Skip to content

Owls 91143 - Move internal certificate initialization logic to operator initalization #2486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Jul 30, 2021
Merged

Owls 91143 - Move internal certificate initialization logic to operator initalization #2486

merged 13 commits into from
Jul 30, 2021

Conversation

ankedia
Copy link
Member

@ankedia ankedia commented Jul 29, 2021

Changes to move the internal certificate initialization logic from bash script to the java code and with the rest of the operator's initialization. The key pair and certificate are generated using bouncycastle library. If the operator secret is created by the helm install, it'll be replaced with the new data containing the operator's internal key. Otherwise, a new secret will be created. The integration test run results are at - https://build.weblogick8s.org:8443/job/weblogic-kubernetes-operator-kind-new/5819/ (I'm rerunning the failed test).

lennyphan
lennyphan approved these changes Jul 29, 2021
View reviewed changes
Copy link
Member

@lennyphan lennyphan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple trivial comments, otherwise LGTM.

operator/src/main/java/oracle/kubernetes/operator/steps/InitializeInternalIdentityStep.java Outdated
KeyPair keyPair = createKeyPair();
String key = convertToPEM(keyPair.getPrivate());
writeToFile(key, new File(INTERNAL_CERTIFICATE_KEY));
X509Certificate cert = SelfSignedCertGenerator.generate(keyPair, SHA_256_WITH_RSA, COMMON_NAME, 3650);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we represent some of the key/cert parameters as statics, e.g. 3650 as CERTIFICATE_VALIDITY_DAYS ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

rjeberhard
rjeberhard reviewed Jul 29, 2021
View reviewed changes
operator/src/main/java/oracle/kubernetes/operator/steps/InitializeInternalIdentityStep.java Outdated
Writer wr = Files.newBufferedWriter(path.toPath());
wr.write(content);
wr.flush();
wr.close();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same... Please use try-with-resources

@rjeberhard
Copy link
Member

rjeberhard commented Jul 29, 2021
edited by ankedia
Loading

@ankedia, the existing behavior is that the operator generates an internal certificate on start-up if the certificate and key don't already exist. That is, the key and certificate will be generated the first time that the operator is started. If the operator is killed and restarted then the operator will use the values already present in the config map and secret. Similarly, if the operator is upgraded then the operator will use the existing key and certificate.

I can't tell if the proposed code preserves this behavior.
@rjeberhard - I missed this part, will make the changes later today or tomorrow.

lennyphan
lennyphan approved these changes Jul 30, 2021
View reviewed changes
Copy link
Member

@lennyphan lennyphan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

lennyphan
lennyphan approved these changes Jul 30, 2021
View reviewed changes
Copy link
Member

@lennyphan lennyphan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rjeberhard rjeberhard merged commit 0aca088 into main Jul 30, 2021
@ankedia ankedia deleted the owls_91143 branch July 30, 2021 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rjeberhard rjeberhard rjeberhard approved these changes

@lennyphan lennyphan lennyphan approved these changes

@doxiao doxiao Awaiting requested review from doxiao

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ankedia @rjeberhard @lennyphan