Add feature flag for OCSP Stapling on application container clusters

author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-12-20 14:29:35 +0100
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-12-20 14:44:10 +0100
commit: f5942840a46d6e402265d0c4cabb0772c53e688e (patch)
tree: 93bc263cb117b0eaae5a17e7ceb5fccad5033979
parent: 13bfda97a5427c17789e7b70f7dee5df32aaeb51 (diff)
4 files changed, 29 insertions, 3 deletions
diff --git a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
index 6c70af8cbca..9fef9b4615d 100644
--- a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
+++ b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
@@ -113,6 +113,7 @@ public interface ModelContext {
         @ModelFeatureFlag(owners = {"baldersheim", "geirst", "toregge"}) default int maxCompactBuffers() { return 1; }
         @ModelFeatureFlag(owners = {"hmusum"}) default boolean failDeploymentWithInvalidJvmOptions() { return false; }
         @ModelFeatureFlag(owners = {"baldersheim"}) default double tlsSizeFraction() { throw new UnsupportedOperationException("TODO specify default value"); }
+        @ModelFeatureFlag(owners = {"bjorncs"}) default boolean enableServerOcspStapling() { return false; }
     }
 
     /** Warning: As elsewhere in this package, do not make backwards incompatible changes that will break old config models! */
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java
index 9ad257fad04..8b6e7163b6b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java
@@ -23,6 +23,7 @@ public final class ApplicationContainer extends Container implements
     private static final String defaultHostedJVMArgs = "-XX:+SuppressFatalErrorMessage";
 
     private final boolean isHostedVespa;
+    private final boolean enableServerOcspStapling;
 
     public ApplicationContainer(AbstractConfigProducer<?> parent, String name, int index, DeployState deployState) {
         this(parent, name, false, index, deployState);
@@ -31,6 +32,7 @@ public final class ApplicationContainer extends Container implements
     public ApplicationContainer(AbstractConfigProducer<?> parent, String name, boolean retired, int index, DeployState deployState) {
         super(parent, name, retired, index, deployState);
         this.isHostedVespa = deployState.isHosted();
+        this.enableServerOcspStapling = deployState.featureFlags().enableServerOcspStapling();
 
         addComponent(new SimpleComponent("com.yahoo.container.jdisc.messagebus.NetworkMultiplexerHolder"));
         addComponent(new SimpleComponent("com.yahoo.container.jdisc.messagebus.NetworkMultiplexerProvider"));
@@ -64,10 +66,23 @@ public final class ApplicationContainer extends Container implements
     /** Returns the jvm arguments this should start with */
     @Override
     public String getJvmOptions() {
+        StringBuilder b = new StringBuilder();
+        if (isHostedVespa) {
+            if (hasDocproc()) {
+                b.append(ApplicationContainer.defaultHostedJVMArgs).append(' ');
+            }
+            if (enableServerOcspStapling) {
+                b.append("-Djdk.tls.server.enableStatusRequestExtension=true ")
+                        .append("-Djdk.tls.stapling.responseTimeout=2000 ")
+                        .append("-Djdk.tls.stapling.cacheSize=256 ")
+                        .append("-Djdk.tls.stapling.cacheLifetime=3600 ");
+            }
+        }
         String jvmArgs = super.getJvmOptions();
-        return isHostedVespa && hasDocproc()
-                ? ("".equals(jvmArgs) ? defaultHostedJVMArgs : defaultHostedJVMArgs + " " + jvmArgs)
-                : jvmArgs;
+        if (!jvmArgs.isBlank()) {
+             b.append(jvmArgs.trim()).append(' ');
+        }
+        return b.toString().trim();
     }
 
     private boolean hasDocproc() {
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
index 063603fe8a8..d69fe4fba89 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
@@ -205,6 +205,7 @@ public class ModelContextImpl implements ModelContext {
         private final int maxCompactBuffers;
         private final boolean failDeploymentWithInvalidJvmOptions;
         private final double tlsSizeFraction;
+        private final boolean enableServerOcspStapling;
 
         public FeatureFlags(FlagSource source, ApplicationId appId) {
             this.defaultTermwiseLimit = flagValue(source, appId, Flags.DEFAULT_TERM_WISE_LIMIT);
@@ -248,6 +249,7 @@ public class ModelContextImpl implements ModelContext {
             this.maxCompactBuffers = flagValue(source, appId, Flags.MAX_COMPACT_BUFFERS);
             this.failDeploymentWithInvalidJvmOptions = flagValue(source, appId, Flags.FAIL_DEPLOYMENT_WITH_INVALID_JVM_OPTIONS);
             this.tlsSizeFraction = flagValue(source, appId, Flags.TLS_SIZE_FRACTION);
+            this.enableServerOcspStapling = flagValue(source, appId, Flags.ENABLE_SERVER_OCSP_STAPLING);
         }
 
         @Override public double defaultTermwiseLimit() { return defaultTermwiseLimit; }
@@ -293,6 +295,7 @@ public class ModelContextImpl implements ModelContext {
         @Override public boolean failDeploymentWithInvalidJvmOptions() { return failDeploymentWithInvalidJvmOptions; }
         @Override public int maxCompactBuffers() { return maxCompactBuffers; }
         @Override public double tlsSizeFraction() { return tlsSizeFraction; }
+        @Override public boolean enableServerOcspStapling() { return enableServerOcspStapling; }
 
         private static <V> V flagValue(FlagSource source, ApplicationId appId, UnboundFlag<? extends V, ?, ?> flag) {
             return flag.bindTo(source)
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index e4a32e792e8..f6f3bf29c3d 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
@@ -400,6 +400,13 @@ public class Flags {
             "Takes effect at redeployment",
             ZONE_ID, APPLICATION_ID);
 
+    public static final UnboundBooleanFlag ENABLE_SERVER_OCSP_STAPLING = defineFeatureFlag(
+            "enable-server-ocsp-stapling", false,
+            List.of("bjorncs"), "2021-12-17", "2022-06-01",
+            "Enable server OCSP stapling for jdisc containers",
+            "Takes effect on redeployment",
+            ZONE_ID, APPLICATION_ID);
+
     /** WARNING: public for testing: All flags should be defined in {@link Flags}. */
     public static UnboundBooleanFlag defineFeatureFlag(String flagId, boolean defaultValue, List<String> owners,
                                                        String createdAt, String expiresAt, String description,
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-12-20 14:29:35 +0100
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-12-20 14:44:10 +0100
commit	f5942840a46d6e402265d0c4cabb0772c53e688e (patch)
tree	93bc263cb117b0eaae5a17e7ceb5fccad5033979
parent	13bfda97a5427c17789e7b70f7dee5df32aaeb51 (diff)