author | Morten Tokle <mortent@verizonmedia.com> | 2020-01-17 08:11:14 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-17 08:11:14 +0100 |
commit | 0d7939b7036d2b0f8960f43edcafe6eff5051f7a (patch) | |
tree | 2862449602323712ee32aed0f7c6d2c6ea204e4b | |
parent | 1b3b4b3722dcc0079bd62d4b631860bdc06dfcab (diff) | |
parent | d95ea7404aca7575009c56668eb519bc0db6a8b6 (diff) |
Merge pull request #11821 from vespa-engine/bjorncs/additional-container-port-hosted-4443
Bjorncs/additional container port hosted 4443
2 files changed, 49 insertions, 19 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index d00ce3974fa..7a08a3c1a7b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.model.container.http.ssl;
 import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.jdisc.http.ConnectorConfig;
 import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
+import com.yahoo.vespa.model.container.component.SimpleComponent;
 import com.yahoo.vespa.model.container.http.ConnectorFactory;
 import java.util.List;
 
@@ -19,16 +20,33 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 private final boolean enforceClientAuth;
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets) {
- this(serverName, tlsSecrets, null, false);
+ /**
+ * Create connector factory that uses a certificate provided by the config-model / configserver.
+ */
+ public static HostedSslConnectorFactory withProvidedCertificate(String serverName, TlsSecrets tlsSecrets) {
+ return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, /*tlsCaCertificates*/null), false);
 }
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates, boolean enforceClientAuth) {
- super("tls4443", 4443, createSslProvider(serverName, tlsSecrets, tlsCaCertificates));
+ /**
+ * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application.
+ */
+ public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+ return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, tlsCaCertificates), true);
+ }
+
+ /**
+ * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
+ */
+ public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) {
+ return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true);
+ }
+
+ private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
+ super("tls4443", 4443, sslProviderComponent);
 this.enforceClientAuth = enforceClientAuth;
 }
- private static ConfiguredDirectSslProvider createSslProvider(
+ private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
 String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
 return new ConfiguredDirectSslProvider(
 serverName,
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 7dba9d7cfff..3da0b01f614 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -10,8 +10,10 @@ import com.yahoo.config.application.api.DeployLogger;
 import com.yahoo.config.application.api.DeploymentInstanceSpec;
 import com.yahoo.config.application.api.DeploymentSpec;
 import com.yahoo.config.model.ConfigModelContext;
+import com.yahoo.config.model.ConfigModelContext.ApplicationType;
 import com.yahoo.config.model.api.ConfigServerSpec;
 import com.yahoo.config.model.api.ContainerEndpoint;
+import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.config.model.application.provider.IncludeDirs;
 import com.yahoo.config.model.builder.xml.ConfigModelBuilder;
 import com.yahoo.config.model.builder.xml.ConfigModelId;
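Review bot: The Javadoc on `withProvidedCertificate` does not say that the connector it builds has `enforceClientAuth` set to false and no CA certificates, which, as far as the hunk shows, are the only two differences from `withProvidedCertificateAndTruststore`; a caller picking between the two factories cannot tell that from the summary sentence. Add to that Javadoc `* Client certificate authentication is not enforced on this connector; use {@link #withProvidedCertificateAndTruststore} when clients must present a certificate.` and a matching sentence on `withProvidedCertificateAndTruststore` and `withDefaultCertificateAndTruststore` stating that they do enforce it. The private constructor also hard-codes the `"tls4443"`/4443 binding shared by all three factories without a comment; `// All hosted connectors bind the additional TLS port 4443` above `super(...)` would make that visible. The class and `createConfiguredDirectSslProvider` continue past the end of the hunk.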
@@ -187,7 +189,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 cluster.addDefaultHandlersExceptStatus();
 addStatusHandlers(cluster, context.getDeployState().isHosted());
- addHttp(deployState, spec, cluster);
+ addHttp(deployState, spec, cluster, context.getApplicationType(), deployState.getProperties().applicationId().instance().isTester());
 addAccessLogs(deployState, cluster, spec);
 addRoutingAliases(cluster, spec, deployState.zone().environment());
@@ -309,22 +311,38 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 }
- private void addHttp(DeployState deployState, Element spec, ApplicationContainerCluster cluster) {
+ private void addHttp(DeployState deployState, Element spec, ApplicationContainerCluster cluster, ApplicationType applicationType, boolean isTesterApplication) {
 Element httpElement = XML.getChild(spec, "http");
 if (httpElement != null) {
 cluster.setHttp(buildHttp(deployState, cluster, httpElement));
 }
+ if (deployState.isHosted() && applicationType == ApplicationType.DEFAULT && !isTesterApplication) {
+ addAdditionalHostedConnector(deployState, cluster);
+ }
+ }
+
+ private void addAdditionalHostedConnector(DeployState deployState, ApplicationContainerCluster cluster) {
+ addImplicitHttpIfNotPresent(cluster);
+ JettyHttpServer server = cluster.getHttp().getHttpServer();
+ String serverName = server.getComponentId().getName();
+ // If the deployment contains certificate/private key reference, setup TLS port
 if (deployState.tlsSecrets().isPresent()) {
- addTlsPort(deployState, cluster);
+ boolean authorizeClient = deployState.zone().system().isPublic();
+ if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
+ throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/security-model#data-plane");
+ }
+ TlsSecrets tlsSecrets = deployState.tlsSecrets().get();
+ HostedSslConnectorFactory connectorFactory = authorizeClient
+ ?
HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, tlsSecrets, deployState.tlsClientAuthority().get())
+ : HostedSslConnectorFactory.withProvidedCertificate(serverName, tlsSecrets);
+ server.addConnector(connectorFactory);
+ } else {
+ server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName));
 }
 }
- private void addTlsPort(DeployState deployState, ApplicationContainerCluster cluster) {
- boolean authorizeClient = deployState.zone().system().isPublic();
- if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
- throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/security-model#data-plane");
- }
+ private static void addImplicitHttpIfNotPresent(ApplicationContainerCluster cluster) {
 if(cluster.getHttp() == null) {
 Http http = new Http(Collections.emptyList());
 http.setFilterChains(new FilterChains(cluster));
@@ -335,12 +353,6 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 cluster.getHttp().setHttpServer(defaultHttpServer);
 defaultHttpServer.addConnector(new ConnectorFactory("SearchServer", Defaults.getDefaults().vespaWebServicePort()));
 }
- JettyHttpServer server = cluster.getHttp().getHttpServer();
- String serverName = server.getComponentId().getName();
- HostedSslConnectorFactory connectorFactory = authorizeClient
- ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get(), true)
- : new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get());
- server.addConnector(connectorFactory);
 }
 private Http buildHttp(DeployState deployState, ApplicationContainerCluster cluster, Element httpElement) {
|
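Review bot: The comment `// If the deployment contains certificate/private key reference, setup TLS port` in `addAdditionalHostedConnector` no longer matches the code under it: the new `else` branch also adds a 4443 connector, via `withDefaultCertificateAndTruststore`, so the port is set up in both cases and only the certificate source is conditional. Reword it to `// Port 4443 is always added; the certificate and truststore depend on whether the deployment provides its own certificate/private key` and give the method a Javadoc listing the three outcomes: public system with provided secrets requires security/clients.pem and enforces client auth, non-public system with provided secrets uses the provided certificate with client auth not enforced (per `withProvidedCertificate` elsewhere in this diff), and no secrets falls back to the Vespa-global TLS configuration. `addHttp` should likewise document why the connector is added only for hosted, `ApplicationType.DEFAULT`, non-tester deployments, since that gate is the security-relevant decision and is currently implicit. The `RuntimeException` on a missing clients.pem is moved rather than new, but `IllegalArgumentException` (or whatever validation exception the builder already uses for application-package errors) would express the failure better; `addImplicitHttpIfNotPresent` continues past the end of the hunk.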