Fix mii wdt filterpy #2379
Fix mii wdt filterpy #2379
Conversation
…tio generated nap wil l have no default and failed validation
|
General comment #1: Does introspectDomain.py have a similar issue? |
|
General comment #2: IIRC, the default behavior changes based on whether security is enabled for the domain. Is that applicable here? |
No, introspectDomain.py still use the config override which reads config.xml and replace with real value. Mii no longer use config overrides. |
The change is for user not providing listenPort and/or ssl listenPort when it is enabled which causes the injected nap with no value - that becomes 0 which is not valid. |
| # Set the default if it is not provided to avoid nap default to 0 which fails validation. | ||
|
|
||
| if admin_server_port is None: | ||
| admin_server_port = 7001 |
There was a problem hiding this comment.
What happens if the domain is in SecuredMode?
There was a problem hiding this comment.
istio won't work with secure mode yet
There was a problem hiding this comment.
Oh! That seems like an issue. Do we have a JIRA to complete that support? I'd like to resolve that gap before the Verrazzano team hits it.
There was a problem hiding this comment.
@ddsharpe @jshum2479, what would be the correct behavior for secure mode? Does this "None" check let us differentiate between when the customer has left it blank or if the admin server's default port is disabled because of secure mode?
There was a problem hiding this comment.
Note: the filter code already have provision to setup the ssl port if the secure mode is enabled (line 423).
But, ultimately it will not work in istio environment.
- whenever admin port (same for secure mode) is enabled, the readiness probe /weblogic/ready is treated as management function because it started with /weblogic and it must be accessed directly read-address:adminport and not proxied it through localhost:adminport
- Istio always proxy it through unless there is annotation to forbid the rewrite the port traffic (essentially take it out of the mesh).
- operator current implementation always use the plain readiness port in the domain spec, while it can be fixed in PodStepContext but it won't fix (2).
There was a problem hiding this comment.
As for the correct behavior, I am not sure what's the correct behavior. If secure mode is enabled, does it mean regular listen port is disabled?
There was a problem hiding this comment.
There was a problem hiding this comment.
So the core should automatically disabled the listenPort. The question is whether the operator needs to do anything special about it. I suggest creating another issue to handle secure mode as I suspect there maybe issue in non-istio case. This PR is for missing listenPort only. For adminport/secure mode it's a dead end for istio for now.
We need to set the default listenPort/ssl listenPort if one is not provided, otherwise the istio nap injected will use 0 for the port, resulting in validation error during introspection.