support model encryption in domain on pv

Author: jshum2479

documentation/domains/Domain.json

@@ -735,6 +735,10 @@
           "description": "An optional field that describes the configuration to create a PersistentVolume for `Domain on PV` domain. Omit this section if you have manually created a persistent volume. The operator will perform this one-time create operation only if the persistent volume does not already exist. The operator will not recreate or update the PersistentVolume when it exists. More info: https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv-initialization#pv",
           "$ref": "#/definitions/PersistentVolume"
         },
+        "wdtModelEncryptionPassphraseSecret": {
+          "description": "Specifies the secret name of the WebLogic Deployment Tool encryption passphrase if the WDT models provided in the \u0027domainCreationImages\u0027 or \u0027domainCreationConfigMap\u0027 are encrypted using the WebLogic Deployment Tool \u0027encryptModel\u0027 command. The secret must use the key \u0027passphrase\u0027 containing the actual passphrase for decryption.",
+          "type": "string"
+        },
         "domain": {
           "description": "Describes the configuration for creating an initial WebLogic Domain in persistent volume (`Domain in PV`). The operator will not recreate or update the domain if it already exists. Required.",
           "$ref": "#/definitions/DomainOnPV"

documentation/domains/Domain.md

@@ -249,6 +249,7 @@ The current status of the operation of the WebLogic domain. Updated automaticall
 | `runDomainInitContainerAsRoot` | Boolean | Specifies whether the operator will run the domain initialization init container in the introspector job as root. This may be needed in some environments to create the domain home directory on PV. Defaults to false. |
 | `setDefaultSecurityContextFsGroup` | Boolean | Specifies whether the operator will set the default 'fsGroup' in the introspector job pod security context. This is needed to create the domain home directory on PV in some environments. If the 'fsGroup' is specified as part of 'spec.introspector.serverPod.podSecurityContext', then the operator will use that 'fsGroup' instead of the default 'fsGroup'. Defaults to true. |
 | `waitForPvcToBind` | Boolean | Specifies whether the operator will wait for the PersistentVolumeClaim to be bound before proceeding with the domain creation. Defaults to true. |
+| `wdtModelEncryptionPassphraseSecret` | string | Specifies the secret name of the WebLogic Deployment Tool encryption passphrase if the WDT models provided in the 'domainCreationImages' or 'domainCreationConfigMap' are encrypted using the WebLogic Deployment Tool 'encryptModel' command. The secret must use the key 'passphrase' containing the actual passphrase for decryption. |
 
 ### Model
 

documentation/site/content/managing-domains/domain-on-pv/usage.md

@@ -29,6 +29,7 @@ To use this feature, provide the following information:
 - [Domain information](#domain-information) - This describes the domain type and whether the operator should create the RCU schema.
 - [Domain WDT models](#domain-creation-models) - This is where the WDT Home, WDT model, WDT archive, and WDT variables files reside.
 - [Optional WDT models ConfigMap](#optional-wdt-models-configmap) - Optional, WDT model, WDT variables files.
+- [Using WDT model encryption](#using-wdt-model-encryption) - Optional, using WDT model encryption.
 - [Domain resource YAML file]({{< relref "/reference/domain-resource.md">}}) - This is for deploying the domain in WebLogic Kubernetes Operator.
 
 
@@ -113,6 +114,21 @@ those in `domainCreationImages`.
 
 The files inside this ConfigMap must have file extensions, `.yaml`, `.properties`, or `.zip`.
 
+#### Using WDT model encryption
+
+Staring in WebLogic Kubernetes Operator version 4.2.18.  If the provided WDT models are encrypted using the WDT `encryptModel`
+command.  You can specify the encryption passphrase as a secret in the domain resource YAML. WDT will use the value in the
+secret to decrypt the models for domain creation.
+
+```yaml
+   initializeDomainOnPV:
+      wdtModelEncryptionPassphraseSecret: model-encryption-secret
+```
+
+The secret must have a key `passphrase` containing the value of the WDT encryption passphrase used to encrypt the models.
+
+`kubectl create secret generic model-encrypion-secret --from-literal=passphrase=<encryption passphrase value>`
+
 #### Volumes and VolumeMounts information
 
 You must provide the `volumes` and `volumeMounts` information in `domain.spec.serverPod`. This allows the pod to mount the persistent

kubernetes/crd/domain-crd.yaml

@@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    weblogic.sha256: 93876ffc518d2d133a9ece2860ee9e02131ae3341f4d69e2b15e0b7697a00a15
+    weblogic.sha256: d4d20a0a6c4d30fb25539595ecbb553264ab5ac1647009db79c696579f049197
   name: domains.weblogic.oracle
 spec:
   group: weblogic.oracle
@@ -276,6 +276,14 @@ spec:
                                 type: object
                             type: object
                         type: object
+                      wdtModelEncryptionPassphraseSecret:
+                        description: Specifies the secret name of the WebLogic Deployment
+                          Tool encryption passphrase if the WDT models provided in
+                          the 'domainCreationImages' or 'domainCreationConfigMap'
+                          are encrypted using the WebLogic Deployment Tool 'encryptModel'
+                          command. The secret must use the key 'passphrase' containing
+                          the actual passphrase for decryption.
+                        type: string
                       domain:
                         description: Describes the configuration for creating an initial
                           WebLogic Domain in persistent volume (`Domain in PV`). The

operator/src/main/java/oracle/kubernetes/operator/helpers/JobStepContext.java

@@ -239,6 +239,9 @@ String getRuntimeEncryptionSecretName() {
     return getDomain().getRuntimeEncryptionSecret();
   }
 
+  String getWdtModelEncryptionSecretName() {
+    return getDomain().getWdtModelEncryptionSecret();
+  }
 
   // ----------------------- step methods ------------------------------
 
@@ -603,11 +606,18 @@ protected V1PodSpec createPodSpec() {
       podSpec.addVolumesItem(new V1Volume().name(OPSS_KEYPASSPHRASE_VOLUME).secret(
           getOpssWalletPasswordSecretVolume()));
     }
+
     if (getOpssWalletFileSecretName() != null) {
       podSpec.addVolumesItem(new V1Volume().name(OPSS_WALLETFILE_VOLUME).secret(
               getOpssWalletFileSecretVolume()));
     }
 
+    if (getWdtModelEncryptionSecretVolume() != null) {
+      podSpec.addVolumesItem(new V1Volume().name(WDT_MODEL_ENCRYPTION_PASSPHRASE_VOLUME).secret(
+              getWdtModelEncryptionSecretVolume()
+      ));
+    }
+
     podSpec.setImagePullSecrets(info.getDomain().getSpec().getImagePullSecrets());
 
     for (V1Volume additionalVolume : getAdditionalVolumes()) {
@@ -730,7 +740,12 @@ protected V1Container createPrimaryContainer() {
     if (getOpssWalletFileSecretVolume() != null) {
       container.addVolumeMountsItem(readOnlyVolumeMount(OPSS_WALLETFILE_VOLUME, OPSS_WALLETFILE_MOUNT_PATH));
     }
-    
+
+    if (getWdtModelEncryptionSecretVolume() != null) {
+      container.addVolumeMountsItem(readOnlyVolumeMount(WDT_MODEL_ENCRYPTION_PASSPHRASE_VOLUME,
+              WDT_MODEL_ENCRYPTION_PASSPHRASE_MOUNT_PATH));
+    }
+
     for (V1VolumeMount additionalVolumeMount : getAdditionalVolumeMounts()) {
       container.addVolumeMountsItem(additionalVolumeMount);
     }
@@ -886,6 +901,17 @@ private V1SecretVolumeSource getOpssWalletFileSecretVolume() {
     return null;
   }
 
+  private V1SecretVolumeSource getWdtModelEncryptionSecretVolume() {
+    if (getWdtModelEncryptionSecretName() != null) {
+      V1SecretVolumeSource result =  new V1SecretVolumeSource()
+              .secretName(getWdtModelEncryptionSecretName())
+              .defaultMode(420);
+      result.setOptional(true);
+      return result;
+    }
+    return null;
+  }
+
   private V1ConfigMapVolumeSource getConfigMapVolumeSource() {
     return new V1ConfigMapVolumeSource()
           .name(KubernetesConstants.SCRIPT_CONFIG_MAP_NAME)

operator/src/main/java/oracle/kubernetes/operator/helpers/StepContextConstants.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -11,6 +11,7 @@ public interface StepContextConstants {
   String DEBUG_CM_VOLUME = "weblogic-domain-debug-cm-volume";
   String INTROSPECTOR_VOLUME = "weblogic-domain-introspect-cm-volume";
   String RUNTIME_ENCRYPTION_SECRET_VOLUME = "weblogic-domain-runtime-encryption-volume";
+  String WDT_MODEL_ENCRYPTION_PASSPHRASE_VOLUME = "wdt-encryption-passphrase-volume";
   String FLUENTD_CONFIGMAP_VOLUME = "weblogic-fluentd-configmap-volume";
   String OLD_FLUENTD_CONFIGMAP_NAME = "weblogic-fluentd-configmap";
   String FLUENTD_CONFIGMAP_NAME_SUFFIX = "-" + OLD_FLUENTD_CONFIGMAP_NAME;
@@ -23,6 +24,7 @@ public interface StepContextConstants {
   String FLUENTBIT_CONFIGMAP_NAME_SUFFIX = "-" + "weblogic-fluentbit-configmap";
   String SECRETS_MOUNT_PATH = "/weblogic-operator/secrets";
   String OPSS_KEY_MOUNT_PATH = "/weblogic-operator/opss-walletkey-secret";
+  String WDT_MODEL_ENCRYPTION_PASSPHRASE_MOUNT_PATH = "/weblogic-operator/wdt-encryption-passphrase";
   String RUNTIME_ENCRYPTION_SECRET_MOUNT_PATH = "/weblogic-operator/model-runtime-secret";
   String OVERRIDE_SECRETS_MOUNT_PATH = "/weblogic-operator/config-overrides-secrets";
   String OVERRIDES_CM_MOUNT_PATH = "/weblogic-operator/config-overrides";

operator/src/main/java/oracle/kubernetes/weblogic/domain/model/DomainResource.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2017, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2017, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.weblogic.domain.model;
@@ -449,6 +449,14 @@ public String getModelOpssWalletPasswordSecret() {
     return spec.getModelOpssWalletPasswordSecret();
   }
 
+  /**
+   * Reference to secret name of the wdt encryption passphrase for domain on pv.
+   * @return wdt model encryption passphrase secret name
+   */
+  public String getWdtModelEncryptionSecret() {
+    return spec.getWdtModelEncryptionSecret();
+  }
+
   /**
    * Reference to runtime encryption secret.
    *

operator/src/main/java/oracle/kubernetes/weblogic/domain/model/DomainSpec.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2017, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2017, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.weblogic.domain.model;
@@ -982,6 +982,12 @@ private String getModelOpssWalletFileSecret() {
         .orElse(null);
   }
 
+  String getWdtModelEncryptionSecret() {
+    return Optional.ofNullable(getInitializeDomainOnPV())
+            .map(InitializeDomainOnPV::getWdtModelEncryptionPassphraseSecret)
+            .orElse(null);
+  }
+
   private String getInitializeDomainOnPVOpssWalletFileSecret() {
     return Optional.ofNullable(getInitializeDomainOnPV())
         .map(InitializeDomainOnPV::getDomain)

operator/src/main/java/oracle/kubernetes/weblogic/domain/model/InitializeDomainOnPV.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2023, Oracle and/or its affiliates.
+// Copyright (c) 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.weblogic.domain.model;
@@ -52,6 +52,12 @@ public class InitializeDomainOnPV {
       + " will use that 'fsGroup' instead of the default 'fsGroup'. Defaults to true.")
   Boolean setDefaultSecurityContextFsGroup;
 
+  @Description("Specifies the secret name of the WebLogic Deployment Tool encryption passphrase if the WDT models "
+      + "provided in the 'domainCreationImages' or 'domainCreationConfigMap' are encrypted using the "
+      + "WebLogic Deployment Tool 'encryptModel' command. "
+      + "The secret must use the key 'passphrase' containing the actual passphrase for decryption.")
+  String wdtModelEncryptionPassphraseSecret;
+
   public PersistentVolume getPersistentVolume() {
     return persistentVolume;
   }
@@ -106,14 +112,24 @@ public InitializeDomainOnPV setDefaultFsGroup(Boolean setDefaultFsGroup) {
     return this;
   }
 
+  public String getWdtModelEncryptionPassphraseSecret() {
+    return wdtModelEncryptionPassphraseSecret;
+  }
+
+  public InitializeDomainOnPV  wdtModelEncryptionPassphraseSecret(String wdtModelEncryptionPassphraseSecret) {
+    this.wdtModelEncryptionPassphraseSecret = wdtModelEncryptionPassphraseSecret;
+    return this;
+  }
+
   @Override
   public String toString() {
     ToStringBuilder builder =
         new ToStringBuilder(this)
             .append("persistentVolume", persistentVolume)
             .append("persistentVolumeClaim", persistentVolumeClaim)
             .append("domain", domain)
-            .append("waitForPvcToBind", waitForPvcToBind);
+            .append("waitForPvcToBind", waitForPvcToBind)
+            .append("runDomainInitContainerAsRoot", runDomainInitContainerAsRoot);
 
     return builder.toString();
   }
@@ -124,7 +140,8 @@ public int hashCode() {
         .append(persistentVolume)
         .append(persistentVolumeClaim)
         .append(domain)
-        .append(waitForPvcToBind);
+        .append(waitForPvcToBind)
+        .append(runDomainInitContainerAsRoot);
 
     return builder.toHashCode();
   }
@@ -143,7 +160,8 @@ public boolean equals(Object other) {
             .append(persistentVolume, rhs.persistentVolume)
             .append(persistentVolumeClaim, rhs.persistentVolumeClaim)
             .append(domain, rhs.domain)
-            .append(waitForPvcToBind, rhs.waitForPvcToBind);
+            .append(waitForPvcToBind, rhs.waitForPvcToBind)
+            .append(wdtModelEncryptionPassphraseSecret, rhs.wdtModelEncryptionPassphraseSecret);
 
     return builder.isEquals();
   }

operator/src/main/resources/scripts/createDomainOnPV.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2025, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 #
 # This script contains the all the function of creating domain on pv
@@ -12,6 +12,9 @@ source ${SCRIPTPATH}/wdt_common.sh
 # we export the opss password file location because it's also used by introspectDomain.py
 export OPSS_KEY_PASSPHRASE="/weblogic-operator/opss-walletkey-secret/walletPassword"
 OPSS_KEY_B64EWALLET="/weblogic-operator/opss-walletfile-secret/walletFile"
+WDT_MODEL_ENCRYPTION_PASSPHRASE_ROOT="/weblogic-operator/wdt-encryption-passphrase"
+WDT_MODEL_ENCRYPTION_PASSPHRASE="${WDT_MODEL_ENCRYPTION_PASSPHRASE_ROOT}/passphrase"
+
 IMG_MODELS_HOME="/auxiliary/models"
 IMG_MODELS_ROOTDIR="${IMG_MODELS_HOME}"
 IMG_ARCHIVES_ROOTDIR="${IMG_MODELS_HOME}"
@@ -210,6 +213,16 @@ createDomainFromWDTModel() {
     cp /weblogic-operator/scripts/dopv-filters.json "${WDT_CUSTOM_CONFIG}/model_filters.json" || exitOrLoop
   fi
 
+  if [ -d "${WDT_MODEL_ENCRYPTION_PASSPHRASE_ROOT}" ]; then
+    if [ ! -f "${WDT_MODEL_ENCRYPTION_PASSPHRASE}" ]; then
+      trace SEVERE "Domain Source Type is 'DomainOnPV' and you have specified " \
+      " 'initializeDomainOnPV.wdtModelEncryptionPassphraseSecret' but this secret does not have the required key " \
+      " 'passphrase', update the secret and rerun the introspector job."
+      exitOrLoop
+    fi
+    wdtArgs+=" -passphrase_file ${WDT_MODEL_ENCRYPTION_PASSPHRASE}"
+  fi
+
   if [ -z "${OPSS_FLAGS}" ]; then
 
     # Determine run rcu or not