author | Morten Tokle <mortent@yahooinc.com> | 2023-09-08 11:58:35 +0200 |
---|---|---|
committer | Morten Tokle <mortent@yahooinc.com> | 2023-09-08 11:58:35 +0200 |
commit | baf05b2bafc89c4993040da6f8ee15d5d35edb2e (patch) | |
tree | da3fd22da9c005d499ff9520acf37ca9cd0f266f | |
parent | 124f4892ae45f19d49b3ca9adaa779c0f2851bfd (diff) |
Add token endpoints to proxy config
5 files changed, 33 insertions, 5 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/DataplaneProxy.java b/config-model/src/main/java/com/yahoo/vespa/model/container/DataplaneProxy.java index 13aa65909bd..3361793ec1a 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/DataplaneProxy.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/DataplaneProxy.java @@ -5,19 +5,23 @@ import com.yahoo.cloud.config.DataplaneProxyConfig; import com.yahoo.container.jdisc.DataplaneProxyConfigurator; import com.yahoo.vespa.model.container.component.SimpleComponent; +import java.util.Set; + public class DataplaneProxy extends SimpleComponent implements DataplaneProxyConfig.Producer { private final int mtlsPort; private final int tokenPort; private final String serverCertificate; private final String serverKey; + private final Set<String> tokenEndpoints; - public DataplaneProxy(int mtlsPort, int tokenPort, String serverCertificate, String serverKey) { + public DataplaneProxy(int mtlsPort, int tokenPort, String serverCertificate, String serverKey, Set<String> tokenEndpoints) { super(DataplaneProxyConfigurator.class.getName()); this.mtlsPort = mtlsPort; this.tokenPort = tokenPort; this.serverCertificate = serverCertificate; this.serverKey = serverKey; + this.tokenEndpoints = tokenEndpoints; } @Override @@ -26,6 +30,7 @@ public class DataplaneProxy extends SimpleComponent implements DataplaneProxyCon builder.tokenPort(tokenPort); builder.serverCertificate(serverCertificate); builder.serverKey(serverKey); + builder.tokenEndpoints(tokenEndpoints); } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java index 459c54a2805..2baf8f053c9 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java 
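Review bot: The constructor stores the caller's `Set<String>` by reference and `getConfig` emits it in the set's iteration order, so the `tokenEndpoints[]` config array (and any file derived from it) can come out in a different order across deployments even when the endpoints themselves did not change. Since DataplaneProxyService appears to reload nginx whenever the generated config differs, an order-only change would trigger a spurious reload. Snapshot the argument into a sorted, unmodifiable copy at construction, e.g. `this.tokenEndpoints = Collections.unmodifiableSortedSet(new TreeSet<>(tokenEndpoints));` (with `java.util.Collections` and `java.util.TreeSet` imported), which also rejects a null or later-mutated argument up front. The `getConfig` method in the second hunk starts before the hunk's first line.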
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java @@ -627,9 +627,16 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { private void addCloudTokenSupport(DeployState state, ApplicationContainerCluster cluster) { var server = cluster.getHttp().getHttpServer().get(); + Set<String> tokenEndpoints = state.getEndpoints().stream() + .filter(endpoint -> endpoint.authMethod() == ApplicationClusterEndpoint.AuthMethod.token) + .map(ContainerEndpoint::names) + .flatMap(Collection::stream) + .collect(Collectors.toSet()); + boolean enableTokenSupport = state.isHosted() && state.zone().system().isPublic() && state.featureFlags().enableDataplaneProxy() - && cluster.getClients().stream().anyMatch(c -> !c.tokens().isEmpty()); + && cluster.getClients().stream().anyMatch(c -> !c.tokens().isEmpty()) + && ! tokenEndpoints.isEmpty(); if (!enableTokenSupport) return; var endpointCert = state.endpointCertificateSecrets().orElseThrow(); int tokenPort = getTokenDataplanePort(state).orElseThrow(); @@ -641,7 +648,8 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { getMtlsDataplanePort(state), tokenPort, endpointCert.certificate(), - endpointCert.key()); + endpointCert.key(), + tokenEndpoints); cluster.addComponent(dataplaneProxy); // Setup dedicated connector diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudTokenDataPlaneFilterTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudTokenDataPlaneFilterTest.java index 15e1d61c951..b4e2f53bb87 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudTokenDataPlaneFilterTest.java +++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudTokenDataPlaneFilterTest.java 
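Review bot: `tokenEndpoints` is collected from every endpoint in `state.getEndpoints()` rather than only those belonging to `cluster`, so in an application with several container clusters the token host names of one cluster are also handed to every other cluster's `DataplaneProxy` (first hunk of ContainerModelBuilder), and a cluster with no token endpoints of its own would still pass the new `! tokenEndpoints.isEmpty()` gate. If `ContainerEndpoint` exposes its cluster id (the `"cluster"` first argument in the new test fixture suggests it does), add a cluster filter ahead of the auth-method filter, along the lines of `.filter(endpoint -> endpoint.clusterId().equals(cluster.getName()))`, with the accessor name checked against the actual API. Note that `addCloudTokenSupport` continues past the end of the hunk, so the token connector set up there inherits the same over-broad set.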
@@ -1,6 +1,8 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.model.container.xml; +import com.yahoo.config.model.api.ApplicationClusterEndpoint; +import com.yahoo.config.model.api.ContainerEndpoint; import com.yahoo.config.model.api.EndpointCertificateSecrets; import com.yahoo.config.model.builder.xml.test.DomBuilderTest; import com.yahoo.config.model.deploy.DeployState; @@ -27,6 +29,8 @@ import java.time.Instant; import java.util.Collection; import java.util.List; import java.util.Optional; +import java.util.OptionalInt; +import java.util.Set; import static com.yahoo.vespa.model.container.xml.CloudDataPlaneFilterTest.createCertificate; import static org.junit.jupiter.api.Assertions.assertEquals; @@ -99,6 +103,7 @@ public class CloudTokenDataPlaneFilterTest extends ContainerModelBuilderTestBase new DataplaneToken.Version("myfingerprint2", "myaccesshash2", Optional.of(Instant.EPOCH.plus(Duration.ofDays(100000)))))))) .setHostedVespa(true)) .zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName())) + .endpoints(Set.of(new ContainerEndpoint("cluster", ApplicationClusterEndpoint.Scope.zone, List.of("name"), OptionalInt.empty(), ApplicationClusterEndpoint.RoutingMethod.exclusive, ApplicationClusterEndpoint.AuthMethod.token))) .build(); return createModel(root, state, null, clusterElem); } diff --git a/configdefinitions/src/vespa/dataplane-proxy.def b/configdefinitions/src/vespa/dataplane-proxy.def index dd1d734a91c..eff5ae8c3a9 100644 --- a/configdefinitions/src/vespa/dataplane-proxy.def +++ b/configdefinitions/src/vespa/dataplane-proxy.def @@ -8,3 +8,6 @@ mtlsPort int # Server certificate and key to be used when creating server socket serverCertificate string serverKey string + +# Host names that should be considered token endpoints +tokenEndpoints[] string 
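Review bot: The test fixture only covers the positive path — a single endpoint with `AuthMethod.token` — so the new `! tokenEndpoints.isEmpty()` gate in `addCloudTokenSupport` has no test showing that token support is NOT configured when the deploy state carries only non-token endpoints or an empty endpoint set. A second fixture built with the non-token `AuthMethod` value (or `.endpoints(Set.of())`), asserting that no `DataplaneProxy` component and no token connector are added, would pin that behaviour. If the existing assertions in this class do not already read `DataplaneProxyConfig.tokenEndpoints()`, also assert it equals `List.of("name")` so the new plumbing through `DataplaneProxy.getConfig` is covered end to end. The enclosing test helper method starts before this hunk.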
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/DataplaneProxyService.java b/container-disc/src/main/java/com/yahoo/container/jdisc/DataplaneProxyService.java index 74e6954e1e1..ed3149d5406 100644 --- a/container-disc/src/main/java/com/yahoo/container/jdisc/DataplaneProxyService.java +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/DataplaneProxyService.java @@ -11,10 +11,12 @@ import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.nio.file.StandardCopyOption; +import java.util.List; import java.util.concurrent.ScheduledThreadPoolExecutor; import java.util.concurrent.TimeUnit; import java.util.logging.Level; import java.util.logging.Logger; +import java.util.stream.Collectors; /** * Configures a data plane proxy. Currently using Nginx. @@ -105,8 +107,8 @@ public class DataplaneProxyService extends AbstractComponent { serverKeyFile, config.mtlsPort(), config.tokenPort(), - root - )); + config.tokenEndpoints(), + root)); if (configChanged && state == NginxState.RUNNING) { changeState(NginxState.RELOAD_REQUIRED); } @@ -194,6 +196,7 @@ public class DataplaneProxyService extends AbstractComponent { Path serverKey, int vespaMtlsPort, int vespaTokenPort, + List<String> tokenEndpoints, Path root) { try { @@ -205,6 +208,10 @@ public class DataplaneProxyService extends AbstractComponent { nginxTemplate = replace(nginxTemplate, "vespa_mtls_port", Integer.toString(vespaMtlsPort)); nginxTemplate = replace(nginxTemplate, "vespa_token_port", Integer.toString(vespaTokenPort)); nginxTemplate = replace(nginxTemplate, "prefix", root.toString()); + String tokenmapping = tokenEndpoints.stream() + .map(" %s vespatoken;"::formatted) + .collect(Collectors.joining("\n")); + nginxTemplate = replace(nginxTemplate, "vespa_token_endpoints", tokenmapping); // TODO: verify that all template vars have been expanded return nginxTemplate; |
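Review bot: The last hunk interpolates each token endpoint name verbatim into the nginx configuration via `" %s vespatoken;"::formatted`, with no check that the value is a plain host name, so a name containing `;`, `{`, `}`, `#`, whitespace or a leading `~` (regex key) would change the meaning of the generated config rather than just one mapping entry. The names come from the config server through `DataplaneProxyConfig`, so this is a defence-in-depth issue rather than a remote injection, but the proxy is the component that terminates the data plane and the cost of a validation step is trivial. Validate every entry against a host-name pattern before the substitution and fail config generation on a mismatch; `java.util.regex.Pattern` would need importing, and if the template's enclosing directive is a `map` block (not visible here), the reserved words `default`, `hostnames`, `include` and `volatile` should be rejected as keys too. The `// TODO: verify that all template vars have been expanded` left in place would also catch a template that lacks the new `vespa_token_endpoints` placeholder, which is worth doing now that a third substitution has been added.
```java
// … unchanged: earlier template substitutions …
String tokenmapping = tokenEndpoints.stream()
        .map(DataplaneProxyService::requireValidHostname)
        .map(" %s vespatoken;"::formatted)
        .collect(Collectors.joining("\n"));
nginxTemplate = replace(nginxTemplate, "vespa_token_endpoints", tokenmapping);
// … unchanged: TODO and return …

// Only plain host-name characters may reach the nginx config: anything else
// (';', '{', '}', '#', whitespace, a leading '~') could alter the directive.
private static final Pattern TOKEN_ENDPOINT_HOSTNAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9.-]*");

private static String requireValidHostname(String name) {
    if (!TOKEN_ENDPOINT_HOSTNAME.matcher(name).matches())
        throw new IllegalArgumentException("Invalid token endpoint host name: '" + name + "'");
    return name;
}
```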