authorValerij Fredriksen <valerijf@yahooinc.com>2023-05-12 19:51:44 +0200
committerValerij Fredriksen <valerijf@yahooinc.com>2023-05-12 19:51:44 +0200
commit6b037ecce1d00faac709e5b46bcb246b9397aa2a (patch)
tree671ffcfda4152bd28ff7178a82c25e95c1f25326
parent34ba37735c74efd222f57ac61f9cac60053d768a (diff)
Reprovision in enclave compatible clouds
-rw-r--r--config-provisioning/src/main/java/com/yahoo/config/provision/Cloud.java21
-rw-r--r--config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java3
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java3
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisioner.java3
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/NodeAllocation.java3
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java2
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java3
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisionerTest.java3
8 files changed, 24 insertions, 17 deletions
diff --git a/config-provisioning/src/main/java/com/yahoo/config/provision/Cloud.java b/config-provisioning/src/main/java/com/yahoo/config/provision/Cloud.java
index ef2fceea1bd..94f01aba9e8 100644
--- a/config-provisioning/src/main/java/com/yahoo/config/provision/Cloud.java
+++ b/config-provisioning/src/main/java/com/yahoo/config/provision/Cloud.java
@@ -14,18 +14,20 @@ public class Cloud {
private final boolean dynamicProvisioning;
private final boolean allowHostSharing;
+ private final boolean allowEnclave;
private final boolean requireAccessControl;
private final CloudAccount account;
- private Cloud(CloudName name, boolean dynamicProvisioning, boolean allowHostSharing, boolean requireAccessControl,
- CloudAccount account) {
+ private Cloud(CloudName name, boolean dynamicProvisioning, boolean allowHostSharing, boolean allowEnclave,
+ boolean requireAccessControl, CloudAccount account) {
this.name = Objects.requireNonNull(name);
this.dynamicProvisioning = dynamicProvisioning;
this.allowHostSharing = allowHostSharing;
+ this.allowEnclave = allowEnclave;
this.requireAccessControl = requireAccessControl;
this.account = Objects.requireNonNull(account);
- if ((name.equals(CloudName.AWS) || name.equals(CloudName.GCP)) && account.isUnspecified()) {
- throw new IllegalArgumentException("Account must be non-empty in cloud '" + name + "'");
+ if (allowEnclave && account.isUnspecified()) {
+ throw new IllegalArgumentException("Account must be non-empty in '" + name + "'");
}
}
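Review bot: The account check in the constructor is now skipped whenever `allowEnclave` is false, so a cloud named AWS or GCP can be built with an unspecified account, which the removed name-based check rejected. Because the Builder defaults `allowEnclave` to false (later hunk in this file), a caller that never sets the flag also bypasses the account-match checks that `LoadBalancerProvisioner.inAccount` and `NodeAllocation` now gate on it. If that is intended, say so on the field, e.g. `/** Whether enclave deployments are allowed; gates account validation and account-match checks */`. The exception message should also say why the account is required: `"Account must be non-empty in enclave-enabled cloud '" + name + "'"`.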
@@ -42,6 +44,9 @@ public class Cloud {
/** Returns whether this allows host sharing */
public boolean allowHostSharing() { return allowHostSharing; }
+ /** Returns whether this allows deployments to enclave */
+ public boolean allowEnclave() { return allowEnclave; }
+
/** Returns whether to require access control for all clusters in this */
public boolean requireAccessControl() {
return requireAccessControl;
@@ -66,6 +71,7 @@ public class Cloud {
private CloudName name = CloudName.DEFAULT;
private boolean dynamicProvisioning = false;
private boolean allowHostSharing = true;
+ private boolean allowEnclave = false;
private boolean requireAccessControl = false;
private CloudAccount account = CloudAccount.empty;
@@ -86,6 +92,11 @@ public class Cloud {
return this;
}
+ public Builder allowEnclave(boolean allowEnclave) {
+ this.allowEnclave = allowEnclave;
+ return this;
+ }
+
public Builder requireAccessControl(boolean requireAccessControl) {
this.requireAccessControl = requireAccessControl;
return this;
@@ -97,7 +108,7 @@ public class Cloud {
}
public Cloud build() {
- return new Cloud(name, dynamicProvisioning, allowHostSharing, requireAccessControl, account);
+ return new Cloud(name, dynamicProvisioning, allowHostSharing, allowEnclave, requireAccessControl, account);
}
}
diff --git a/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java b/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java
index 97234056705..17010fe3fd3 100644
--- a/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java
+++ b/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java
@@ -1,8 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.config.provision;
-import com.yahoo.component.annotation.Inject;
import com.yahoo.cloud.config.ConfigserverConfig;
+import com.yahoo.component.annotation.Inject;
import com.yahoo.config.provisioning.CloudConfig;
import java.util.Objects;
@@ -27,6 +27,7 @@ public class Zone {
.name(CloudName.from(configserverConfig.cloud()))
.dynamicProvisioning(cloudConfig.dynamicProvisioning())
.allowHostSharing(cloudConfig.allowHostSharing())
+ .allowEnclave(cloudConfig.dynamicProvisioning())
.requireAccessControl(cloudConfig.requireAccessControl())
.account(CloudAccount.from(cloudConfig.account()))
.build(),
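Review bot: `.allowEnclave(cloudConfig.dynamicProvisioning())` ties enclave support to dynamic provisioning, so the two flags can never differ for a config-derived zone even though `Cloud` models them separately. With this line every dynamically provisioned cloud gets the WireGuard UDP port trusted in public systems (NodeAcl) and must have a non-empty account or the `Cloud` constructor throws. An AWS zone without dynamic provisioning no longer gets the account-match checks that were keyed on the cloud name. If a dedicated config field is not available, add a comment such as `// Enclave is currently assumed for all dynamically provisioned clouds` so the coupling is visible. The enclosing constructor starts and ends outside this hunk.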
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index 5106b786691..843ba240ce9 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -2,7 +2,6 @@
package com.yahoo.vespa.hosted.provision.node;
import com.google.common.collect.ImmutableSet;
-import com.yahoo.config.provision.CloudName;
import com.yahoo.config.provision.NodeType;
import com.yahoo.config.provision.Zone;
import com.yahoo.vespa.hosted.provision.Node;
@@ -97,7 +96,7 @@ public record NodeAcl(Node node,
NodeType.proxyhost, NodeType.proxy),
RPC_PORTS));
trustedPorts.add(4443);
- if (zone.system().isPublic() && zone.cloud().name().equals(CloudName.AWS)) {
+ if (zone.system().isPublic() && zone.cloud().allowEnclave()) {
trustedUdpPorts.add(WIREGUARD_PORT);
}
}
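Review bot: The condition guarding `trustedUdpPorts.add(WIREGUARD_PORT)` now opens the port in every public-system cloud with `allowEnclave()` set rather than in AWS only, and nothing here says why WireGuard and enclave go together. Since this is a firewall rule, a why-comment would help whoever audits the ACL, e.g. `// WireGuard is only needed where enclave deployments are allowed` (wording to be confirmed by the author). The enclosing block begins outside the hunk, so which node types receive the rule cannot be checked from here.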
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisioner.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisioner.java
index 61b0ae80c98..ae1edab7fad 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisioner.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisioner.java
@@ -5,7 +5,6 @@ import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.ApplicationTransaction;
import com.yahoo.config.provision.CloudAccount;
-import com.yahoo.config.provision.CloudName;
import com.yahoo.config.provision.ClusterSpec;
import com.yahoo.config.provision.HostName;
import com.yahoo.config.provision.NodeType;
@@ -318,7 +317,7 @@ public class LoadBalancerProvisioner {
/** Returns whether load balancer is provisioned in given account */
private boolean inAccount(CloudAccount cloudAccount, LoadBalancer loadBalancer) {
- return !nodeRepository.zone().cloud().name().equals(CloudName.AWS) || loadBalancer.instance().isEmpty() || loadBalancer.instance().get().cloudAccount().equals(cloudAccount);
+ return !nodeRepository.zone().cloud().allowEnclave() || loadBalancer.instance().isEmpty() || loadBalancer.instance().get().cloudAccount().equals(cloudAccount);
}
/** Find IP addresses reachable by the load balancer service */
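Review bot: The Javadoc on `inAccount` says it returns whether the load balancer is provisioned in the given account, but the method also returns true when the cloud does not allow enclave or when the load balancer has no instance, so no account comparison happens in those cases. Document the fail-open cases, e.g. `/** Returns whether load balancer is provisioned in given account. Always true if this cloud does not allow enclave or the load balancer has no instance */`. The same gating applies to the `// wrong account` filter in NodeAllocation, where candidates without a parent also skip the comparison. Splitting the long return expression into one condition per line would make the three cases easier to review.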
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/NodeAllocation.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/NodeAllocation.java
index f3f4e85f4b2..7f0d201b3e4 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/NodeAllocation.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/NodeAllocation.java
@@ -2,7 +2,6 @@
package com.yahoo.vespa.hosted.provision.provisioning;
import com.yahoo.config.provision.ApplicationId;
-import com.yahoo.config.provision.CloudName;
import com.yahoo.config.provision.ClusterMembership;
import com.yahoo.config.provision.ClusterSpec;
import com.yahoo.config.provision.Flavor;
@@ -121,7 +120,7 @@ class NodeAllocation {
if ( candidate.state() == Node.State.active && allocation.removable()) continue; // don't accept; causes removal
if ( candidate.state() == Node.State.active && candidate.wantToFail()) continue; // don't accept; causes failing
if ( indexes.contains(membership.index())) continue; // duplicate index (just to be sure)
- if (nodeRepository.zone().cloud().name().equals(CloudName.AWS) && candidate.parent.isPresent() && ! candidate.parent.get().cloudAccount().equals(requestedNodes.cloudAccount())) continue; // wrong account
+ if (nodeRepository.zone().cloud().allowEnclave() && candidate.parent.isPresent() && ! candidate.parent.get().cloudAccount().equals(requestedNodes.cloudAccount())) continue; // wrong account
boolean resizeable = requestedNodes.considerRetiring() && candidate.isResizable;
boolean acceptToRetire = acceptToRetire(candidate);
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java
index 3992401e29f..7f5bb79b20c 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java
@@ -460,7 +460,7 @@ public class HostCapacityMaintainerTest {
@Test
public void custom_cloud_account() {
- DynamicProvisioningTester tester = new DynamicProvisioningTester(Cloud.builder().name(CloudName.AWS).dynamicProvisioning(true).account(CloudAccount.from("001122334455")).build(),
+ DynamicProvisioningTester tester = new DynamicProvisioningTester(Cloud.builder().name(CloudName.AWS).dynamicProvisioning(true).allowEnclave(true).account(CloudAccount.from("001122334455")).build(),
new MockNameResolver().mockAnyLookup());
ProvisioningTester provisioningTester = tester.provisioningTester;
ApplicationId applicationId = ApplicationId.from("t1", "a1", "i1");
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 0f6962087a8..ab99a44cbab 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -6,7 +6,6 @@ import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.Capacity;
import com.yahoo.config.provision.Cloud;
import com.yahoo.config.provision.CloudAccount;
-import com.yahoo.config.provision.CloudName;
import com.yahoo.config.provision.ClusterResources;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.NodeResources;
@@ -120,7 +119,7 @@ public class AclProvisioningTest {
assertEquals(Set.of(), nodeAcl.trustedUdpPorts());
// WireGuard UDP port is trusted in Public AWS zones
- var publicTester = new ProvisioningTester.Builder().zone(new Zone(Cloud.builder().name(CloudName.AWS).account(CloudAccount.from("000000000000")).build(), SystemName.Public, Environment.defaultEnvironment(), RegionName.defaultName())).build();
+ var publicTester = new ProvisioningTester.Builder().zone(new Zone(Cloud.builder().allowEnclave(true).account(CloudAccount.from("000000000000")).build(), SystemName.Public, Environment.defaultEnvironment(), RegionName.defaultName())).build();
publicTester.makeConfigServers(3, "default", Version.fromString("6.123.456"));
Node publicCfgNode = publicTester.nodeRepository().nodes().node("cfg1")
.orElseThrow(() -> new RuntimeException("Failed to find cfg1"));
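Review bot: The comment `// WireGuard UDP port is trusted in Public AWS zones` is stale, since the zone built on the next line no longer sets `CloudName.AWS` and the rule now depends on `allowEnclave`. Suggest `// WireGuard UDP port is trusted in public zones that allow enclave`. A negative case, where a public zone built without `allowEnclave(true)` asserts that `trustedUdpPorts()` stays empty, is not visible in this hunk and would pin the new gating. The test method continues outside the hunk.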
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisionerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisionerTest.java
index 36fc2eb25a4..673e7610514 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisionerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisionerTest.java
@@ -7,7 +7,6 @@ import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.Capacity;
import com.yahoo.config.provision.Cloud;
import com.yahoo.config.provision.CloudAccount;
-import com.yahoo.config.provision.CloudName;
import com.yahoo.config.provision.ClusterInfo;
import com.yahoo.config.provision.ClusterResources;
import com.yahoo.config.provision.ClusterSpec;
@@ -67,7 +66,7 @@ public class LoadBalancerProvisionerTest {
private final InMemoryFlagSource flagSource = new InMemoryFlagSource();
private final ProvisioningTester tester = new ProvisioningTester.Builder().flagSource(flagSource)
- .zone(new Zone(Cloud.builder().name(CloudName.AWS).account(CloudAccount.from("001122334455")).build(), SystemName.main, Environment.prod, RegionName.defaultName())).build();
+ .zone(new Zone(Cloud.builder().allowEnclave(true).account(CloudAccount.from("001122334455")).build(), SystemName.main, Environment.prod, RegionName.defaultName())).build();
@Test
public void provision_load_balancer() {