Merge pull request #1073 from oracle/owls-73691

OWLS-73691 - readiness probe needs to work with domain with administration port enabled

Author: rjeberhard

integration-tests/src/test/java/oracle/kubernetes/operator/JrfInOperatorAdvancedTest.java

@@ -293,6 +293,13 @@ public void testJRFDomainAdminPortEnabled() throws Exception {
       domain1Map.put(
           "createDomainPyScript",
           "integration-tests/src/test/resources/domain-home-on-pv/create-jrfdomain-admin-port-enabled.py");
+      // Use -Dweblogic.ssl.AcceptKSSDemoCertsEnabled=true so that managed servers can connect
+      // to admin server using SSL without running into host name verifcation check error
+      // in default JRF domain that uses KSS demo identity and trust
+      // https://docs.oracle.com/middleware/12213/wls/SECMG/kss.htm#SECMG673tm#ADMRF202
+      domain1Map.put(
+          "javaOptions",
+          "-Dweblogic.StdoutDebugEnabled=false -Dweblogic.ssl.AcceptKSSDemoCertsEnabled=true");
 
       // run RCU script to load db schema
       DBUtils.runRCU(rcuPodName, domain1Map);

operator/src/main/java/oracle/kubernetes/operator/helpers/PodHelper.java

@@ -289,6 +289,16 @@ protected Map<String, String> getPodAnnotations() {
       return getServerSpec().getPodAnnotations();
     }
 
+    @Override
+    boolean isLocalAdminProtocolChannelSecure() {
+      return scan.isLocalAdminProtocolChannelSecure();
+    }
+
+    @Override
+    Integer getLocalAdminProtocolChannelPort() {
+      return scan.getLocalAdminProtocolChannelPort();
+    }
+
     @Override
     Integer getDefaultPort() {
       return scan.getListenPort();

operator/src/main/java/oracle/kubernetes/operator/helpers/PodStepContext.java

@@ -172,7 +172,21 @@ String getAsName() {
   }
 
   Integer getAsPort() {
-    return domainTopology.getServerConfig(domainTopology.getAdminServerName()).getListenPort();
+    return domainTopology
+        .getServerConfig(domainTopology.getAdminServerName())
+        .getLocalAdminProtocolChannelPort();
+  }
+
+  boolean isLocalAdminProtocolChannelSecure() {
+    return domainTopology
+        .getServerConfig(domainTopology.getAdminServerName())
+        .isLocalAdminProtocolChannelSecure();
+  }
+
+  Integer getLocalAdminProtocolChannelPort() {
+    return domainTopology
+        .getServerConfig(domainTopology.getAdminServerName())
+        .getLocalAdminProtocolChannelPort();
   }
 
   private String getLogHome() {
@@ -789,6 +803,9 @@ void overrideContainerWeblogicEnvVars(List<V1EnvVar> vars) {
     addEnvVar(vars, "DOMAIN_HOME", getDomainHome());
     addEnvVar(vars, "ADMIN_NAME", getAsName());
     addEnvVar(vars, "ADMIN_PORT", getAsPort().toString());
+    if (isLocalAdminProtocolChannelSecure()) {
+      addEnvVar(vars, "ADMIN_PORT_SECURE", "true");
+    }
     addEnvVar(vars, "SERVER_NAME", getServerName());
     addEnvVar(vars, "DOMAIN_UID", getDomainUID());
     addEnvVar(vars, "NODEMGR_HOME", NODEMGR_HOME);
@@ -825,14 +842,21 @@ private V1Probe createReadinessProbe(TuningParameters.PodTuning tuning) {
         .timeoutSeconds(getReadinessProbeTimeoutSeconds(tuning))
         .periodSeconds(getReadinessProbePeriodSeconds(tuning))
         .failureThreshold(FAILURE_THRESHOLD)
-        .httpGet(httpGetAction(READINESS_PATH, getDefaultPort()));
+        .httpGet(
+            httpGetAction(
+                READINESS_PATH,
+                getLocalAdminProtocolChannelPort(),
+                isLocalAdminProtocolChannelSecure()));
     return readinessProbe;
   }
 
   @SuppressWarnings("SameParameterValue")
-  private V1HTTPGetAction httpGetAction(String path, int port) {
+  private V1HTTPGetAction httpGetAction(String path, int port, boolean useHTTPS) {
     V1HTTPGetAction getAction = new V1HTTPGetAction();
     getAction.path(path).port(new IntOrString(port));
+    if (useHTTPS) {
+      getAction.scheme("HTTPS");
+    }
     return getAction;
   }
 

operator/src/main/java/oracle/kubernetes/operator/wlsconfig/WlsDynamicServerConfig.java

@@ -72,6 +72,7 @@ static WlsDynamicServerConfig create(
         macroSubstitutor.substituteMacro(serverTemplate.getListenAddress()),
         sslListenPort,
         macroSubstitutor.substituteMacro(serverTemplate.getMachineName()),
+        serverTemplate.getAdminPort(),
         networkAccessPoints);
   }
 
@@ -84,6 +85,7 @@ static WlsDynamicServerConfig create(
    * @param listenAddress listen address of the dynamic server
    * @param sslListenPort SSL listen port of the dynamic server
    * @param machineName machine name of the dynamic server
+   * @param adminPort administration port if administration port is enabled
    * @param networkAccessPoints network access points or channels configured for this dynamic server
    */
   private WlsDynamicServerConfig(
@@ -92,8 +94,16 @@ private WlsDynamicServerConfig(
       String listenAddress,
       Integer sslListenPort,
       String machineName,
+      Integer adminPort,
       List<NetworkAccessPoint> networkAccessPoints) {
-    super(name, listenAddress, machineName, listenPort, sslListenPort, null, networkAccessPoints);
+    super(
+        name,
+        listenAddress,
+        machineName,
+        listenPort,
+        sslListenPort,
+        adminPort,
+        networkAccessPoints);
   }
 
   /**

operator/src/main/java/oracle/kubernetes/operator/wlsconfig/WlsServerConfig.java

@@ -203,6 +203,31 @@ public Integer getLocalAdminProtocolChannelPort() {
     return adminProtocolPort;
   }
 
+  public boolean isLocalAdminProtocolChannelSecure() {
+    boolean adminProtocolPortSecure = false;
+    boolean adminProtocolPortFound = false;
+    if (networkAccessPoints != null) {
+      for (NetworkAccessPoint nap : networkAccessPoints) {
+        if (nap.isAdminProtocol()) {
+          adminProtocolPortFound = true;
+          adminProtocolPortSecure = true;
+          break;
+        }
+      }
+    }
+    if (!adminProtocolPortFound) {
+      if (adminPort != null) {
+        adminProtocolPortSecure = true;
+      } else if (sslListenPort != null) {
+        adminProtocolPortSecure = true;
+      } else if (listenPort != null) {
+        adminProtocolPortSecure = false;
+      }
+    }
+
+    return adminProtocolPortSecure;
+  }
+
   /**
    * Creates a WLSServerConfig object using an "servers" or "serverTemplates" item parsed from JSON
    * result from WLS REST call.

operator/src/main/resources/scripts/introspectDomain.py

@@ -583,6 +583,9 @@ def addServer(self, server):
     self.writeln("  listenAddress: " + self.quote(self.env.toDNS1123Legal(self.env.getDomainUID() + "-" + server.getName())))
     if server.isAdministrationPortEnabled():
       self.writeln("  adminPort: " + str(server.getAdministrationPort()))
+    else:
+      if self.env.getDomain().isAdministrationPortEnabled():
+        self.writeln("  adminPort: " + str(self.env.getDomain().getAdministrationPort()))
     self.addSSL(server)
     self.addNetworkAccessPoints(server)
 

operator/src/main/resources/scripts/startNodeManager.sh

@@ -26,6 +26,7 @@
 #                          ${DOMAIN_UID}/${SERVER_NAME}_nodemanager.out
 #                       Default:
 #                          Use LOG_HOME.  If LOG_HOME not set, use NODEMGR_HOME.
+#   ADMIN_PORT_SECURE = "true" if the admin protocol is secure. Default is false
 #
 # If SERVER_NAME is set, then this NM is for a WL Server and these must also be set:
 # 
@@ -51,6 +52,7 @@ export WL_HOME="${WL_HOME:-/u01/oracle/wlserver}"
 stm_script=${WL_HOME}/server/bin/startNodeManager.sh
 
 SERVER_NAME=${SERVER_NAME:-introspector}
+ADMIN_PORT_SECURE=${ADMIN_PORT_SECURE:-false}
 
 trace "Starting node manager for domain-uid='$DOMAIN_UID' and server='$SERVER_NAME'."
 
@@ -244,7 +246,11 @@ EOF
   [ ! $? -eq 0 ] && trace "Failed to create '${wl_props_file}'." && exit 1
 
   if [ ! "${ADMIN_NAME}" = "${SERVER_NAME}" ]; then
-    echo "AdminURL=http\\://${AS_SERVICE_NAME}\\:${ADMIN_PORT}" >> ${wl_props_file}
+    admin_protocol="http"
+    if [ "${ADMIN_PORT_SECURE}" = "true" ]; then
+      admin_protocol="https"
+    fi  
+    echo "AdminURL=$admin_protocol\\://${AS_SERVICE_NAME}\\:${ADMIN_PORT}" >> ${wl_props_file}
   fi
 fi
 

operator/src/test/java/oracle/kubernetes/operator/helpers/PodHelperTestBase.java

@@ -365,6 +365,23 @@ public void whenPodCreated_readinessProbeHasDefinedTuning() {
         hasExpectedTuning(READINESS_INITIAL_DELAY, READINESS_TIMEOUT, READINESS_PERIOD));
   }
 
+  @Test
+  public void whenPodCreatedWithAdminPortEnabled_readinessProbeHasReadinessCommand() {
+    final Integer ADMIN_PORT = 9002;
+    domainTopology.getServerConfig(serverName).setAdminPort(ADMIN_PORT);
+    V1HTTPGetAction getAction = getCreatedPodSpecContainer().getReadinessProbe().getHttpGet();
+    assertThat(getAction.getPath(), equalTo("/weblogic/ready"));
+    assertThat(getAction.getPort().getIntValue(), equalTo(ADMIN_PORT));
+    assertThat(getAction.getScheme(), equalTo("HTTPS"));
+  }
+
+  @Test
+  public void whenPodCreatedWithAdminPortEnabled_adminPortSecureEnvVarIsTrue() {
+    final Integer ADMIN_PORT = 9002;
+    domainTopology.getServerConfig(serverName).setAdminPort(ADMIN_PORT);
+    assertThat(getCreatedPodSpecContainer().getEnv(), hasEnvVar("ADMIN_PORT_SECURE", "true"));
+  }
+
   @Test
   public void whenPodCreatedWithDomainV2Settings_livenessProbeHasConfiguredTuning() {
     configureServer()

operator/src/test/java/oracle/kubernetes/operator/wlsconfig/WlsDynamicServerConfigTest.java

@@ -4,6 +4,8 @@
 
 package oracle.kubernetes.operator.wlsconfig;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
 
@@ -84,4 +86,17 @@ public void testCreateWithCalculatedDefaultPorts() {
     assertEquals(new Integer(9102), networkAccessPoint1.getListenPort());
     assertNull(networkAccessPoint1.getPublicPort());
   }
+
+  @Test
+  public void verifyAdminPortIsSetOnServerConfigs() {
+    final int ADMIN_PORT = 9002;
+    List<NetworkAccessPoint> networkAccessPointList = new ArrayList<>();
+    WlsServerConfig template =
+        new WlsServerConfig("template1", null, null, null, null, 9002, networkAccessPointList);
+
+    WlsServerConfig wlsServerConfig =
+        WlsDynamicServerConfig.create("server1", 2, "cluster1", "domain1", true, template);
+
+    assertThat(wlsServerConfig.getAdminPort(), is(ADMIN_PORT));
+  }
 }

operator/src/test/java/oracle/kubernetes/operator/wlsconfig/WlsServerConfigTest.java

@@ -0,0 +1,86 @@
+// Copyright 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
+// Licensed under the Universal Permissive License v 1.0 as shown at
+// http://oss.oracle.com/licenses/upl.
+
+package oracle.kubernetes.operator.wlsconfig;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+
+public class WlsServerConfigTest {
+
+  static final int LISTEN_PORT = 8001;
+  static final int SSL_LISTEN_PORT = 8002;
+  static final int ADMIN_PORT = 9002;
+  static final int NAP_ADMIN_PORT = 8082;
+  static final int NAP_NON_ADMIN_PORT = 8081;
+
+  @Test
+  public void verify_getLocalAdminProtocolChannelPort_returnsListenPort() {
+    WlsServerConfig wlsServerConfig = createConfigWithOnlyListenPort();
+    assertThat(wlsServerConfig.getLocalAdminProtocolChannelPort(), is(LISTEN_PORT));
+    assertThat(wlsServerConfig.isLocalAdminProtocolChannelSecure(), is(false));
+  }
+
+  @Test
+  public void verify_getLocalAdminProtocolChannelPort_returnsSslListenPort() {
+    WlsServerConfig wlsServerConfig = createConfigWithListenPortAndSslListenPort();
+    assertThat(wlsServerConfig.getLocalAdminProtocolChannelPort(), is(SSL_LISTEN_PORT));
+    assertThat(wlsServerConfig.isLocalAdminProtocolChannelSecure(), is(true));
+  }
+
+  @Test
+  public void verify_getLocalAdminProtocolChannelPort_returnsAdminPort() {
+    WlsServerConfig wlsServerConfig = createConfigWithAllListenPorts();
+    assertThat(wlsServerConfig.getLocalAdminProtocolChannelPort(), is(ADMIN_PORT));
+    assertThat(wlsServerConfig.isLocalAdminProtocolChannelSecure(), is(true));
+  }
+
+  @Test
+  public void verify_getLocalAdminProtocolChannelPort_withAdminNAP_returnsNapAdminPort() {
+    WlsServerConfig wlsServerConfig = createConfigWithAdminNAP();
+    assertThat(wlsServerConfig.getLocalAdminProtocolChannelPort(), is(NAP_ADMIN_PORT));
+    assertThat(wlsServerConfig.isLocalAdminProtocolChannelSecure(), is(true));
+  }
+
+  @Test
+  public void verify_getLocalAdminProtocolChannelPort_withNonAdminNAP_returnsAdminPort() {
+    WlsServerConfig wlsServerConfig = createConfigWithNonAdminNAP();
+    assertThat(wlsServerConfig.getLocalAdminProtocolChannelPort(), is(ADMIN_PORT));
+    assertThat(wlsServerConfig.isLocalAdminProtocolChannelSecure(), is(true));
+  }
+
+  WlsServerConfig createConfigWithOnlyListenPort() {
+    WlsServerConfig wlsServerConfig = new WlsServerConfig();
+    wlsServerConfig.setListenPort(LISTEN_PORT);
+    return wlsServerConfig;
+  }
+
+  WlsServerConfig createConfigWithListenPortAndSslListenPort() {
+    WlsServerConfig wlsServerConfig = createConfigWithOnlyListenPort();
+    wlsServerConfig.setSslListenPort(SSL_LISTEN_PORT);
+    return wlsServerConfig;
+  }
+
+  WlsServerConfig createConfigWithAllListenPorts() {
+    WlsServerConfig wlsServerConfig = createConfigWithListenPortAndSslListenPort();
+    wlsServerConfig.setAdminPort(ADMIN_PORT);
+    return wlsServerConfig;
+  }
+
+  WlsServerConfig createConfigWithAdminNAP() {
+    WlsServerConfig wlsServerConfig = createConfigWithAllListenPorts();
+    wlsServerConfig.addNetworkAccessPoint(
+        new NetworkAccessPoint("admin-channel", "admin", NAP_ADMIN_PORT, null));
+    return wlsServerConfig;
+  }
+
+  WlsServerConfig createConfigWithNonAdminNAP() {
+    WlsServerConfig wlsServerConfig = createConfigWithAllListenPorts();
+    wlsServerConfig.addNetworkAccessPoint(
+        new NetworkAccessPoint("non-admin-channel", "t3", NAP_NON_ADMIN_PORT, null));
+    return wlsServerConfig;
+  }
+}