author | Martin Polden <mpolden@mpolden.no> | 2022-05-11 10:38:23 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2022-05-11 12:28:53 +0200 |
commit | 1deb1498cdc6455c975e209e3fbc664fbc35a8d4 (patch) | |
tree | 296ab8e31bd26b6cde2df867ac6795436898f8e5 | |
parent | 5da68e17038c1b9e2e78a0278a281630018bcb1f (diff) |
Send cloud account on deploy
3 files changed, 26 insertions, 21 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
index ad98197fa93..a35d01f6891 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.application.v4.model;
 
 import com.yahoo.component.Version;
 import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.CloudAccount;
 import com.yahoo.config.provision.DockerImage;
 import com.yahoo.config.provision.zone.ZoneId;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
@@ -13,6 +14,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.secrets.TenantSecretSto
 
 import java.security.cert.X509Certificate;
 import java.util.List;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 
@@ -36,21 +38,9 @@ public class DeploymentData {
     private final Quota quota;
     private final List<TenantSecretStore> tenantSecretStores;
     private final List<X509Certificate> operatorCertificates;
+    private final Optional<CloudAccount> cloudAccount;
     private final boolean dryRun;
 
-    // TODO: Remove when users have been updated to use constructor below
-    public DeploymentData(ApplicationId instance, ZoneId zone, byte[] applicationPackage, Version platform,
-                          Set<ContainerEndpoint> containerEndpoints,
-                          Optional<EndpointCertificateMetadata> endpointCertificateMetadata,
-                          Optional<DockerImage> dockerImageRepo,
-                          Optional<AthenzDomain> athenzDomain,
-                          Quota quota,
-                          List<TenantSecretStore> tenantSecretStores,
-                          List<X509Certificate> operatorCertificates) {
-        this(instance, zone, applicationPackage, platform, containerEndpoints, endpointCertificateMetadata,
-             dockerImageRepo, athenzDomain, quota, tenantSecretStores, operatorCertificates, false);
-    }
-
     public DeploymentData(ApplicationId instance, ZoneId zone, byte[] applicationPackage, Version platform,
                           Set<ContainerEndpoint> containerEndpoints,
                           Optional<EndpointCertificateMetadata> endpointCertificateMetadata,
@@ -59,7 +49,7 @@ public class DeploymentData {
                           Quota quota,
                           List<TenantSecretStore> tenantSecretStores,
                           List<X509Certificate> operatorCertificates,
-                          boolean dryRun) {
+                          Optional<CloudAccount> cloudAccount, boolean dryRun) {
         this.instance = requireNonNull(instance);
         this.zone = requireNonNull(zone);
         this.applicationPackage = requireNonNull(applicationPackage);
@@ -71,6 +61,7 @@ public class DeploymentData {
         this.quota = quota;
         this.tenantSecretStores = List.copyOf(requireNonNull(tenantSecretStores));
         this.operatorCertificates = List.copyOf(requireNonNull(operatorCertificates));
+        this.cloudAccount = Objects.requireNonNull(cloudAccount);
         this.dryRun = dryRun;
     }
 
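Review bot: The new `this.cloudAccount = Objects.requireNonNull(cloudAccount);` in the third hunk is the only field check in this constructor that goes through `Objects.`; the neighbouring lines use the statically imported `requireNonNull`, so the line should read `this.cloudAccount = requireNonNull(cloudAccount);` and the `java.util.Objects` import added by this commit becomes unnecessary. A one-line comment on the new field would also help readers, since an empty and a present value select different provisioning targets — something like `// Account to provision in; empty means the default account` — though the exact meaning of "default" is decided by the consumer, which is not in this diff, so confirm the wording. The constructor's parameter list begins before the second hunk and the class continues past the third.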
@@ -118,6 +109,10 @@ public class DeploymentData {
         return operatorCertificates;
     }
 
+    public Optional<CloudAccount> cloudAccount() {
+        return cloudAccount;
+    }
+
     public boolean isDryRun() {
         return dryRun;
     }
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 6907747646e..ab8ab659a0b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -7,6 +7,7 @@ import com.yahoo.config.application.api.DeploymentSpec;
 import com.yahoo.config.application.api.ValidationId;
 import com.yahoo.config.application.api.ValidationOverrides;
 import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.CloudAccount;
 import com.yahoo.config.provision.DockerImage;
 import com.yahoo.config.provision.InstanceName;
 import com.yahoo.config.provision.TenantName;
@@ -19,9 +20,9 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.api.AthenzUser;
-import com.yahoo.vespa.curator.Lock;
 import com.yahoo.vespa.flags.FetchVector;
 import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.flags.ListFlag;
 import com.yahoo.vespa.flags.PermanentFlags;
 import com.yahoo.vespa.flags.StringFlag;
@@ -41,7 +42,6 @@ import com.yahoo.vespa.hosted.controller.api.integration.deployment.ApplicationS
 import com.yahoo.vespa.hosted.controller.api.integration.deployment.ApplicationVersion;
 import com.yahoo.vespa.hosted.controller.api.integration.deployment.ArtifactRepository;
 import com.yahoo.vespa.hosted.controller.api.integration.deployment.JobId;
-import com.yahoo.vespa.hosted.controller.api.integration.deployment.JobType;
 import com.yahoo.vespa.hosted.controller.api.integration.deployment.RevisionId;
 import com.yahoo.vespa.hosted.controller.api.integration.deployment.TesterId;
 import com.yahoo.vespa.hosted.controller.api.integration.noderepository.RestartFilter;
@@ -60,9 +60,7 @@ import com.yahoo.vespa.hosted.controller.certificate.EndpointCertificates;
 import com.yahoo.vespa.hosted.controller.concurrent.Once;
 import com.yahoo.vespa.hosted.controller.deployment.DeploymentTrigger;
 import com.yahoo.vespa.hosted.controller.deployment.JobStatus;
-import com.yahoo.vespa.hosted.controller.deployment.RevisionHistory;
 import com.yahoo.vespa.hosted.controller.deployment.Run;
-import com.yahoo.vespa.hosted.controller.deployment.RunStatus;
 import com.yahoo.vespa.hosted.controller.notification.Notification;
 import com.yahoo.vespa.hosted.controller.notification.NotificationSource;
 import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
@@ -85,7 +83,6 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -93,7 +90,6 @@ import java.util.Optional;
 import java.util.OptionalInt;
 import java.util.Set;
 import java.util.TreeMap;
-import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
@@ -138,6 +134,8 @@ public class ApplicationController {
     private final ListFlag<String> incompatibleVersions;
     private final BillingController billingController;
 
+    private final StringFlag cloudAccountFlag;
+
     ApplicationController(Controller controller, CuratorDb curator, AccessControl accessControl, Clock clock,
                           FlagSource flagSource, BillingController billingController) {
         this.controller = Objects.requireNonNull(controller);
@@ -156,6 +154,7 @@ public class ApplicationController {
         endpointCertificates = new EndpointCertificates(controller,
                                                         controller.serviceRegistry().endpointCertificateProvider(),
                                                         controller.serviceRegistry().endpointCertificateValidator());
+        cloudAccountFlag = Flags.PROVISION_IN_EXTERNAL_ACCOUNT.bindTo(controller.flagSource());
 
         // Update serialization format of all applications
         Once.after(Duration.ofMinutes(1), () -> {
@@ -621,11 +620,16 @@ public class ApplicationController {
                 .map(SupportAccessGrant::certificate)
                 .collect(toList());
 
+        // TODO(mpolden): Read this from DeploymentSpec and validate it against the valid accounts for the tenant,
+        // as defined by PermanentFlags.EXTERNAL_ACCOUNTS
+        Optional<CloudAccount> cloudAccount = Optional.of(cloudAccountFlag.with(APPLICATION_ID, application.serializedForm()).value())
+                .filter(account -> !account.isEmpty())
+                .map(CloudAccount::new);
         ConfigServer.PreparedApplication preparedApplication = configServer.deploy(new DeploymentData(application, zone, applicationPackage.zippedContent(), platform,
                                                                                                    endpoints, endpointCertificateMetadata,
                                                                                                    dockerImageRepo, domain, deploymentQuota, tenantSecretStores, operatorCertificates,
-                                                                                                   dryRun));
+                                                                                                   cloudAccount, dryRun));
 
         return new ActivateResult(new com.yahoo.vespa.hosted.controller.api.identifiers.RevisionId(applicationPackage.hash()),
                                   preparedApplication.prepareResponse(),
                                   applicationPackage.zippedContent().length);
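Review bot: The account handed to `configServer.deploy(...)` in the last hunk is taken verbatim from `PROVISION_IN_EXTERNAL_ACCOUNT` for the application, and nothing between `.map(CloudAccount::new)` and the deploy call checks that the tenant is entitled to that account; this commit defines `PermanentFlags.EXTERNAL_ACCOUNTS` for exactly that purpose but never reads it, so a mis-set or stale flag value would ask the config server to provision one tenant's nodes into an AWS account that tenant does not own. The TODO says the value will later come from DeploymentSpec, but the allow-list check does not depend on where the value comes from and is cheap to add now: bind `PermanentFlags.EXTERNAL_ACCOUNTS.bindTo(controller.flagSource())` next to `cloudAccountFlag` in the constructor hunk and reject the deployment when the account is not in the tenant's list, as sketched below. The accessor names `CloudAccount.value()` and `application.tenant()` and the `TENANT_ID` dimension are assumed from context and should be confirmed against the real types. The enclosing deploy method begins before the hunk and returns inside it.
```java
// … unchanged: operatorCertificates collection …

// TODO(mpolden): Read this from DeploymentSpec instead of a flag
Optional<CloudAccount> cloudAccount = Optional.of(cloudAccountFlag.with(APPLICATION_ID, application.serializedForm()).value())
        .filter(account -> !account.isEmpty())
        .map(CloudAccount::new);
// Refuse accounts not granted to this tenant, so a wrong flag value cannot
// provision into an account the tenant does not own
cloudAccount.ifPresent(account -> {
    List<String> allowed = externalAccountsFlag.with(TENANT_ID, application.tenant().value()).value();
    if (!allowed.contains(account.value()))
        throw new IllegalArgumentException("Cloud account " + account.value() + " is not valid for tenant " + application.tenant());
});
ConfigServer.PreparedApplication preparedApplication = configServer.deploy(new DeploymentData(application, zone, applicationPackage.zippedContent(), platform,
// … unchanged: remaining DeploymentData arguments and ActivateResult …
```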
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/PermanentFlags.java b/flags/src/main/java/com/yahoo/vespa/flags/PermanentFlags.java
index bc199f7160e..57b1ec4ada2 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/PermanentFlags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/PermanentFlags.java
@@ -262,6 +262,12 @@ public class PermanentFlags {
             "Takes effect on next redeployment",
             ZONE_ID, APPLICATION_ID);
 
+    public static final UnboundListFlag<String> EXTERNAL_ACCOUNTS = defineListFlag(
+            "external-accounts", List.of(), String.class,
+            "A list of 12-digit AWS account IDs that are valid for the given tenant",
+            "Takes effect immediately",
+            TENANT_ID);
+
     private PermanentFlags() {}
 
     private static UnboundBooleanFlag defineFeatureFlag(
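Review bot: `EXTERNAL_ACCOUNTS` is defined here but nothing else in this commit reads it, so the "valid for the given tenant" in its description is not enforced anywhere yet; until the deploy path consults the list, the description should say so, e.g. `"A list of 12-digit AWS account IDs that are valid for the given tenant (not yet enforced)"`, or better, the flag should be consumed where the account is applied. Nothing at this definition site checks the 12-digit form either — entries are arbitrary `String`s — so whichever code eventually compares a requested account against this list should compare exact, already-validated values rather than trust the description.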