Optimize LTPA creation and update (#678)

* Add securityUtility binary and decision tree cache

* Pull RCO dependency

* Remove /opt/ol/wlp ref

* Pull RCO dependency

* Update Dockerfile

* Revert operator-sdk update

* Update utils ResourceRequirements

* Resolve linter errors

* Update Dockerfile user 1001

* Update Dockerfile

Author: kabicin

.gitignore

@@ -81,4 +81,5 @@ tags
 .history
 # End of https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
 bin
-vendor
+vendor
+liberty/**

Dockerfile

@@ -2,8 +2,9 @@
 FROM registry.access.redhat.com/ubi8-minimal:latest as builder
 ARG GO_PLATFORM=amd64
 ARG GO_VERSION_ARG
+ARG LIBERTY_VERSION=25.0.0.2
 ENV PATH=$PATH:/usr/local/go/bin
-RUN microdnf install tar gzip
+RUN microdnf install tar gzip unzip
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -16,7 +17,14 @@ RUN if [ -z "${GO_VERSION_ARG}" ]; then \
       GO_VERSION=${GO_VERSION_ARG}; \
     fi; \
     rm -rf /usr/local/go; \
-    curl -L --output - "https://golang.org/dl/go${GO_VERSION}.linux-${GO_PLATFORM}.tar.gz" | tar -xz -C /usr/local/
+    curl -L --output - "https://golang.org/dl/go${GO_VERSION}.linux-${GO_PLATFORM}.tar.gz" | tar -xz -C /usr/local/; \
+    mkdir -p liberty; \
+    curl -L -o liberty.zip "https://repo1.maven.org/maven2/io/openliberty/openliberty-kernel/${LIBERTY_VERSION}/openliberty-kernel-${LIBERTY_VERSION}.zip"; \
+    unzip liberty.zip -d liberty; \
+    mv -f liberty/wlp/* liberty; \
+    rmdir liberty/wlp; \
+    rm -f liberty.zip; \
+    mkdir -p liberty/output;
 
 
 # cache deps before building and copying source so that we don't need to re-download as much
@@ -34,10 +42,10 @@ RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -ldflags="-s -w" -a -o mana
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+FROM icr.io/appcafe/ibm-semeru-runtimes:open-21-jre-ubi-minimal
 
-ARG USER_ID=65532
-ARG GROUP_ID=65532
+ARG USER_ID=1001
+ARG GROUP_ID=1001
 
 ARG VERSION_LABEL=1.4.2
 ARG RELEASE_LABEL=XX
@@ -64,6 +72,7 @@ COPY --chown=${USER_ID}:${GROUP_ID} LICENSE /licenses/
 WORKDIR /
 COPY --from=builder --chown=${USER_ID}:${GROUP_ID} /workspace/manager .
 COPY --from=builder --chown=${USER_ID}:${GROUP_ID} /workspace/internal/controller/assets/ /internal/controller/assets
+COPY --from=builder --chown=${USER_ID}:0 /workspace/liberty /liberty
 
 USER ${USER_ID}:${GROUP_ID}
 

Makefile

@@ -5,6 +5,7 @@
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
 VERSION ?= 1.4.2
 OPERATOR_SDK_RELEASE_VERSION ?= v1.37.0
+LIBERTY_VERSION ?= 25.0.0.2
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable")
@@ -233,9 +234,25 @@ unit-test: ## Run unit tests
 	go test -v -mod=vendor -tags=unit github.com/OpenLiberty/open-liberty-operator/...
 
 .PHONY: run
-run: manifests generate fmt vet ## Run a controller against the configured Kubernetes cluster in ~/.kube/config from your host.
+run: manifests generate fmt vet install-secutil ## Run a controller against the configured Kubernetes cluster in ~/.kube/config from your host.
 	go run ./cmd/main.go
 
+.PHONY: install-secutil
+install-secutil:
+ifneq (found,$(shell test -e ./liberty/bin/securityUtility && echo -n found))
+	@mkdir -p ./liberty
+	@wget -O ./liberty.zip https://repo1.maven.org/maven2/io/openliberty/openliberty-kernel/$(LIBERTY_VERSION)/openliberty-kernel-$(LIBERTY_VERSION).zip
+	@unzip -d ./liberty ./liberty.zip
+	@mv -f ./liberty/wlp/* ./liberty
+	@rmdir ./liberty/wlp
+	@rm ./liberty.zip
+	@mkdir -p ./liberty/output
+	@echo "Liberty securityUtility has been installed!"
+else
+	@mkdir -p ./liberty/output
+	@echo "Liberty securityUtility is already installed!"
+endif 
+
 ##@ Deployment
 
 ifndef ignore-not-found

bundle/manifests/open-liberty.clusterserviceversion.yaml

@@ -1193,12 +1193,19 @@ spec:
                   runAsNonRoot: true
                   seccompProfile:
                     type: RuntimeDefault
+                volumeMounts:
+                - mountPath: /liberty/output
+                  name: scratch
+                  subPath: create-ltpa-keys
               securityContext:
                 runAsNonRoot: true
                 seccompProfile:
                   type: RuntimeDefault
               serviceAccountName: olo-controller-manager
               terminationGracePeriodSeconds: 10
+              volumes:
+              - emptyDir: {}
+                name: scratch
       permissions:
       - rules:
         - apiGroups:

config/manager/manager.yaml

@@ -90,6 +90,13 @@ spec:
           requests:
             cpu: 200m
             memory: 128Mi
+        volumeMounts:
+          - name: scratch
+            mountPath: /liberty/output
+            subPath: create-ltpa-keys
+      volumes:
+        - name: scratch
+          emptyDir: {}
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
       affinity:

internal/controller/liberty_security_utility.go

@@ -0,0 +1,83 @@
+package controller
+
+import (
+	"fmt"
+	"os/exec"
+
+	"github.com/OpenLiberty/open-liberty-operator/utils"
+)
+
+const SECURITY_UTILITY_BINARY = "liberty/bin/securityUtility"
+const SECURITY_UTILITY_ENCODE = "encode"
+const SECURITY_UTILITY_CREATE_LTPA_KEYS = "createLTPAKeys"
+const SECURITY_UTILITY_OUTPUT_FOLDER = "liberty/output"
+
+func encode(password string, passwordKey *string) ([]byte, error) {
+	params := []string{}
+	params = append(params, SECURITY_UTILITY_ENCODE)
+	params = append(params, fmt.Sprintf("--encoding=%s", "aes"))
+	if passwordKey != nil && len(*passwordKey) > 0 {
+		params = append(params, fmt.Sprintf("--key=%s", *passwordKey))
+	}
+	params = append(params, password)
+	return callSecurityUtility(params)
+}
+
+func createLTPAKeys(password string, passwordKey *string) ([]byte, error) {
+	tmpFileName := fmt.Sprintf("ltpa-keys-%s.keys", utils.GetRandomAlphanumeric(15))
+	tmpFilePath := fmt.Sprintf("%s/%s", SECURITY_UTILITY_OUTPUT_FOLDER, tmpFileName)
+
+	// delete possible colliding file
+	callDeleteFile(tmpFilePath)
+
+	// mkdir if not exists
+	// callMkdir(SECURITY_UTILITY_OUTPUT_FOLDER)
+
+	// create the key
+	params := []string{}
+	params = append(params, SECURITY_UTILITY_CREATE_LTPA_KEYS)
+	params = append(params, fmt.Sprintf("--file=%s", tmpFilePath))
+	params = append(params, fmt.Sprintf("--passwordEncoding=%s", "aes")) // use aes encoding
+	if passwordKey != nil && len(*passwordKey) > 0 {
+		params = append(params, fmt.Sprintf("--passwordKey=%s", *passwordKey))
+	}
+	params = append(params, fmt.Sprintf("--password=%s", password))
+	callSecurityUtility(params)
+
+	// read the key
+	params = []string{}
+	params = append(params, "-c")
+	params = append(params, fmt.Sprintf("cat %s | base64", tmpFilePath))
+	bytesOut, err := callCommand("/bin/bash", params)
+
+	// delete the key
+	callDeleteFile(tmpFilePath)
+	return bytesOut, err
+}
+
+// func callMkdir(folderPath string) {
+// 	params := []string{}
+// 	params = append(params, "-c")
+// 	params = append(params, fmt.Sprintf("mkdir -p %s", folderPath))
+// 	callCommand("/bin/bash", params)
+// }
+
+func callDeleteFile(filePath string) {
+	params := []string{}
+	params = append(params, "-c")
+	params = append(params, fmt.Sprintf("rm -f %s", filePath))
+	callCommand("/bin/bash", params)
+}
+
+func callSecurityUtility(params []string) ([]byte, error) {
+	return callCommand(SECURITY_UTILITY_BINARY, params)
+}
+
+func callCommand(binary string, params []string) ([]byte, error) {
+	cmd := exec.Command(binary, params...)
+	stdout, err := cmd.Output()
+	if err != nil {
+		return []byte{}, err
+	}
+	return stdout, nil
+}