authorMartin Polden <mpolden@mpolden.no>2022-05-11 10:38:23 +0200
committerMartin Polden <mpolden@mpolden.no>2022-05-11 12:28:53 +0200
commit1deb1498cdc6455c975e209e3fbc664fbc35a8d4 (patch)
tree296ab8e31bd26b6cde2df867ac6795436898f8e5
parent5da68e17038c1b9e2e78a0278a281630018bcb1f (diff)
Send cloud account on deploy
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java23
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java18
-rw-r--r--flags/src/main/java/com/yahoo/vespa/flags/PermanentFlags.java6
3 files changed, 26 insertions, 21 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
index ad98197fa93..a35d01f6891 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.application.v4.model;
import com.yahoo.component.Version;
import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.CloudAccount;
import com.yahoo.config.provision.DockerImage;
import com.yahoo.config.provision.zone.ZoneId;
import com.yahoo.vespa.athenz.api.AthenzDomain;
@@ -13,6 +14,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.secrets.TenantSecretSto
import java.security.cert.X509Certificate;
import java.util.List;
+import java.util.Objects;
import java.util.Optional;
import java.util.Set;
@@ -36,21 +38,9 @@ public class DeploymentData {
private final Quota quota;
private final List<TenantSecretStore> tenantSecretStores;
private final List<X509Certificate> operatorCertificates;
+ private final Optional<CloudAccount> cloudAccount;
private final boolean dryRun;
- // TODO: Remove when users have been updated to use constructor below
- public DeploymentData(ApplicationId instance, ZoneId zone, byte[] applicationPackage, Version platform,
- Set<ContainerEndpoint> containerEndpoints,
- Optional<EndpointCertificateMetadata> endpointCertificateMetadata,
- Optional<DockerImage> dockerImageRepo,
- Optional<AthenzDomain> athenzDomain,
- Quota quota,
- List<TenantSecretStore> tenantSecretStores,
- List<X509Certificate> operatorCertificates) {
- this(instance, zone, applicationPackage, platform, containerEndpoints, endpointCertificateMetadata,
- dockerImageRepo, athenzDomain, quota, tenantSecretStores, operatorCertificates, false);
- }
-
public DeploymentData(ApplicationId instance, ZoneId zone, byte[] applicationPackage, Version platform,
Set<ContainerEndpoint> containerEndpoints,
Optional<EndpointCertificateMetadata> endpointCertificateMetadata,
@@ -59,7 +49,7 @@ public class DeploymentData {
Quota quota,
List<TenantSecretStore> tenantSecretStores,
List<X509Certificate> operatorCertificates,
- boolean dryRun) {
+ Optional<CloudAccount> cloudAccount, boolean dryRun) {
this.instance = requireNonNull(instance);
this.zone = requireNonNull(zone);
this.applicationPackage = requireNonNull(applicationPackage);
@@ -71,6 +61,7 @@ public class DeploymentData {
this.quota = quota;
this.tenantSecretStores = List.copyOf(requireNonNull(tenantSecretStores));
this.operatorCertificates = List.copyOf(requireNonNull(operatorCertificates));
+ this.cloudAccount = Objects.requireNonNull(cloudAccount);
this.dryRun = dryRun;
}
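Review bot: The added `this.cloudAccount = Objects.requireNonNull(cloudAccount);` is the only field assignment in this constructor that qualifies the call; the neighbouring lines (`tenantSecretStores`, `operatorCertificates`, and the assignments shown in the previous hunk) all use the unqualified `requireNonNull`, so a static import is evidently already in scope even though it is outside the hunk. Writing it as `this.cloudAccount = requireNonNull(cloudAccount);` keeps the constructor uniform and makes the new `import java.util.Objects;` added in the first hunk unnecessary. Consider also giving the non-null check a message, as in `requireNonNull(cloudAccount, "cloudAccount")`, since an empty `Optional` is the intended "no external account" value and a bare NPE here would be hard to attribute. The constructor's signature is in the previous hunk; its body ends here.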
@@ -118,6 +109,10 @@ public class DeploymentData {
return operatorCertificates;
}
+ public Optional<CloudAccount> cloudAccount() {
+ return cloudAccount;
+ }
+
public boolean isDryRun() { return dryRun; }
}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 6907747646e..ab8ab659a0b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -7,6 +7,7 @@ import com.yahoo.config.application.api.DeploymentSpec;
import com.yahoo.config.application.api.ValidationId;
import com.yahoo.config.application.api.ValidationOverrides;
import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.CloudAccount;
import com.yahoo.config.provision.DockerImage;
import com.yahoo.config.provision.InstanceName;
import com.yahoo.config.provision.TenantName;
@@ -19,9 +20,9 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzPrincipal;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.api.AthenzUser;
-import com.yahoo.vespa.curator.Lock;
import com.yahoo.vespa.flags.FetchVector;
import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
import com.yahoo.vespa.flags.ListFlag;
import com.yahoo.vespa.flags.PermanentFlags;
import com.yahoo.vespa.flags.StringFlag;
@@ -41,7 +42,6 @@ import com.yahoo.vespa.hosted.controller.api.integration.deployment.ApplicationS
import com.yahoo.vespa.hosted.controller.api.integration.deployment.ApplicationVersion;
import com.yahoo.vespa.hosted.controller.api.integration.deployment.ArtifactRepository;
import com.yahoo.vespa.hosted.controller.api.integration.deployment.JobId;
-import com.yahoo.vespa.hosted.controller.api.integration.deployment.JobType;
import com.yahoo.vespa.hosted.controller.api.integration.deployment.RevisionId;
import com.yahoo.vespa.hosted.controller.api.integration.deployment.TesterId;
import com.yahoo.vespa.hosted.controller.api.integration.noderepository.RestartFilter;
@@ -60,9 +60,7 @@ import com.yahoo.vespa.hosted.controller.certificate.EndpointCertificates;
import com.yahoo.vespa.hosted.controller.concurrent.Once;
import com.yahoo.vespa.hosted.controller.deployment.DeploymentTrigger;
import com.yahoo.vespa.hosted.controller.deployment.JobStatus;
-import com.yahoo.vespa.hosted.controller.deployment.RevisionHistory;
import com.yahoo.vespa.hosted.controller.deployment.Run;
-import com.yahoo.vespa.hosted.controller.deployment.RunStatus;
import com.yahoo.vespa.hosted.controller.notification.Notification;
import com.yahoo.vespa.hosted.controller.notification.NotificationSource;
import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
@@ -85,7 +83,6 @@ import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
@@ -93,7 +90,6 @@ import java.util.Optional;
import java.util.OptionalInt;
import java.util.Set;
import java.util.TreeMap;
-import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.function.Predicate;
@@ -138,6 +134,8 @@ public class ApplicationController {
private final ListFlag<String> incompatibleVersions;
private final BillingController billingController;
+ private final StringFlag cloudAccountFlag;
+
ApplicationController(Controller controller, CuratorDb curator, AccessControl accessControl, Clock clock,
FlagSource flagSource, BillingController billingController) {
this.controller = Objects.requireNonNull(controller);
@@ -156,6 +154,7 @@ public class ApplicationController {
endpointCertificates = new EndpointCertificates(controller,
controller.serviceRegistry().endpointCertificateProvider(),
controller.serviceRegistry().endpointCertificateValidator());
+ cloudAccountFlag = Flags.PROVISION_IN_EXTERNAL_ACCOUNT.bindTo(controller.flagSource());
// Update serialization format of all applications
Once.after(Duration.ofMinutes(1), () -> {
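Review bot: `cloudAccountFlag` is bound to `controller.flagSource()` although the constructor signature shown in the previous hunk takes an explicit `FlagSource flagSource` parameter; unless the two are guaranteed to be the same instance, a flag source injected by a test or caller would not be honoured for this flag. Binding it as `cloudAccountFlag = Flags.PROVISION_IN_EXTERNAL_ACCOUNT.bindTo(flagSource);` removes that ambiguity, assuming the other flag fields in this constructor are bound that way (their binding lines are outside the hunk, so confirm). The constructor body continues outside the hunk.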
@@ -621,11 +620,16 @@ public class ApplicationController {
.map(SupportAccessGrant::certificate)
.collect(toList());
+ // TODO(mpolden): Read this from DeploymentSpec and validate it against the valid accounts for the tenant,
+ // as defined by PermanentFlags.EXTERNAL_ACCOUNTS
+ Optional<CloudAccount> cloudAccount = Optional.of(cloudAccountFlag.with(APPLICATION_ID, application.serializedForm()).value())
+ .filter(account -> !account.isEmpty())
+ .map(CloudAccount::new);
ConfigServer.PreparedApplication preparedApplication =
configServer.deploy(new DeploymentData(application, zone, applicationPackage.zippedContent(), platform,
endpoints, endpointCertificateMetadata, dockerImageRepo, domain,
deploymentQuota, tenantSecretStores, operatorCertificates,
- dryRun));
+ cloudAccount, dryRun));
return new ActivateResult(new com.yahoo.vespa.hosted.controller.api.identifiers.RevisionId(applicationPackage.hash()), preparedApplication.prepareResponse(),
applicationPackage.zippedContent().length);
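Review bot: The account passed into `new DeploymentData(...)` is read straight from `PROVISION_IN_EXTERNAL_ACCOUNT` and is never checked against the per-tenant allow-list `PermanentFlags.EXTERNAL_ACCOUNTS` that this same commit introduces, so a flag value set on the wrong application, or simply mistyped, would be forwarded to the config server as-is. The TODO defers that check to the DeploymentSpec work, but the allow-list already exists and the lookup is cheap: bind `PermanentFlags.EXTERNAL_ACCOUNTS` next to `cloudAccountFlag`, fetch it with the tenant dimension of `application`, and throw an `IllegalArgumentException` naming the rejected account when `cloudAccount` is present but not in that list, before `configServer.deploy(...)` runs. Whether `CloudAccount`'s constructor validates the 12-digit format promised by the flag description is not visible here; if it does not, the same check should reject a value that does not match `\d{12}`. The enclosing method starts and ends outside this hunk.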
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/PermanentFlags.java b/flags/src/main/java/com/yahoo/vespa/flags/PermanentFlags.java
index bc199f7160e..57b1ec4ada2 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/PermanentFlags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/PermanentFlags.java
@@ -262,6 +262,12 @@ public class PermanentFlags {
"Takes effect on next redeployment",
ZONE_ID, APPLICATION_ID);
+ public static final UnboundListFlag<String> EXTERNAL_ACCOUNTS = defineListFlag(
+ "external-accounts", List.of(), String.class,
+ "A list of 12-digit AWS account IDs that are valid for the given tenant",
+ "Takes effect immediately",
+ TENANT_ID);
+
private PermanentFlags() {}
private static UnboundBooleanFlag defineFeatureFlag(
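Review bot: `EXTERNAL_ACCOUNTS` is declared as a free-form `List<String>` with no consumer in this commit, and nothing visible enforces the "12-digit AWS account IDs" promise in its description, so a malformed or non-numeric entry would be accepted silently and only surface when something starts trusting the list. Add a marker so the constraint is not lost before a reader exists, e.g. `// TODO: Enforce the 12-digit format where this list is consumed; the flag framework does not validate entries`, and have that reader validate each entry against `\d{12}` rather than relying on the description. Stating in the description that this list is the allow-list deployments are checked against, once that check lands, would also help operators understand why an entry is required.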