authorValerij Fredriksen <freva@users.noreply.github.com>2023-06-19 17:01:36 +0200
committerGitHub <noreply@github.com>2023-06-19 17:01:36 +0200
commit51b0219f5c67ccc187f247ad8979e032a006c75b (patch)
treefeb2598fed7fc495af011d9434d5c102a4b37a7d
parent9227813c2fbe13a7b5f50c0518d9a3411c31c1f6 (diff)
parent0401a185b98e094625017e89d51f15579da088b9 (diff)
Merge pull request #27474 from vespa-engine/hakonhall/avoid-forward-resolving-to-ipv4-in-exclave-gcp
Avoid forward resolving to IPv4 in exclave GCP
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisioner.java11
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/IP.java51
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java4
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisionerTest.java3
4 files changed, 49 insertions, 20 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisioner.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisioner.java
index ad3c98d4512..26b83b37b9c 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisioner.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisioner.java
@@ -1,7 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.provision.maintenance;
-import com.yahoo.config.provision.CloudName;
import com.yahoo.config.provision.NodeType;
import com.yahoo.jdisc.Metric;
import com.yahoo.vespa.hosted.provision.Node;
@@ -78,15 +77,9 @@ public class HostResumeProvisioner extends NodeRepositoryMaintainer {
/** Verify DNS configuration of given node */
private void verifyDns(Node node, IP.Config ipConfig) {
- for (var ipAddress : ipConfig.primary()) {
- IP.verifyDns(node.hostname(), ipAddress, nodeRepository().nameResolver(), verifyPtr(node, ipAddress));
+ for (String ipAddress : ipConfig.primary()) {
+ IP.verifyDns(node.hostname(), ipAddress, node.type(), nodeRepository().nameResolver(), node.cloudAccount(), nodeRepository().zone());
}
}
- private boolean verifyPtr(Node node, String address) {
- if (node.cloudAccount().isEnclave(nodeRepository().zone())) return false;
- if (nodeRepository().zone().cloud().name().equals(CloudName.GCP) && IP.isV6(address)) return false;
- return true;
- }
-
}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/IP.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/IP.java
index 549fce92a5c..7a2508729ed 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/IP.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/IP.java
@@ -3,7 +3,11 @@ package com.yahoo.vespa.hosted.provision.node;
import com.google.common.net.InetAddresses;
import com.google.common.primitives.UnsignedBytes;
+import com.yahoo.config.provision.CloudAccount;
+import com.yahoo.config.provision.CloudName;
import com.yahoo.config.provision.HostName;
+import com.yahoo.config.provision.NodeType;
+import com.yahoo.config.provision.Zone;
import com.yahoo.vespa.hosted.provision.LockedNodeList;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeList;
@@ -13,6 +17,7 @@ import com.yahoo.vespa.hosted.provision.persistence.NameResolver.RecordType;
import java.net.InetAddress;
import java.util.Collections;
import java.util.Comparator;
+import java.util.EnumSet;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
@@ -398,15 +403,45 @@ public record IP() {
}
}
+ public enum DnsRecordType { FORWARD, PUBLIC_FORWARD, REVERSE }
+
+ /** Returns the set of DNS record types for a host and its children and the given version (ipv6), host type, etc. */
+ public static Set<DnsRecordType> dnsRecordTypesFor(boolean ipv6, NodeType hostType, CloudName cloudName, boolean exclave) {
+ if (cloudName == CloudName.AWS)
+ return exclave ?
+ EnumSet.of(DnsRecordType.FORWARD, DnsRecordType.PUBLIC_FORWARD) :
+ EnumSet.of(DnsRecordType.FORWARD, DnsRecordType.PUBLIC_FORWARD, DnsRecordType.REVERSE);
+
+ if (cloudName == CloudName.GCP) {
+ if (exclave) {
+ return ipv6 ?
+ EnumSet.of(DnsRecordType.FORWARD, DnsRecordType.PUBLIC_FORWARD) :
+ EnumSet.noneOf(DnsRecordType.class);
+ } else {
+ return hostType == confighost && ipv6 ?
+ EnumSet.of(DnsRecordType.FORWARD, DnsRecordType.REVERSE, DnsRecordType.PUBLIC_FORWARD) :
+ EnumSet.of(DnsRecordType.FORWARD, DnsRecordType.REVERSE);
+ }
+ }
+
+ throw new IllegalArgumentException("Does not manage DNS for cloud " + cloudName);
+ }
+
/** Verify DNS configuration of given hostname and IP address */
- public static void verifyDns(String hostname, String ipAddress, NameResolver resolver, boolean hasPtr) {
- RecordType recordType = isV6(ipAddress) ? RecordType.AAAA : RecordType.A;
- Set<String> addresses = resolver.resolve(hostname, recordType);
- if (!addresses.equals(Set.of(ipAddress)))
- throw new IllegalArgumentException("Expected " + hostname + " to resolve to " + ipAddress +
- ", but got " + addresses);
-
- if (hasPtr) {
+ public static void verifyDns(String hostname, String ipAddress, NodeType nodeType, NameResolver resolver,
+ CloudAccount cloudAccount, Zone zone) {
+ boolean ipv6 = isV6(ipAddress);
+ Set<DnsRecordType> recordTypes = dnsRecordTypesFor(ipv6, nodeType, zone.cloud().name(), cloudAccount.isEnclave(zone));
+
+ if (recordTypes.contains(DnsRecordType.FORWARD)) {
+ RecordType recordType = ipv6 ? RecordType.AAAA : RecordType.A;
+ Set<String> addresses = resolver.resolve(hostname, recordType);
+ if (!addresses.equals(Set.of(ipAddress)))
+ throw new IllegalArgumentException("Expected " + hostname + " to resolve to " + ipAddress +
+ ", but got " + addresses);
+ }
+
+ if (recordTypes.contains(DnsRecordType.REVERSE)) {
Optional<String> reverseHostname = resolver.resolveHostname(ipAddress);
if (reverseHostname.isEmpty())
throw new IllegalArgumentException(ipAddress + " did not resolve to a hostname");
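Review bot: `dnsRecordTypesFor` now throws `IllegalArgumentException` for any cloud other than AWS or GCP (the `throw` after the GCP branch), so `verifyDns` fails hard during host resume instead of verifying nothing for a zone with, e.g., the default cloud name — which is presumably why the test files in this commit now pin `CloudName.AWS`; that contract should be stated on both methods, `@throws IllegalArgumentException if the zone's cloud is neither AWS nor GCP`. The returned set also carries `PUBLIC_FORWARD`, but `verifyDns` only acts on `FORWARD` and `REVERSE`; if public forward records are verified elsewhere, a one-line comment saying so would stop the next reader from assuming the check was forgotten. The unqualified `confighost` in the GCP branch sits next to fully qualified `DnsRecordType` constants and relies on a static import not visible in this diff; `NodeType.confighost` would match the surrounding style now that `NodeType` is imported, and the parameter is `hostType` here but `nodeType` in `verifyDns`. The body of `verifyDns` continues past the end of the hunk.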
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java
index 8c9d43eb164..66d4b67c7c2 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostCapacityMaintainerTest.java
@@ -380,7 +380,7 @@ public class HostCapacityMaintainerTest {
default -> throw new IllegalArgumentException("Unexpected config server host like node type: " + hostType);
}
- Cloud cloud = Cloud.builder().dynamicProvisioning(true).build();
+ Cloud cloud = Cloud.builder().name(CloudName.AWS).dynamicProvisioning(true).build();
DynamicProvisioningTester dynamicProvisioningTester = new DynamicProvisioningTester(cloud, new MockNameResolver().mockAnyLookup());
ProvisioningTester tester = dynamicProvisioningTester.provisioningTester;
dynamicProvisioningTester.hostProvisioner.setHostFlavor("default");
@@ -686,7 +686,7 @@ public class HostCapacityMaintainerTest {
private final InfraDeployerImpl infraDeployer;
public DynamicProvisioningTester() {
- this(Cloud.builder().dynamicProvisioning(true).build(), new MockNameResolver());
+ this(Cloud.builder().name(CloudName.AWS).dynamicProvisioning(true).build(), new MockNameResolver());
}
public DynamicProvisioningTester(Cloud cloud, MockNameResolver nameResolver) {
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisionerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisionerTest.java
index 8280c0e33fc..f7c9d46801c 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisionerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisionerTest.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.hosted.provision.maintenance;
import com.yahoo.component.Version;
import com.yahoo.config.provision.Capacity;
import com.yahoo.config.provision.Cloud;
+import com.yahoo.config.provision.CloudName;
import com.yahoo.config.provision.ClusterResources;
import com.yahoo.config.provision.ClusterSpec;
import com.yahoo.config.provision.Environment;
@@ -38,7 +39,7 @@ public class HostResumeProvisionerTest {
private final List<Flavor> flavors = FlavorConfigBuilder.createDummies("default").getFlavors();
private final MockNameResolver nameResolver = new MockNameResolver();
- private final Zone zone = new Zone(Cloud.builder().dynamicProvisioning(true).allowHostSharing(false).build(),
+ private final Zone zone = new Zone(Cloud.builder().name(CloudName.AWS).dynamicProvisioning(true).allowHostSharing(false).build(),
SystemName.defaultSystem(),
Environment.dev,
RegionName.defaultName());