author | Håkon Hallingstad <hakon.hallingstad@gmail.com> | 2023-05-15 10:50:54 +0200 |
committer | GitHub <noreply@github.com> | 2023-05-15 10:50:54 +0200 |
commit | 9dc5add04dbc9644f7cfd8abdf4679e9e1241ebc (patch) | |
tree | 98754cbca987a2781d272c5707565f0830591295 | |
parent | 51df69aa6d2adeef471e443f1b2200eb5d674160 (diff) | |
parent | 6b037ecce1d00faac709e5b46bcb246b9397aa2a (diff) |
Merge pull request #27102 from vespa-engine/freva/enforce-in-gcp
Reprovision in enclave compatible clouds
8 files changed, 24 insertions, 17 deletions
diff --git a/config-provisioning/src/main/java/com/yahoo/config/provision/Cloud.java b/config-provisioning/src/main/java/com/yahoo/config/provision/Cloud.java
index ef2fceea1bd..94f01aba9e8 100644
--- a/config-provisioning/src/main/java/com/yahoo/config/provision/Cloud.java
+++ b/config-provisioning/src/main/java/com/yahoo/config/provision/Cloud.java
@@ -14,18 +14,20 @@ public class Cloud {
 private final boolean dynamicProvisioning;
 private final boolean allowHostSharing;
+ private final boolean allowEnclave;
 private final boolean requireAccessControl;
 private final CloudAccount account;
- private Cloud(CloudName name, boolean dynamicProvisioning, boolean allowHostSharing, boolean requireAccessControl,
- CloudAccount account) {
+ private Cloud(CloudName name, boolean dynamicProvisioning, boolean allowHostSharing, boolean allowEnclave,
+ boolean requireAccessControl, CloudAccount account) {
 this.name = Objects.requireNonNull(name);
 this.dynamicProvisioning = dynamicProvisioning;
 this.allowHostSharing = allowHostSharing;
+ this.allowEnclave = allowEnclave;
 this.requireAccessControl = requireAccessControl;
 this.account = Objects.requireNonNull(account);
- if ((name.equals(CloudName.AWS) || name.equals(CloudName.GCP)) && account.isUnspecified()) {
- throw new IllegalArgumentException("Account must be non-empty in cloud '" + name + "'");
+ if (allowEnclave && account.isUnspecified()) {
+ throw new IllegalArgumentException("Account must be non-empty in '" + name + "'");
 }
 }
@@ -42,6 +44,9 @@ public class Cloud {
 /** Returns whether this allows host sharing */
 public boolean allowHostSharing() { return allowHostSharing; }
+ /** Returns whether this allows deployments to enclave */
+ public boolean allowEnclave() { return allowEnclave; }
+
 /** Returns whether to require access control for all clusters in this */
 public boolean requireAccessControl() { return requireAccessControl; 
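Review bot: The new `allowEnclave()` accessor's Javadoc does not record the invariant the constructor now enforces, namely that an enclave-capable cloud always carries a specified account; the `if (allowEnclave && account.isUnspecified())` check replaces the earlier name-based AWS/GCP check, so that guarantee now holds only when the flag is set. Suggest `/** Returns whether this allows deployments to enclave. When true, the cloud account is guaranteed to be specified (enforced by the constructor). */`. Since the builder defaults `allowEnclave` to false, an AWS or GCP cloud built without `.allowEnclave(true)` is no longer rejected for a missing account; if that relaxation is intended, a sentence saying so in the same Javadoc would spare the next reader from re-adding the name check.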
@@ -66,6 +71,7 @@ public class Cloud {
 private CloudName name = CloudName.DEFAULT;
 private boolean dynamicProvisioning = false;
 private boolean allowHostSharing = true;
+ private boolean allowEnclave = false;
 private boolean requireAccessControl = false;
 private CloudAccount account = CloudAccount.empty;
@@ -86,6 +92,11 @@ public class Cloud {
 return this;
 }
+ public Builder allowEnclave(boolean allowEnclave) {
+ this.allowEnclave = allowEnclave;
+ return this;
+ }
+
 public Builder requireAccessControl(boolean requireAccessControl) {
 this.requireAccessControl = requireAccessControl;
 return this;
@@ -97,7 +108,7 @@ public class Cloud {
 }
 public Cloud build() {
- return new Cloud(name, dynamicProvisioning, allowHostSharing, requireAccessControl, account);
+ return new Cloud(name, dynamicProvisioning, allowHostSharing, allowEnclave, requireAccessControl, account);
 }
 }
diff --git a/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java b/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java
index 97234056705..17010fe3fd3 100644
--- a/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java
+++ b/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java
@@ -1,8 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.config.provision;
-import com.yahoo.component.annotation.Inject;
 import com.yahoo.cloud.config.ConfigserverConfig;
+import com.yahoo.component.annotation.Inject;
 import com.yahoo.config.provisioning.CloudConfig;
 import java.util.Objects;
@@ -27,6 +27,7 @@ public class Zone {
 .name(CloudName.from(configserverConfig.cloud()))
 .dynamicProvisioning(cloudConfig.dynamicProvisioning())
 .allowHostSharing(cloudConfig.allowHostSharing())
+ .allowEnclave(cloudConfig.dynamicProvisioning())
 .requireAccessControl(cloudConfig.requireAccessControl())
 .account(CloudAccount.from(cloudConfig.account()))
 .build(),
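Review bot: `.allowEnclave(cloudConfig.dynamicProvisioning())` in the Zone hunk derives enclave capability from the dynamic-provisioning flag rather than from a dedicated config value, so every dynamically provisioned zone is treated as enclave-capable, and with the new constructor check such a zone now fails to construct when its configured account is unspecified. If that coupling is deliberate, a comment on the line keeps the next reader from "fixing" it: `// Enclave capability is implied by dynamic provisioning until CloudConfig carries an explicit setting`. Otherwise a dedicated CloudConfig setting (a hypothetical `allowEnclave` field) would make the capability explicit and decouple the two flags. The Zone constructor this call sits in starts outside the hunk.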
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index 5106b786691..843ba240ce9 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -2,7 +2,6 @@
 package com.yahoo.vespa.hosted.provision.node;
 import com.google.common.collect.ImmutableSet;
-import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.NodeType;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.vespa.hosted.provision.Node;
@@ -97,7 +96,7 @@ public record NodeAcl(Node node,
 NodeType.proxyhost, NodeType.proxy), RPC_PORTS));
 trustedPorts.add(4443);
- if (zone.system().isPublic() && zone.cloud().name().equals(CloudName.AWS)) {
+ if (zone.system().isPublic() && zone.cloud().allowEnclave()) {
 trustedUdpPorts.add(WIREGUARD_PORT);
 }
 }
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisioner.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisioner.java
index 61b0ae80c98..ae1edab7fad 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisioner.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisioner.java
@@ -5,7 +5,6 @@ import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.ApplicationTransaction;
 import com.yahoo.config.provision.CloudAccount;
-import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.config.provision.HostName;
 import com.yahoo.config.provision.NodeType;
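Review bot: The rewritten condition in NodeAcl widens the trust of `WIREGUARD_PORT` on public-zone nodes from AWS only to every cloud whose `allowEnclave()` is set, which is an ACL change for other enclave-capable clouds, yet the hunk carries no comment on why enclave capability is the right gate. Suggest a line above the `if`: `// Enclave hosts in public zones need the WireGuard port open; gate on enclave capability rather than cloud name`. Because Zone now sets `allowEnclave` from `cloudConfig.dynamicProvisioning()`, this port presumably also becomes trusted in any dynamically provisioned public zone, so a test pinning the non-enclave public case would document the intended boundary. The enclosing method starts outside the hunk.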
@@ -318,7 +317,7 @@ public class LoadBalancerProvisioner {
 /** Returns whether load balancer is provisioned in given account */
 private boolean inAccount(CloudAccount cloudAccount, LoadBalancer loadBalancer) {
- return !nodeRepository.zone().cloud().name().equals(CloudName.AWS) || loadBalancer.instance().isEmpty() || loadBalancer.instance().get().cloudAccount().equals(cloudAccount);
+ return !nodeRepository.zone().cloud().allowEnclave() || loadBalancer.instance().isEmpty() || loadBalancer.instance().get().cloudAccount().equals(cloudAccount);
 }
 /** Find IP addresses reachable by the load balancer service */
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/NodeAllocation.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/NodeAllocation.java
index f3f4e85f4b2..7f0d201b3e4 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/NodeAllocation.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/NodeAllocation.java
@@ -2,7 +2,6 @@
 package com.yahoo.vespa.hosted.provision.provisioning;
 import com.yahoo.config.provision.ApplicationId;
-import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.ClusterMembership;
 import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.config.provision.Flavor;
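Review bot: `inAccount` is still documented as "Returns whether load balancer is provisioned in given account", but its first clause makes it return true for every load balancer whenever the cloud does not allow enclave, so the name and Javadoc promise more than the method checks. Suggest `/** Returns whether load balancer is provisioned in given account; always true in clouds without enclave support, where load balancers are not matched on account */`. The three-way `||` would also read more easily with one clause per line, keeping the enclave gate first so the short-circuit is visible.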
@@ -121,7 +120,7 @@ class NodeAllocation {
 if ( candidate.state() == Node.State.active && allocation.removable()) continue; // don't accept; causes removal
 if ( candidate.state() == Node.State.active && candidate.wantToFail()) continue; // don't accept; causes failing
 if ( indexes.contains(membership.index())) continue; // duplicate index (just to be sure)
- if (nodeRepository.zone().cloud().name().equals(CloudName.AWS) && candidate.parent.isPresent() && ! candidate.parent.get().cloudAccount().equals(requestedNodes.cloudAccount())) continue; // wrong account
+ if (nodeRepository.zone().cloud().allowEnclave() && candidate.parent.isPresent() && ! candidate.parent.get().cloudAccount().equals(requestedNodes.cloudAccount())) continue; // wrong account
 boolean resizeable = requestedNodes.considerRetiring() && candidate.isResizable;
 boolean acceptToRetire = acceptToRetire(candidate);
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java
index 3992401e29f..7f5bb79b20c 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java
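Review bot: The rewritten `continue` guard packs the enclave gate, the parent lookup and the account comparison into one very long condition, unlike the short one-line guards above it, and `nodeRepository.zone().cloud().allowEnclave()` appears to be invariant across the candidates being iterated. Suggest a named local before the guard, `boolean wrongAccount = nodeRepository.zone().cloud().allowEnclave() && candidate.parent.isPresent() && ! candidate.parent.get().cloudAccount().equals(requestedNodes.cloudAccount());` followed by `if (wrongAccount) continue; // wrong account`. The enclosing loop and method start outside the hunk, so hoisting the enclave lookup above the loop would have to be done there.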
@@ -460,7 +460,7 @@ public class HostCapacityMaintainerTest {
 @Test
 public void custom_cloud_account() {
- DynamicProvisioningTester tester = new DynamicProvisioningTester(Cloud.builder().name(CloudName.AWS).dynamicProvisioning(true).account(CloudAccount.from("001122334455")).build(),
+ DynamicProvisioningTester tester = new DynamicProvisioningTester(Cloud.builder().name(CloudName.AWS).dynamicProvisioning(true).allowEnclave(true).account(CloudAccount.from("001122334455")).build(),
 new MockNameResolver().mockAnyLookup());
 ProvisioningTester provisioningTester = tester.provisioningTester;
 ApplicationId applicationId = ApplicationId.from("t1", "a1", "i1");
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 0f6962087a8..ab99a44cbab 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -6,7 +6,6 @@ import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.Capacity;
 import com.yahoo.config.provision.Cloud;
 import com.yahoo.config.provision.CloudAccount;
-import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.ClusterResources;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.config.provision.NodeResources;
@@ -120,7 +119,7 @@ public class AclProvisioningTest {
 assertEquals(Set.of(), nodeAcl.trustedUdpPorts());
 // WireGuard UDP port is trusted in Public AWS zones
- var publicTester = new ProvisioningTester.Builder().zone(new Zone(Cloud.builder().name(CloudName.AWS).account(CloudAccount.from("000000000000")).build(), SystemName.Public, Environment.defaultEnvironment(), RegionName.defaultName())).build();
+ var publicTester = new ProvisioningTester.Builder().zone(new Zone(Cloud.builder().allowEnclave(true).account(CloudAccount.from("000000000000")).build(), SystemName.Public, Environment.defaultEnvironment(), RegionName.defaultName())).build();
 publicTester.makeConfigServers(3, "default", Version.fromString("6.123.456"));
 Node publicCfgNode = publicTester.nodeRepository().nodes().node("cfg1")
 .orElseThrow(() -> new RuntimeException("Failed to find cfg1"));
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisionerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisionerTest.java
index 36fc2eb25a4..673e7610514 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisionerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/LoadBalancerProvisionerTest.java
@@ -7,7 +7,6 @@ import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.Capacity;
 import com.yahoo.config.provision.Cloud;
 import com.yahoo.config.provision.CloudAccount;
-import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.ClusterInfo;
 import com.yahoo.config.provision.ClusterResources;
 import com.yahoo.config.provision.ClusterSpec;
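Review bot: The context comment `// WireGuard UDP port is trusted in Public AWS zones` is now stale: the tester on the next line no longer names AWS and instead sets `allowEnclave(true)`, which is the property the production check in NodeAcl keys on. Suggest `// WireGuard UDP port is trusted in public zones of enclave-capable clouds`. Since the Cloud builder defaults the name, a reader may also wonder whether the default cloud name is meant to be under test here; a short comment on the builder line saying the name is irrelevant to this assertion would settle that.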
@@ -67,7 +66,7 @@ public class LoadBalancerProvisionerTest {
 private final InMemoryFlagSource flagSource = new InMemoryFlagSource();
 private final ProvisioningTester tester = new ProvisioningTester.Builder().flagSource(flagSource)
- .zone(new Zone(Cloud.builder().name(CloudName.AWS).account(CloudAccount.from("001122334455")).build(), SystemName.main, Environment.prod, RegionName.defaultName())).build();
+ .zone(new Zone(Cloud.builder().allowEnclave(true).account(CloudAccount.from("001122334455")).build(), SystemName.main, Environment.prod, RegionName.defaultName())).build();
 @Test
 public void provision_load_balancer() { |