Disable REST endpoint by default (#3958)

* Disable REST endpoint by default

Author: rjeberhard

documentation/4.0/content/managing-domains/domain-lifecycle/scaling.md

@@ -228,6 +228,10 @@ operations on a cluster. These policies monitor one or more types of WebLogic Se
 in a policy is met, the policy is triggered, and the corresponding scaling action is executed.  The WebLogic Kubernetes Operator project provides a shell script, [`scalingAction.sh`](https://github.com/oracle/weblogic-kubernetes-operator/blob/{{< latestMinorVersion >}}/operator/scripts/scaling/scalingAction.sh),
 for use as a Script Action, which illustrates how to issue a request to the operator’s REST endpoint.
 
+{{% notice note %}}
+Beginning with operator version 4.0.5, the operator's REST endpoint is disabled by default. Install the operator with the Helm install option `--set "enableRest=true"` to enable the REST endpoint.
+{{% /notice %}}
+
 ##### Configure automatic scaling of WebLogic clusters in Kubernetes with WLDF
 The following steps are provided as a guideline on how to configure a WLDF Policy and Script Action component for issuing scaling requests to the operator's REST endpoint:
 

documentation/4.0/content/managing-operators/the-rest-api.md

@@ -15,6 +15,10 @@ or for getting certain aspects of a domain's status (for example, instead of cal
 You also can use the REST API as an alternative approach for initiating scaling operations
 (instead of using the Kubernetes API or command line to alter a domain resource's `replicas` values).
 
+{{% notice note %}}
+Beginning with operator version 4.0.5, the operator's REST endpoint is disabled by default. Install the operator with the Helm install option `--set "enableRest=true"` to enable the REST endpoint.
+{{% /notice %}}
+
 ### Configure the operator's external REST HTTPS interface
 
 The operator can expose an external REST HTTPS interface which can be accessed from outside the Kubernetes cluster. As with the operator's internal REST interface, the external REST interface requires an SSL/TLS certificate and private key that the operator will use as the identity of the external REST interface.

documentation/4.0/content/managing-operators/using-helm.md

@@ -493,8 +493,16 @@ The REST interface configuration options are advanced settings for configuring t
 
 For usage information, see the operator [REST Services]({{<relref "/managing-operators/the-rest-api.md">}}).
 
+##### `enableRest`
+Determines whether the operator's REST endpoint is enabled.
+
+Beginning with operator version 4.0.5, the operator's REST endpoint is disabled by default.
+
+Defaults to `false`.
+
 ##### `externalRestEnabled`
-Determines whether the operator's REST interface will be exposed outside the Kubernetes cluster using a node port.
+Determines whether the operator's REST interface will be exposed outside the Kubernetes cluster using a node port. This
+value is ignored if `enableRest` is not `true`.
 
 See also `externalRestHttpsPort` for customizing the port number.
 

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItDiagnosticsCompleteAvailableCondition.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2022, Oracle and/or its affiliates.
+// Copyright (c) 2022, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.kubernetes;
@@ -33,7 +33,7 @@
 import static oracle.weblogic.kubernetes.actions.TestActions.getServiceNodePort;
 import static oracle.weblogic.kubernetes.actions.TestActions.imageTag;
 import static oracle.weblogic.kubernetes.actions.TestActions.patchClusterCustomResource;
-import static oracle.weblogic.kubernetes.actions.TestActions.scaleClusterWithRestApi;
+import static oracle.weblogic.kubernetes.actions.TestActions.scaleCluster;
 import static oracle.weblogic.kubernetes.actions.impl.Domain.patchDomainCustomResource;
 import static oracle.weblogic.kubernetes.assertions.TestAssertions.verifyRollingRestartOccurred;
 import static oracle.weblogic.kubernetes.utils.CommonMiiTestUtils.createMiiDomainAndVerify;
@@ -43,8 +43,6 @@
 import static oracle.weblogic.kubernetes.utils.DomainUtils.verifyDomainStatusConditionTypeDoesNotExist;
 import static oracle.weblogic.kubernetes.utils.ImageUtils.createBaseRepoSecret;
 import static oracle.weblogic.kubernetes.utils.ImageUtils.imageRepoLoginAndPushImageToRegistry;
-import static oracle.weblogic.kubernetes.utils.OKDUtils.createRouteForOKD;
-import static oracle.weblogic.kubernetes.utils.OKDUtils.setTlsTerminationForRoute;
 import static oracle.weblogic.kubernetes.utils.OperatorUtils.installAndVerifyOperator;
 import static oracle.weblogic.kubernetes.utils.PodUtils.checkPodDoesNotExist;
 import static oracle.weblogic.kubernetes.utils.PodUtils.getPodCreationTime;
@@ -107,13 +105,6 @@ public static void initAll(@Namespaces(2) List<String> namespaces) {
     installAndVerifyOperator(opNamespace, opServiceAccount, true, 0, domainNamespace1);
     externalRestHttpsPort = getServiceNodePort(opNamespace, "external-weblogic-operator-svc");
 
-    // This test uses the operator restAPI to scale the domain. To do this in OKD cluster,
-    // we need to expose the external service as route and set tls termination to  passthrough
-    logger.info("Create a route for the operator external service - only for OKD");
-    createRouteForOKD("external-weblogic-operator-svc", opNamespace);
-    // Patch the route just created to set tls termination to passthrough
-    setTlsTerminationForRoute("external-weblogic-operator-svc", opNamespace);
-
     // create pull secrets for WebLogic image when running in non Kind Kubernetes cluster
     // this secret is used only for non-kind cluster
     createBaseRepoSecret(domainNamespace1);
@@ -512,7 +503,7 @@ void testCompleteAvailableConditionWithScaleUpDownCluster() {
     // scale down the cluster
     int newReplicaCount = 1;
     assertDoesNotThrow(() ->
-        scaleClusterWithRestApi(domainUid, cluster1Name, 1, externalRestHttpsPort, opNamespace, opServiceAccount));
+        scaleCluster(clusterResName, domainNamespace1, 1));
 
     // verify the admin server service exists
     checkPodReadyAndServiceExists(adminServerPodName, domainUid, domainNamespace1);
@@ -544,7 +535,7 @@ void testCompleteAvailableConditionWithScaleUpDownCluster() {
     // scale up the cluster
     newReplicaCount = 2;
     assertDoesNotThrow(() ->
-        scaleClusterWithRestApi(domainUid, cluster1Name, 2, externalRestHttpsPort, opNamespace, opServiceAccount));
+        scaleCluster(clusterResName, domainNamespace1, 2));
 
     // verify the admin server service exists
     checkPodReadyAndServiceExists(adminServerPodName, domainUid, domainNamespace1);

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItKubernetesDomainEvents.java

@@ -61,7 +61,7 @@
 import static oracle.weblogic.kubernetes.actions.TestActions.getServiceNodePort;
 import static oracle.weblogic.kubernetes.actions.TestActions.getServicePort;
 import static oracle.weblogic.kubernetes.actions.TestActions.now;
-import static oracle.weblogic.kubernetes.actions.TestActions.scaleClusterWithRestApi;
+import static oracle.weblogic.kubernetes.actions.TestActions.scaleCluster;
 import static oracle.weblogic.kubernetes.actions.TestActions.shutdownDomain;
 import static oracle.weblogic.kubernetes.actions.impl.Cluster.listClusterCustomResources;
 import static oracle.weblogic.kubernetes.actions.impl.Domain.patchDomainCustomResource;
@@ -70,7 +70,6 @@
 import static oracle.weblogic.kubernetes.utils.ClusterUtils.createClusterResource;
 import static oracle.weblogic.kubernetes.utils.ClusterUtils.createClusterResourceAndAddReferenceToDomain;
 import static oracle.weblogic.kubernetes.utils.ClusterUtils.removeReplicasSettingAndVerify;
-import static oracle.weblogic.kubernetes.utils.ClusterUtils.scaleCluster;
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.checkPodReadyAndServiceExists;
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.checkServiceExists;
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.getNextFreePort;
@@ -104,8 +103,6 @@
 import static oracle.weblogic.kubernetes.utils.K8sEvents.checkDomainFailedEventWithReason;
 import static oracle.weblogic.kubernetes.utils.K8sEvents.getDomainEventCount;
 import static oracle.weblogic.kubernetes.utils.K8sEvents.getOpGeneratedEventCount;
-import static oracle.weblogic.kubernetes.utils.OKDUtils.createRouteForOKD;
-import static oracle.weblogic.kubernetes.utils.OKDUtils.setTlsTerminationForRoute;
 import static oracle.weblogic.kubernetes.utils.OperatorUtils.installAndVerifyOperator;
 import static oracle.weblogic.kubernetes.utils.PatchDomainUtils.patchDomainResource;
 import static oracle.weblogic.kubernetes.utils.PersistentVolumeUtils.createPV;
@@ -162,6 +159,7 @@ class ItKubernetesDomainEvents {
   static String managedServerPodNamePrefix = domainUid + "-" + managedServerNameBase;
   static final int managedServerPort = 8001;
   static int replicaCount = 2;
+  String clusterRes2Name = cluster2Name;
   String clusterRes1Name = cluster1Name;
 
   static final String pvName1 = getUniqueName(domainUid + "-pv-");
@@ -219,13 +217,6 @@ public static void initAll(@Namespaces(6) List<String> namespaces) {
             domainNamespace4, domainNamespace5);
     externalRestHttpsPort = getServiceNodePort(opNamespace, "external-weblogic-operator-svc");
 
-    // This test uses the operator restAPI to scale the domain. To do this in OKD cluster,
-    // we need to expose the external service as route and set tls termination to  passthrough
-    logger.info("Create a route for the operator external service - only for OKD");
-    String opExternalSvc = createRouteForOKD("external-weblogic-operator-svc", opNamespace);
-    // Patch the route just created to set tls termination to passthrough
-    setTlsTerminationForRoute("external-weblogic-operator-svc", opNamespace);
-
     createDomain(domainNamespace3, domainUid, pvName3, pvcName3);
   }
 
@@ -394,8 +385,7 @@ void testK8SEventsMultiClusterEvents() {
     createNewCluster();
     OffsetDateTime timestamp2 = now();
     logger.info("Scale the newly-added cluster");
-    scaleClusterWithRestApi(domainUid, cluster2Name, 1,
-            externalRestHttpsPort, opNamespace, opServiceAccount);
+    scaleCluster(clusterRes2Name, domainNamespace3, 1);
     logger.info("verify the Domain_Available event is generated");
     checkEvent(opNamespace, domainNamespace3, domainUid,
             DOMAIN_AVAILABLE, "Normal", timestamp);

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItManageNameSpace.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2022, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.kubernetes;
@@ -52,7 +52,7 @@
 import static oracle.weblogic.kubernetes.actions.TestActions.deleteNamespace;
 import static oracle.weblogic.kubernetes.actions.TestActions.deleteSecret;
 import static oracle.weblogic.kubernetes.actions.TestActions.getServiceNodePort;
-import static oracle.weblogic.kubernetes.actions.TestActions.scaleClusterWithRestApi;
+import static oracle.weblogic.kubernetes.actions.TestActions.scaleCluster;
 import static oracle.weblogic.kubernetes.actions.TestActions.uninstallOperator;
 import static oracle.weblogic.kubernetes.utils.CleanupUtil.deleteNamespacedArtifacts;
 import static oracle.weblogic.kubernetes.utils.ClusterUtils.createClusterResourceAndAddReferenceToDomain;
@@ -249,13 +249,7 @@ void testNameSpaceManageByRegularExpression() {
     //verify domain is started
     createSecrets(manageByLabelNS);
     assertTrue(createDomainResourceAndVerifyDomainIsRunning(manageByLabelNS,manageByLabelDomainUid));
-    checkOperatorCanScaleDomain(opNamespaces[1],manageByLabelDomainUid);
-
-    //check operator can't manage anymore manageByExp1NS
-    assertTrue(isOperatorFailedToScaleDomain(opNamespaces[1], manageByExpDomain1Uid,
-        manageByExp1NS), "Operator can still manage domain "
-        + manageByExp1NS + " in the namespace " + manageByExp1NS);
-
+    checkOperatorCanScaleDomain(manageByLabelNS, manageByLabelDomainUid);
   }
 
   /**
@@ -299,7 +293,7 @@ void testNameSpaceManagedByLabelSelector() {
         "Failed to create domain CRD or "
         + "verify that domain " + domainsUid[1]
         + " is running in namespace " + domainNamespaces[1]);
-    checkOperatorCanScaleDomain(opNamespaces[0], domainsUid[1]);
+    checkOperatorCanScaleDomain(domainNamespaces[1], domainsUid[1]);
 
     //check that with specific Selector default namespace is not under operator management
     checkDomainNotStartedInDefaultNS();
@@ -325,11 +319,7 @@ void testNameSpaceManagedByLabelSelector() {
     //verify domain is started in namespace with name starting with weblogic* and operator can scale it.
     createSecrets(manageByExpDomainNS);
     assertTrue(createDomainResourceAndVerifyDomainIsRunning(manageByExpDomainNS,manageByExpDomainUid));
-    checkOperatorCanScaleDomain(opNamespaces[0],manageByExpDomainUid);
-    //verify operator can't manage anymore domain running in the namespace with label
-    assertTrue(isOperatorFailedToScaleDomain(opNamespaces[0], domainsUid[0], domainNamespaces[0]),
-        "Operator can still manage domain "
-            + domainsUid[0] + " in the namespace " + domainNamespaces[0]);
+    checkOperatorCanScaleDomain(manageByExpDomainNS, manageByExpDomainUid);
 
     checkUpgradeFailedToAddNSManagedByAnotherOperator();
   }
@@ -374,7 +364,7 @@ void testNameSpaceWithOperatorRbacFalse() {
 
     assertTrue(upgradeAndVerifyOperator(opNamespaces[3], opParams));
     assertTrue(createDomainResourceAndVerifyDomainIsRunning(manageByLabelDomainNS, manageByLabelDomainUid));
-    checkOperatorCanScaleDomain(opNamespaces[3], manageByLabelDomainUid);
+    checkOperatorCanScaleDomain(manageByLabelDomainNS, manageByLabelDomainUid);
   }
 
   private void checkUpgradeFailedToAddNSManagedByAnotherOperator() {
@@ -411,7 +401,7 @@ private HelmParams installAndVerifyOperatorCanManageDomainBySelector(Map<String,
           createSecrets(domainNS);
           assertTrue(createDomainResourceAndVerifyDomainIsRunning(domainNS, domainUid),
               "can't start or verify domain in namespace " + domainNS);
-          checkOperatorCanScaleDomain(opNamespace, domainUid);
+          checkOperatorCanScaleDomain(domainNS, domainUid);
         }
     );
     if (domainNamespacesValue != null) {
@@ -429,15 +419,13 @@ private HelmParams installAndVerifyOperatorCanManageDomainBySelector(Map<String,
     return opHelmParam;
   }
 
-  private boolean isOperatorFailedToScaleDomain(String opNamespace, String domainUid, String domainNamespace) {
+  private boolean isOperatorFailedToScaleDomain(String domainUid, String domainNamespace) {
     try {
       //check operator can't manage domainNamespace by trying to scale domain
-      int externalRestHttpsPort = getServiceNodePort(opNamespace, "external-weblogic-operator-svc");
       String managedServerPodNamePrefix = domainUid + "-managed-server";
-      String opServiceAccount = OPERATOR_RELEASE_NAME + "-sa";
       scaleAndVerifyCluster("cluster-1", domainUid, domainNamespace,
           managedServerPodNamePrefix, 2, 1,
-          true, externalRestHttpsPort, opNamespace, opServiceAccount,
+          false, 0, null, null,
           false, "", "scaleDown", 1, "", "", null, null);
       return false;
     } catch (TimeoutException ex) {
@@ -454,10 +442,8 @@ private static void setLabelToNamespace(String domainNS, Map<String, String> lab
     assertDoesNotThrow(() -> Kubernetes.replaceNamespace(namespaceObject1));
   }
 
-  private void checkOperatorCanScaleDomain(String opNamespace, String domainUid) {
-    int externalRestHttpsPort = getServiceNodePort(opNamespace, "external-weblogic-operator-svc");
-    assertTrue(scaleClusterWithRestApi(domainUid, clusterName, 3,
-        externalRestHttpsPort, opNamespace, OPERATOR_RELEASE_NAME + "-sa"),
+  private void checkOperatorCanScaleDomain(String domainNamespace, String domainUid) {
+    assertTrue(scaleCluster(domainUid + "-" +  clusterName, domainNamespace, 3),
         "Domain " + domainUid + " scaling operation failed");
   }