authorMorten Tokle <mortent@verizonmedia.com>2020-01-17 08:11:14 +0100
committerGitHub <noreply@github.com>2020-01-17 08:11:14 +0100
commit0d7939b7036d2b0f8960f43edcafe6eff5051f7a (patch)
tree2862449602323712ee32aed0f7c6d2c6ea204e4b
parent1b3b4b3722dcc0079bd62d4b631860bdc06dfcab (diff)
parentd95ea7404aca7575009c56668eb519bc0db6a8b6 (diff)
Merge pull request #11821 from vespa-engine/bjorncs/additional-container-port-hosted-4443
Bjorncs/additional container port hosted 4443
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java28
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java40
2 files changed, 49 insertions, 19 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index d00ce3974fa..7a08a3c1a7b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.model.container.http.ssl;
import com.yahoo.config.model.api.TlsSecrets;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
+import com.yahoo.vespa.model.container.component.SimpleComponent;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
import java.util.List;
@@ -19,16 +20,33 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
private final boolean enforceClientAuth;
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets) {
- this(serverName, tlsSecrets, null, false);
+ /**
+ * Create connector factory that uses a certificate provided by the config-model / configserver.
+ */
+ public static HostedSslConnectorFactory withProvidedCertificate(String serverName, TlsSecrets tlsSecrets) {
+ return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, /*tlsCaCertificates*/null), false);
}
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates, boolean enforceClientAuth) {
- super("tls4443", 4443, createSslProvider(serverName, tlsSecrets, tlsCaCertificates));
+ /**
+ * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application.
+ */
+ public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+ return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, tlsCaCertificates), true);
+ }
+
+ /**
+ * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
+ */
+ public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) {
+ return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true);
+ }
+
+ private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
+ super("tls4443", 4443, sslProviderComponent);
this.enforceClientAuth = enforceClientAuth;
}
- private static ConfiguredDirectSslProvider createSslProvider(
+ private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
return new ConfiguredDirectSslProvider(
serverName,
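Review bot: `withProvidedCertificateAndTruststore` turns client-certificate enforcement on but accepts `tlsCaCertificates` without any check, while the sibling `withProvidedCertificate` explicitly passes `null` for the same argument; a null truststore combined with `enforceClientAuth=true` is a contradictory configuration that should fail at model-build time with a clear message rather than whenever `ConfiguredDirectSslProvider` or the connector first touches it. Add `Objects.requireNonNull(tlsCaCertificates, "tlsCaCertificates");` as the first statement of that factory (the file imports `java.util.List` but would need `java.util.Objects` as well). The three Javadocs also leave the most security-relevant difference implicit: say it outright, e.g. on `withProvidedCertificate` append `Client certificates are NOT required on this connector.` and on the other two `Client certificates are required (enforceClientAuth is set).` How the `enforceClientAuth` flag is mapped onto `ConnectorConfig.Ssl.ClientAuth` happens outside this hunk, so that wording should be checked against the rest of the class before committing it.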
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 7dba9d7cfff..3da0b01f614 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -10,8 +10,10 @@ import com.yahoo.config.application.api.DeployLogger;
import com.yahoo.config.application.api.DeploymentInstanceSpec;
import com.yahoo.config.application.api.DeploymentSpec;
import com.yahoo.config.model.ConfigModelContext;
+import com.yahoo.config.model.ConfigModelContext.ApplicationType;
import com.yahoo.config.model.api.ConfigServerSpec;
import com.yahoo.config.model.api.ContainerEndpoint;
+import com.yahoo.config.model.api.TlsSecrets;
import com.yahoo.config.model.application.provider.IncludeDirs;
import com.yahoo.config.model.builder.xml.ConfigModelBuilder;
import com.yahoo.config.model.builder.xml.ConfigModelId;
@@ -187,7 +189,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
cluster.addDefaultHandlersExceptStatus();
addStatusHandlers(cluster, context.getDeployState().isHosted());
- addHttp(deployState, spec, cluster);
+ addHttp(deployState, spec, cluster, context.getApplicationType(), deployState.getProperties().applicationId().instance().isTester());
addAccessLogs(deployState, cluster, spec);
addRoutingAliases(cluster, spec, deployState.zone().environment());
@@ -309,22 +311,38 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
}
- private void addHttp(DeployState deployState, Element spec, ApplicationContainerCluster cluster) {
+ private void addHttp(DeployState deployState, Element spec, ApplicationContainerCluster cluster, ApplicationType applicationType, boolean isTesterApplication) {
Element httpElement = XML.getChild(spec, "http");
if (httpElement != null) {
cluster.setHttp(buildHttp(deployState, cluster, httpElement));
}
+ if (deployState.isHosted() && applicationType == ApplicationType.DEFAULT && !isTesterApplication) {
+ addAdditionalHostedConnector(deployState, cluster);
+ }
+ }
+
+ private void addAdditionalHostedConnector(DeployState deployState, ApplicationContainerCluster cluster) {
+ addImplicitHttpIfNotPresent(cluster);
+ JettyHttpServer server = cluster.getHttp().getHttpServer();
+ String serverName = server.getComponentId().getName();
+
// If the deployment contains certificate/private key reference, setup TLS port
if (deployState.tlsSecrets().isPresent()) {
- addTlsPort(deployState, cluster);
+ boolean authorizeClient = deployState.zone().system().isPublic();
+ if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
+ throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/security-model#data-plane");
+ }
+ TlsSecrets tlsSecrets = deployState.tlsSecrets().get();
+ HostedSslConnectorFactory connectorFactory = authorizeClient
+ ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, tlsSecrets, deployState.tlsClientAuthority().get())
+ : HostedSslConnectorFactory.withProvidedCertificate(serverName, tlsSecrets);
+ server.addConnector(connectorFactory);
+ } else {
+ server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName));
}
}
- private void addTlsPort(DeployState deployState, ApplicationContainerCluster cluster) {
- boolean authorizeClient = deployState.zone().system().isPublic();
- if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
- throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/security-model#data-plane");
- }
+ private static void addImplicitHttpIfNotPresent(ApplicationContainerCluster cluster) {
if(cluster.getHttp() == null) {
Http http = new Http(Collections.emptyList());
http.setFilterChains(new FilterChains(cluster));
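Review bot: In `addAdditionalHostedConnector` the non-public branch (`withProvidedCertificate`) adds the tls4443 connector with no application truststore and client-auth enforcement off, while both the public branch and the no-secrets fallback enforce client certificates; the asymmetry is clearly intended via `authorizeClient`, but nothing in the code states what protects the data plane on 4443 in non-public systems, and with this change the connector is added to every hosted DEFAULT non-tester application instead of only when `tlsSecrets` is present. Document the intent at the branch, e.g. `// Non-public systems: application certificate, client certificates not required on 4443 - access control is expected from the surrounding filter chain (confirm)` and on the `else` branch `// No application certificate: fall back to Vespa-global TLS config (default certificate and truststore, client auth enforced)`. A short Javadoc on `addAdditionalHostedConnector` listing the three outcomes (public + secrets, non-public + secrets, no secrets) would make the security posture reviewable without reading `HostedSslConnectorFactory`. Note that `addImplicitHttpIfNotPresent` starts in this hunk and its body ends in the next one.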
@@ -335,12 +353,6 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
cluster.getHttp().setHttpServer(defaultHttpServer);
defaultHttpServer.addConnector(new ConnectorFactory("SearchServer", Defaults.getDefaults().vespaWebServicePort()));
}
- JettyHttpServer server = cluster.getHttp().getHttpServer();
- String serverName = server.getComponentId().getName();
- HostedSslConnectorFactory connectorFactory = authorizeClient
- ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get(), true)
- : new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get());
- server.addConnector(connectorFactory);
}
private Http buildHttp(DeployState deployState, ApplicationContainerCluster cluster, Element httpElement) {