Password encryption and multi resource sharing (#611)

* Add resource sharing impl. * Add suffixes to LTPA Role/RoleBinding * Update Role/RoleBinding ref * Remove ownerReference from mirrored password encryption key * Update ltpa_keys_sharing.go * Remove /tree folder and early status/annotation update * Prevent resource deletion in finalizer, revert 1.3.3 operand version * Remove annotations/refs when resource sharing is off * Switch to rand/v2 package for suffix generation * Update tree_test.go * Remove ownerReference on LTPA Job and ConfigMap * Rebase on k8s-128 (#608) * Set resource tracker to autodetect operand version * Remove unused param * Update bundle manifests
OpenLiberty · Aug 30, 2024 · 1efc67f · 1efc67f
1 parent 8838700
commit 1efc67f
Show file tree

Hide file tree

Showing 35 changed files with 4,601 additions and 434 deletions.
diff --git a/api/v1/openlibertyapplication_types.go b/api/v1/openlibertyapplication_types.go
@@ -54,102 +54,106 @@ type OpenLibertyApplicationSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:order=8,type=spec,displayName="Expose",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	Expose *bool `json:"expose,omitempty"`
 
+	// Enable management of password encryption key sharing amongst Liberty containers. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=9,type=spec,displayName="Manage Password Encryption",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	ManagePasswordEncryption *bool `json:"managePasswordEncryption,omitempty"`
+
 	// Enable management of LTPA key sharing amongst Liberty containers. Defaults to false.
-	// +operator-sdk:csv:customresourcedefinitions:order=9,type=spec,displayName="Manage LTPA",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	// +operator-sdk:csv:customresourcedefinitions:order=10,type=spec,displayName="Manage LTPA",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	ManageLTPA *bool `json:"manageLTPA,omitempty"`
 
 	// Enable management of TLS certificates. Defaults to true.
-	// +operator-sdk:csv:customresourcedefinitions:order=10,type=spec,displayName="Manage TLS",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	// +operator-sdk:csv:customresourcedefinitions:order=11,type=spec,displayName="Manage TLS",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	ManageTLS *bool `json:"manageTLS,omitempty"`
 
 	// Number of pods to create. Defaults to 1. Not applicable when .spec.autoscaling or .spec.createKnativeService is specified.
-	// +operator-sdk:csv:customresourcedefinitions:order=11,type=spec,displayName="Replicas",xDescriptors="urn:alm:descriptor:com.tectonic.ui:podCount"
+	// +operator-sdk:csv:customresourcedefinitions:order=12,type=spec,displayName="Replicas",xDescriptors="urn:alm:descriptor:com.tectonic.ui:podCount"
 	Replicas *int32 `json:"replicas,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=12,type=spec,displayName="Auto Scaling"
+	// +operator-sdk:csv:customresourcedefinitions:order=13,type=spec,displayName="Auto Scaling"
 	Autoscaling *OpenLibertyApplicationAutoScaling `json:"autoscaling,omitempty"`
 
 	// Resource requests and limits for the application container.
-	// +operator-sdk:csv:customresourcedefinitions:order=13,type=spec,displayName="Resource Requirements",xDescriptors="urn:alm:descriptor:com.tectonic.ui:resourceRequirements"
+	// +operator-sdk:csv:customresourcedefinitions:order=14,type=spec,displayName="Resource Requirements",xDescriptors="urn:alm:descriptor:com.tectonic.ui:resourceRequirements"
 	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=14,type=spec,displayName="Probes"
+	// +operator-sdk:csv:customresourcedefinitions:order=15,type=spec,displayName="Probes"
 	Probes *OpenLibertyApplicationProbes `json:"probes,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=15,type=spec,displayName="Deployment"
+	// +operator-sdk:csv:customresourcedefinitions:order=16,type=spec,displayName="Deployment"
 	Deployment *OpenLibertyApplicationDeployment `json:"deployment,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=16,type=spec,displayName="StatefulSet"
+	// +operator-sdk:csv:customresourcedefinitions:order=17,type=spec,displayName="StatefulSet"
 	StatefulSet *OpenLibertyApplicationStatefulSet `json:"statefulSet,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=17,type=spec,displayName="Service"
+	// +operator-sdk:csv:customresourcedefinitions:order=18,type=spec,displayName="Service"
 	Service *OpenLibertyApplicationService `json:"service,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=18,type=spec,displayName="Route"
+	// +operator-sdk:csv:customresourcedefinitions:order=19,type=spec,displayName="Route"
 	Route *OpenLibertyApplicationRoute `json:"route,omitempty"`
 
 	// Configures the Semeru Cloud Compiler to handle Just-In-Time (JIT) compilation requests from the application.
-	// +operator-sdk:csv:customresourcedefinitions:order=19,type=spec,displayName="Semeru Cloud Compiler"
+	// +operator-sdk:csv:customresourcedefinitions:order=20,type=spec,displayName="Semeru Cloud Compiler"
 	SemeruCloudCompiler *OpenLibertyApplicationSemeruCloudCompiler `json:"semeruCloudCompiler,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=20,type=spec,displayName="Network Policy"
+	// +operator-sdk:csv:customresourcedefinitions:order=21,type=spec,displayName="Network Policy"
 	NetworkPolicy *OpenLibertyApplicationNetworkPolicy `json:"networkPolicy,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=21,type=spec,displayName="Serviceability"
+	// +operator-sdk:csv:customresourcedefinitions:order=22,type=spec,displayName="Serviceability"
 	Serviceability *OpenLibertyApplicationServiceability `json:"serviceability,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=22,type=spec,displayName="Single Sign-On"
+	// +operator-sdk:csv:customresourcedefinitions:order=23,type=spec,displayName="Single Sign-On"
 	SSO *OpenLibertyApplicationSSO `json:"sso,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=23,type=spec,displayName="Monitoring"
+	// +operator-sdk:csv:customresourcedefinitions:order=24,type=spec,displayName="Monitoring"
 	Monitoring *OpenLibertyApplicationMonitoring `json:"monitoring,omitempty"`
 
 	// An array of environment variables for the application container.
 	// +listType=map
 	// +listMapKey=name
-	// +operator-sdk:csv:customresourcedefinitions:order=24,type=spec,displayName="Environment Variables"
+	// +operator-sdk:csv:customresourcedefinitions:order=25,type=spec,displayName="Environment Variables"
 	Env []corev1.EnvVar `json:"env,omitempty"`
 
 	// List of sources to populate environment variables in the application container.
 	// +listType=atomic
-	// +operator-sdk:csv:customresourcedefinitions:order=25,type=spec,displayName="Environment Variables from Sources"
+	// +operator-sdk:csv:customresourcedefinitions:order=26,type=spec,displayName="Environment Variables from Sources"
 	EnvFrom []corev1.EnvFromSource `json:"envFrom,omitempty"`
 
 	// Represents a volume with data that is accessible to the application container.
 	// +listType=map
 	// +listMapKey=name
-	// +operator-sdk:csv:customresourcedefinitions:order=26,type=spec,displayName="Volumes"
+	// +operator-sdk:csv:customresourcedefinitions:order=27,type=spec,displayName="Volumes"
 	Volumes []corev1.Volume `json:"volumes,omitempty"`
 
 	// Represents where to mount the volumes into the application container.
 	// +listType=atomic
-	// +operator-sdk:csv:customresourcedefinitions:order=27,type=spec,displayName="Volume Mounts"
+	// +operator-sdk:csv:customresourcedefinitions:order=28,type=spec,displayName="Volume Mounts"
 	VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty"`
 
 	// List of containers to run before other containers in a pod.
 	// +listType=map
 	// +listMapKey=name
-	// +operator-sdk:csv:customresourcedefinitions:order=28,type=spec,displayName="Init Containers"
+	// +operator-sdk:csv:customresourcedefinitions:order=29,type=spec,displayName="Init Containers"
 	InitContainers []corev1.Container `json:"initContainers,omitempty"`
 
 	// List of sidecar containers. These are additional containers to be added to the pods.
 	// +listType=map
 	// +listMapKey=name
-	// +operator-sdk:csv:customresourcedefinitions:order=29,type=spec,displayName="Sidecar Containers"
+	// +operator-sdk:csv:customresourcedefinitions:order=30,type=spec,displayName="Sidecar Containers"
 	SidecarContainers []corev1.Container `json:"sidecarContainers,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=30,type=spec,displayName="Affinity"
+	// +operator-sdk:csv:customresourcedefinitions:order=31,type=spec,displayName="Affinity"
 	Affinity *OpenLibertyApplicationAffinity `json:"affinity,omitempty"`
 
 	// Security context for the application container.
-	// +operator-sdk:csv:customresourcedefinitions:order=31,type=spec,displayName="Security Context"
+	// +operator-sdk:csv:customresourcedefinitions:order=32,type=spec,displayName="Security Context"
 	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 
-	// +operator-sdk:csv:customresourcedefinitions:order=32,type=spec,displayName="Topology Spread Constraints"
+	// +operator-sdk:csv:customresourcedefinitions:order=33,type=spec,displayName="Topology Spread Constraints"
 	TopologySpreadConstraints *OpenLibertyApplicationTopologySpreadConstraints `json:"topologySpreadConstraints,omitempty"`
 
 	// Disable information about services being injected into the application pod's environment variables. Default to false.
-	// +operator-sdk:csv:customresourcedefinitions:order=33,type=spec,displayName="Disable Service Links",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	// +operator-sdk:csv:customresourcedefinitions:order=34,type=spec,displayName="Disable Service Links",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	DisableServiceLinks *bool `json:"disableServiceLinks,omitempty"`
 
 	// Tolerations to be added to application pods. Tolerations allow the scheduler to schedule pods on nodes with matching taints.
@@ -769,6 +773,11 @@ func (cr *OpenLibertyApplication) GetExpose() *bool {
 	return cr.Spec.Expose
 }
 
+// GetManagePasswordEncryption returns the Password Encryption key sharing status
+func (cr *OpenLibertyApplication) GetManagePasswordEncryption() *bool {
+	return cr.Spec.ManagePasswordEncryption
+}
+
 // GetManageLTPA returns the LTPA key sharing status
 func (cr *OpenLibertyApplication) GetManageLTPA() *bool {
 	return cr.Spec.ManageLTPA

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/apps.openliberty.io_openlibertyapplications.yaml b/bundle/manifests/apps.openliberty.io_openlibertyapplications.yaml
@@ -2515,6 +2515,10 @@ spec:
                 description: Enable management of LTPA key sharing amongst Liberty
                   containers. Defaults to false.
                 type: boolean
+              managePasswordEncryption:
+                description: Enable management of password encryption key sharing
+                  amongst Liberty containers. Defaults to false.
+                type: boolean
               manageTLS:
                 description: Enable management of TLS certificates. Defaults to true.
                 type: boolean

diff --git a/bundle/manifests/open-liberty.clusterserviceversion.yaml b/bundle/manifests/open-liberty.clusterserviceversion.yaml
@@ -287,10 +287,10 @@ spec:
       - description: Specifies one or more scopes to request.
         displayName: Scope
         path: sso.oidc[0].scope
-      - description: Enable management of LTPA key sharing amongst Liberty containers.
-          Defaults to false.
-        displayName: Manage LTPA
-        path: manageLTPA
+      - description: Enable management of password encryption key sharing amongst
+          Liberty containers. Defaults to false.
+        displayName: Manage Password Encryption
+        path: managePasswordEncryption
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: The port exposed by the container.
@@ -301,9 +301,10 @@ spec:
       - description: Specifies the required authentication method.
         displayName: Token Endpoint Auth Method
         path: sso.oidc[0].tokenEndpointAuthMethod
-      - description: Enable management of TLS certificates. Defaults to true.
-        displayName: Manage TLS
-        path: manageTLS
+      - description: Enable management of LTPA key sharing amongst Liberty containers.
+          Defaults to false.
+        displayName: Manage LTPA
+        path: manageLTPA
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - displayName: Service Type
@@ -316,29 +317,29 @@ spec:
         path: sso.oidc[0].hostNameVerificationEnabled
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-      - description: Number of pods to create. Defaults to 1. Not applicable when
-          .spec.autoscaling or .spec.createKnativeService is specified.
-        displayName: Replicas
-        path: replicas
+      - description: Enable management of TLS certificates. Defaults to true.
+        displayName: Manage TLS
+        path: manageTLS
         x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:podCount
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Node proxies this port into your service.
         displayName: Node Port
         path: service.nodePort
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:number
-      - displayName: Auto Scaling
-        path: autoscaling
+      - description: Number of pods to create. Defaults to 1. Not applicable when
+          .spec.autoscaling or .spec.createKnativeService is specified.
+        displayName: Replicas
+        path: replicas
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:podCount
       - description: The name for the port exposed by the container.
         displayName: Port Name
         path: service.portName
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-      - description: Resource requests and limits for the application container.
-        displayName: Resource Requirements
-        path: resources
-        x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - displayName: Auto Scaling
+        path: autoscaling
       - description: Annotations to be added to the service.
         displayName: Service Annotations
         path: service.annotations
@@ -349,104 +350,109 @@ spec:
         path: service.certificate.annotations
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-      - displayName: Probes
-        path: probes
+      - description: Resource requests and limits for the application container.
+        displayName: Resource Requirements
+        path: resources
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
       - description: The port that the operator assigns to containers inside pods.
           Defaults to the value of .spec.service.port.
         displayName: Target Port
         path: service.targetPort
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:number
-      - displayName: Deployment
-        path: deployment
+      - displayName: Probes
+        path: probes
       - description: 'A name of a secret that already contains TLS key, certificate
           and CA to be mounted in the pod. The following keys are valid in the secret:
           ca.crt, tls.crt, and tls.key.'
         displayName: Certificate Secret Reference
         path: service.certificateSecretRef
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - displayName: Deployment
+        path: deployment
       - description: Configure service certificate.
         displayName: Service Certificate
         path: service.certificate
+      - description: An array consisting of service ports.
+        displayName: Ports
+        path: service.ports
       - displayName: StatefulSet
         path: statefulSet
       - displayName: Service
         path: service
-      - description: An array consisting of service ports.
-        displayName: Ports
-        path: service.ports
-      - displayName: Route
-        path: route
       - description: Expose the application as a bindable service. Defaults to false.
         displayName: Bindable
         path: service.bindable
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: Route
+        path: route
       - description: Configures the Semeru Cloud Compiler to handle Just-In-Time (JIT)
           compilation requests from the application.
         displayName: Semeru Cloud Compiler
         path: semeruCloudCompiler
-      - displayName: Network Policy
-        path: networkPolicy
       - description: Specifies the strategy to replace old deployment pods with new
           pods.
         displayName: Deployment Update Strategy
         path: deployment.updateStrategy
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:updateStrategy
+      - displayName: Network Policy
+        path: networkPolicy
       - displayName: Serviceability
         path: serviceability
       - displayName: Single Sign-On
         path: sso
-      - displayName: Monitoring
-        path: monitoring
       - description: Specifies the strategy to replace old StatefulSet pods with new
           pods.
         displayName: StatefulSet Update Strategy
         path: statefulSet.updateStrategy
+      - displayName: Monitoring
+        path: monitoring
+      - displayName: Storage
+        path: statefulSet.storage
       - description: An array of environment variables for the application container.
         displayName: Environment Variables
         path: env
-      - displayName: Storage
-        path: statefulSet.storage
-      - description: List of sources to populate environment variables in the application
-          container.
-        displayName: Environment Variables from Sources
-        path: envFrom
       - description: A convenient field to set the size of the persisted storage.
         displayName: Storage Size
         path: statefulSet.storage.size
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: List of sources to populate environment variables in the application
+          container.
+        displayName: Environment Variables from Sources
+        path: envFrom
       - description: A convenient field to request the storage class of the persisted
           storage. The name can not be specified or updated after the storage is created.
         displayName: Storage Class Name
         path: statefulSet.storage.className
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-      - description: Represents a volume with data that is accessible to the application
-          container.
-        displayName: Volumes
-        path: volumes
       - description: The directory inside the container where this persisted storage
           will be bound to.
         displayName: Storage Mount Path
         path: statefulSet.storage.mountPath
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-      - description: Represents where to mount the volumes into the application container.
-        displayName: Volume Mounts
-        path: volumeMounts
-      - description: List of containers to run before other containers in a pod.
-        displayName: Init Containers
-        path: initContainers
+      - description: Represents a volume with data that is accessible to the application
+          container.
+        displayName: Volumes
+        path: volumes
       - description: A YAML object that represents a volumeClaimTemplate component
           of a StatefulSet.
         displayName: Storage Volume Claim Template
         path: statefulSet.storage.volumeClaimTemplate
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:PersistentVolumeClaim
+      - description: Represents where to mount the volumes into the application container.
+        displayName: Volume Mounts
+        path: volumeMounts
+      - description: List of containers to run before other containers in a pod.
+        displayName: Init Containers
+        path: initContainers
       - description: List of sidecar containers. These are additional containers to
           be added to the pods.
         displayName: Sidecar Containers