authorBjørn Christian Seime <bjorn.christian@seime.no>2018-05-15 15:44:18 +0200
committerGitHub <noreply@github.com>2018-05-15 15:44:18 +0200
commit8cabaa3da3bdf7a1de5cbf320772edd676763b26 (patch)
tree9b2665be08ee0bcd00056e2ac2764b2f4744f20f
parentc415df6fe8911eca6596ffadfca4df6a05e64056 (diff)
parent361c71b0824189ac7457df3b8afdd86459a0bb62 (diff)
Merge pull request #5877 from vespa-engine/mortent/add-parent-ips-to-iddoc
Append parent ips to identity document
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java13
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java44
2 files changed, 41 insertions, 16 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index a5f143fe50a..55377862cfc 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -20,7 +20,9 @@ import java.security.PrivateKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
+import java.util.HashSet;
import java.util.Objects;
+import java.util.Set;
/**
* @author mortent
@@ -83,12 +85,21 @@ public class IdentityDocumentGenerator {
allocation.membership().cluster().id().value(),
allocation.membership().index());
+ // TODO: Hack to allow access from docker containers to non-ipv6 services.
+ // Remove when yca-bridge is no longer needed
+ Set<String> ips = new HashSet<>(node.ipAddresses());
+ if(node.parentHostname().isPresent()) {
+ String parentHostName = node.parentHostname().get();
+ nodeRepository.getNode(parentHostName)
+ .map(Node::ipAddresses)
+ .ifPresent(ips::addAll);
+ }
return new IdentityDocument(
providerUniqueId,
HostName.getLocalhost(),
node.hostname(),
Instant.now(),
- node.ipAddresses());
+ ips);
}
private static String toZoneDnsSuffix(Zone zone, String dnsSuffix) {
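Review bot: The signed identity document now carries the parent host's addresses in the same `ips` set as the container's own, so a verifier that matches the peer address against `ipAddresses` can no longer tell this container from any other container on the same Docker host, or from the host itself; the verifiers are not visible here, so this needs confirming against them. The TODO says why the addresses are added but not what that costs, and I would extend it with `// SECURITY: parent IPs are shared by every container on the host; a match on them does not identify this instance`. When the parent hostname is set but `nodeRepository.getNode(parentHostName)` returns empty, the document is still issued, silently without the parent addresses; logging that case would make a stale or inconsistent node repository visible. The enclosing method starts above the hunk, so how `node` itself was looked up cannot be checked from here.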
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
index 4e84fefbe53..8b4c06c2867 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
@@ -24,6 +24,7 @@ import com.yahoo.vespa.hosted.provision.NodeRepository;
import com.yahoo.vespa.hosted.provision.node.Allocation;
import com.yahoo.vespa.hosted.provision.node.Generation;
import com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors;
+import org.hamcrest.Matchers;
import org.junit.Test;
import java.util.HashSet;
@@ -31,6 +32,7 @@ import java.util.Optional;
import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.TestUtils.getAthenzProviderConfig;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.mock;
@@ -44,35 +46,43 @@ public class IdentityDocumentGeneratorTest {
@Test
public void generates_valid_identity_document() throws Exception {
- String hostname = "x.y.com";
+ String parentHostname = "docker-host";
+ String containerHostname = "docker-container";
ApplicationId appid = ApplicationId.from(
TenantName.from("tenant"), ApplicationName.from("application"), InstanceName.from("default"));
Allocation allocation = new Allocation(appid,
- ClusterMembership.from("container/default/0/0", Version.fromString("1.2.3")),
- Generation.inital(),
- false);
- Node n = Node.create("ostkid",
- ImmutableSet.of("127.0.0.1"),
- new HashSet<>(),
- hostname,
- Optional.empty(),
- new MockNodeFlavors().getFlavorOrThrow("default"),
- NodeType.tenant)
+ ClusterMembership.from("container/default/0/0", Version.fromString("1.2.3")),
+ Generation.inital(),
+ false);
+ Node parentNode = Node.create("ostkid",
+ ImmutableSet.of("127.0.0.1"),
+ new HashSet<>(),
+ parentHostname,
+ Optional.empty(),
+ new MockNodeFlavors().getFlavorOrThrow("default"),
+ NodeType.host);
+ Node containerNode = Node.createDockerNode("docker-1",
+ ImmutableSet.of("::1"),
+ new HashSet<>(),
+ containerHostname,
+ Optional.of(parentHostname),
+ new MockNodeFlavors().getFlavorOrThrow("default"),
+ NodeType.tenant)
.with(allocation);
-
NodeRepository nodeRepository = mock(NodeRepository.class);
- when(nodeRepository.getNode(eq(hostname))).thenReturn(Optional.of(n));
+ when(nodeRepository.getNode(eq(parentHostname))).thenReturn(Optional.of(parentNode));
+ when(nodeRepository.getNode(eq(containerHostname))).thenReturn(Optional.of(containerNode));
AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider();
String dnsSuffix = "vespa.dns.suffix";
AthenzProviderServiceConfig config = getAthenzProviderConfig("domain", "service", dnsSuffix, ZONE);
IdentityDocumentGenerator identityDocumentGenerator =
new IdentityDocumentGenerator(config, nodeRepository, ZONE, keyProvider);
- SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(hostname);
+ SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(containerHostname);
// Verify attributes
- assertEquals(hostname, signedIdentityDocument.identityDocument.instanceHostname);
+ assertEquals(containerHostname, signedIdentityDocument.identityDocument.instanceHostname);
String environment = "dev";
String region = "us-north-1";
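Review bot: The rewritten `generates_valid_identity_document` only exercises a container whose parent is found, so two paths through the new generator code are left untested: an allocated node with `Optional.empty()` as parent (the case this test covered before the change) and a container whose parent hostname is missing from the `NodeRepository`. Because the address set ends up in a signed document, I would add one test for a parentless allocated node asserting that `ipAddresses` holds only its own address, and one where `getNode(eq(parentHostname))` returns `Optional.empty()` and only `"::1"` is expected. The assertion on the merged set is in the following hunk, and the test method continues past this one.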
@@ -83,9 +93,13 @@ public class IdentityDocumentGeneratorTest {
new ProviderUniqueId("tenant", "application", environment, region, "default", "default", 0);
assertEquals(expectedProviderUniqueId, signedIdentityDocument.identityDocument.providerUniqueId);
+ // Validate that both parent and container ips are present
+ assertThat(signedIdentityDocument.identityDocument.ipAddresses, Matchers.containsInAnyOrder("127.0.0.1", "::1"));
+
// Validate signature
assertTrue("Message", InstanceValidator.isSignatureValid(keyProvider.getPublicKey(0),
signedIdentityDocument.rawIdentityDocument,
signedIdentityDocument.signature));
+
}
}