author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2018-05-15 15:44:18 +0200 |
committer | GitHub <noreply@github.com> | 2018-05-15 15:44:18 +0200 |
commit | 8cabaa3da3bdf7a1de5cbf320772edd676763b26 (patch) | |
tree | 9b2665be08ee0bcd00056e2ac2764b2f4744f20f | |
parent | c415df6fe8911eca6596ffadfca4df6a05e64056 (diff) | |
parent | 361c71b0824189ac7457df3b8afdd86459a0bb62 (diff) |
Merge pull request #5877 from vespa-engine/mortent/add-parent-ips-to-iddoc
Append parent ips to identity document
2 files changed, 41 insertions, 16 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index a5f143fe50a..55377862cfc 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -20,7 +20,9 @@ import java.security.PrivateKey;
 import java.security.Signature;
 import java.time.Instant;
 import java.util.Base64;
+import java.util.HashSet;
 import java.util.Objects;
+import java.util.Set;
 /**
  * @author mortent
@@ -83,12 +85,21 @@ public class IdentityDocumentGenerator {
 allocation.membership().cluster().id().value(),
 allocation.membership().index());
+ // TODO: Hack to allow access from docker containers to non-ipv6 services.
+ // Remove when yca-bridge is no longer needed
+ Set<String> ips = new HashSet<>(node.ipAddresses());
+ if(node.parentHostname().isPresent()) {
+ String parentHostName = node.parentHostname().get();
+ nodeRepository.getNode(parentHostName)
+ .map(Node::ipAddresses)
+ .ifPresent(ips::addAll);
+ }
 return new IdentityDocument(
 providerUniqueId,
 HostName.getLocalhost(),
 node.hostname(),
 Instant.now(),
- node.ipAddresses());
+ ips);
 }
 private static String toZoneDnsSuffix(Zone zone, String dnsSuffix) {
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
index 4e84fefbe53..8b4c06c2867 100644
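Review bot: When `node.parentHostname()` is set but `nodeRepository.getNode(parentHostName)` comes back empty, the new branch silently falls through and the document is signed with only the container's own addresses, leaving no trace of a node that references a parent the repository does not know; since the signed document attests which addresses the instance may present, that inconsistency is worth at least a warning log in the `ifPresent`-less path. The `isPresent()`/`get()` pair can be folded into the Optional chain in one line, `node.parentHostname().flatMap(nodeRepository::getNode).map(Node::ipAddresses).ifPresent(ips::addAll);`, which also removes the local `parentHostName`. The TODO should say what the widened address set is for so the removal condition is checkable, e.g. `// TODO: the signed document must also carry the parent host's IPs while yca-bridge is in use; drop this once yca-bridge is retired` — the reason is inferred from the existing comment, so adjust if it is not accurate. The enclosing method begins before this hunk, so its signature is not visible here.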
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
@@ -24,6 +24,7 @@ import com.yahoo.vespa.hosted.provision.NodeRepository;
 import com.yahoo.vespa.hosted.provision.node.Allocation;
 import com.yahoo.vespa.hosted.provision.node.Generation;
 import com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors;
+import org.hamcrest.Matchers;
 import org.junit.Test;
 import java.util.HashSet;
@@ -31,6 +32,7 @@ import java.util.Optional;
 import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.TestUtils.getAthenzProviderConfig;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.mock;
@@ -44,35 +46,43 @@ public class IdentityDocumentGeneratorTest { @Test public void generates_valid_identity_document() throws Exception { - String hostname = "x.y.com"; + String parentHostname = "docker-host"; + String containerHostname = "docker-container"; ApplicationId appid = ApplicationId.from( TenantName.from("tenant"), ApplicationName.from("application"), InstanceName.from("default")); Allocation allocation = new Allocation(appid, - ClusterMembership.from("container/default/0/0", Version.fromString("1.2.3")), - Generation.inital(), - false); - Node n = Node.create("ostkid", - ImmutableSet.of("127.0.0.1"), - new HashSet<>(), - hostname, - Optional.empty(), - new MockNodeFlavors().getFlavorOrThrow("default"), - NodeType.tenant) + ClusterMembership.from("container/default/0/0", Version.fromString("1.2.3")), + Generation.inital(), + false); + Node parentNode = Node.create("ostkid", + ImmutableSet.of("127.0.0.1"), + new HashSet<>(), + parentHostname, + Optional.empty(), + new MockNodeFlavors().getFlavorOrThrow("default"), + NodeType.host); + Node containerNode = Node.createDockerNode("docker-1", + ImmutableSet.of("::1"), + new HashSet<>(), + containerHostname, + Optional.of(parentHostname), + new MockNodeFlavors().getFlavorOrThrow("default"), + NodeType.tenant) .with(allocation); - NodeRepository nodeRepository = mock(NodeRepository.class); - when(nodeRepository.getNode(eq(hostname))).thenReturn(Optional.of(n)); + when(nodeRepository.getNode(eq(parentHostname))).thenReturn(Optional.of(parentNode)); + when(nodeRepository.getNode(eq(containerHostname))).thenReturn(Optional.of(containerNode)); AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider(); String dnsSuffix = "vespa.dns.suffix"; AthenzProviderServiceConfig config = getAthenzProviderConfig("domain", "service", dnsSuffix, ZONE); IdentityDocumentGenerator identityDocumentGenerator = new IdentityDocumentGenerator(config, nodeRepository, ZONE, keyProvider); - SignedIdentityDocument 
signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(hostname); + SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(containerHostname); // Verify attributes - assertEquals(hostname, signedIdentityDocument.identityDocument.instanceHostname); + assertEquals(containerHostname, signedIdentityDocument.identityDocument.instanceHostname); String environment = "dev"; String region = "us-north-1"; @@ -83,9 +93,13 @@ public class IdentityDocumentGeneratorTest { new ProviderUniqueId("tenant", "application", environment, region, "default", "default", 0); assertEquals(expectedProviderUniqueId, signedIdentityDocument.identityDocument.providerUniqueId); + // Validate that both parent and container ips are present + assertThat(signedIdentityDocument.identityDocument.ipAddresses, Matchers.containsInAnyOrder("127.0.0.1", "::1")); + // Validate signature assertTrue("Message", InstanceValidator.isSignatureValid(keyProvider.getPublicKey(0), signedIdentityDocument.rawIdentityDocument, signedIdentityDocument.signature)); + } } |
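Review bot: The rewritten test only exercises a container whose parent is present in the repository, so the two fallback paths in the generator — a node with `Optional.empty()` as parent hostname, and a parent hostname that `nodeRepository.getNode` cannot resolve — are left unverified, and a regression that dropped the container's own addresses in those cases would go unnoticed. A second test that stubs `when(nodeRepository.getNode(eq(parentHostname))).thenReturn(Optional.empty());` and asserts `Matchers.containsInAnyOrder("::1")` on `identityDocument.ipAddresses` would pin that behavior cheaply. The hunk also removes `NodeRepository nodeRepository = mock(NodeRepository.class);` while the new `when(...)` stubs still reference `nodeRepository`, so it presumably now comes from a field declared outside this hunk; that is worth confirming, since a mock shared across tests keeps stubs from earlier methods unless it is reset.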