oracle
diff --git a/‎documentation/domains/Domain.json
Lines changed: 4 additions & 0 deletions b/‎documentation/domains/Domain.json
Lines changed: 4 additions & 0 deletions
diff --git a/‎documentation/domains/Domain.md
Lines changed: 1 addition & 0 deletions b/‎documentation/domains/Domain.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎documentation/site/content/managing-domains/domain-on-pv/usage.md
Lines changed: 16 additions & 0 deletions b/‎documentation/site/content/managing-domains/domain-on-pv/usage.md
Lines changed: 16 additions & 0 deletions
diff --git a/‎integration-tests/src/test/java/oracle/weblogic/domain/InitializeDomainOnPV.java
Lines changed: 20 additions & 3 deletions b/‎integration-tests/src/test/java/oracle/weblogic/domain/InitializeDomainOnPV.java
Lines changed: 20 additions & 3 deletions
diff --git a/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/ItSystemResOverrides.java
Lines changed: 116 additions & 7 deletions b/‎integration-tests/src/test/java/oracle/weblogic/kubernetes/ItSystemResOverrides.java
Lines changed: 116 additions & 7 deletions
@@ -743,6 +743,10 @@
           "description": "An optional field that describes the configuration for creating a PersistentVolumeClaim for `Domain on PV`. PersistentVolumeClaim is a user\u0027s request for and claim to a persistent volume. The operator will perform this one-time create operation only if the persistent volume claim does not already exist. Omit this section if you have manually created a persistent volume claim. If specified, the name must match one of the volumes under `serverPod.volumes` and the domain home must reside in the mount path of the volume using this claim. More info: https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv-initialization#pvc",
           "$ref": "#/definitions/PersistentVolumeClaim"
         },
+        "modelEncryptionPassphraseSecret": {
+          "description": "Specifies the secret name of the WebLogic Deployment Tool encryption passphrase if the WDT models provided in the \u0027domainCreationImages\u0027 or \u0027domainCreationConfigMap\u0027 are encrypted using the WebLogic Deployment Tool \u0027encryptModel\u0027 command. The secret must use the key \u0027passphrase\u0027 containing the actual passphrase for encryption.",
+          "type": "string"
+        },
         "setDefaultSecurityContextFsGroup": {
           "description": "Specifies whether the operator will set the default \u0027fsGroup\u0027 in the introspector job pod security context. This is needed to create the domain home directory on PV in some environments. If the \u0027fsGroup\u0027 is specified as part of \u0027spec.introspector.serverPod.podSecurityContext\u0027, then the operator will use that \u0027fsGroup\u0027 instead of the default \u0027fsGroup\u0027. Defaults to true.",
           "type": "boolean"
 
@@ -244,6 +244,7 @@ The current status of the operation of the WebLogic domain. Updated automaticall
 | Name | Type | Description |
 | --- | --- | --- |
 | `domain` | [Domain On PV](#domain-on-pv) | Describes the configuration for creating an initial WebLogic Domain in persistent volume (`Domain in PV`). The operator will not recreate or update the domain if it already exists. Required. |
+| `modelEncryptionPassphraseSecret` | string | Specifies the secret name of the WebLogic Deployment Tool encryption passphrase if the WDT models provided in the 'domainCreationImages' or 'domainCreationConfigMap' are encrypted using the WebLogic Deployment Tool 'encryptModel' command. The secret must use the key 'passphrase' containing the actual passphrase for encryption. |
 | `persistentVolume` | [Persistent Volume](#persistent-volume) | An optional field that describes the configuration to create a PersistentVolume for `Domain on PV` domain. Omit this section if you have manually created a persistent volume. The operator will perform this one-time create operation only if the persistent volume does not already exist. The operator will not recreate or update the PersistentVolume when it exists. More info: https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv-initialization#pv |
 | `persistentVolumeClaim` | [Persistent Volume Claim](#persistent-volume-claim) | An optional field that describes the configuration for creating a PersistentVolumeClaim for `Domain on PV`. PersistentVolumeClaim is a user's request for and claim to a persistent volume. The operator will perform this one-time create operation only if the persistent volume claim does not already exist. Omit this section if you have manually created a persistent volume claim. If specified, the name must match one of the volumes under `serverPod.volumes` and the domain home must reside in the mount path of the volume using this claim. More info: https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv-initialization#pvc |
 | `runDomainInitContainerAsRoot` | Boolean | Specifies whether the operator will run the domain initialization init container in the introspector job as root. This may be needed in some environments to create the domain home directory on PV. Defaults to false. |
 
@@ -29,6 +29,7 @@ To use this feature, provide the following information:
 - [Domain information](#domain-information) - This describes the domain type and whether the operator should create the RCU schema.
 - [Domain WDT models](#domain-creation-models) - This is where the WDT Home, WDT model, WDT archive, and WDT variables files reside.
 - [Optional WDT models ConfigMap](#optional-wdt-models-configmap) - Optional, WDT model, WDT variables files.
+- [Using WDT model encryption](#using-wdt-model-encryption) - Optional, using WDT model encryption.
 - [Domain resource YAML file]({{< relref "/reference/domain-resource.md">}}) - This is for deploying the domain in WebLogic Kubernetes Operator.
 
 
@@ -113,6 +114,21 @@ those in `domainCreationImages`.
 
 The files inside this ConfigMap must have file extensions, `.yaml`, `.properties`, or `.zip`.
 
+#### Using WDT model encryption
+
+Starting in WebLogic Kubernetes Operator version 4.2.16.  If the provided WDT models are encrypted using the WDT `encryptModel`
+command.  You can specify the encryption passphrase as a secret in the domain resource YAML. WDT will use the value in the
+secret to decrypt the models for domain creation.
+
+```yaml
+   initializeDomainOnPV:
+      modelEncryptionPassphraseSecret: model-encryption-secret
+```
+
+The secret must have a key `passphrase` containing the value of the WDT encryption passphrase used to encrypt the models.
+
+`kubectl create secret generic model-encrypion-secret --from-literal=passphrase=<encryption passphrase value>`
+
 #### Volumes and VolumeMounts information
 
 You must provide the `volumes` and `volumeMounts` information in `domain.spec.serverPod`. This allows the pod to mount the persistent
 
@@ -51,6 +51,13 @@ public class InitializeDomainOnPV {
       + " If the 'fsGroup' is specified as part of 'spec.introspector.serverPod.podSecurityContext', then the operator"
       + " will use that 'fsGroup' instead of the default 'fsGroup'. Defaults to true.")
   public Boolean setDefaultSecurityContextFsGroup;
+  
+  @ApiModelProperty("Specifies the secret name of the WebLogic Deployment Tool encryption passphrase if the WDT models "
+      + "provided in the 'domainCreationImages' or 'domainCreationConfigMap' are encrypted using the "
+      + "WebLogic Deployment Tool 'encryptModel' command. "
+      + "The secret must use the key 'passphrase' containing the actual passphrase for encryption.")
+  public String modelEncryptionPassphraseSecret;
+  
 
   public PersistentVolume getPersistentVolume() {
     return persistentVolume;
@@ -105,6 +112,15 @@ public InitializeDomainOnPV setDefaultFsGroup(Boolean setDefaultFsGroup) {
     this.setDefaultSecurityContextFsGroup = setDefaultFsGroup;
     return this;
   }
+  
+  public String getModelEncryptionPassphraseSecret() {
+    return modelEncryptionPassphraseSecret;
+  }
+
+  public InitializeDomainOnPV modelEncryptionPassphraseSecret(String modelEncryptionPassphraseSecret) {
+    this.modelEncryptionPassphraseSecret = modelEncryptionPassphraseSecret;
+    return this;
+  }  
 
   @Override
   public String toString() {
@@ -138,12 +154,13 @@ public boolean equals(Object other) {
     }
 
     InitializeDomainOnPV rhs = ((InitializeDomainOnPV) other);
-    EqualsBuilder builder =
-        new EqualsBuilder()
+    EqualsBuilder builder
+        = new EqualsBuilder()
             .append(persistentVolume, rhs.persistentVolume)
             .append(persistentVolumeClaim, rhs.persistentVolumeClaim)
             .append(domain, rhs.domain)
-            .append(waitForPvcToBind, rhs.waitForPvcToBind);
+            .append(waitForPvcToBind, rhs.waitForPvcToBind)
+            .append(modelEncryptionPassphraseSecret, rhs.modelEncryptionPassphraseSecret);
 
     return builder.isEquals();
   }
 
@@ -4,8 +4,11 @@
 package oracle.weblogic.kubernetes;
 
 import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.time.OffsetDateTime;
@@ -15,7 +18,9 @@
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.concurrent.Callable;
+import java.util.stream.Collectors;
 
 import io.kubernetes.client.custom.Quantity;
 import io.kubernetes.client.custom.V1Patch;
@@ -24,6 +29,7 @@
 import io.kubernetes.client.openapi.models.V1LocalObjectReference;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.openapi.models.V1PersistentVolumeClaimVolumeSource;
+import io.kubernetes.client.openapi.models.V1Secret;
 import io.kubernetes.client.openapi.models.V1Volume;
 import io.kubernetes.client.openapi.models.V1VolumeMount;
 import oracle.weblogic.domain.AdminServer;
@@ -38,6 +44,8 @@
 import oracle.weblogic.domain.DomainResource;
 import oracle.weblogic.domain.DomainSpec;
 import oracle.weblogic.domain.ServerPod;
+import oracle.weblogic.kubernetes.actions.impl.primitive.Command;
+import oracle.weblogic.kubernetes.actions.impl.primitive.CommandParams;
 import oracle.weblogic.kubernetes.actions.impl.primitive.WitParams;
 import oracle.weblogic.kubernetes.annotations.IntegrationTest;
 import oracle.weblogic.kubernetes.annotations.Namespaces;
@@ -59,19 +67,25 @@
 import static oracle.weblogic.kubernetes.TestConstants.IMAGE_PULL_POLICY;
 import static oracle.weblogic.kubernetes.TestConstants.K8S_NODEPORT_HOST;
 import static oracle.weblogic.kubernetes.TestConstants.OKE_CLUSTER;
+import static oracle.weblogic.kubernetes.TestConstants.RESULTS_ROOT;
+import static oracle.weblogic.kubernetes.TestConstants.RESULTS_TEMPFILE;
 import static oracle.weblogic.kubernetes.TestConstants.TRAEFIK_INGRESS_HTTP_HOSTPORT;
 import static oracle.weblogic.kubernetes.TestConstants.WEBLOGIC_IMAGE_TAG_DEFAULT;
 import static oracle.weblogic.kubernetes.TestConstants.WEBLOGIC_IMAGE_TO_USE_IN_SPEC;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.APP_DIR;
+import static oracle.weblogic.kubernetes.actions.ActionConstants.DOWNLOAD_DIR;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.MODEL_DIR;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.RESOURCE_DIR;
+import static oracle.weblogic.kubernetes.actions.ActionConstants.WDT_DOWNLOAD_URL;
+import static oracle.weblogic.kubernetes.actions.TestActions.createSecret;
 import static oracle.weblogic.kubernetes.actions.TestActions.getNextIntrospectVersion;
 import static oracle.weblogic.kubernetes.actions.TestActions.getServiceNodePort;
 import static oracle.weblogic.kubernetes.actions.TestActions.getServicePort;
 import static oracle.weblogic.kubernetes.actions.TestActions.shutdownDomain;
 import static oracle.weblogic.kubernetes.actions.TestActions.startDomain;
 import static oracle.weblogic.kubernetes.actions.impl.Domain.patchDomainCustomResource;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.podStateNotChanged;
+import static oracle.weblogic.kubernetes.assertions.TestAssertions.secretExists;
 import static oracle.weblogic.kubernetes.utils.ApplicationUtils.verifyAdminServerRESTAccess;
 import static oracle.weblogic.kubernetes.utils.AuxiliaryImageUtils.createAndPushAuxiliaryImage;
 import static oracle.weblogic.kubernetes.utils.BuildApplication.buildApplication;
@@ -91,7 +105,6 @@
 import static oracle.weblogic.kubernetes.utils.ConfigMapUtils.createConfigMapFromFiles;
 import static oracle.weblogic.kubernetes.utils.DeployUtil.deployUsingWlst;
 import static oracle.weblogic.kubernetes.utils.DomainUtils.createDomainAndVerify;
-import static oracle.weblogic.kubernetes.utils.FileUtils.createWdtPropertyFile;
 import static oracle.weblogic.kubernetes.utils.FmwUtils.getConfiguration;
 import static oracle.weblogic.kubernetes.utils.ImageUtils.createBaseRepoSecret;
 import static oracle.weblogic.kubernetes.utils.JobUtils.createDomainJob;
@@ -152,6 +165,10 @@ class ItSystemResOverrides {
   static Path sitconfigAppPath;
   String overridecm = "configoverride-cm";
   LinkedHashMap<String, OffsetDateTime> podTimestamps;
+  
+  private static Path encryptModelScript;
+  private static final String passPhrase = "encryptPA55word";
+  private static final String encryptionSecret = "model-encryption-secret";
 
   private static LoggingFacade logger = null;
 
@@ -166,7 +183,7 @@ class ItSystemResOverrides {
    * @param namespaces injected by JUnit
    */
   @BeforeAll
-  public void initAll(@Namespaces(2) List<String> namespaces) {
+  public void initAll(@Namespaces(2) List<String> namespaces) throws IOException {
     logger = getLogger();
 
     logger.info("Assign a unique namespace for operator");
@@ -175,6 +192,9 @@ public void initAll(@Namespaces(2) List<String> namespaces) {
     logger.info("Assign a unique namespace for domain namspace");
     assertNotNull(namespaces.get(1), "Namespace is null");
     domainNamespace = namespaces.get(1);
+    
+    logger.info("installing WebLogic Deploy Tool");
+    downloadAndInstallWDT();
 
     // install operator and verify its running in ready state
     installAndVerifyOperator(opNamespace, domainNamespace);
@@ -391,7 +411,7 @@ private void verifyIntrospectorRuns() {
   }
 
   //create a standard WebLogic domain.
-  private void createDomain() {
+  private void createDomain() throws IOException {
     String uniqueDomainHome = "/shared/" + domainNamespace + "/domains/";
 
     // create pull secrets for WebLogic image when running in non Kind Kubernetes cluster
@@ -404,8 +424,17 @@ private void createDomain() {
     final String wlsModelFilePrefix = "sitconfig-dci-model";
     final String wlsModelFile = wlsModelFilePrefix + ".yaml";
     t3ChannelPort = getNextFreePort();
+    logger.info("Create WDT property file");
     File wlsModelPropFile = createWdtPropertyFile(wlsModelFilePrefix,
         K8S_NODEPORT_HOST, t3ChannelPort);
+    logger.info("Create WDT passphrase file"); 
+    File passphraseFile = createPassphraseFile(passPhrase);    
+    logger.info("Run encruptModel.sh script to encrypt clear text password in property file");    
+    encryptModel(encryptModelScript,
+        Path.of(MODEL_DIR, wlsModelFile),
+        wlsModelPropFile.toPath(), passphraseFile.toPath());
+    createSecretWithUsernamePassword(wlSecretName, opNamespace, clusterName, passPhrase);
+    createEncryptionSecret(encryptionSecret, domainNamespace);
 
     // create domainCreationImage
     String domainCreationImageName = DOMAIN_IMAGES_PREFIX + "wls-domain-on-pv-image";
@@ -437,10 +466,12 @@ private void createDomain() {
       configuration = getConfiguration(pvName, pvcName, pvCapacity, pvcRequest, storageClassName,
           ItSystemResOverrides.class.getSimpleName());
     }
-    configuration.getInitializeDomainOnPV().domain(new DomainOnPV()
-        .createMode(CreateIfNotExists.DOMAIN)
-        .domainCreationImages(Collections.singletonList(domainCreationImage))
-        .domainType(DomainOnPVType.WLS));
+    configuration.getInitializeDomainOnPV()
+        .modelEncryptionPassphraseSecret(encryptionSecret)
+        .domain(new DomainOnPV()
+            .createMode(CreateIfNotExists.DOMAIN)
+            .domainCreationImages(Collections.singletonList(domainCreationImage))
+            .domainType(DomainOnPVType.WLS));
     configuration.overrideDistributionStrategy("Dynamic");
 
     // create secrets
@@ -628,4 +659,82 @@ private void restartDomain() {
       checkPodReadyAndServiceExists(managedServerPodNamePrefix + i, domainUid, domainNamespace);
     }
   }
+  
+  public static File createWdtPropertyFile(String wlsModelFilePrefix, String nodePortHost, int t3Port) {
+    // create property file used with domain model file
+    Properties p = new Properties();
+    p.setProperty("WebLogicAdminUserName", ADMIN_USERNAME_DEFAULT);
+    p.setProperty("WebLogicAdminPassword", ADMIN_PASSWORD_DEFAULT);
+    p.setProperty("K8S_NODEPORT_HOST", nodePortHost);
+    p.setProperty("T3_CHANNEL_PORT", Integer.toString(t3Port));
+
+    // create a model property file
+    File domainPropertiesFile = assertDoesNotThrow(() ->
+            File.createTempFile(wlsModelFilePrefix, ".properties", new File(RESULTS_TEMPFILE)),
+        "Failed to create WLS model properties file");
+
+    // create the property file
+    assertDoesNotThrow(() ->
+            p.store(new FileOutputStream(domainPropertiesFile), "WLS properties file"),
+        "Failed to write WLS properties file");
+
+    return domainPropertiesFile;
+  }
+  
+  private static void downloadAndInstallWDT() throws IOException {
+    String wdtUrl = WDT_DOWNLOAD_URL + "/download/weblogic-deploy.zip";
+    Path destLocation = Path.of(DOWNLOAD_DIR, "wdt", "weblogic-deploy.zip");
+    encryptModelScript = Path.of(DOWNLOAD_DIR, "wdt", "weblogic-deploy", "bin", "encryptModel.sh");
+    if (!Files.exists(destLocation) && !Files.exists(encryptModelScript)) {
+      logger.info("Downloading WDT to {0}", destLocation);
+      Files.createDirectories(destLocation.getParent());
+      OracleHttpClient.downloadFile(wdtUrl, destLocation.toString(), null, null, 3);
+      String cmd = "cd " + destLocation.getParent() + ";unzip " + destLocation;
+      assertTrue(Command.withParams(new CommandParams().command(cmd)).execute(), "unzip command failed");
+    }
+    assertTrue(Files.exists(encryptModelScript), "could not find createDomain.sh script");
+  }
+  
+  private static File createPassphraseFile(String passPhrase) throws IOException {
+    // create pass phrase file used with domain model file
+    File passphraseFile = assertDoesNotThrow(()
+        -> File.createTempFile("passphrase", ".txt", new File(RESULTS_TEMPFILE)),
+        "Failed to create WLS model encrypt passphrase file");
+    Files.write(passphraseFile.toPath(), passPhrase.getBytes(StandardCharsets.UTF_8));
+    logger.info("passphrase file contents {0}", Files.readString(passphraseFile.toPath()));
+    return passphraseFile;
+  }
+  
+  private static void encryptModel(Path encryptModelScript, Path modelFile,
+      Path propertyFile, Path passphraseFile) throws IOException {
+    Path mwHome = Path.of(RESULTS_ROOT, "mwhome");
+    logger.info("Encrypting property file containing the secrets {0}", propertyFile.toString());
+    List<String> command = List.of(
+        encryptModelScript.toString(),
+        "-oracle_home", mwHome.toString(),
+        "-model_file", modelFile.toString(),
+        "-variable_file", propertyFile.toString(),
+        "-passphrase_file", passphraseFile.toString()
+    );
+    logger.info("running {0}", command);
+    assertTrue(Command.withParams(new CommandParams()
+        .command(command.stream().collect(Collectors.joining(" ")))).execute(),
+        "encryptModel.sh command failed");
+    logger.info("Encrypted passphrase file contents {0}", Files.readString(propertyFile));
+  }
+  
+  public static void createEncryptionSecret(String secretName, String namespace) {
+    Map<String, String> secretMap = new HashMap<>();
+    secretMap.put("passphrase", passPhrase);
+
+    if (!secretExists(secretName, namespace)) {
+      boolean secretCreated = assertDoesNotThrow(() -> createSecret(new V1Secret()
+          .metadata(new V1ObjectMeta()
+              .name(secretName)
+              .namespace(namespace))
+          .stringData(secretMap)), "Create secret failed with ApiException");
+
+      assertTrue(secretCreated, String.format("create secret failed for %s", secretName));
+    }
+  }
 }