/src/test/java/oracle/kubernetes/operator/DomainUpPlanTest.java

@@ -29,10 +29,10 @@
 import java.util.List;
 import java.util.Map;
 import oracle.kubernetes.operator.LabelConstants;
-import oracle.kubernetes.operator.OperatorConstants;
 import oracle.kubernetes.operator.PodAwaiterStepFactory;
 import oracle.kubernetes.operator.ProcessingConstants;
 import oracle.kubernetes.operator.VersionConstants;
+import oracle.kubernetes.operator.rest.RestTest;
 import oracle.kubernetes.operator.work.FiberTestSupport;
 import oracle.kubernetes.operator.work.Packet;
 import oracle.kubernetes.operator.work.Step;
@@ -42,6 +42,7 @@
 
 @SuppressWarnings("SameParameterValue")
 public class AdminPodHelperTest extends PodHelperTestBase {
+  static final String INTERNAL_OPERATOR_CERT_FILE_PARAM = "internalOperatorCert";
   private static final String INTERNAL_OPERATOR_CERT_ENV_NAME = "INTERNAL_OPERATOR_CERT";
   private static final String CERTFILE = "certfile";
 
@@ -209,10 +210,10 @@ public void whenAdminPodCreated_containerHasStartServerCommand() {
 
   @Test
   public void whenAdminPodCreated_hasOperatorCertEnvVariable() {
-    putTuningParameter(OperatorConstants.INTERNAL_CERTIFICATE, CERTFILE);
+    // putTuningParameter(INTERNAL_OPERATOR_CERT_FILE_PARAM, CERTFILE);
     assertThat(
         getCreatedPodSpecContainer().getEnv(),
-        hasEnvVar(INTERNAL_OPERATOR_CERT_ENV_NAME, CERTFILE));
+        hasEnvVar(INTERNAL_OPERATOR_CERT_ENV_NAME, RestTest.OP_CERT_DATA));
   }
 
   @Test

operator/src/test/java/oracle/kubernetes/operator/helpers/AdminPodHelperTest.java

@@ -77,6 +77,8 @@
 import oracle.kubernetes.operator.PodAwaiterStepFactory;
 import oracle.kubernetes.operator.ProcessingConstants;
 import oracle.kubernetes.operator.VersionConstants;
+import oracle.kubernetes.operator.rest.RestServer;
+import oracle.kubernetes.operator.rest.RestTest;
 import oracle.kubernetes.operator.utils.WlsDomainConfigSupport;
 import oracle.kubernetes.operator.wlsconfig.NetworkAccessPoint;
 import oracle.kubernetes.operator.wlsconfig.WlsDomainConfig;
@@ -170,6 +172,8 @@ public void setUp() throws Exception {
     mementos.add(TuningParametersStub.install());
     mementos.add(UnitTestHash.install());
 
+    RestServer.create(new RestTest.TestRestConfigImpl());
+
     WlsDomainConfigSupport configSupport = new WlsDomainConfigSupport(DOMAIN_NAME);
     configSupport.addWlsServer(ADMIN_SERVER, ADMIN_PORT);
     if (!ADMIN_SERVER.equals(serverName)) configSupport.addWlsServer(serverName, listenPort);
@@ -197,6 +201,8 @@ public void tearDown() throws Exception {
 
     testSupport.throwOnCompletionFailure();
     testSupport.verifyAllDefinedResponsesInvoked();
+
+    RestServer.destroy();
   }
 
   private DomainPresenceInfo createDomainPresenceInfo(Domain domain) {