oracle
diff --git a/‎electron/app/js/wdtDiscovery.js
+43-20 b/‎electron/app/js/wdtDiscovery.js
+43-20
diff --git a/‎electron/app/locales/en/webui.json
+26-1 b/‎electron/app/locales/en/webui.json
+26-1
diff --git a/‎webui/package-lock.json
+7-7 b/‎webui/package-lock.json
+7-7
diff --git a/‎webui/package.json
+1-1 b/‎webui/package.json
+1-1
diff --git a/‎webui/src/js/models/k8s-domain-definition.js
+22 b/‎webui/src/js/models/k8s-domain-definition.js
+22
diff --git a/‎webui/src/js/models/wdt-model-definition.js
+33-4 b/‎webui/src/js/models/wdt-model-definition.js
+33-4
@@ -49,6 +49,7 @@ async function _runDiscover(targetWindow, discoverConfig, online) {
   const discoverType = online ? 'online' : 'offline';
   logger.info(`start ${discoverType} discover: ${discoverConfig['oracleHome']}`);
 
+  let isRemote = false;
   let projectFile = discoverConfig['projectFile'];
   let projectDir = path.dirname(projectFile);
 
@@ -66,46 +67,68 @@ async function _runDiscover(targetWindow, discoverConfig, online) {
   argList.push('-java_home');
   argList.push(discoverConfig['javaHome']);
 
-  addArgumentIfPresent(discoverConfig['domainHome'], '-domain_home', argList);
-
   argList.push('-domain_type');
   argList.push(discoverConfig['domainType']);
 
+  argList.push('-model_file');
+  argList.push(modelFile);
+  argList.push('-variable_file');
+  argList.push(propertiesFile);
+
   if (online) {
     argList.push('-admin_url');
     argList.push(discoverConfig['adminUrl']);
     argList.push('-admin_user');
     argList.push(discoverConfig['adminUser']);
     argList.push('-admin_pass');
     argList.push(discoverConfig['adminPass']);
-  }
 
-  addArgumentIfPresent(discoverConfig['sshHost'], '-ssh_host', argList);
-  addArgumentIfPresent(discoverConfig['sshPort'], '-ssh_port', argList);
-  addArgumentIfPresent(discoverConfig['sshUser'], '-ssh_user', argList);
-  addArgumentIfPresent(discoverConfig['sshPassword'], '-ssh_pass', argList);
-  addArgumentIfPresent(discoverConfig['sshPrivateKey'], '-ssh_private_key', argList);
-  addArgumentIfPresent(discoverConfig['sshPrivateKeyPassphrase'], '-ssh_private_key_pass', argList);
+    addArgumentIfPresent(discoverConfig['sshHost'], '-ssh_host', argList);
+    addArgumentIfPresent(discoverConfig['sshPort'], '-ssh_port', argList);
+    addArgumentIfPresent(discoverConfig['sshUser'], '-ssh_user', argList);
+    addArgumentIfPresent(discoverConfig['sshPassword'], '-ssh_pass', argList);
+    addArgumentIfPresent(discoverConfig['sshPrivateKey'], '-ssh_private_key', argList);
+    addArgumentIfPresent(discoverConfig['sshPrivateKeyPassphrase'], '-ssh_private_key_pass', argList);
+
+    const useRemote = discoverConfig['isRemote'];
+    if (!useRemote) {
+      argList.push('-archive_file');
+      argList.push(archiveFile);
+    } else {
+      isRemote = true;
+      argList.push('-remote');
+    }
+
+    if (discoverConfig['discoverPasswords']) {
+      argList.push('-discover_passwords');
+    }
+    if (discoverConfig['discoverSecurityProviderData'] && discoverConfig['discoverSecurityProviderDataArgument']) {
+      argList.push('-discover_security_provider_data');
+      argList.push(discoverConfig['discoverSecurityProviderDataArgument']);
+    }
+    if (discoverConfig['discoverOPSSWallet'] && discoverConfig['discoverOPSSWalletPassphrase']) {
+      argList.push('-discover_opss_wallet');
+      argList.push('-opss_wallet_passphrase');
+      argList.push(discoverConfig['discoverOPSSWalletPassphrase']);
+    }
+    addArgumentIfPresent(discoverConfig['discoverWdtPassphrase'], '-passphrase', argList);
+  } else {
+    // offline
+    addArgumentIfPresent(discoverConfig['domainHome'], '-domain_home', argList);
 
-  const isRemote = discoverConfig['isRemote'];
-  if (!isRemote) {
     argList.push('-archive_file');
     argList.push(archiveFile);
   }
 
-  argList.push('-model_file');
-  argList.push(modelFile);
-  argList.push('-variable_file');
-  argList.push(propertiesFile);
-
-  if (isRemote) {
-    argList.push('-remote');
-  }
-
   const env = {
     JAVA_HOME: process.env.JAVA_HOME || discoverConfig['javaHome']
   };
 
+  const additionalProperties = discoverConfig['additionalProperties'];
+  if (additionalProperties && additionalProperties.length > 0) {
+    env['WLSDEPLOY_PROPERTIES'] = additionalProperties;
+  }
+
   let resultsDirectory = null;
   let resultsFile = null;
   if (isRemote) {
 
@@ -1097,8 +1097,12 @@
   "discover-dialog-domain-type-label": "Domain Type",
   "discover-dialog-wls-domain-type-label": "WebLogic Server",
   "discover-dialog-restricted-jrf-domain-type-label": "Restricted JRF",
-  "discover-dialog-jrf-domain-type-label": "Fusion Middleware (JRF)",
+  "discover-dialog-jrf-domain-type-label": "Fusion Middleware Infrastructure (JRF)",
+  "discover-dialog-oam-domain-type-label": "Oracle Access Manager (OAM)",
+  "discover-dialog-oig-domain-type-label": "Oracle Identity Governance (OIG)",
   "discover-dialog-domain-type-help": "Specifies the type of Oracle Fusion Middleware domain to be discovered.",
+  "discover-dialog-additional-properties-label": "Additional Properties",
+  "discover-dialog-additional-properties-help": "Additional Properties to pass to the WebLogic Deploy Tooling's Discover Domain Tool.",
   "discover-dialog-admin-url-label": "Administration Server URL",
   "discover-dialog-admin-url-help": "The URL of the Administration Server of the domain. Format should be similar to t3://wls.host:7001",
   "discover-dialog-admin-user-label": "Administration Server User",
@@ -1133,6 +1137,23 @@
   "discover-dialog-ssh-credential-type-password-label": "Use password",
   "discover-dialog-ssh-credential-type-label": "SSH Credential Type",
   "discover-dialog-ssh-credential-type-help": "Choose an option for specifying SSH credentials",
+  "discover-dialog-discover-security-features-title": "Security-Related Discovery Features",
+  "discover-dialog-discover-passwords-label": "Discover Passwords",
+  "discover-dialog-discover-passwords-help": "Discover passwords from the source domain and encrypt them using WDT encryption.",
+  "discover-dialog-discover-security-provider-data-label": "Discover Security Provider Data",
+  "discover-dialog-discover-security-provider-data-help": "Discover security provider data from the source domain and encrypt any passwords found using WDT encryption.",
+  "discover-dialog-discover-opss-wallet-label": "Discover OPSS Wallet",
+  "discover-dialog-discover-opss-wallet-help": "Discover OPSS encryption key from the source domain and encrypt it with the OPSS Wallet Passphrase.",
+  "discover-dialog-discover-opss-wallet-passphrase-label": "OPSS Wallet Passphrase",
+  "discover-dialog-discover-opss-wallet-passphrase-help": "The wallet passphrase to use when exporting the OPSS encryption key into a wallet.",
+  "discover-dialog-security-provider-type-all-label": "All Supported Providers",
+  "discover-dialog-security-provider-type-default-authenticator-label": "Default Authenticator",
+  "discover-dialog-security-provider-type-xacml-authorizer-label": "XACML Authorizer",
+  "discover-dialog-security-provider-type-xacml-role-mapper-label": "XACML Role Mapper",
+  "discover-dialog-security-provider-type-default-credential-mapper-label": "Default Credential Mapper",
+  "discover-dialog-security-provider-scope-label": "Providers to Discover",
+  "discover-dialog-discover-wdt-encryption-passphrase-label": "WDT Model Encryption Passphrase",
+  "discover-dialog-discover-wdt-encryption-passphrase-help": "The WDT model encryption passphrase that will be used to encrypt any discovered credentials.",
 
   "discover-result-dialog-title": "Discover Domain Result",
   "discover-result-dialog-archive-message": "The following files need to be collected from the remote system and placed in the archive file at the specified paths",
@@ -1494,6 +1515,8 @@
   "wko-uninstaller-uninstall-failed-error-message":"Unable to uninstall WebLogic Kubernetes Operator {{operatorName}} from Kubernetes namespace {{operatorNamespace}}: {{error}}.",
   "wko-uninstaller-uninstall-catch-all-error-message": "WebLogic Kubernetes Operator uninstall failed with an unexpected error: {{error}}",
 
+  "k8s-domain-definition-encrypted-credential-message": "Found secret {{secretName}} with WDT encrypted key {{secretKey}}",
+  "k8s-domain-deployer-update-admin-user-password-in-progress": "Updating Password for User {{adminUserName}}",
   "k8s-domain-deployer-aborted-error-title": "Deploying WebLogic Domain to Kubernetes Aborted",
   "k8s-domain-deployer-kubectl-exe-invalid-error-message": "Unable to deploy WebLogic Domain to Kubernetes because the Kubernetes client executable is invalid: {{error}}.",
   "k8s-domain-deployer-helm-exe-invalid-error-message": "Unable to deploy WebLogic domain to Kubernetes because the Helm executable is invalid: {{error}}.",
@@ -1514,6 +1537,8 @@
   "k8s-domain-deployer-create-wallet-password-secret-error-message": "Unable to deploy WebLogic domain to Kubernetes due to an error creating the OPSS wallet password secret {{secretName}} in the Kubernetes namespace {{namespace}}: {{error}}",
   "k8s-domain-deployer-create-wl-secret-in-progress": "Creating secret {{secretName}} for WebLogic domain {{domainName}} in Kubernetes namespace {{namespace}}",
   "k8s-domain-deployer-create-wl-secret-failed-error-message": "Failed to create WebLogic credentials secret {{secretName}} in Kubernetes namespace {{namespace}}: {{error}}",
+  "k8s-domain-deployer-create-wdt-secret-in-progress": "Creating secret {{secretName}} for WebLogic domain {{domainName}} in Kubernetes namespace {{namespace}}",
+  "k8s-domain-deployer-create-wdt-secret-failed-error-message": "Failed to create WebLogic credentials secret {{secretName}} in Kubernetes namespace {{namespace}}: {{error}}",
   "k8s-domain-deployer-create-secrets-in-progress": "Creating secrets for WebLogic domain {{domainName}} in Kubernetes namespace {{namespace}}",
   "k8s-domain-deployer-create-secret-failed-error-message": "Failed to create secret {{secretName}} in Kubernetes namespace {{namespace}}: {{error}}",
   "k8s-domain-deployer-create-config-map-in-progress": "Creating Kubernetes config map for WebLogic domain {{domainName}} in Kubernetes namespace {{domainNamespace}}",
 
@@ -12,7 +12,7 @@
   "dependencies": {
     "@oracle/oraclejet": "~16.0.2",
     "@oracle/oraclejet-core-pack": "~16.0.2",
-    "@oracle/wrc-jet-pack": "~2.4.8",
+    "@oracle/wrc-jet-pack": "~2.4.10",
     "ace-builds": "^1.33.0",
     "i18next": "^23.11.2",
     "jquery": "^3.7.1",
 
@@ -123,6 +123,28 @@ define(['knockout', 'utils/observable-properties', 'utils/common-utilities', 'ut
           }
         };
 
+        this.requiresWDTEncryptionPassphrase = ko.computed(() => {
+          for (const secret of this.secrets.observable()) {
+            for (const key of secret.keys) {
+              if (key.value.toUpperCase().startsWith('{AES}')) {
+                wktLogger.debug('k8s-domain-definition-encrypted-credential-message', { secretName: secret.name, secretKey: key.key });
+                return true;
+              }
+            }
+          }
+          return false;
+        }, this);
+
+        /** The name of the WDT encryption secret, if needed. */
+        this.wdtEncryptionSecretName = ko.computed(() => {
+          let wdtEncryptionSecret;
+
+          if (this.requiresWDTEncryptionPassphrase() && wdtModel.wdtPassphrase.observable()) {
+            wdtEncryptionSecret = `${wdtModel.domainName()}-wdt-encryption-secret`;
+          }
+          return wdtEncryptionSecret;
+        }, this);
+
         this.replicas = props.createProperty(2);
         // TODO - can a WebLogic server really run with 64MB?  If not, raise minimum limit...
         this.minimumHeapSize = props.createProperty('64m');
 
@@ -32,6 +32,9 @@ define(['knockout', 'utils/observable-properties', 'js-yaml', 'utils/validation-
         /** The locations of the archive files. */
         this.archiveFiles = props.createArrayProperty();
 
+        /** Model encryption passphrase. */
+        this.wdtPassphrase = props.createProperty();
+
         /** The contents of the first model file. */
         this.modelContent = ko.observable('');
 
@@ -163,10 +166,7 @@ define(['knockout', 'utils/observable-properties', 'js-yaml', 'utils/validation-
               //                         user:
               //                             Value: '@@SECRET:mydomain-jdbc-myds:username@@'
               //
-              let secretKey = secretName;
-              if (secretEnvVar) {
-                secretKey = secretName.startsWith('-') ? `${secretEnvVar}${secretName}` : `${secretEnvVar}-${secretName}`;
-              }
+              const secretKey = this.getModelSecretKey(secretEnvVar, secretName);
 
               let secretData;
               if (secretsMap.has(secretKey)) {
@@ -186,6 +186,35 @@ define(['knockout', 'utils/observable-properties', 'js-yaml', 'utils/validation-
           return [...secretsMap.values()];
         };
 
+        this.getModelSecretKey = (secretEnvVar, secretName) => {
+          let secretKey = secretName;
+          if (secretEnvVar) {
+            secretKey = secretName.startsWith('-') ? `${secretEnvVar}${secretName}` : `${secretEnvVar}-${secretName}`;
+          }
+          return secretKey;
+        };
+
+        this.getAdminUserTopologySecurityUserSecretKey = (userName) => {
+          let result;
+          try {
+            const yaml = jsYaml.load(this.modelContent());
+
+            const modelValue = getElement(yaml, `topology.Security.User.${userName}.Password`);
+            if (modelValue) {
+              matches = modelValue.match(SECRET_PATTERN);
+              if (matches) {
+                const secretName = matches.groups.name;
+                const secretEnvVar = matches.groups.envvar;
+
+                result = this.getModelSecretKey(secretEnvVar, secretName);
+              }
+            }
+          } catch (e) {
+            // unable to parse model, just return undefined
+          }
+          return result;
+        };
+
         /** Returns a property for editing the model properties */
         this.getModelPropertiesObject = function() {
           return this.internal.propertiesContent;