changes to ItProductionSecureMode class to run in podman

Author: sankarpn

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItProductionSecureMode.java

@@ -3,6 +3,8 @@
 
 package oracle.weblogic.kubernetes;
 
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -23,10 +25,13 @@
 import oracle.weblogic.domain.Model;
 import oracle.weblogic.domain.OnlineUpdate;
 import oracle.weblogic.domain.ServerPod;
+import oracle.weblogic.kubernetes.actions.ActionConstants;
 import oracle.weblogic.kubernetes.annotations.IntegrationTest;
 import oracle.weblogic.kubernetes.annotations.Namespaces;
 import oracle.weblogic.kubernetes.logging.LoggingFacade;
+import oracle.weblogic.kubernetes.utils.ExecCommand;
 import oracle.weblogic.kubernetes.utils.ExecResult;
+import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
@@ -38,14 +43,14 @@
 import static oracle.weblogic.kubernetes.TestConstants.DOMAIN_API_VERSION;
 import static oracle.weblogic.kubernetes.TestConstants.DOMAIN_VERSION;
 import static oracle.weblogic.kubernetes.TestConstants.IMAGE_PULL_POLICY;
+import static oracle.weblogic.kubernetes.TestConstants.KUBERNETES_CLI;
 import static oracle.weblogic.kubernetes.TestConstants.MANAGED_SERVER_NAME_BASE;
 import static oracle.weblogic.kubernetes.TestConstants.MII_BASIC_APP_DEPLOYMENT_NAME;
 import static oracle.weblogic.kubernetes.TestConstants.MII_BASIC_IMAGE_NAME;
 import static oracle.weblogic.kubernetes.TestConstants.MII_BASIC_IMAGE_TAG;
 import static oracle.weblogic.kubernetes.TestConstants.OKE_CLUSTER;
 import static oracle.weblogic.kubernetes.TestConstants.SSL_PROPERTIES;
 import static oracle.weblogic.kubernetes.TestConstants.TEST_IMAGES_REPO_SECRET_NAME;
-import static oracle.weblogic.kubernetes.TestConstants.WEBLOGIC_SLIM;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.MODEL_DIR;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.WORK_DIR;
 import static oracle.weblogic.kubernetes.actions.TestActions.createDomainCustomResource;
@@ -187,6 +192,25 @@ public static void initAll(@Namespaces(2) List<String> namespaces) {
         domainNamespace);
   }
 
+  @AfterAll
+  public static void cleanup() {
+    Path dstFile = Paths.get(TestConstants.RESULTS_ROOT, "traefik/traefik-ingress-rules-tcp.yaml");
+    assertDoesNotThrow(() -> {
+      String command = KUBERNETES_CLI + " delete -f " + dstFile;
+      logger.info("Running {0}", command);
+      ExecResult result;
+      try {
+        result = ExecCommand.exec(command, true);
+        String response = result.stdout().trim();
+        logger.info("exitCode: {0}, \nstdout: {1}, \nstderr: {2}",
+            result.exitValue(), response, result.stderr());
+        assertEquals(0, result.exitValue(), "Command didn't succeed");
+      } catch (IOException | InterruptedException ex) {
+        logger.severe(ex.getMessage());
+      }
+    });
+  }
+  
   /**
    * Verify all server pods are running.
    * Verify all k8s services for all servers are created.
@@ -251,49 +275,36 @@ void testVerifyProductionSecureMode() {
     logger.info("The hostAndPort is {0}", hostAndPort);
 
     String resourcePath = "/weblogic/ready";
-    if (!WEBLOGIC_SLIM) {
-      if (OKE_CLUSTER) {
-        ExecResult result = exeAppInServerPod(domainNamespace, adminServerPodName,7002, resourcePath);
-        logger.info("result in OKE_CLUSTER is {0}", result.toString());
-        assertEquals(0, result.exitValue(), "Failed to access WebLogic readyapp");
-      } else {
-        String curlCmd = "curl -g -sk --show-error --noproxy '*' "
-            + " https://" + hostAndPort
-            + "/weblogic/ready --write-out %{http_code} "
-            + " -o /dev/null";
-        logger.info("Executing default-admin nodeport curl command {0}", curlCmd);
-        assertTrue(callWebAppAndWaitTillReady(curlCmd, 10));
-      }
-      logger.info("WebLogic readyapp is accessible thru default-admin service");
-
-      String localhost = "localhost";
-      String forwardPort = startPortForwardProcess(localhost, domainNamespace, domainUid, 9002);
-      assertNotNull(forwardPort, "port-forward fails to assign local port");
-      logger.info("Forwarded admin-port is {0}", forwardPort);
-      String curlCmd = "curl -sk --show-error --noproxy '*' "
-          + " https://" + localhost + ":" + forwardPort
-          + "/weblogic/ready --write-out %{http_code} "
-          + " -o /dev/null";
-      logger.info("Executing default-admin port-fwd curl command {0}", curlCmd);
-      assertTrue(callWebAppAndWaitTillReady(curlCmd, 10));
-      logger.info("WebLogic readyapp is accessible thru admin port forwarding");
-
-      // When port-forwarding is happening on admin-port, port-forwarding will
-      // not work for SSL port i.e. 7002
-      forwardPort = startPortForwardProcess(localhost, domainNamespace, domainUid, 7002);
-      assertNotNull(forwardPort, "port-forward fails to assign local port");
-      logger.info("Forwarded ssl port is {0}", forwardPort);
-      curlCmd = "curl -g -sk --show-error --noproxy '*' "
-          + " https://" + localhost + ":" + forwardPort
-          + "/weblogic/ready --write-out %{http_code} "
-          + " -o /dev/null";
-      logger.info("Executing default-admin port-fwd curl command {0}", curlCmd);
-      assertFalse(callWebAppAndWaitTillReady(curlCmd, 10));
-      logger.info("WebLogic readyapp should not be accessible thru ssl port forwarding");
-      stopPortForwardProcess(domainNamespace);
-    } else {
-      logger.info("Skipping WebLogic reeadyapp check in WebLogic slim image");
-    }
+    ExecResult result = exeAppInServerPod(domainNamespace, adminServerPodName, 7002, resourcePath);
+    logger.info("result in OKE_CLUSTER is {0}", result.toString());
+    assertEquals(0, result.exitValue(), "Failed to access WebLogic readyapp");
+    logger.info("WebLogic readyapp is accessible thru default-admin service");
+
+    String localhost = "localhost";
+    String forwardPort = startPortForwardProcess(localhost, domainNamespace, domainUid, 9002);
+    assertNotNull(forwardPort, "port-forward fails to assign local port");
+    logger.info("Forwarded admin-port is {0}", forwardPort);
+    String curlCmd = "curl -sk --show-error --noproxy '*' "
+        + " https://" + localhost + ":" + forwardPort
+        + "/weblogic/ready --write-out %{http_code} "
+        + " -o /dev/null";
+    logger.info("Executing default-admin port-fwd curl command {0}", curlCmd);
+    assertTrue(callWebAppAndWaitTillReady(curlCmd, 10));
+    logger.info("WebLogic readyapp is accessible thru admin port forwarding");
+
+    // When port-forwarding is happening on admin-port, port-forwarding will
+    // not work for SSL port i.e. 7002
+    forwardPort = startPortForwardProcess(localhost, domainNamespace, domainUid, 7002);
+    assertNotNull(forwardPort, "port-forward fails to assign local port");
+    logger.info("Forwarded ssl port is {0}", forwardPort);
+    curlCmd = "curl -g -sk --show-error --noproxy '*' "
+        + " https://" + localhost + ":" + forwardPort
+        + "/weblogic/ready --write-out %{http_code} "
+        + " -o /dev/null";
+    logger.info("Executing default-admin port-fwd curl command {0}", curlCmd);
+    assertFalse(callWebAppAndWaitTillReady(curlCmd, 10));
+    logger.info("WebLogic readyapp should not be accessible thru ssl port forwarding");
+    stopPortForwardProcess(domainNamespace);
 
     int nodePort = getServiceNodePort(
         domainNamespace, getExternalServicePodName(adminServerPodName), "default");
@@ -337,6 +348,11 @@ void testMiiDynamicChangeWithSSLEnabled() {
     String introspectVersion = patchDomainResourceWithNewIntrospectVersion(domainUid, domainNamespace);
 
     verifyIntrospectorRuns(domainUid, domainNamespace);
+    String sslChannelName = "default-admin";
+    if (TestConstants.KIND_CLUSTER
+        && !TestConstants.WLSIMG_BUILDER.equals(TestConstants.WLSIMG_BUILDER_DEFAULT)) {
+      createTraefikIngressRoutingRules(domainNamespace);
+    }
 
     String resourcePath = "/management/weblogic/latest/domainRuntime/serverRuntimes/"
         + MANAGED_SERVER_NAME_BASE + "1"
@@ -356,7 +372,7 @@ void testMiiDynamicChangeWithSSLEnabled() {
                   + MANAGED_SERVER_NAME_BASE + "1"
                   + "/applicationRuntimes/" + MII_BASIC_APP_DEPLOYMENT_NAME
                   + "/workManagerRuntimes/newWM",
-              "200", true, "default-admin"),
+              "200", true, sslChannelName),
               logger, "work manager configuration to be updated.");
     }
 
@@ -423,4 +439,28 @@ private static void createDomainResource(
     assertTrue(domCreated, String.format("Create domain custom resource failed with ApiException "
                     + "for %s in namespace %s", domainUid, domNamespace));
   }
+
+  private static void createTraefikIngressRoutingRules(String domainNamespace) {
+    logger.info("Creating ingress rules for domain traffic routing");
+    Path srcFile = Paths.get(ActionConstants.RESOURCE_DIR, "traefik/traefik-ingress-rules-tcp.yaml");
+    Path dstFile = Paths.get(TestConstants.RESULTS_ROOT, "traefik/traefik-ingress-rules-tcp.yaml");
+    assertDoesNotThrow(() -> {
+      Files.deleteIfExists(dstFile);
+      Files.createDirectories(dstFile.getParent());
+      Files.write(dstFile, Files.readString(srcFile).replaceAll("@NS@", domainNamespace)
+          .getBytes(StandardCharsets.UTF_8));
+    });
+    String command = KUBERNETES_CLI + " create -f " + dstFile;
+    logger.info("Running {0}", command);
+    ExecResult result;
+    try {
+      result = ExecCommand.exec(command, true);
+      String response = result.stdout().trim();
+      logger.info("exitCode: {0}, \nstdout: {1}, \nstderr: {2}",
+          result.exitValue(), response, result.stderr());
+      assertEquals(0, result.exitValue(), "Command didn't succeed");
+    } catch (IOException | InterruptedException ex) {
+      logger.severe(ex.getMessage());
+    }
+  }
 }

integration-tests/src/test/java/oracle/weblogic/kubernetes/utils/CommonMiiTestUtils.java

@@ -4,6 +4,7 @@
 package oracle.weblogic.kubernetes.utils;
 
 import java.io.IOException;
+import java.net.InetAddress;
 import java.net.http.HttpResponse;
 import java.time.OffsetDateTime;
 import java.util.ArrayList;
@@ -18,6 +19,7 @@
 
 import io.kubernetes.client.custom.Quantity;
 import io.kubernetes.client.custom.V1Patch;
+import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ConfigMap;
 import io.kubernetes.client.openapi.models.V1EnvVar;
 import io.kubernetes.client.openapi.models.V1Job;
@@ -70,6 +72,7 @@
 import static oracle.weblogic.kubernetes.TestConstants.OKD;
 import static oracle.weblogic.kubernetes.TestConstants.OKE_CLUSTER_PRIVATEIP;
 import static oracle.weblogic.kubernetes.TestConstants.TEST_IMAGES_REPO_SECRET_NAME;
+import static oracle.weblogic.kubernetes.TestConstants.TRAEFIK_INGRESS_HTTPS_HOSTPORT;
 import static oracle.weblogic.kubernetes.TestConstants.TRAEFIK_INGRESS_HTTP_HOSTPORT;
 import static oracle.weblogic.kubernetes.TestConstants.WEBLOGIC_IMAGE_NAME;
 import static oracle.weblogic.kubernetes.TestConstants.WEBLOGIC_IMAGE_TAG;
@@ -96,6 +99,7 @@
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.checkPodReadyAndServiceExists;
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.checkServiceExists;
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.createIngressHostRouting;
+import static oracle.weblogic.kubernetes.utils.CommonTestUtils.formatIPv6Host;
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.testUntil;
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.verifyCredentials;
 import static oracle.weblogic.kubernetes.utils.ConfigMapUtils.createConfigMapAndVerify;
@@ -1245,15 +1249,16 @@ public static boolean checkWeblogicMBean(String adminSvcExtHost,
     }
 
     String host = K8S_NODEPORT_HOST;
-    if (host.contains(":")) {
-      host = "[" + host + "]";
-    }
+    formatIPv6Host(host);
+    
     String hostAndPort = (OKD) ? adminSvcExtHost : host + ":" + adminServiceNodePort;
     logger.info("hostAndPort = {0} ", hostAndPort);
 
     if (TestConstants.KIND_CLUSTER
         && !TestConstants.WLSIMG_BUILDER.equals(TestConstants.WLSIMG_BUILDER_DEFAULT)) {
-      int port = getServicePort(domainNamespace, adminServerPodName, "internal-t3");
+      String channel = "internal-t3";
+      int port = getServicePort(domainNamespace, getExternalServicePodName(adminServerPodName),
+          sslChannelName.isEmpty() ? channel : sslChannelName);
       String domainName = adminServerPodName.split("-" + ADMIN_SERVER_NAME_BASE)[0];
       String serviceName = ADMIN_SERVER_NAME_BASE;
       String ingressName = domainNamespace + "-" + domainName + "-" + serviceName + "-" + port;
@@ -1262,19 +1267,21 @@ public static boolean checkWeblogicMBean(String adminSvcExtHost,
       try {
         List<String> ingresses = TestActions.listIngresses(domainNamespace);
         ingressFound = ingresses.stream().filter(ingress -> ingress.equals(ingressName)).findAny();
-        if (ingressFound.isEmpty()) {
+        if (ingressFound.isEmpty() && sslChannelName.isEmpty()) {
           createIngressHostRouting(domainNamespace, domainName, serviceName, port);
         } else {
-          logger.info("Ingress {0} found, skipping ingress resource creation...", ingressFound);
+          logger.info("Ingress {0} found or secure channel , skipping ingress resource creation...", ingressFound);
         }
-      } catch (Exception ex) {
+      } catch (ApiException ex) {
         logger.severe(ex.getMessage());
       }
-      hostAndPort = "localhost:" + TRAEFIK_INGRESS_HTTP_HOSTPORT;
+      hostAndPort = assertDoesNotThrow(()
+          -> formatIPv6Host(InetAddress.getLocalHost().getHostAddress()) + ":"
+          + (isSecureMode ? TRAEFIK_INGRESS_HTTPS_HOSTPORT : TRAEFIK_INGRESS_HTTP_HOSTPORT));
       Map<String, String> headers = new HashMap<>();
       headers.put("host", hostHeader);
       headers.put("Authorization", ADMIN_USERNAME_DEFAULT + ":" + ADMIN_PASSWORD_DEFAULT);
-      String url = "http://" + hostAndPort + resourcePath;
+      String url = (isSecureMode ? "https" : "http") + "://" + hostAndPort + resourcePath;
       HttpResponse<String> response;
       try {
         response = OracleHttpClient.get(url, headers, true);

integration-tests/src/test/java/oracle/weblogic/kubernetes/utils/CommonTestUtils.java

@@ -23,6 +23,7 @@
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Properties;
 import java.util.Random;
@@ -37,6 +38,7 @@
 import io.kubernetes.client.openapi.models.V1IngressBackend;
 import io.kubernetes.client.openapi.models.V1IngressRule;
 import io.kubernetes.client.openapi.models.V1IngressServiceBackend;
+import io.kubernetes.client.openapi.models.V1IngressTLS;
 import io.kubernetes.client.openapi.models.V1ServiceBackendPort;
 import oracle.weblogic.domain.ClusterSpec;
 import oracle.weblogic.domain.DomainCondition;
@@ -2356,10 +2358,26 @@ public static Callable<Boolean> isAppInServerPodReady(String domainNamespace,
    * @param domainUid domain resource name
    * @param serviceName name of the service for which to create ingress routing
    * @param port container port of the service
-   * @return hostheader
+   * @return hostheader host header
    */
   public static String createIngressHostRouting(String domainNamespace, String domainUid,
       String serviceName, int port) {
+    return createIngressHostRouting(domainNamespace, domainUid, serviceName, port, null, null, false);
+  }
+
+  /**
+   * Create ingress resource for a single service.
+   *
+   * @param domainNamespace namespace in which the service exists
+   * @param domainUid domain resource name
+   * @param serviceName name of the service for which to create ingress routing
+   * @param port container port of the service
+   * @param annoations ingress annotations
+   * @param tlsList list of tls secrets
+   * @return hostheader host header
+   */
+  public static String createIngressHostRouting(String domainNamespace, String domainUid,
+      String serviceName, int port, Map<String, String> annoations, List<V1IngressTLS> tlsList, boolean isSecureMode) {
     // create an ingress in domain namespace
     // set the ingress rule host
     String ingressHost = domainNamespace + "." + domainUid + "." + serviceName;
@@ -2383,17 +2401,18 @@ public static String createIngressHostRouting(String domainNamespace, String dom
     ingressRules.add(ingressRule);
 
     String ingressName = domainNamespace + "-" + domainUid + "-" + serviceName + "-" + port;
-    assertDoesNotThrow(() -> createIngress(ingressName, domainNamespace, null,
-        Files.readString(INGRESS_CLASS_FILE_NAME), ingressRules, null));
+    assertDoesNotThrow(() -> createIngress(ingressName, domainNamespace, annoations,
+        Files.readString(INGRESS_CLASS_FILE_NAME), ingressRules, tlsList));
 
     // check the ingress was found in the domain namespace
     assertThat(assertDoesNotThrow(() -> listIngresses(domainNamespace)))
         .as(String.format("Test ingress %s was found in namespace %s", ingressName, domainNamespace))
         .withFailMessage(String.format("Ingress %s was not found in namespace %s", ingressName, domainNamespace))
         .contains(ingressName);
-    String curlCmd = "curl -g --silent --show-error --noproxy '*' -H 'host: " + ingressHost
-        + "' http://localhost:" + TRAEFIK_INGRESS_HTTP_HOSTPORT
-        + "/weblogic/ready --write-out %{http_code} -o /dev/null";
+    String curlCmd = assertDoesNotThrow(() -> "curl -g -k --silent --show-error --noproxy '*' -H 'host: "
+        + ingressHost + "' " + (isSecureMode ? "https" : "http") + "://"
+        + formatIPv6Host(InetAddress.getLocalHost().getHostAddress()) + ":" + +TRAEFIK_INGRESS_HTTP_HOSTPORT
+        + "/weblogic/ready --write-out %{http_code} -o /dev/null");
     getLogger().info("Executing curl command {0}", curlCmd);
     assertTrue(callWebAppAndWaitTillReady(curlCmd, 60));