Prepare for operator 3.3.2

Author: rjeberhard

documentation/3.3/content/_index.md

@@ -31,7 +31,7 @@ using the operator to deploy and run a WebLogic domain container-packaged web ap
 #### Current production release
 
 The [current release of the operator](https://github.com/oracle/weblogic-kubernetes-operator/releases) is 3.3.2.
-This release was published on September 1, 2021. See the [operator prerequisites]({{< relref "/userguide/prerequisites/introduction.md" >}}) and [supported environments]({{< relref "/userguide/platforms/environments.md" >}}).
+This release was published on September 24, 2021. See the [operator prerequisites]({{< relref "/userguide/prerequisites/introduction.md" >}}) and [supported environments]({{< relref "/userguide/platforms/environments.md" >}}).
 
 ***
 

documentation/3.3/content/faq/external-clients.md

@@ -547,6 +547,8 @@ please see [Meet Kubernetes resource name restrictions]({{< relref "/userguide/m
 
 - You can configure a custom channel with a secure protocol and two-way SSL to help prevent external access by unwanted applications. See [When is a WebLogic custom channel needed?](#when-is-a-weblogic-custom-channel-needed).
 
+- For a detailed description of external network access security, see [External network access security]({{< relref "/security/domain-security/weblogic-channels.md" >}}).
+
 #### Optional reading
 
 - For a description of the WebLogic URL syntax for JMS, EJB, and JNDI applications

documentation/3.3/content/faq/security-validation.md

@@ -21,3 +21,8 @@ Warnings may be at the level of the JDK, or that SSL is not enabled. Some warnin
 - For Domain in Image, create a new image with the recommended changes or use [configuration overrides]({{< relref "/userguide/managing-domains/configoverrides/_index.md" >}}).
 
 - For Model in Image, supply model files with the recommended changes in its image's `modelHome` directory or use [runtime updates]({{< relref "/userguide/managing-domains/model-in-image/runtime-updates.md" >}}).
+
+{{% notice note %}}
+For information about handling file permission warnings on the OpenShift Kubernetes Platform, see the [OpenShift chapter]({{<relref "/security/openshift.md">}}) in the Security section.
+{{% /notice %}}
+

documentation/3.3/content/release-notes.md

@@ -8,7 +8,7 @@ draft: false
 
 | Date | Version | Introduces backward incompatibilities? | Change |
 | --- | --- | --- | --- |
-| September 1, 2021 | v3.3.2 | no | Enhanced liveness and readiness probe customization to support customizing failure thresholds. |
+| September 24, 2021 | v3.3.2 | no | Istio 1.10 support, enhanced liveness and readiness probe customization to support customizing failure thresholds, and additional validations. |
 | August 23, 2021 | v3.3.1 | no | Resolved an issue related to managed Coherence cluster formation when using Istio and another issue related to Secret and ConfigMap validation. |
 | July 20, 2021 | v3.3.0 | no | Auxiliary image support. |
 | June 21, 2021 | v3.2.5 | no | Updated Oracle Linux libraries and resolved an issue related to repeated introspection. |
@@ -47,7 +47,11 @@ draft: false
 
 #### Operator 3.3.2
 
+* Support for the networking changes included with Istio 1.10 ([#2538](https://github.com/oracle/weblogic-kubernetes-operator/pull/2538)).
+* Support for accessing the WebLogic Server Administration Console through `kubectl port-forward` ([#2520](https://github.com/oracle/weblogic-kubernetes-operator/pull/2520)).
+* Prevent insecure file system warnings related to the "umask 027" requirement ([#2533](https://github.com/oracle/weblogic-kubernetes-operator/pull/2533)).
 * Enhanced [liveness and readiness probe customization](https://oracle.github.io/weblogic-kubernetes-operator/userguide/managing-domains/domain-lifecycle/liveness-readiness-probe-customization/) to support customizing failure thresholds ([#2521](https://github.com/oracle/weblogic-kubernetes-operator/pull/2521)).
+* Additional validation for container port names and WebLogic Network Access Point (NAP) names that will be used as container ports ([#2542](https://github.com/oracle/weblogic-kubernetes-operator/pull/2542)).
 
 #### Operator 3.3.1
 

documentation/3.3/content/security/domain-security/weblogic-channels.md

@@ -1,21 +1,90 @@
 ---
-title: "Channels"
+title: "External network access security"
 date: 2019-03-08T19:07:36-05:00
 weight: 2
-description: "WebLogic channels"
+description: "Remote access security"
 ---
 
-#### WebLogic T3 channels
+#### WebLogic T3 and administrative channels
 
 {{% notice warning %}}
 Oracle recommends _not_ exposing any administrative, RMI, or T3 channels outside the Kubernetes cluster
-unless absolutely necessary. If exposing any of these channels, limit access using
-controls like security lists or set up a Bastion to provide access.
+unless absolutely necessary.
 {{% /notice %}}
 
-When accessing T3 or RMI based channels, the preferred approach is to `kubectl exec` into
-the Kubernetes Pod and then run `wlst`, or set up Bastion access and then run
-`wlst` from the Bastion host to connect to the Kubernetes cluster.
+If exposing an administrative, RMI, EJB, JMS, or T3 capable
+channel using a load balancer,
+port forwarding, `NodePorts`, or similar,
+then limit access by using a custom
+dedicated WebLogic Server port that you have configured
+with the T3 or administration protocol (a network access point)
+instead of relaying the traffic to a default port,
+leverage two-way SSL, use controls like security lists,
+and/or set up a Bastion to provide access. A custom channel
+is preferred over a default channel because a default port supports
+multiple protocols.
 
-Also, consider a private VPN if you need use cross-domain T3 access
-between clouds, data centers, and such.
+When accessing T3 or RMI based channels for administrative purposes,
+such as running WLST, the preferred approach is to `kubectl exec` into
+the Kubernetes Pod and then run `wlst.sh`, or set up Bastion access and then run
+`java weblogic.WLST` or `$ORACLE_HOME/oracle_common/common/bin/wlst.sh`
+from the Bastion host to connect to the Kubernetes cluster
+(some cloud environments use the term Jump Host or Jump Server instead of Bastion).
+
+Also, if you need to use cross-domain T3 access
+between clouds, data centers, and such, consider a private VPN.
+
+#### WebLogic HTTP channels
+
+When providing remote access to HTTP using a load balancer,
+port forwarding, `NodePorts`, or similar,
+Oracle recommends relaying the traffic to a dedicated
+WebLogic Server port that you have configured
+using a custom HTTP channel (network access point)
+instead of relaying the traffic to a default port.
+This helps ensure that external
+traffic is limited to the HTTP protocol. A custom HTTP channel
+is preferred over a default port because a default port supports
+multiple protocols.
+
+Do not enable tunneling on an HTTP channel
+that is exposed for remote access unless you specifically
+intend to allow it to handle T3 traffic
+(tunneling allows T3 to tunnel through the channel using HTTP)
+and you perform the additional steps that may be necessary
+to further secure access, as described
+in [WebLogic T3 and administrative channels](#weblogic-t3-and-administrative-channels).
+
+#### Limit use of Kubernetes NodePorts
+
+Although Kubernetes `NodePorts` are good for use in demos and getting-started guides,
+they are typically not suited for production systems for multiple reasons, including:
+
+- With some cloud providers, a `NodePort` may implicitly expose a port to the public Internet.
+- They bypass almost all network security in Kubernetes.
+- They allow all protocols (load balancers can limit to the HTTP protocol).
+- They cannot expose standard, low-numbered ports like 80 and 443 (or even 8080 and 8443).
+- Some Kubernetes cloud environments cannot expose usable `NodePorts` because their Kubernetes clusters run on a private network that cannot be reached by external clients.
+
+#### General advice
+
+1. _Set up administration ports_: Configure an administration port on WebLogic, or an administrative channel, to prevent
+   all other channels from accepting administration-privileged traffic
+   (this includes preventing administration-privileged traffic from a WebLogic console over HTTP).
+
+1. _Be aware of anonymous defaults_:
+   If an externally available port supports a protocol suitable for WebLogic
+   JNDI, EJB/RMI, or JMS clients,
+   then note that _by default_:
+   - WebLogic enables anonymous users to access such a port.
+   - JNDI entries, EJB/RMI applications, and JMS are open to anonymous users.
+
+1. _Configure SSL_:
+   You can configure two-way SSL to help prevent external access by unwanted applications
+   (often SSL is setup between the caller and the load balancer, and plain-text
+   traffic flows internally from the load balancer to WebLogic).
+
+#### See also
+
+- [External WebLogic clients]({{< relref "/faq/external-clients.md" >}})
+- [Remote Console, Administration Console, WLST, and Port Forwarding access]({{< relref "/userguide/managing-domains/accessing-the-domain/_index.md" >}})

documentation/3.3/content/security/openshift.md

@@ -116,3 +116,6 @@ see [OpenShift]({{<relref  "/userguide/platforms/environments#openshift">}}).
 #### Using a dedicated namespace
 
 When the user that installs an individual instance of the operator does not have the required privileges to create resources at the Kubernetes cluster level, a dedicated namespace can be used for the operator instance and all the WebLogic domains that it manages. For more details about the `dedicated` setting, please refer to [Operator Helm configuration values]({{< relref "/userguide/managing-operators/using-helm#operator-helm-configuration-values" >}}).
+
+#### Set the Helm chart property `kubernetesPlatorm` to `OpenShift`
+Beginning with operator version 3.3.2, set the operator `kubernetesPlatform` Helm chart property to `OpenShift`. This property accommodates OpenShift security requirements. For more information, see [Operator Helm configuration values]({{<relref "/userguide/managing-operators/using-helm#operator-helm-configuration-values">}}).

documentation/3.3/content/userguide/istio/istio.md

@@ -142,6 +142,38 @@ If the WebLogic administration port is enabled on the Administration Server:
 Additionally, when Istio support is enabled for a domain, the operator
 ensures that the Istio sidecar is not injected into the introspector job's pods.
 
+#### Support for network changes in Istio v1.10 and later
+ 
+Starting with Istio 1.10, the networking behavior was changed in that the proxy no longer redirects 
+the traffic to the localhost interface, but instead forwards it to the network interface associated
+with the pod's IP.  
+
+To learn more about changes to Istio networking beginning with Istio 1.10, see [Upcoming networking changes in Istio 1.10](https://istio.io/latest/blog/2021/upcoming-networking-changes/).
+
+In order to support Istio v1.10 and later, as well as previous releases, the
+operator will:
+    
+* Add an additional WebLogic HTTP protocol network channel for the readiness probe that is bound to the localhost network interface.
+* Add additional WebLogic network channels, bound to the localhost network interface, for each defined custom network channel.  
+* Continue to automatically add the network channels described above in [How Istio-enabled domains differ from regular domains](#how-istio-enabled-domains-differ-from-regular-domains)
+
+When adding additional WebLogic network channels for the readiness probe and any defined custom channels,
+the name of the additional channel will be appended with '-lhNN', where NN represents
+a two digit value for uniqueness.
+
+For example, the additional WebLogic HTTP protocol network channel for the readiness probe would be
+defined as follows:
+
+|Name|Port|Listening address|Protocol|Exposed as a container port|
+|----|----|----|--------|-----|
+|`http-probe-lh01`|From configuration Istio `readinessPort` | `127.0.0.1` | `http`| No |
+
+As another example, for a custom WebLogic network channel defined as `T3Channel` with port `5556`
+and protocol `t3`, the additional channel would be defined as follows: 
+
+|Name|Port|Listening address|Protocol|Exposed as a container port|
+|----|----|----|--------|-----|
+|`T3Channel-lh01`| `5556` | `127.0.0.1` | `t3`| Yes |
 
 ### Apply the Domain YAML file
 

documentation/3.3/content/userguide/managing-domains/accessing-the-domain/admin-console.md

@@ -7,6 +7,7 @@ description: "Use the WebLogic Remote Console to manage a domain running in Kube
 ---
 
 The WebLogic Remote Console is a lightweight, open source console that does not need to be collocated with a WebLogic Server domain.
+It is an _alternative_ to the WebLogic Server Administration Console.
 You can install and run the Remote Console anywhere. For an introduction, read the blog, ["The NEW WebLogic Remote Console"](https://blogs.oracle.com/weblogicserver/new-weblogic-server-remote-console).
 For detailed documentation, see the [WebLogic Remote Console](https://github.com/oracle/weblogic-remote-console) GitHub project.
 
@@ -16,13 +17,20 @@ or [OSDC](https://edelivery.oracle.com/osdc/faces/Home.jspx;jsessionid=LchBX6sgz
 Slim installers reduce the size of WebLogic Server downloads, installations, container images, and Kubernetes pods.
 For example, a WebLogic Server 12.2.1.4 slim installer download is approximately 180 MB smaller.
 
-
 The Remote Console is deployed as a standalone Java program, which can connect to multiple WebLogic Server Administration Servers using REST APIs.
 You connect to the Remote Console and, when prompted, supply the WebLogic Server login credentials
 along with the URL of the WebLogic Server Administration Server's administration port to which you want to connect.
 
 **Note**:  An Administration Server administration port typically is the same as its default port unless either an SSL port or an administration port is configured and enabled.
 
+{{% notice warning %}}
+Externally exposing administrative, RMI, or T3 capable WebLogic channels
+using a Kubernetes `NodePort`, load balancer,
+port forwarding, or a similar method can create an insecure configuration.
+For more information, see [External network access security]({{<relref "/security/domain-security/weblogic-channels.md">}}).
+{{% /notice %}}
+
+
 ### Setup
 
 To set up access to WebLogic Server domains running in Kubernetes using the Remote Console:
@@ -32,29 +40,31 @@ To set up access to WebLogic Server domains running in Kubernetes using the Remo
    **NOTE**: These instructions assume that you are installing and running the Remote Console Java program externally to your Kubernetes cluster.
 
 1. When you first connect your browser to the Remote Console, which is at `http://localhost:8012` by default, the console will prompt you with a login dialog for a WebLogic Server Administration Server URL. To give the Remote Console access to an Administration Server running in Kubernetes, you can:
-
    * Use an [Administration Server `NodePort`](#use-an-administration-server-nodeport).
 
    * Deploy a load balancer with [ingress path routing rules](#configure-ingress-path-routing-rules).
 
+   * [Use a `kubectl port-forward` connection](#use-a-kubectl-port-forward-connection).
+
+   **Note**: If you want to customize the Remote Console listen address,
+     then see [Specify a Listen Address for the Remote Console Host](https://github.com/oracle/weblogic-remote-console/blob/master/site/install_config.md#remote). This is useful if you want to run the Remote Console
+     on a different machine than your browser, or if you want the Remote Console to use SSL.
+
 
 #### Use an Administration Server `NodePort`
 
-For the Remote Console to connect to the Kubernetes WebLogic Server Administration Server’s `NodePort`, use the URL:
+For the Remote Console to connect to the Kubernetes WebLogic Server Administration Server’s `NodePort`, use the following URL after you have connected to the Remote Console
+with your browser and it
+prompts for the location of your WebLogic Server Administration Server:
 
 ```
 http://hostname:adminserver-NodePort/
 ```
 
 The `adminserver-NodePort` is the port number of the Administration Server outside the Kubernetes cluster.
 For information about the `NodePort` Service on an Administration Server, see the [Domain resource](https://github.com/oracle/weblogic-kubernetes-operator/blob/main/documentation/domains/Domain.md) document.
-
-{{% notice warning %}}
-Exposing administrative, RMI, or T3 capable channels using a Kubernetes `NodePort`
-can create an insecure configuration. In general, only HTTP protocols should be made available externally and this exposure
-is usually accomplished by setting up an external load balancer that can access internal (non-`NodePort`) services.
-For more information, see [T3 channels]({{<relref "/security/domain-security/weblogic-channels#weblogic-t3-channels">}}).
-{{% /notice %}}
+For an example of setting up the `NodePort` on an Administration Server,
+see [Use a `NodePort` for WLST]({{< relref "/userguide/managing-domains/accessing-the-domain/wlst#use-a-nodeport" >}}).
 
 #### Configure ingress path routing rules
 
@@ -81,7 +91,11 @@ For more information, see [T3 channels]({{<relref "/security/domain-security/web
          port: 7001
    ```
 
-1. For the Remote Console to connect to the Kubernetes WebLogic Server Administration Server, supply a URL that resolves to the load balancer host and ingress that you supplied in the previous step. For example:
+
+1. After you have connected to the Remote Console with your browser,
+   it will prompt for the location of your WebLogic Server Administration
+   Server.
+   For the Remote Console to connect to the Kubernetes WebLogic Server Administration Server, supply a URL that resolves to the load balancer host and ingress that you supplied in the previous step. For example:
 
    ```
    http://${HOSTNAME}:${LB_PORT}/
@@ -94,10 +108,42 @@ For more information, see [T3 channels]({{<relref "/security/domain-security/web
 
         `$ export LB_PORT=$(kubectl -n traefik get service traefik-operator -o jsonpath='{.spec.ports[?(@.name=="web")].nodePort}')`
 
+#### Use a `kubectl port-forward` connection
+
+1. Forward a local port (that is external to
+   Kubernetes) to the administration port of the
+   Administration Server Pod according to these
+   [instructions]({{< relref "/userguide/managing-domains/accessing-the-domain/port-forward.md" >}}).
+
+   **NOTE:** If you plan to run the Remote Console Java program
+   on a different machine than the port forwarding command,
+   then the port forwarding command needs to specify a `--address` parameter
+   with the IP address of the machine that is hosting the command.
+
+1. After you have connected to the Remote Console with your browser,
+   it will prompt you for the location of your WebLogic Server Administration
+   Server.
+   Supply a URL using the local hostname or IP address
+   from the `port-forward` command in the first step, plus the local port from
+   this same command. For example:
+
+   ```
+   http://${LOCAL_HOSTNAME}:${LOCAL_PORT}/
+   ```
+   Where:
+
+     * `${LOCAL_HOSTNAME}` is the hostname or the defined IP address of the machine
+       where the `kubectl port-forward` command is running. This is
+       customizable on the `port-forward` command and is `localhost`
+       or `127.0.0.1`, by default.
+
+     * `${LOCAL_PORT}` is the local port where the `kubectl port-forward` command is running.
+       This is specified on the `port-forward` command.
+
 ### Test
 
-To verify that your WebLogic Server Administration Server URL is correct, and to verify that that your load balancer
-or `NodePort` are working as expected, run the following curl commands at the same location as your browser:
+To verify that your WebLogic Server Administration Server URL is correct, and to verify that that your load balancer,
+`NodePort`, or `kubectl port-forward` are working as expected, run the following curl commands at the same location as your browser:
 
 
 ```