From bb33daffecbb1be82b07dc05b7fdb9bd94ee6eaa Mon Sep 17 00:00:00 2001 From: Ryan Eberhard Date: Wed, 13 Jan 2021 12:41:05 -0500 Subject: [PATCH 1/2] Separate authorization checks for the operator and domain namespaces --- docs/charts/index.yaml | 40 ++++----- docs/charts/weblogic-operator-3.2.0.tgz | Bin 11195 -> 11192 bytes .../templates/_domain-namespaces.tpl | 2 +- .../templates/_operator-role.tpl | 5 +- .../kubernetes/operator/DomainRecheck.java | 19 ++-- .../kubernetes/operator/NamespaceStatus.java | 10 +++ .../operator/helpers/HealthCheckHelper.java | 84 ++++++++++-------- .../helpers/HealthCheckHelperTest.java | 6 +- 8 files changed, 100 insertions(+), 66 deletions(-) diff --git a/docs/charts/index.yaml b/docs/charts/index.yaml index 03a90ce7ae0..90a62d4d3cd 100644 --- a/docs/charts/index.yaml +++ b/docs/charts/index.yaml @@ -3,9 +3,9 @@ entries: weblogic-operator: - apiVersion: v1 appVersion: 3.2.0 - created: "2021-01-04T15:48:07.645132-05:00" + created: "2021-01-13T12:37:48.514056-05:00" description: Helm chart for configuring the WebLogic operator. - digest: faeabc3c35c580909ff3d35b44b0467bd7cb4376bbd54689df92a44295d9b37f + digest: 77bf9ae96371e779d6fd6faae1966d057d54571f651ec11babd8bc1d86e590af name: weblogic-operator type: application urls: @@ -13,7 +13,7 @@ entries: version: 3.2.0 - apiVersion: v1 appVersion: 3.1.1 - created: "2021-01-04T15:48:07.64427-05:00" + created: "2021-01-13T12:37:48.513192-05:00" description: Helm chart for configuring the WebLogic operator. digest: 202d148fd3db1ce45d22d4eab3e84bea9bf774addd9e0bc65f9312207a6e4968 name: weblogic-operator @@ -23,7 +23,7 @@ entries: version: 3.1.1 - apiVersion: v1 appVersion: 3.1.0 - created: "2021-01-04T15:48:07.643256-05:00" + created: "2021-01-13T12:37:48.512149-05:00" description: Helm chart for configuring the WebLogic operator. digest: acf600d0951dc3d8a0b05b35f3b9b1e62d827ef483fa863b0e37054ebb61f853 name: weblogic-operator 
@@ -32,7 +32,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.1.0.tgz version: 3.1.0 - apiVersion: v1 - created: "2021-01-04T15:48:07.642209-05:00" + created: "2021-01-13T12:37:48.510828-05:00" description: Helm chart for configuring the WebLogic operator. digest: 5d3a79a55132c33afd5d2d30e398c3cc508d77c9352129f2e8e127db5f1dcf19 name: weblogic-operator @@ -40,7 +40,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.4.tgz version: 3.0.4 - apiVersion: v1 - created: "2021-01-04T15:48:07.641293-05:00" + created: "2021-01-13T12:37:48.510041-05:00" description: Helm chart for configuring the WebLogic operator. digest: c6aeefca88eaa0d431dba66ee5705391c92468f26b27c5af92815ec3c3000406 name: weblogic-operator @@ -48,7 +48,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.3.tgz version: 3.0.3 - apiVersion: v1 - created: "2021-01-04T15:48:07.640176-05:00" + created: "2021-01-13T12:37:48.508963-05:00" description: Helm chart for configuring the WebLogic operator. digest: 84b5989fe8f2392d2b3b0f721bdab1562566d7d885324beafd9fc9e658b13cd3 name: weblogic-operator @@ -56,7 +56,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.2.tgz version: 3.0.2 - apiVersion: v1 - created: "2021-01-04T15:48:07.639261-05:00" + created: "2021-01-13T12:37:48.508139-05:00" description: Helm chart for configuring the WebLogic operator. digest: e7654ad3f2168f54b3a4b133bf8a86ea12bc474e5ee1d3ab14e1cf53012e9772 name: weblogic-operator 
@@ -64,7 +64,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.1.tgz version: 3.0.1 - apiVersion: v1 - created: "2021-01-04T15:48:07.638382-05:00" + created: "2021-01-13T12:37:48.507336-05:00" description: Helm chart for configuring the WebLogic operator. digest: 5c7c0d3ae797e98592b6fd2191b104f515d6649d0060af0a3ffef215d4c69864 name: weblogic-operator @@ -72,7 +72,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.0.tgz version: 3.0.0 - apiVersion: v1 - created: "2021-01-04T15:48:07.637498-05:00" + created: "2021-01-13T12:37:48.506585-05:00" description: Helm chart for configuring the WebLogic operator. digest: 5f4cd8f4f3282b52b5e90a1169f26986e8272671845053606ade9c855fb04151 name: weblogic-operator @@ -80,7 +80,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.0-rc1.tgz version: 3.0.0-rc1 - apiVersion: v1 - created: "2021-01-04T15:48:07.636461-05:00" + created: "2021-01-13T12:37:48.505796-05:00" description: Helm chart for configuring the WebLogic operator. digest: d441888a8deae1b1339e7585e3b437dfd2533303e46e842d7378e16db665e234 name: weblogic-operator @@ -88,7 +88,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.6.0.tgz version: 2.6.0 - apiVersion: v1 - created: "2021-01-04T15:48:07.635531-05:00" + created: "2021-01-13T12:37:48.50504-05:00" description: Helm chart for configuring the WebLogic operator. digest: fe41421b7dc45dc8a3b2888d3a626a37f5d3c8e1fa292fb6699deedc5e1db33d name: weblogic-operator 
@@ -96,7 +96,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.5.0.tgz version: 2.5.0 - apiVersion: v1 - created: "2021-01-04T15:48:07.633853-05:00" + created: "2021-01-13T12:37:48.504032-05:00" description: Helm chart for configuring the WebLogic operator. digest: b36bd32083f67453a62d089a2c09ce38e6655d88ac8a7b38691230c55c40e672 name: weblogic-operator @@ -104,7 +104,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.4.0.tgz version: 2.4.0 - apiVersion: v1 - created: "2021-01-04T15:48:07.632814-05:00" + created: "2021-01-13T12:37:48.503154-05:00" description: Helm chart for configuring the WebLogic operator. digest: a3eafe4c2c6ff49384e56421201e59a3737d651af8d5b605b87a19eb1f6f1dc3 name: weblogic-operator @@ -112,7 +112,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.3.1.tgz version: 2.3.1 - apiVersion: v1 - created: "2021-01-04T15:48:07.630402-05:00" + created: "2021-01-13T12:37:48.49981-05:00" description: Helm chart for configuring the WebLogic operator. digest: cbc6caaa6eb28e3c7e906ede14b2ae511a0b35fc12a8e3ab629155b09993e8b2 name: weblogic-operator @@ -120,7 +120,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.3.0.tgz version: 2.3.0 - apiVersion: v1 - created: "2021-01-04T15:48:07.629526-05:00" + created: "2021-01-13T12:37:48.498485-05:00" description: Helm chart for configuring the WebLogic operator. digest: 23d5a1c554fa8211cc1e86b7ade09460917cb2069e68fb4bfdddafc8db44fdcd name: weblogic-operator 
@@ -128,7 +128,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.2.1.tgz version: 2.2.1 - apiVersion: v1 - created: "2021-01-04T15:48:07.628426-05:00" + created: "2021-01-13T12:37:48.497434-05:00" description: Helm chart for configuring the WebLogic operator. digest: bba303686cb55d84fe8c0d693a2436e7e686b028085b56e012f6381699a3911f name: weblogic-operator @@ -136,7 +136,7 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.2.0.tgz version: 2.2.0 - apiVersion: v1 - created: "2021-01-04T15:48:07.626313-05:00" + created: "2021-01-13T12:37:48.494398-05:00" description: Helm chart for configuring the WebLogic operator. digest: 391e23c0969ada5f0cd2a088ddc6f11f237f57521801ed3925db2149a8437a0d name: weblogic-operator @@ -144,11 +144,11 @@ entries: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.1.tgz version: "2.1" - apiVersion: v1 - created: "2021-01-04T15:48:07.6254-05:00" + created: "2021-01-13T12:37:48.493567-05:00" description: Helm chart for configuring the WebLogic operator. digest: 298acda78ab73db6b7ba6f2752311bfa40c65874e03fb196b70976192211c1a5 name: weblogic-operator urls: - https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.0.1.tgz version: 2.0.1 -generated: "2021-01-04T15:48:07.623889-05:00" +generated: "2021-01-13T12:37:48.491609-05:00" 
diff --git a/docs/charts/weblogic-operator-3.2.0.tgz b/docs/charts/weblogic-operator-3.2.0.tgz index 580e8ef132ebdfcba65ae1bb8c022164a407b421..c0ebc7afa7ecc6d5efeacd228402e991ff0ba4ad 100644 GIT binary patch delta 9244 zcmV+%B;(t=SGZS@O9Uj#cASw2ai>q+%vgwN`3*x z2~CD*aoE9WTKsw3Kk5%U5%7?aRH$1&Ks-mG6c99_423kAkZHz9GDTtr=zmujpG#pv zxiIxR37*3c)ugN=mMIJoPSco#SOV`X+;KlOVg8$3b^Tx9I0OEe24J=RAH95i^tz(| zCx=Iat^Pm7wS(T$bjiqcCeU8EkB$b1Uw6^b;OMZ6E*TDEKsbpGC__YWgeMac6D)xD zJ3Hu{gphEEP?ki%lm+-XA%9Yjag45j%?amZ0eL&LK!^PS!W{7#y-g4nXeLC;hX)6g z^FCFh^+P&8h;;{kkfm|I)7e2B*n))cCJbqo2*gte$%Ft`V@eZ)=tTVlss{IHxI;o9ahhyinuBb`l9LQ5J% zUDes1rZtTjIQ>iTyBzICFu_?Yb}RVwJ1)70C@?Jp$%}~2F-b0RKqH7Dlm>hx7#1*H zTHKk@TMuGf_0UrWA!9jLV8uH-nlD7?wsV}|DfH1fOmU2~X+oI65SiKSk5`0%9 zXqZ%tXrs8>y_4z!xdBI$qyt?@@Ap?LEJ#gSjG$PqxAa`aK>f~6X9u0$;dvUv5S{5h zd4i%c49)s(^T-9TL*+n29n?cX*(<2rI0~w|%7>lavq=O50Rd2xP6bMT zcUL8a-8}!m3{V0PL8Lr;D1|{w2TTbUY}rJ}+JrVv4JDREo|j{-5R%C#VTA{!b7B-Z zWpa42tmqy#y_Jfp$>_{zhB+DoB!~+g6C`MNzAV_=g4)j~_RayuTZm8X$R zk=-w)2;CA6T||T(%Xhpp8lvOF!QilCw9%~?DHX}MR&}Kkn&B&0DyWLE?lbLTM5%>> zN;)b7p!Lv`5g9x^we^QlaRm*3chDOtp~{R%lTnq{2ogcW5`{Ri@h=nj35{cVt9+~i zg7iCt&JHTw$$@^v5A-vBz<`T`DI{`w(94JH$=khr$UdJ{r1s1_(Nt9qU&c$c+3--N z0v7EWRZeAPm8O=76Lcn_2R`d}Y{<42#W!b(fT_+i){cC7{-ctA3e#TMIo+q< z@q)63is^JDFrS@m;OJvI<+6`oV(iS&JGv4Xg+RaK3_nCc4tn^i|H^~}5MwS#I8xE+ z50qEU$&7N5E1(VpO%D^#N+He?iTESnTSI1u0%y3sNyhqo5%!HI=}WT~*C*q#jmj)0 z*?cUy`_%K%mhB%$gMmbU^>@6$=X5$H$@Cl+GE;Og{U=^vDG5_05voBo7?b$@f@2an zh1Otn`pfC{Y0yQ%uWzm|&Mv-}KhG|{yOjUFy}bDDOx^kJ?BX>4_d3v#hWcalKInI< z*bNN`iMezzo}3r!^hm|bS!|`cmha~>ead2}roB2#&dre=z+a1hQ@vQ0s4_*~bmXSk zgnNn?Li~03rb#cQQBUG|up|GU7X&&xilKAqzeqBnY_6>fO|%Ek+wp#9$DXA!nRqfGi8Sdp z`Ar?y;ezxqv9k7m=8Z_ILUZk>ROJiZQg#zl9P!m0%d@5xJZr_V0`*qhvU0VYUr)xZ z9Mc|7q8?5J>E(A;@UEDi)F-D?zf(X|Jp4r~t;L@R#+g?5s+zww(JaryIq8>Vj*y2o zt`{!@N;wdNITi3u0>7XUNHf&R+qyi=Lujl`lLo3$w&G!b9n|YET{e%D$t{?_%QK!r z5?v+=osqyyWN8rrFYDq^eHo?uBe;VwQ|l0RP?iW1BNwG9Fcq<3A+Y3i9?b13R1+Ml z@nyiN@`@4xDR+#-l 
zr!7r%VJAyXwW51Cu7uQ%gS?~Kg$^ItS2$-cwF_E%$`TUALe{Hd*&_CCCT+_^#yi6y zIv)JvAOEmZw^bC_AayIJ-q~5Dkxwyo@6@cRM+rYXJd<1sB?9#%lY z1&y;g$lpO%n)w*;0wgQtz@W;YG!wZ)F;-{=d-_$*4p9&oU1wAZwxH~vbSy_4Ws?cH zYhXRs59_Z+GOkw`P=r%unT+$-b=;rN-pL!%`_|T#L?%(RFhRf5v1%jnzL1(y49I|I zvA~Ha+SqP(4BFAF3h>F-e`-A)4uxc6ltCFlT6QWXs@6vxys&~U-GtRrPmH4pS*Qqy z=z^#e^m3RAAZ;rnv+{x$`MfEe$x)1tiOa<<6=D;Pc6&B?cAFX|GGy!>_YeC6*(yS<76 zi>WuPlBt#Q^y>Hl@?;I(#A3J;?KzvzDkx2QjXy)(PBGEA;}Q82uB7ZHQg*OWn`~ z={$De6 zZVY47R>hcIcM)BPrS035@_?D7vm%$8S+Yc#!bDpQA3B^CtJ(-hkrdSu!vb^_KaV(> zD$q`&jN}n=>-C@Y^}hnxa)t94i8^%*Z)7s z^&Hm!{`FT+f2smW00l+lTU}Wbp#S_&)sjrm9%X0`{y=-V0tM%UivU$S)mAg?qo7#p z7VM)v>FWFCdbj(+R4w=S_j42xdV$%Lqv1Ewqr_PRD98kfc|VM40`GJI3A1H@`sf3i zFgpLgcpjr(+5ZNXvU~s9tO_i~w;Sn%O16`xO^+E=fA9@7tg=^uQ9D%UnU%)T3Smc0!NQ9bqwZ(=UK&~;cCjHQP)k*0NQ~9$IzEK|= zw9kwo^uk(_IQ$0fNv+LN6f6z{6j-(}kpJx~I$IKFL{TVF%*WD($i`CMkxc|6bJ@Bs zf6OF_;I3<7qaa$iRc#*9yGqKHwkZ}edF93P(?2pC6S3@#WiB{G-*nM8-*nO6zbRUb zK;#cqV!VgDXuRJ=cT#YRze|93gbPSQ7^1r_`um-0)Qq4>kuUM?&q3e_3*1*rVEH=v zsCPtx?irvxX)0Gshr(cn`4t11>j!@ie+=#G3Ngd{M_8^xbx(4u3aO@BD`e0z>Qzb4 zA9=@@w`$|~)y>iDzkky(-4|RL@`_n6n;+FWm{=sCS{C;vgh}O8aD3)vJv9}`8tqIB z7UKds`jC&huM+NcFg*-;DwcSd(uz;tY{sW=9+6KnxA{;e)qT=uQ=~T= zvSZ7QkID_>dp6=prO&6cXD>K}G>M$CEKd38uCkK1dfkT#L3lRif}umSCnLN)o{iC7 z3`q`qA06)R7X#JdnfHO77~UPpjo0;Mf)QQGlf@7$e|P4AE^$8}6*E{1mU)nFuP|i} zkc*36Lhu}dwEHX9XOTEGv__Z(;M{rOjqCZC2^j zJNh2KIPB%ohQ$iS5M}6o!Xljci+W~%Xd{1Jer+NRpDBB5KR@-$uI*L3R=)o&HusqY z42;H*f3ML|%U9aH4_2{pEWn{sH}wQ2`pZe@)_iq`&^sD^fjuJxDZ}!vK9izf+ln z_5#nCnr%p*S;2>@`kw1XEaOs5dA9%{@p>vvLkgzpMWyQ zDOb-Hz{cwS6hzQPft1r7{ChnrdWSey ze-LS;{)L510$X6#0=$HI5YuThw6;Lt4ni*!L!26%l8MTO)xnyBBA%E9ZP7a50*lO# zT~7XO6!&Fbo5z28hjzTdQowcb-_c<;{yTm-IN8R3PjP)o@!$7aGPkkcmmK>U^Yf|0 zz8sAwkN6A=RrT*PX5-pOt1N=vC;Y=He}OvziPQjYq}>zzs;zDLEoDN~c991MVop4C z-(awd+5})Vtm?Q_Y2)k&Xe5r>L!h^5R7P$JbA2Yp7v{$kvl&E*?CK%5apkAIHjn?x zf^^#ma83Mo^!o61HU4{j{Bj%rJ;n7U#eddYifsh=V^u(_L);|O+?{0e`}vOuxLQ4 zO?)A{U&BQ5HFtKaq2b^ib8^{a~iKRMoh|Nm*OFUbGD%O!H_`=7}7qc6<)7dGuP 
z@%tq{pU~x7MA>@#FYdaxfB)ZL8^GH2U$3hE|E2tA>;IqN`hxs_b@~6+`)|GfCf@(^ z*jZ4;<|BFjXTdh-z1RjDLtKWe3UZ!i1IT9_H{IL+Z?Ft(-TJSW$F=B8oe?$ z&CgvMRgGKoe)+Ptx4`Pu) zjbG$nId!I@&h(4mf3DgQ1-|BiGqxY1YTcc)D4sSicq<^S`CdwG7ETNA zj9eHSqhL;E^o^|_c?UJUT8!p=u2zrYe&%de>&hX%&+v!LltD2s7FDYV-e2IE$|Pq?+ntIgqRP}p>$D3>&-wGVURnc zhYhMPoTg2rMkt@U`t8Ki7p+P?dGe#aB-l@A1a5FCFZ*seE!j&@bxL?2eL#uKK@x$! zcHtJz-yKM*Mnc50e3svN&;a>o7Fj|5-bzt5hkDQPf7Fml{q!+GJ-Eu^_=?6PTw1Nm zo4$VP8<0|!{uPWd*IVArgxOT@F)e&ap{-6kNERhcis@WlonF6re|i1e#haf_M^|s& zo|f}L`V+|CF*+YwHxZi1XxWrEYxl3Pm<>_joSR-89MLrT)#W>d!N(YU)wsW$UVnQz zst-Fve}Vemg{SX7-~96CxAV*IzdyV9{ zv(fvr%im5f-h6w0`pyrIa6zayIM!Dl6*HJq0q-P<_$&+;j_y-|U33%0%0u6HXfAi?-^x~ZjHOG`^JcT5>OcczKz)WPR z4XR|uvf95a*i@S)wWdi_rIY8DL}*UKn_tgI-r4+g`S!=(emx)gL`AU7k`&JX~G9S zX;O7X%wrAeP$MbKo4__5+K*s%61E;7-+AcB9*!=PcsW!b$f+p;#5ZS&fGMlz_&IjY zP%)i4;0@|Ao%SNa`~&Mx=C9zVb>?DAf1?(Y1th@v6{BOYWg70v=tf_;Kdm^C9@6f$ ze!C>6GfLlWtd2UAMl#0Bk@`v#AEKjy)glE(XjD8q>DZJZA0K;nm{#aFV}CekW?)NM z>RH0Vg@e5nPsLRF2R=J%imOZ%go55A=o*PU$U*j{as}w$ZB2zoZdZuAKd?GIe}6N2 zfA)5C`sVuW55N6zIcjpO5MwS#I0DSV*$@*>-W`-EGyzs{ldgDzSSqg zqNk_Vhdk_V9#J!*MU?F`s9|1+8`e!vQvq$wD2>K@v$1k8Hg9OEK8+MRCifmzUf;LT z(04A@01ED}m##9vJQd4#gxM&}e<32-T!u-?X9snDZ>y2k)vo@R*X(hQt^E_{SjdAyZ$vXoOca@yBx_|IxLjLWB3-~r>!H3 zWhzn3XB*T?iz`ZUDP_5PZLxx)u+|K?$gQsgF+^VvzCN@Ha96atoe+fNTQG#zF z!zRUr0u$u}T~wOu2u_W#j-t1*-?=;sKhw_s=cM{L_J45vvS$B}kGJ;!DXwR4|Id=T z{lBjTFU0)wwcut^?%CCSO?a;~#(6sJ80=?ZwYJw|UG3~YqjCG={%hAd`+rnB|95cw zYJ2|ElU&c<{;TZ?$UW`%e-V!PZP;b@X?#HYL*I)pEN=AO#}-H8J^XY$@4vhpRPF!qtCMZ~|0LHJVgKu2sdvx*?SrZe)VKDb78~c?{q;>7>mPO$?@9z8 zZ?|B}@0C=xvai`Tzv^==l@;?J`83>C+Xo+izhGrcqP5}j%iCn{e=z$gw%Kp`jh%LT zT(@yXer@dk?~w+s&HqlS^}oZ{+w*^)=K7NSzb_3eeD%l32FE$@Pf{5C+`Qc;jwINc z>d)h9Xa99!;l35XweSC5SHJ&0czv|Z|DNP}_V(W_@oMqjNA20K9tNOeYTx^8&lv#u z_V6EJ8SGbf|69-ef1C6rtkpY7UuZR}@5nc}w+x^2Dxhyqz8S&%yLLCe#JSvzZ*{8g z#FsQdD>vdxVBUTBImw!PH0{EF!dbA8pdje=05Ztrcbo6`yr=N1};Z z&d@$Rt?yaN)Cx-F6KtCi`JI~F`mQUEe%+{7<%2OB^|cP0{}KdZ&1rg@$%B3++k*E_ 
z?%qaLtdoh>w=N>X7H#caJJeJ~?_>`TpzStJf#n^IxCjdLHrL!B-u%DH|<{!}$hlW~OB|AlVhEo|HzThEEL8i0)@?J<20e33pjz}m_pc(~v;~>Ri7U*|ZB^-gn z8`(qME!h_@MIkXW-bpbC6@ma&$< zHR(>1$R^y`M6!wjx|RRK$tkve8F1OR}0~_oUOF*+Xr{+5f2I8i6tvDAe6OWJ421=c@#5@~Ac`@dAo<9-wInHsIqe6@Wmo++$;;#1eY6^~P6p!}A} zX*Lo}wNzd5RUiETeL#Ydc?Fy3)EakBx#ZygB|!;)sX%NWeLx|dr#KV^R21CP`$!{H zC9A|B#G=tDRS~wJtrMLb0q?LqJJDN@;zviL(dS-+$XLSB?F?iDqGAsnaG)7p02%`% zg(x@4sBBps+sDOz69e_87q#_$HM;LW$RIX>5@F>a2~99t%5h`>L6csR#j!r|08OZD zbpy+PCiF`HKVW`AlZz~lf011+HB(;LuVqOsg0N;T1GW6Ml?I~P@1s3cmqPFd+7rtZ zE+>T*vRdt<;D03~{@(%G-`|W-zW^hXB@#0%w57@b(FwxpEH^SCp;{ZD2&PzUZbQ@< zH7*pyDqR@-kr4*bj}n@nJ~az<*i5@4%XIU9YXjSEaBLITXtiKCbhOO2ds6#@_t$UU zo(5((7iW7Mui91oaf3b9X3osjvTr^Oe34@1kbS0i^e{`~6U;L%&=?R7DuV=n z!=N@$4(xGwga3vhbs(n%%TZ)c&w_)IeWC#De-c&k_#*{UL<;spyhs}K~oWWp~hRQ z(g-n}Ou;e%FP!>`zFI0i(zq%2waNm2>{t4%QFWTc%lv4~n#w~Ab4UbVq56-hI|kiq z=%qOofCeM=snQ23IJtkjf8``B0$d0B{-dZaMqDtGOts!NDd`w<&>cpqwdeJ%Pt;Qe zs<_ZcfgVL8jaH$PbF~#-i#9mbk>4{#kG>+?TAY&N?4=Emx-?xLfSfwvZau|+#+1f@ zleQfERyW_Ag>sxt7}yH0MJt><*x#Rr8{m~Q@j>{tV`HKgSWSVo<>Q%dzBwN!F~#E5 z%S~9>3bjQmv^*2IKP&HpV9wJAA=*+kt-P}(SKk#qHfQV{r<*XfEpm&ti1}x6f9`IE zV9wV^K(r-yA<5<&y3f-jo42fg%r(~xUc@lPI;G?H&y3eQA}0u18KJh0m(ioE9zM&q`^ z61&Z-{$dT{mcMue%yS>|NHZvXO7jfz4N3V|bqvb-+j|@MG+=L zpEZ5>@FSydirREyaOIoT$@FsXm3f?1`F>cvY$HS$ZISfP=>9?5J+O2uX%E7-We}Gm zS-3?4tr=ftl=o+U{)UPC=IB;a`j$kkc6hiLY>IL{$$v2Ft7YORU{gR?mG`Uol0;DX zh$Pb(tZGHS(|JDwq&;)-lF~cpE>bIBr4>{kB$HWV448}JC45JQ6`*$&6iw#TYSHg> zz9WnaL_ zh$gzR23~>P?{v;4#d-q5QIf@RF(6_vrwicvmEjF6%k^cez?mg|8X%4t;An|b23!W3 zWEDC(ER)Y^9Le7uvvyQY1T#QmDrOayNIFWkbG?vOvAHrr;}Qtf@tpkXP>rEIb9dtrA2%dY*}PC}{#yp1arTx{J}lp0+L-ifm}t1OrgcxYID zPn&C);jh*yTL9kA2$y`1$&Fsfyvxz9!h9D^vP3oPBDj;urj{!r&|tez#nPaHAC8Q`A0?!G zDNwIWn9+`GR4P!eJ#a_3fT+}uLN7|C)yi6EkA7OvuOeDmqF#aeu&l4>pm9{8jJKn1 zS$*AHbaomha9eFyqozqS)gC?dW;%y%T<)GBrgd-MA!bfbWi>1-GRGb4m#N&pJ`sp==c7fhKGZbUMeMj{u0k0c>Lq~ z?|&b?te*dPa`bXr|9gt-xzztQDC?O$QO(7@>iI_BkyxF2tNvZr`0Wfc8Re>f*EP6Be 
z|NR-nb1j{ZG{zeHKR7-Hseb?AWN?!RD>i)XA_g%Q((J3_`^x(`i8?zdfvH|tyO%PU zkUNO#F9Yh*iL^~d<8^HpEW y)6Q3Y%E+|y)&KAGQ$~M>P;~kv0(`KwY1?aiZLjTBx&A8v0RR8?x?4#AMgaiaKtWvq delta 9191 zcmVxKNbS3u8a%J{?>o+Sk=irlMAQh7hs&w zWQZ1n4o=hJ&*R=vuiuG)hm52`-TDFIISQqKpb2Ftq{)O#Ge(jr5;H)*!hiT&3KPnO zsn<#H9EPYSWgW3hVTf>=#w5fNcxT~``>6@@-{h+6{{qJu@W(U&tM&irVeMy4}?_QHL1)E|6(fR6e{g9CKQa2Nx^NpwgVB7!44nUI)Z0le4Q zLFXidghPa~Bm$-^z|RShdVh>#bOmfqI429p+o1&-^!f;M#Aoz2L0F)f5GfxX9#YPG zRE^dP>HIL(9r$6E#=TBw2XSBv62hA>q*)>mPaz}|0$hzLO$?$F^?T$tB#FA4%l0l; zjd_YgKw^f4eA?M5o}*h5$0*}~1VwXv1Bk&N8F0bn4GHPTYz!;`0e>95xjIvL0h6?N zKLZqIT+lf%L^xu=Q<`uxjzODB23X{F(vKyV^CGJaqI=l%Rw}9{qcfu!=4cF%ATD%Fkf7c9vS4qQt6sYbSe4w`>FKIoQ17IK0`3H` z1jpCF#i^3ns6p2%l)FA1y+*Y=5fWRB4Yfibs`;8yCfwXX z#e+6dKM0ZXE6U^?E5s{9N*PgFu}ZCY zs#Jr|XckA(*x@*)IuXd#x|mgAEYn%tR8F#&rzR<8cn%_03oYHs?RcPjUv!&k6WP!(a_XWGSxQVRu@ zbW{dF>!BwjGI)Aw>kp&i3L1azpf^%Nl^KyHqbjWtB!Y+~3UOlNUncMq8prfj`B()6 z>30a79aOrLL;Z*!>Sz3r0T+i;NaXaOn-AHQx4Zd}JwB^Q?U{L^sj3{ljF)J$;h{_g zEZQ}yoXW~7O)V2A=uAS%E01UneAesOkZmoBZ_W|{Q=Mn59r^V9Mhl?e$T#$1qaq@vRw zD6g868Ra5ZKphC09wwfZLYyTM@khY7hRhHJ&Tu`GjP>{;>={qelV&ZhPsU>#m03)( z`B-xIspq3D+dq!_eTjeS?|6aF>2ykx={YQ9rs!b$PrSfV5~fNbRD)_TCh_|P$0TwJ zt-p({u>W|U;px3El zH#8t5=F-7+e=UDb^m<0(xltu zH+5Wx3(~{H%G!UMHzKJD&9$FWl`nKl*-cDw#8-1H&ze^7tQE%!)LU`O%GGjyJsG!h zOuIOVx;PP}o8MW%yJC7$pPWv;P61Kz@E5JL7JnibXIkN_YW~(lvpf&yq+gObLLS<< zUc3w_+&!Up|Lhi8mLCuiidx7P_M&u**sDvw_yG*&v*(+ zbeSl0MglXDr9}k1tcyeSWt8rZ;10q}twY#BSt3Y`T$HB3RK$jbz>?Q_Ft@8vO>nHn zmjS2BD@p{U+%X#0-33W_oh)3@{Vd3I(%eb;heqHE@3%Q?sTXC44YAlU)iW0(B*mgbHU#Oo8 z8fSBmzk>s5=3~GMkgSvggDQj4Oymy5SfLf{=~X#9L_uJ5olz;+g0g?ou^e%fO(x{7 zf%RNJtiKw`xL#pE5l)q5GR|MuaeqF0CvQmaTU%EWnMBdT1pQ9Os*S|^LTXAeAOoJo z0w8m@<+(=At5lqq%w=!xq4hR+FlK9O=alC7fOE_9_Z2 zrrxkhrdG<+tK$dAlQnn~i{VbR=WIT!pfu?<{tR_H#YE$dN90eqlCqmjRXW;GRUs2g zz!6QPp+w@AS_F{Er3q@siiDEdc}ZWby^`)Pril#i@;5FPBRLvFh^6_G^pW~6bwd}V z^VortKWh{#QW5Qc>srifsG4?^5I?+}XoU5N)0W#mu&R!jog&EG%D zJZEnT;z0R?0|go(l*+900D%biRT@;fRMq0Rhki~YEWoaRW4ELoyVVWO>u4;@a6Rc(Z$NQ!ESVF9{|pGTZb 
z6=9)$4x;F9$DQx$A$A27^~e+x5Rs zaXp9izkmII)s?D15Z zx&`}aPrCYEx!&!*FjdR_{rwz8gkE4as_TE!pae$h=Lw8pG-{Y4Q4Wf=Dp5Whqlb$Qg$O<>+l;Ckx-z3fs9Ka3ecVm zF!oWPrepr}3xz{fOKr)dTy7E^1T8uvTew2S5e8GZ(}ZmaqdPz=WHg^~AXUfAu}yO# zU>=|#up1kN36;8p+@Dt|V@ zH|k@9_SrFnURY}qhu@$*skK>(g2f;}fn^K>`QN^xvn6px6onGSd@OB=Y%Jv+*+ejZ zGMBCE!c39~?hY($6hsTRs?kGwTS>XpHpN0_ue^AE`bUOiB9`5;Oa_POn*;RCHwWnN z-xMuIAo7PQGv31oXuN-b?xf%rf0qF72p5oqFhq9;= zs8=ODf8-rs-l~n`S2stq|Nc$GbYE~~$SY>OY<^VhV1ki^YFXTy5GIvV!SR`w_0&`# zYqT>#Sd0tk=tDm0zRI}Q!SpcXsaWD+N-I8nvl*Yhc|<V+RF1mW433x)=0Peyoq zJR76E7?K?JJ{s)r7X#JdnHPed7~UPpjo0;Mf)QQHlfe)y1efN4u9NW)6I?^^9D=m_ zE7xb18LUW|oj*3rJ&|Rfny_;VjwJeO5M9=|&5<>%_ED1!10#x?8It(l;}v{rzJ=&!$g@5Dc#KQbyn!?sDB zkM!4HdPS~s-M z$@h$ADIcPL1;M{Ns91KS?&uRx<~Zf**#g*D-JgO84p1N`E&sihQH%Vc*M7=hdQp@7 zmF5p4h(X`dzd{-tMh5?0kBZ(Q&J{!&sefT1bHEmuwE%xFVIIbG+6=8N5V(WT3&jwp z2B&1AvSD?w=AeitWv?Dr+de#ZQK>aZ_Inf|>QYfWd91t(6@N zJk$*pj_ot2+?t5OZ`M9>V9|h7oA^R@zlMK_{Ads4v(osK%FEz&#^nvVRGV_!C|C_W$`OU6<=C0PFn!(d+8@e=m=>-~WG_ z>kIP#?{bOU`u->K{pbsG{)J8ZO#FU{&nI;G7E!j|{)@Zr?f*B}2C#Ph*Q=`kKY4$B zvR(i6B-a<@|EtUYx88s2{WtOcpU2LEDmEX<^FIr=Iq$_b*cjq6WL1#!G#fxZ%AY;S3#;*q{41xOa^gBg8e>qp)}O|KTCIiIW5qqyHWRnVPQ z>!CJ(6*U+3rq5@}(VBa&AGv?|TbqvE@_g#iHeU7K>ql<$fk@S%)fX2fHfs%4oeA$RZ4KXY{Z^^@Y>4iPQ+?Q&+#8c>1DMsV7f<)RzQ%35~!F zF6Cw4EvF@W391eW@1YMUkvT{r(AO^9!uh)cN!3V*SeDQ7I}aKl|I8vQ$lqNls^(1Z zIi4C)sh>V3s0UYB9AAIYn1oBKb$Qd*PkjSYs?xuLG3I*9yO}VX>OH1~FDbOuX$Q%o zq)9QI%d6AtH}5a6f4g||)9L8y&D+y*K1hE8`8!7EL+d6&6B#X=@@DP+6&AB03Y=rp zi-RMYM!&jzr!e>!gRdI*m(%NSFGuxZhbT~=yYTe==bK;N{C0nS`Th527vKMOe)`Ml zxu>_}>hE}g&*^kZlIb}tAoj5}hk7=8e|GuX>BXCG&rjd^!4WP9^#;fK%A;Zib1L8+ zjI-$ljo^y1YPrRk&h_a}m+w!1dw2Tn&)@%cb$R{1VK#ZPt^ofaL@EKVno^)aj(#3p zonE}Nq2`$KjHiE)M3;$zITDzOEVV(E%ve_Ymj#<@)1=lkiK=w++>!{*X?XMN`N%t) zpDy42_}j1NBcG@UmRXYG8KB(fWc6n7M+RJQSCGRrGdWV4U7Hr@L-A4a;OJ$49=J1? 
zo?}j#F(&%Auj|Xf(NCn(HzspZMWM+1((GJ4u8d}*s2hJ&@$rzrp|e8K3%fp()*~!v zoXz1U>6^I6()m)VuI^*=bT0cFGg6vVT@mwGgF4hm3iBqgO^5a)n4N^J2gr9GIN$RnoikKSrw(|7dQ7L?h%o=a`jh!9_-UQF*wU!QWC00q ze#Ph*Y?*(CyE3}bSME}fK zds4Xq^zXK&!XvjU#N8iQou0oLy+3<9I(>8f_J@Dpez+VpIaY`<7bF}3X5s7y%2zv8 z7wigu?SS?B>PD6o@u+@bVj17+lVQ=*)9XVXb~lfx8POuj_8HVLFT@S&rl+ZZwq}$@ z|I2IkUA_o6F9fbz|Ml{uTK_xhpY*r&zo)pKef{s$eVtT%9!`G)*!!-3 zO$_H&a6!X~zwbJ5>l3Yqz?p|B0peU?011@swD?tp= z*Zr>tRsrscR@XB~a5ACiDoXGzWZ0y*P+)(ee4vX;a~;8{5!O-kHugK0XW?hs+5enW zAIJXpk56j$|LACI|DWP|_V)iQsoVeiTJS>5KVJ)O7UiB@-PeS7OJkg;(~iM@7FKI} zJ=WFE{xcf4KkmPFt+W4wqw4vO{p0QakEgkwz5Q3)6Oen_?;{-Z+px>*)A)e)hrWLo zUs!Zc{Ck?S-nXvf`CaYpf3fH2(ZBz4(yyNXe*EfW8~;Da^+nkK`bX;BvwwS_Dg*Vc zeW=C8d3S$()5iLT9mTs6!N=Pz*z$WNm96Y+w#~2l97|=z{6{_wx7GH+$KNkl*^+2& zxcu@q**naBif#6req*QI9@lN8l3#xt`~Q2Sf$Q?WqnFkC-{AH3{NJa!z9j$eO9KmE z{V}q^aSr^G6b3&xZ?}mf3AU#C^SIjCe_dF(Zv}Ae`~TO~@4xq754QQ=lU&c<{+lIU zE#CX6J^R(e0CY_4d!Ow&10dfX{v#}d{mSlt>zRL(zJ#@UC+Q2VX7wHU2KRrK;d5RE z^zF$vBba~J?#7ommz(jePW7Gmk|t>7Mtlj(yAMAnS#yu3UHDJ9>(yGjX1UAtAkBNb z%M|~S!RP1BTG{`H9R9N2{vY?N=f4bIpB!!1e?7_d?CpPmy7`K)B#g6Y%{Rh|LqdCK zlWtaNv1hF?OQ`s)t2+`+)N+4@_UUOo&r+sVP%58b+liRVyFaI(WqUo^wKD$81c~_rgTJ-$-|@?%lgfYkpTVowC)@Qu zPjWqv`0wzmj@p!s7RBLAov#j!Wy(WCEv=HBqCCT?3=d!MkftEh*n8z~PPTp>7u-isxjSP^JdrD%IAIO3dHt4kHOB$iaDf7na&g z48+@vF-WZ08BhhjUCSI;%io%Gr%7ZJ?rb7i#Q@#P|KVh5Jw(75W&8k>{~a~~Rg*Rz z9)E}W$ay54to?XUJWk+tMxoPazgMBKikOxuUw=)`4=Bcb1L+%SZP+W1Bvs=WE%B1o59mrM zQ4NmLt^EeNUPDM(gmBG9qdg+ft+dKh5XM|Xgk}CFyQf@o@c)vagnv{Z zwvRrbkj_&aiUKMM?&*D`5vr0^Vi01{=#;7mThP{tPL6KRJOW-Wq%X;C4e6=zo5xQ7RSHHu9li9FYMQ{q!vL~Gnau{ z{@O|dQSJB9o~lbB_yg^UWeS&*!U|cf_EGS^5)%LK0PXK@MyOwak;xK?85Y`7Wq{}e zVRe=pnUGMe4NwGAEH<|xYK$5e3SyNm4F1RngXl*I%}<}2g&H)|?#MFT{D0cOwi_JV z#5Gzi7!DmRv+bVL{^0%fo42Qd8P3Jo9>=S86@T1dkF}XIbG7W7PXk}1SUF^$=^Z%^ zolL63uaH%Pf&p&C%$kxGf-;!38`|w~C^8)943%PXImvsM&B#Q`ZiSXs*RFLyNg=PO zY7jll()a}Pj0-ddgoDZ;!GAEQ4U_|W99|(;uUw4PYgC`e_@?4g$DLTAalyx#LXNhN z2_Cbt&V;A|wGh;e#%h~!PPq7d>_&U-dx6=M*Ye>CgB-JHf*l^KYI4pVZFNe#9IfO6 
zi;NeEo+D_v-)PWOgkGre)~Yl@3@1~tOu!4Lexk3IijOpI%6+Y}0Dt?HK5JB+Ch;;q zTC=9|5W^f2!B?pMW9p7Uw;FnBP6eRBNPVjGfeKFU-|k;I35x*NfxiDJs*4d9j3iU7 zw@peq#vF8qk!tOEed`nTlz}QP^iZHj(MY3J=;T~&h1a4DPIct>OwpsK$hH=zq&RzN z1EelZmj@uHPPki7v41h8G2o;v2fx+LH)o+7XA=gt!fVkAClB`b=ivr;2qm4CVBn!$@0rdX$R{QjBo zdPn30K`SHF*6}iW)O@vl#+t{f4hJa7=3`*|07Xi=+z z^a}999llHizU$&7>V`ASa43LvWme^2Yg*@LC~?$9S$~=WL;qtf@@l;U4=DpZkypnB z==+;u321AA+nL}OF(hgQ1|&YamzTn0&@Clx_t74MDct>pML0vjfBXw~|Lk}F(d+*E zf4<0#=YC5A-rcmuU`Z5;K?o&KrDS0~1FlexsNe_cmx3Xa_8i2VGC*P`GXf>kYY?~m#Uo&z`;bSPLFrSPXOM45%D<{(P}bkx z+rTF`eZTJ`qi=t)5dBWa_eB4!>BEN~8GTdKrW1oJ->goimwT_wD58Cd5rCUjR5VkFYxE#sCEfQ$W_%frsKY#N#OyoC5x0=$oBx<$8!^L1zlY}iU&WUsg33oEnZ{sMD|(&I`xzkZnTwZ{-Z>v2wenS3LG?j0nKj0M zxhP)3cVt)rdRIZwWKOLXy-w#l!ni<0pgF!#F^N88A4R|gNw6BvLhwKWNe~ghuyltq zKz~?H(253yhtilpWN6B`s7t$&= zS4L=D0--v-v%uL4M1YIhTRijHjkC~wjelspK~t=hE%tpc>~3IrV86DLkSYOh<4Oe= zTlW>EMpuG&;_S^T3+4kJ8kXPF<{D=Bt98m2fcG=PCEsImqZcyoa3-$j!wQ4J3e z+{t89%M}r5hLb1;Eqw?Qp%hk7+LCd#MJze*JlWxmz1`Y<1+CUwWlgW46S#f9)PG5* zS>IFku(HHrX;8rrM@Ha}5>mbts9Pq?Xh$|G6)4vpxFcLZRO&~e7p2l_Wi7NvKP~82 z5v?pyuRwiR)>m}UII2*_+flcyzHTl$I}H=Ktv0Mt)1;YdkDhunokKS+ch3;hy0`BT zGpDDr8kQBAsFOn`asj%Nwk9h9Z?obi3;`2Mk~9%byxj{bDyq3}L{XGo_{gYfOC4b%$&mVaFfd#Z^QvA^ zkXqN_&DELtdWA&jEl%;6#6%F_J?l~aip_JFZ?!CH09W7Yd5%#pTYhSp++I(2)$M<8 z2Ju`==Oc}=#{Tz@Uj|mc|M0SZlLjj`eLX-7Vl1TDSI762_i+++c2ELSy|8vKWiTOk z5b0%Mf8Xz+%OqZ^bz!MS38lbLOcLmIdhbTRjRa-T=}n0^RR7n=cE0M3@lEHeo|vbd xuX>b`Y3Hl|-|3}{{tlt&^hgBwaBI`H*Y?_8+pBW@R{#J2|Nl>qNFV@40RZP$S(^X= diff --git a/kubernetes/charts/weblogic-operator/templates/_domain-namespaces.tpl b/kubernetes/charts/weblogic-operator/templates/_domain-namespaces.tpl index cfc5b8d0d48..08988c28dea 100644 --- a/kubernetes/charts/weblogic-operator/templates/_domain-namespaces.tpl +++ b/kubernetes/charts/weblogic-operator/templates/_domain-namespaces.tpl 
@@ -17,7 +17,7 @@ {{- $args := include "utils.cloneDictionary" . | fromYaml -}} {{- /* Split terms on commas not contained in parentheses. Unfortunately, the regular expression - support included with Helm tempalates does not include lookarounds. + support included with Helm templates does not include lookarounds. */ -}} {{- $working := dict "rejected" (list) "terms" (list $args.domainNamespaceLabelSelector) }} {{- if contains "," $args.domainNamespaceLabelSelector }} diff --git a/kubernetes/charts/weblogic-operator/templates/_operator-role.tpl b/kubernetes/charts/weblogic-operator/templates/_operator-role.tpl index 22cb6a26f7f..cb05180c987 100644 --- a/kubernetes/charts/weblogic-operator/templates/_operator-role.tpl +++ b/kubernetes/charts/weblogic-operator/templates/_operator-role.tpl @@ -12,6 +12,9 @@ metadata: weblogic.operatorName: {{ .Release.Namespace | quote }} rules: - apiGroups: [""] - resources: ["secrets", "configmaps", "events"] + resources: ["secrets", "configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["events"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"] {{- end }} diff --git a/operator/src/main/java/oracle/kubernetes/operator/DomainRecheck.java b/operator/src/main/java/oracle/kubernetes/operator/DomainRecheck.java index a50f595dc68..ad5a7ae5340 100644 --- a/operator/src/main/java/oracle/kubernetes/operator/DomainRecheck.java +++ b/operator/src/main/java/oracle/kubernetes/operator/DomainRecheck.java @@ -10,6 +10,7 @@ import java.util.Objects; import java.util.Optional; import java.util.Set; +import java.util.concurrent.atomic.AtomicBoolean; import java.util.function.Function; import java.util.stream.Collectors; import javax.annotation.Nonnull; 
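Review bot: In `_operator-role.tpl`, the split rules now have to agree with `operatorNamespaceAccessChecks` in `HealthCheckHelper.java`, but nothing in the template records that coupling. That map checks events with `crudOperations` and configmaps and secrets with `glwOperations`. A later edit to either side would produce either spurious verification failures or a Role broader than what the operator verifies. I would add a plain YAML comment above `rules:`, for example `# Operator namespace: secrets/configmaps are read-only; keep in sync with operatorNamespaceAccessChecks in HealthCheckHelper`. It is also worth confirming that `delete` and `deletecollection` on events are needed in the operator's own namespace, since nothing visible in this patch shows what relies on them.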
@@ -17,6 +18,7 @@ import io.kubernetes.client.openapi.models.V1Namespace; import io.kubernetes.client.openapi.models.V1NamespaceList; import io.kubernetes.client.openapi.models.V1ObjectMeta; +import io.kubernetes.client.openapi.models.V1SubjectRulesReviewStatus; import oracle.kubernetes.operator.calls.CallResponse; import oracle.kubernetes.operator.helpers.CallBuilder; import oracle.kubernetes.operator.helpers.EventHelper; @@ -61,11 +63,11 @@ class DomainRecheck { } NamespaceRulesReviewStep createOperatorNamespaceReview() { - return new NamespaceRulesReviewStep(getOperatorNamespace()); + return new NamespaceRulesReviewStep(getOperatorNamespace(), false); } NamespaceRulesReviewStep createNamespaceReview(String namespace) { - return new NamespaceRulesReviewStep(namespace); + return new NamespaceRulesReviewStep(namespace, true); } Step createReadNamespacesStep() { @@ -78,9 +80,11 @@ Step createReadNamespacesStep() { */ class NamespaceRulesReviewStep extends Step { private final String ns; + private final boolean isDomainNamespace; - private NamespaceRulesReviewStep(@Nonnull String ns) { + private NamespaceRulesReviewStep(@Nonnull String ns, boolean isDomainNamespace) { this.ns = ns; + this.isDomainNamespace = isDomainNamespace; } @Override 
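Review bot: The bare `false` and `true` passed to `NamespaceRulesReviewStep` in `createOperatorNamespaceReview()` and `createNamespaceReview()` select which permission set is verified, and a swapped literal would compile without complaint. Naming the argument at the call site makes the intent reviewable, e.g. `return new NamespaceRulesReviewStep(namespace, /* isDomainNamespace= */ true);`, or the flag could become a small enum. The new `isDomainNamespace` field also has no comment; `// true: verify domain-namespace permissions; false: operator-namespace permissions only` would be enough. The `NamespaceRulesReviewStep` class body continues outside these hunks.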
@@ -93,19 +97,24 @@ public NextAction apply(Packet packet) { LoggingContext.LOGGING_CONTEXT_KEY, Component.createFor(new LoggingContext().namespace(ns))); - nss.getRulesReviewStatus().updateAndGet(prev -> { + V1SubjectRulesReviewStatus status = nss.getRulesReviewStatus().updateAndGet(prev -> { if (prev != null) { return prev; } try { - return HealthCheckHelper.getAccessAuthorizations(ns); + return HealthCheckHelper.getSelfSubjectRulesReviewStatus(ns); } catch (Throwable e) { LOGGER.warning(MessageKeys.EXCEPTION, e); } return null; }); + AtomicBoolean guard = isDomainNamespace ? nss.verifiedAsDomainNamespace() : nss.verifiedAsOperatorNamespace(); + if (!guard.getAndSet(true)) { + HealthCheckHelper.verifyAccess(status, ns, isDomainNamespace); + } + return doNext(packet); } diff --git a/operator/src/main/java/oracle/kubernetes/operator/NamespaceStatus.java b/operator/src/main/java/oracle/kubernetes/operator/NamespaceStatus.java index 457bcb6cc84..5443bfd4c5f 100644 --- a/operator/src/main/java/oracle/kubernetes/operator/NamespaceStatus.java +++ b/operator/src/main/java/oracle/kubernetes/operator/NamespaceStatus.java @@ -11,11 +11,21 @@ public class NamespaceStatus { private final AtomicBoolean isNamespaceStarting = new AtomicBoolean(false); private final AtomicReference rulesReviewStatus = new AtomicReference<>(); + private final AtomicBoolean verifiedAsOperatorNamespace = new AtomicBoolean(false); + private final AtomicBoolean verifiedAsDomainNamespace = new AtomicBoolean(false); public AtomicBoolean isNamespaceStarting() { return isNamespaceStarting; } + public AtomicBoolean verifiedAsOperatorNamespace() { + return verifiedAsOperatorNamespace; + } + + public AtomicBoolean verifiedAsDomainNamespace() { + return verifiedAsDomainNamespace; + } + public AtomicReference getRulesReviewStatus() { return rulesReviewStatus; } 
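Review bot: In `apply`, `guard.getAndSet(true)` runs even when `status` is null, which happens after the `catch (Throwable e)` branch or when the review yields no status. The flag is then already set, so a later pass that does obtain a status skips `verifyAccess` and the access verification never runs for this namespace in that role. Set the guard only once there is something to verify: `if (status != null && !guard.getAndSet(true)) {`. That also matches the `@Nonnull` declared on the `status` parameter of `verifyAccess` in `HealthCheckHelper`. `apply` begins above this hunk.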
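Review bot: The two new accessors in `NamespaceStatus` hand out the mutable `AtomicBoolean` with no statement of its contract, while `DomainRecheck` relies on `getAndSet(true)` as a one-shot guard. A short Javadoc on each would record that, e.g. `/** One-shot flag: true once access has been verified for this namespace as a domain namespace. */`. Nothing visible in this patch resets the flags. If the cached rules review is ever cleared to force a recheck, the flags would have to be cleared with it, and the comment should say so.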
diff --git a/operator/src/main/java/oracle/kubernetes/operator/helpers/HealthCheckHelper.java b/operator/src/main/java/oracle/kubernetes/operator/helpers/HealthCheckHelper.java index 34d8fa7c0b8..58d14789552 100644 --- a/operator/src/main/java/oracle/kubernetes/operator/helpers/HealthCheckHelper.java +++ b/operator/src/main/java/oracle/kubernetes/operator/helpers/HealthCheckHelper.java @@ -6,6 +6,7 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.Optional; import javax.annotation.Nonnull; import io.kubernetes.client.openapi.models.V1ResourceRule; @@ -20,15 +21,15 @@ import oracle.kubernetes.operator.logging.LoggingFactory; import oracle.kubernetes.operator.logging.MessageKeys; -import static oracle.kubernetes.operator.helpers.NamespaceHelper.getOperatorNamespace; - /** A Helper Class for checking the health of the WebLogic Operator. */ public final class HealthCheckHelper { private static final LoggingFacade LOGGER = LoggingFactory.getLogger("Operator", "Operator"); private static final Map - namespaceAccessChecks = new HashMap<>(); + domainNamespaceAccessChecks = new HashMap<>(); + private static final Map + operatorNamespaceAccessChecks = new HashMap<>(); private static final Map clusterAccessChecks = new HashMap<>(); 
@@ -84,58 +85,71 @@ public final class HealthCheckHelper { clusterAccessChecks.put(Resource.NAMESPACES, glwOperations); clusterAccessChecks.put(Resource.CRDS, crdOperations); - namespaceAccessChecks.put(Resource.DOMAINS, glwupOperations); - namespaceAccessChecks.put(Resource.DOMAINSTATUSES, glwupOperations); - - namespaceAccessChecks.put(Resource.TOKENREVIEWS, cOperations); - namespaceAccessChecks.put(Resource.SELFSUBJECTRULESREVIEWS, cOperations); + domainNamespaceAccessChecks.put(Resource.DOMAINS, glwupOperations); + domainNamespaceAccessChecks.put(Resource.DOMAINSTATUSES, glwupOperations); - namespaceAccessChecks.put(Resource.SERVICES, crudOperations); - namespaceAccessChecks.put(Resource.CONFIGMAPS, crudOperations); - namespaceAccessChecks.put(Resource.PODS, crudOperations); - namespaceAccessChecks.put(Resource.EVENTS, crudOperations); + domainNamespaceAccessChecks.put(Resource.SELFSUBJECTRULESREVIEWS, cOperations); - namespaceAccessChecks.put(Resource.SECRETS, glwOperations); + domainNamespaceAccessChecks.put(Resource.SERVICES, crudOperations); + domainNamespaceAccessChecks.put(Resource.CONFIGMAPS, crudOperations); + domainNamespaceAccessChecks.put(Resource.PODS, crudOperations); + domainNamespaceAccessChecks.put(Resource.EVENTS, crudOperations); + domainNamespaceAccessChecks.put(Resource.JOBS, crudOperations); + domainNamespaceAccessChecks.put(Resource.SECRETS, glwOperations); - namespaceAccessChecks.put(Resource.LOGS, glOperations); - namespaceAccessChecks.put(Resource.EXEC, cOperations); + domainNamespaceAccessChecks.put(Resource.LOGS, glOperations); + domainNamespaceAccessChecks.put(Resource.EXEC, cOperations); - namespaceAccessChecks.put(Resource.JOBS, crudOperations); + operatorNamespaceAccessChecks.put(Resource.EVENTS, crudOperations); + operatorNamespaceAccessChecks.put(Resource.CONFIGMAPS, glwOperations); + operatorNamespaceAccessChecks.put(Resource.SECRETS, glwOperations); } private HealthCheckHelper() { } /** - * Verify Access. 
+ * Access the self-subject rules review for the namespace. The namespace may be the operator's + * namespace, a domain namespace, or both. * - * @param namespace domain namespace - * @return self subject rules review for the domain namespace + * @param namespace namespace + * @return self-subject rules review for the namespace */ - public static V1SubjectRulesReviewStatus getAccessAuthorizations(@Nonnull String namespace) { - // Validate namespace - if (DEFAULT_NAMESPACE.equals(getOperatorNamespace())) { - LOGGER.fine(MessageKeys.NAMESPACE_IS_DEFAULT); - } + public static V1SubjectRulesReviewStatus getSelfSubjectRulesReviewStatus(@Nonnull String namespace) { + AuthorizationProxy ap = new AuthorizationProxy(); + return Optional.ofNullable(ap.review(namespace)).map(V1SelfSubjectRulesReview::getStatus).orElse(null); + } + /** + * Verify Access. + * + * @param status Self-subject rules review status + * @param namespace Namespace + * @param isDomainNamespace if true, verify domain namespace access; otherwise, verify operator-only namespaces access + */ + public static void verifyAccess(@Nonnull V1SubjectRulesReviewStatus status, @Nonnull String namespace, + boolean isDomainNamespace) { // Validate policies allow service account to perform required operations AuthorizationProxy ap = new AuthorizationProxy(); LOGGER.fine(MessageKeys.VERIFY_ACCESS_START, namespace); - V1SelfSubjectRulesReview review = ap.review(namespace); - if (review != null) { - V1SubjectRulesReviewStatus status = review.getStatus(); + if (status != null) { + List rules = status.getResourceRules(); - if (status != null) { - List rules = status.getResourceRules(); - - for (Resource r : namespaceAccessChecks.keySet()) { - for (Operation op : namespaceAccessChecks.get(r)) { + if (isDomainNamespace) { + for (Resource r : domainNamespaceAccessChecks.keySet()) { + for (Operation op : domainNamespaceAccessChecks.get(r)) { + check(rules, r, op, namespace); + } + } + } else { + for (Resource r : 
operatorNamespaceAccessChecks.keySet()) { + for (Operation op : operatorNamespaceAccessChecks.get(r)) { check(rules, r, op, namespace); } } - if (!Main.isDedicated() && getOperatorNamespace().equals(namespace)) { + if (!Main.isDedicated()) { for (Resource r : clusterAccessChecks.keySet()) { for (Operation op : clusterAccessChecks.get(r)) { check(rules, r, op, namespace); @@ -143,11 +157,7 @@ public static V1SubjectRulesReviewStatus getAccessAuthorizations(@Nonnull String } } } - - return status; } - - return null; } /** diff --git a/operator/src/test/java/oracle/kubernetes/operator/helpers/HealthCheckHelperTest.java b/operator/src/test/java/oracle/kubernetes/operator/helpers/HealthCheckHelperTest.java index f58b081aecf..edf4c2367ef 100644 --- a/operator/src/test/java/oracle/kubernetes/operator/helpers/HealthCheckHelperTest.java +++ b/operator/src/test/java/oracle/kubernetes/operator/helpers/HealthCheckHelperTest.java @@ -116,7 +116,8 @@ public void whenRulesReviewSupported_accessGrantedForEverything() { expectSelfSubjectRulesReview(); for (String ns : TARGET_NAMESPACES) { - HealthCheckHelper.getAccessAuthorizations(ns); + V1SubjectRulesReviewStatus status = HealthCheckHelper.getSelfSubjectRulesReviewStatus(ns); + HealthCheckHelper.verifyAccess(status, ns, true); } } @@ -126,7 +127,8 @@ public void whenRulesReviewSupportedAndNoNamespaceAccess_logWarning() { expectSelfSubjectRulesReview(); for (String ns : TARGET_NAMESPACES) { - HealthCheckHelper.getAccessAuthorizations(ns); + V1SubjectRulesReviewStatus status = HealthCheckHelper.getSelfSubjectRulesReviewStatus(ns); + HealthCheckHelper.verifyAccess(status, ns, true); } assertThat(logRecords, containsWarning(VERIFY_ACCESS_DENIED_WITH_NS)); From 1d6a2f8c4b974f045fa48efc1053ad64a5b2a05e Mon Sep 17 00:00:00 2001 
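Review bot: `verifyAccess` annotates `status` as `@Nonnull` but then tests `if (status != null)`, and for a null status it returns after the `VERIFY_ACCESS_START` message without running a check or logging anything further, so an unreadable rules review looks the same as a pass. Either drop the annotation and document the case, e.g. `@param status self-subject rules review status; when null, no checks are run`, or log the skipped verification at warning level. The local `AuthorizationProxy ap = new AuthorizationProxy();` also appears unused in the visible lines now that `ap.review(namespace)` has moved to `getSelfSubjectRulesReviewStatus`, and can probably be deleted. Separately, `Resource.TOKENREVIEWS` is removed from the domain checks and not added to `operatorNamespaceAccessChecks`; unless `clusterAccessChecks` covers it above this hunk, that permission is no longer verified anywhere.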
From: Ryan Eberhard Date: Thu, 14 Jan 2021 09:37:08 -0500 Subject: [PATCH 2/2] Add unit-test --- .../operator/helpers/HealthCheckHelperTest.java | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/operator/src/test/java/oracle/kubernetes/operator/helpers/HealthCheckHelperTest.java b/operator/src/test/java/oracle/kubernetes/operator/helpers/HealthCheckHelperTest.java index edf4c2367ef..d1d565538d6 100644 --- a/operator/src/test/java/oracle/kubernetes/operator/helpers/HealthCheckHelperTest.java +++ b/operator/src/test/java/oracle/kubernetes/operator/helpers/HealthCheckHelperTest.java @@ -50,6 +50,7 @@ public class HealthCheckHelperTest { private static final String NS1 = "ns1"; private static final String NS2 = "ns2"; + private static final String OPERATOR_NAMESPACE = "op1"; private static final List TARGET_NAMESPACES = Arrays.asList(NS1, NS2); private static final List CRUD_RESOURCES = Arrays.asList( @@ -122,7 +123,7 @@ public void whenRulesReviewSupported_accessGrantedForEverything() { } @Test - public void whenRulesReviewSupportedAndNoNamespaceAccess_logWarning() { + public void whenRulesReviewSupportedAndNoDomainNamespaceAccess_logWarning() { accessChecks.setMayAccessNamespace(false); expectSelfSubjectRulesReview(); @@ -134,6 +135,19 @@ public void whenRulesReviewSupportedAndNoNamespaceAccess_logWarning() { assertThat(logRecords, containsWarning(VERIFY_ACCESS_DENIED_WITH_NS)); } + // HERE + + @Test + public void whenRulesReviewSupportedAndNoOperatorNamespaceAccess_logWarning() { + accessChecks.setMayAccessNamespace(false); + expectSelfSubjectRulesReview(); + + V1SubjectRulesReviewStatus status = HealthCheckHelper.getSelfSubjectRulesReviewStatus(OPERATOR_NAMESPACE); + HealthCheckHelper.verifyAccess(status, OPERATOR_NAMESPACE, false); + + assertThat(logRecords, containsWarning(VERIFY_ACCESS_DENIED_WITH_NS)); + } + private void expectSelfSubjectRulesReview() { testSupport .createCannedResponse("createSelfSubjectRulesReview")
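Review bot: The added `// HERE` line above `whenRulesReviewSupportedAndNoOperatorNamespaceAccess_logWarning` reads like a leftover editing marker and should be removed before merge. The new test covers only the denied case for `isDomainNamespace == false`; a matching access-granted case, and one that passes a null status to `verifyAccess`, would pin the operator-namespace path more fully.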