author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-14 16:43:04 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-14 16:43:22 +0200 |
commit | 960d1e9ac0ddc27ba93572e3d1f434cc96d2f534 (patch) | |
tree | 133270542c342b7ec42172eb22d9b2b2190c7fef | |
parent | 8b47b122003f768978acdc22f572e8db31c1e36e (diff) |
Allow bare metal tenant nodes with Calypso certificate
2 files changed, 23 insertions, 0 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
index e78bcb6b5e8..49f8b704c5e 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
@@ -97,6 +97,10 @@ class NodeIdentifier {
 }
 private String getHostFromVespaCertificate(List<SubjectAlternativeName> sans) {
+ // TODO Remove this branch once all BM nodes are gone
+ if (sans.stream().anyMatch(san -> san.getValue().endsWith("ostk.yahoo.cloud"))) {
+ return getHostFromCalypsoCertificate(sans);
+ }
 VespaUniqueInstanceId instanceId = VespaUniqueInstanceId.fromDottedString(getUniqueInstanceId(sans));
 if (!zone.environment().value().equals(instanceId.environment())) throw new NodeIdentifierException("Invalid environment: " + instanceId.environment());
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
index 9c441e82a84..445d18bed7c 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
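Review bot: The suffix test in the new branch of getHostFromVespaCertificate, `san.getValue().endsWith("ostk.yahoo.cloud")`, has no label boundary, and `anyMatch` lets a single matching SAN route the whole certificate to getHostFromCalypsoCertificate, skipping the environment check that follows. A name such as `xostk.yahoo.cloud` would satisfy it, so the match should at least start with a dot, `endsWith(".ostk.yahoo.cloud")`, or use the full suffix that the accompanying test adds, `.instanceid.athenz.ostk.yahoo.cloud`. How much this matters depends on which issuers are trusted for certificates reaching this method and on what getHostFromCalypsoCertificate validates, neither of which is visible here; a comment stating that assumption next to the TODO would help whoever removes the branch. The method body continues outside the hunk.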
@@ -201,6 +201,25 @@ public class NodeIdentifierTest {
 assertEquals(CONTROLLER_IDENTITY, identity.getHostIdentityName());
 }
+ @Test
+ public void accepts_openstack_bm_tenant_certificate() {
+ NodeRepositoryTester nodeRepositoryDummy = new NodeRepositoryTester();
+ nodeRepositoryDummy.addNode(OPENSTACK_ID, HOSTNAME, INSTANCE_ID, NodeType.tenant);
+ nodeRepositoryDummy.setNodeState(HOSTNAME, Node.State.active);
+ Pkcs10Csr csr = Pkcs10CsrBuilder
+ .fromKeypair(new X500Principal("CN=" + TENANT_DOCKER_CONTAINER_IDENTITY), KEYPAIR, SHA256_WITH_RSA)
+ .build();
+ X509Certificate certificate = X509CertificateBuilder
+ .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
+ .addSubjectAlternativeName(OPENSTACK_ID + ".instanceid.athenz.ostk.yahoo.cloud")
+ .build();
+ NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
+ NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
+ assertTrue(identity.getHostname().isPresent());
+ assertEquals(HOSTNAME, identity.getHostname().get());
+ assertEquals(TENANT_DOCKER_CONTAINER_IDENTITY, identity.getHostIdentityName());
+ }
+
 private static Node createNode(String clusterId, int clusterIndex, String tenant, String application) {
 return Node .createDockerNode( |
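Review bot: accepts_openstack_bm_tenant_certificate covers only the accepting path, so nothing pins where the new Calypso branch stops. A companion test that builds the same tenant certificate with a SAN ending in `ostk.yahoo.cloud` but not under `.instanceid.athenz.ostk.yahoo.cloud`, or with an OpenStack id that was never added to the node repository, and asserts that resolveNode rejects it would guard that boundary. The certificate is also valid only for 60 seconds from `Instant.EPOCH`, which suggests resolveNode does not check validity itself; if expiry is enforced elsewhere, a one-line comment such as `// validity is checked by the TLS layer, not by NodeIdentifier` (wording to be confirmed) would avoid confusion.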