The credentials for the WebLogic domain are kept in a Kubernetes Secret where the name of the secret is specified using webLogicCredentialsSecret in the WebLogic Domain resource. Also, the domain credentials secret must be created in the namespace where the Domain will be running.
For an example of a WebLogic domain resource using webLogicCredentialsSecret, see Docker Image Protection.
The samples supplied with the operator use a naming convention that follows the pattern <domainUID>-weblogic-credentials, where <domainUID> is the unique identifier of the domain, for example, domain1-weblogic-credentials.
If the WebLogic domain will be started in domain1-ns and the <domainUID> is domain1, an example of creating a Kubernetes generic secret is as follows:
$ kubectl -n domain1-ns create secret generic domain1-weblogic-credentials \
--from-file=username --from-file=password
$ kubectl -n domain1-ns label secret domain1-weblogic-credentials \
weblogic.domainUID=domain1 weblogic.domainName=domain1
Oracle recommends that you not include unencrypted passwords on command lines. Passwords and other sensitive data can be prompted for or looked up by shell scripts and/or tooling. For more information about creating Kubernetes secrets, see the Kubernetes Secrets documentation.
The operator’s introspector job will expect the secret key names to be:
username
password
For example, here is what results when describing the Kubernetes Secret:
$ kubectl -n domain1-ns describe secret domain1-weblogic-credentials
Name: domain1-weblogic-credentials
Namespace: domain1-ns
Labels: weblogic.domainName=domain1
        weblogic.domainUID=domain1
Annotations: <none>
Type: Opaque
Data
====
password: 8 bytes
username: 8 bytes
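One way to follow the recommendation above and keep the password off the command line, shown as an added example that is not part of the operator's samples: the script prompts for the credentials and pipes a Secret manifest with the expected username and password keys to kubectl. The script name make-creds.sh, the function render_secret, and the choice to default the weblogic.domainName label to the domainUID are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the operator project: create the domain credentials
# Secret without putting the password in argv, shell history, or a file.
set -eu

# render_secret NAMESPACE DOMAIN_UID [DOMAIN_NAME]   (hypothetical helper)
# Reads the username (line 1) and password (line 2) from stdin and prints a
# Secret manifest using the key names the introspector job expects.
render_secret() {
  ns=$1 uid=$2 name=${3:-$2}   # assumption: domainName defaults to domainUID
  IFS= read -r user || true
  IFS= read -r pass || true
  if [ -z "${user:-}" ] || [ -z "${pass:-}" ]; then
    echo "username and password must both be non-empty" >&2
    return 1
  fi
  # printf is a builtin in bash and dash, so the values never reach a process list.
  u64=$(printf '%s' "$user" | base64 | tr -d '\n')
  p64=$(printf '%s' "$pass" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${uid}-weblogic-credentials
  namespace: ${ns}
  labels:
    weblogic.domainUID: ${uid}
    weblogic.domainName: ${name}
type: Opaque
data:
  username: ${u64}
  password: ${p64}
EOF
}

# Interactive use: ./make-creds.sh --apply domain1-ns domain1
if [ "${1:-}" = "--apply" ]; then
  printf 'WebLogic admin username: ' >&2
  IFS= read -r u
  printf 'WebLogic admin password: ' >&2
  trap 'stty echo' EXIT INT        # restore terminal echo even if interrupted
  stty -echo; IFS= read -r p; stty echo; echo >&2
  printf '%s\n%s\n' "$u" "$p" | render_secret "$2" "$3" | kubectl apply -f -
fi
```

The manifest exists only on the pipe to kubectl, so no username or password file is left behind in the working directory.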
The WebLogic domain that the operator manages can have images that are protected in the registry. The imagePullSecrets setting on the Domain can be used to specify the Kubernetes Secret that holds the registry credentials.
For more information, see Docker Image Protection under Domain security.
The Helm chart for installing the operator has an option to specify the image pull secret used for the operator’s image when using a private registry. The Kubernetes Secret of type docker-registry should be created in the namespace where the operator is deployed.
Here is an example of using the helm install command to set the image name and image pull secret:
For Helm 2.x:
$ helm install kubernetes/charts/weblogic-operator \
--set "image=my.io/my-operator-image:1.0" \
--set "imagePullSecrets[0].name=my-operator-image-pull-secret" \
--name my-weblogic-operator --namespace weblogic-operator-ns \
--wait
For Helm 3.x:
$ helm install my-weblogic-operator kubernetes/charts/weblogic-operator \
--set "image=my.io/my-operator-image:1.0" \
--set "imagePullSecrets[0].name=my-operator-image-pull-secret" \
--namespace weblogic-operator-ns \
--wait
For more information, see Install the operator Helm chart under User Guide.
The operator supports embedding macros within configuration override templates that reference Kubernetes secrets. These Kubernetes secrets can be created with any name in the namespace where the Domain will be running. The Kubernetes secret names are specified using configOverrideSecrets in the WebLogic Domain resource.
For more information, see Configuration overrides under User Guide.
The operator can expose an external REST HTTPS interface which can be accessed from outside the Kubernetes cluster. A Kubernetes tls secret is used to hold the certificate(s) and private key.
For more information, see Certificates under Security.
The operator exposes an internal REST HTTPS interface with a self-signed certificate. The certificate is kept in a Kubernetes ConfigMap with the name weblogic-operator-cm using the key internalOperatorCert. The private key is kept in a Kubernetes Secret with the name weblogic-operator-secrets using the key internalOperatorKey.
These Kubernetes objects are managed by the operator’s Helm chart and are part of the namespace where the operator is installed.
For example, to see all the operator’s config maps and secrets when installed into the Kubernetes namespace weblogic-operator-ns, use:
$ kubectl -n weblogic-operator-ns get cm,secret