author | Martin Polden <mpolden@mpolden.no> | 2023-07-05 15:38:25 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2023-07-06 13:56:42 +0200 |
commit | e5b89c6a148d80cfef77baa52e383b642648e194 (patch) | |
tree | 5b3a2286703f2a1e63eacedc43c986534043ecf3 | |
parent | bd7356f18947ba1b08ef43e82e74018e664c0893 (diff) |
EndpointCertificateMetadata -> EndpointCertificate
29 files changed, 299 insertions, 299 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
index b23b93cba78..f73aeb89f0e 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
@@ -8,7 +8,7 @@ import com.yahoo.config.provision.DockerImage;
 import com.yahoo.config.provision.zone.ZoneId;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.hosted.controller.api.integration.billing.Quota;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate;
 import com.yahoo.vespa.hosted.controller.api.integration.configserver.ContainerEndpoint;
 import com.yahoo.vespa.hosted.controller.api.integration.dataplanetoken.DataplaneTokenVersions;
 import com.yahoo.vespa.hosted.controller.api.integration.secrets.TenantSecretStore;
@@ -36,7 +36,7 @@ public class DeploymentData {
 private final Supplier<InputStream> applicationPackage;
 private final Version platform;
 private final Set<ContainerEndpoint> containerEndpoints;
- private final Supplier<Optional<EndpointCertificateMetadata>> endpointCertificateMetadata;
+ private final Supplier<Optional<EndpointCertificate>> endpointCertificate;
 private final Optional<DockerImage> dockerImageRepo;
 private final Optional<AthenzDomain> athenzDomain;
 private final Supplier<Quota> quota;
@@ -48,7 +48,7 @@ public class DeploymentData { public DeploymentData(ApplicationId instance, ZoneId zone, Supplier<InputStream> applicationPackage, Version platform, Set<ContainerEndpoint> containerEndpoints, - Supplier<Optional<EndpointCertificateMetadata>> endpointCertificateMetadata, + Supplier<Optional<EndpointCertificate>> endpointCertificate, Optional<DockerImage> dockerImageRepo, Optional<AthenzDomain> athenzDomain, Supplier<Quota> quota, @@ -62,7 +62,7 @@ public class DeploymentData { this.applicationPackage = requireNonNull(applicationPackage); this.platform = requireNonNull(platform); this.containerEndpoints = Set.copyOf(requireNonNull(containerEndpoints)); - this.endpointCertificateMetadata = new Memoized<>(requireNonNull(endpointCertificateMetadata)); + this.endpointCertificate = new Memoized<>(requireNonNull(endpointCertificate)); this.dockerImageRepo = requireNonNull(dockerImageRepo); this.athenzDomain = athenzDomain; this.quota = new Memoized<>(requireNonNull(quota)); @@ -93,8 +93,8 @@ public class DeploymentData { return containerEndpoints; } - public Optional<EndpointCertificateMetadata> endpointCertificateMetadata() { - return endpointCertificateMetadata.get(); + public Optional<EndpointCertificate> endpointCertificate() { + return endpointCertificate.get(); } public Optional<DockerImage> dockerImageRepo() { diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificate.java index 02afbb6ace6..53d807b0139 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificate.java 
@@ -5,20 +5,18 @@ import java.util.List; import java.util.Optional; /** - * This class is used for metadata about an application's endpoint certificate on the controller. - * <p> - * It has more properties than com.yahoo.config.model.api.EndpointCertificateMetadata. + * This holds information about an application's endpoint certificate. * * @author andreer */ -public record EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested, - String rootRequestId, // The id of the first request made for this certificate. Should not change. - Optional<String> leafRequestId, // The id of the last known request made for this certificate. Changes on refresh, may be outdated! - List<String> requestedDnsSans, String issuer, Optional<Long> expiry, - Optional<Long> lastRefreshed, Optional<String> randomizedId) { +public record EndpointCertificate(String keyName, String certName, int version, long lastRequested, + String rootRequestId, // The id of the first request made for this certificate. Should not change. + Optional<String> leafRequestId, // The id of the last known request made for this certificate. Changes on refresh, may be outdated! + List<String> requestedDnsSans, String issuer, Optional<Long> expiry, + Optional<Long> lastRefreshed, Optional<String> randomizedId) { - public EndpointCertificateMetadata withRandomizedId(String randomizedId) { - return new EndpointCertificateMetadata( + public EndpointCertificate withRandomizedId(String randomizedId) { + return new EndpointCertificate( this.keyName, this.certName, this.version, @@ -32,8 +30,8 @@ public record EndpointCertificateMetadata(String keyName, String certName, int v Optional.of(randomizedId)); } - public EndpointCertificateMetadata withKeyName(String keyName) { - return new EndpointCertificateMetadata( + public EndpointCertificate withKeyName(String keyName) { + return new EndpointCertificate( keyName, this.certName, this.version, 
@@ -47,8 +45,8 @@ public record EndpointCertificateMetadata(String keyName, String certName, int v this.randomizedId); } - public EndpointCertificateMetadata withCertName(String certName) { - return new EndpointCertificateMetadata( + public EndpointCertificate withCertName(String certName) { + return new EndpointCertificate( this.keyName, certName, this.version, @@ -62,8 +60,8 @@ public record EndpointCertificateMetadata(String keyName, String certName, int v this.randomizedId); } - public EndpointCertificateMetadata withVersion(int version) { - return new EndpointCertificateMetadata( + public EndpointCertificate withVersion(int version) { + return new EndpointCertificate( this.keyName, this.certName, version, @@ -77,8 +75,8 @@ public record EndpointCertificateMetadata(String keyName, String certName, int v this.randomizedId); } - public EndpointCertificateMetadata withLastRequested(long lastRequested) { - return new EndpointCertificateMetadata( + public EndpointCertificate withLastRequested(long lastRequested) { + return new EndpointCertificate( this.keyName, this.certName, this.version, @@ -92,8 +90,8 @@ public record EndpointCertificateMetadata(String keyName, String certName, int v this.randomizedId); } - public EndpointCertificateMetadata withLastRefreshed(long lastRefreshed) { - return new EndpointCertificateMetadata( + public EndpointCertificate withLastRefreshed(long lastRefreshed) { + return new EndpointCertificate( this.keyName, this.certName, this.version, @@ -107,8 +105,8 @@ public record EndpointCertificateMetadata(String keyName, String certName, int v this.randomizedId); } - public EndpointCertificateMetadata withRootRequestId(String rootRequestId) { - return new EndpointCertificateMetadata( + public EndpointCertificate withRootRequestId(String rootRequestId) { + return new EndpointCertificate( this.keyName, this.certName, this.version, 
@@ -122,8 +120,8 @@ public record EndpointCertificateMetadata(String keyName, String certName, int v this.randomizedId); } - public EndpointCertificateMetadata withLeafRequestId(Optional<String> leafRequestId) { - return new EndpointCertificateMetadata( + public EndpointCertificate withLeafRequestId(Optional<String> leafRequestId) { + return new EndpointCertificate( this.keyName, this.certName, this.version, diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateDetails.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateDetails.java index 3f5514dce8c..486a6f5b580 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateDetails.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateDetails.java @@ -9,23 +9,23 @@ import java.util.List; * @author andreer */ public record EndpointCertificateDetails( - String request_id, + String requestId, String requestor, String status, - String ticket_id, - String athenz_domain, - List<EndpointCertificateRequestMetadata.DnsNameStatus> dnsnames, - String duration_sec, + String ticketId, + String athenzDomain, + List<EndpointCertificateRequestMetadata.DnsNameStatus> dnsNames, + String durationSec, String expiry, - String private_key_kgname, - String private_key_keyname, - String private_key_version, - String cert_key_kgname, - String cert_key_keyname, - String cert_key_version, - String create_time, - boolean expiry_protection, - String public_key_algo, + String privateKeyKgname, + String privateKeyKeyname, + String privateKeyVersion, + String certKeyKgname, + String certKeyKeyname, + String certKeyVersion, + String createTime, + boolean expiryProtection, + String publicKeyAlgo, String issuer, String serial -) { }
\ No newline at end of file +) { } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateException.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateException.java index a446a5382fb..7f4f22ced40 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateException.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateException.java @@ -1,6 +1,9 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.api.integration.certificates; +/** + * @author andreer + */ public class EndpointCertificateException extends RuntimeException { private final Type type; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java index 7c5268ea353..cf86dcd2e4f 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java 
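Review bot: Renaming the components of EndpointCertificateDetails from snake_case (`request_id`, `ticket_id`, `private_key_kgname`, …) to camelCase changes the accessor names, and if this record is mapped to or from the certificate provider's JSON by component name rather than by explicit annotations, the field names on the wire change with it; that mapping layer is outside this hunk, so confirm it uses explicit names or is updated in the same commit. A class-level comment such as `// Components mirror the provider's response fields; keep the mapping in sync when renaming` would make that coupling visible to the next person who touches these names.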
@@ -11,7 +11,7 @@ import java.util.Optional; */ public interface EndpointCertificateProvider { - EndpointCertificateMetadata requestCaSignedCertificate(String endpointCertificatePrefix, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata, String algo, boolean useAlternativeProvider); + EndpointCertificate requestCaSignedCertificate(String endpointCertificatePrefix, List<String> dnsNames, Optional<EndpointCertificate> currentCert, String algo, boolean useAlternativeProvider); List<EndpointCertificateRequestMetadata> listCertificates(); diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProviderMock.java index a0448e41b68..53a6bad2032 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProviderMock.java 
@@ -13,35 +13,35 @@ import java.util.UUID; * @author tokle * @author andreer */ -public class EndpointCertificateMock implements EndpointCertificateProvider { +public class EndpointCertificateProviderMock implements EndpointCertificateProvider { private final Map<String, List<String>> dnsNames = new HashMap<>(); - private final Map<String, EndpointCertificateMetadata> providerMetadata = new HashMap<>(); + private final Map<String, EndpointCertificate> certificates = new HashMap<>(); public List<String> dnsNamesOf(String rootRequestId) { return Collections.unmodifiableList(dnsNames.getOrDefault(rootRequestId, List.of())); } @Override - public EndpointCertificateMetadata requestCaSignedCertificate(String key, List<String> dnsNames, Optional<EndpointCertificateMetadata> currentMetadata, String algo, boolean useAlternativeProvider) { + public EndpointCertificate requestCaSignedCertificate(String key, List<String> dnsNames, Optional<EndpointCertificate> currentCert, String algo, boolean useAlternativeProvider) { String endpointCertificatePrefix = "vespa.tls.%s".formatted(key); long epochSecond = Instant.now().getEpochSecond(); long inAnHour = epochSecond + 3600; String requestId = UUID.randomUUID().toString(); this.dnsNames.put(requestId, dnsNames); - int version = currentMetadata.map(c -> currentMetadata.get().version()+1).orElse(0); - EndpointCertificateMetadata metadata = new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", version, 0, - currentMetadata.map(EndpointCertificateMetadata::rootRequestId).orElse(requestId), Optional.of(requestId), dnsNames, "mockCa", Optional.of(inAnHour), Optional.of(epochSecond), Optional.empty()); - currentMetadata.ifPresent(c -> providerMetadata.remove(c.leafRequestId().orElseThrow())); - providerMetadata.put(requestId, metadata); - return metadata; + int version = currentCert.map(c -> currentCert.get().version() + 1).orElse(0); + EndpointCertificate cert = new 
EndpointCertificate(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", version, 0, + currentCert.map(EndpointCertificate::rootRequestId).orElse(requestId), Optional.of(requestId), dnsNames, "mockCa", Optional.of(inAnHour), Optional.of(epochSecond), Optional.empty()); + currentCert.ifPresent(c -> certificates.remove(c.leafRequestId().orElseThrow())); + certificates.put(requestId, cert); + return cert; } @Override public List<EndpointCertificateRequestMetadata> listCertificates() { - return providerMetadata.values().stream() - .map(p -> new EndpointCertificateRequestMetadata( + return certificates.values().stream() + .map(p -> new EndpointCertificateRequestMetadata( p.leafRequestId().orElse(p.rootRequestId()), "requestor", "ticketId", @@ -56,20 +56,20 @@ public class EndpointCertificateMock implements EndpointCertificateProvider { p.issuer(), "rsa_2048" )) - .toList(); + .toList(); } @Override public void deleteCertificate(String requestId) { dnsNames.remove(requestId); - providerMetadata.remove(requestId); + certificates.remove(requestId); } @Override public EndpointCertificateDetails certificateDetails(String requestId) { - var metadata = providerMetadata.get(requestId); + var metadata = certificates.get(requestId); - if(metadata==null) throw new RuntimeException("Unknown certificate request"); + if (metadata==null) throw new IllegalArgumentException("Unknown certificate request"); return new EndpointCertificateDetails(requestId, "requestor", @@ -91,4 +91,5 @@ public class EndpointCertificateMock implements EndpointCertificateProvider { "issuer", "serial"); } + } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidator.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidator.java index 0952fe587f9..b6bc8b9f129 100644 
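Review bot: In `requestCaSignedCertificate` the lambda passed to `currentCert.map` ignores its own argument and re-reads the optional, `currentCert.map(c -> currentCert.get().version() + 1)`; since the line is rewritten here anyway, it should use the argument, `int version = currentCert.map(c -> c.version() + 1).orElse(0);`. The same hunk evicts the previous entry with `c.leafRequestId().orElseThrow()`, which fails with NoSuchElementException for a certificate without a leaf request id; every certificate this mock issues sets one, but a comment like `// certificates issued by this mock always carry a leaf request id` would make that assumption explicit.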
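Review bot: `certificateDetails` now reads from the renamed `certificates` map but keeps its local named `metadata`, and the spacing fix on the next line is only half done: `if (metadata==null)` should read `if (cert == null)` to match both the `if (` change made on the same line and the `cert` naming used in `requestCaSignedCertificate` above. The body of `certificateDetails` continues outside the hunk.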
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidator.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidator.java @@ -5,6 +5,9 @@ import com.yahoo.config.provision.zone.ZoneId; import java.util.List; +/** + * @author andreer + */ public interface EndpointCertificateValidator { - void validate(EndpointCertificateMetadata endpointCertificateMetadata, String serializedInstanceId, ZoneId zone, List<String> requiredNamesForZone); + void validate(EndpointCertificate endpointCertificate, String serializedInstanceId, ZoneId zone, List<String> requiredNamesForZone); } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java index cff61f1a50a..e09e2d096c2 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java 
@@ -31,9 +31,9 @@ public class EndpointCertificateValidatorImpl implements EndpointCertificateVali } @Override - public void validate(EndpointCertificateMetadata endpointCertificateMetadata, String serializedInstanceId, ZoneId zone, List<String> requiredNamesForZone) { + public void validate(EndpointCertificate endpointCertificate, String serializedInstanceId, ZoneId zone, List<String> requiredNamesForZone) { try { - var pemEncodedEndpointCertificate = secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version()); + var pemEncodedEndpointCertificate = secretStore.getSecret(endpointCertificate.certName(), endpointCertificate.version()); if (pemEncodedEndpointCertificate == null) throw new EndpointCertificateException(EndpointCertificateException.Type.CERT_NOT_AVAILABLE, "Secret store returned null for certificate"); diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorMock.java index 6bdf9037dc1..428058315c9 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorMock.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorMock.java @@ -12,7 +12,7 @@ public class EndpointCertificateValidatorMock implements EndpointCertificateVali @Override public void validate( - EndpointCertificateMetadata endpointCertificateMetadata, + EndpointCertificate endpointCertificate, String serializedApplicationId, ZoneId zone, List<String> requiredNamesForZone) { 
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index fdb27ba49a3..54dcfa46188 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -33,7 +33,7 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.InstanceId;
 import com.yahoo.vespa.hosted.controller.api.integration.billing.BillingController;
 import com.yahoo.vespa.hosted.controller.api.integration.billing.Plan;
 import com.yahoo.vespa.hosted.controller.api.integration.billing.Quota;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate;
 import com.yahoo.vespa.hosted.controller.api.integration.configserver.ApplicationReindexing;
 import com.yahoo.vespa.hosted.controller.api.integration.configserver.ConfigServer;
 import com.yahoo.vespa.hosted.controller.api.integration.configserver.ContainerEndpoint;
@@ -525,9 +525,9 @@ public class ApplicationController { containerEndpoints = controller.routing().of(deployment).prepare(application); } // Release application lock while doing the deployment, which is a lengthy task. - Supplier<Optional<EndpointCertificateMetadata>> endpointCertificateMetadata = () -> { + Supplier<Optional<EndpointCertificate>> endpointCertificate = () -> { try (Mutex lock = lock(applicationId)) { - Optional<EndpointCertificateMetadata> data = endpointCertificates.getMetadata(instance, zone, applicationPackage.truncatedPackage().deploymentSpec()); + Optional<EndpointCertificate> data = endpointCertificates.get(instance, zone, applicationPackage.truncatedPackage().deploymentSpec()); data.ifPresent(e -> deployLogger.accept("Using CA signed certificate version %s".formatted(e.version()))); return data; } @@ -535,7 +535,7 @@ public class ApplicationController { // Carry out deployment without holding the application lock. DeploymentDataAndResult dataAndResult = deploy(job.application(), applicationPackage, zone, platform, containerEndpoints, - endpointCertificateMetadata, run.isDryRun(), run.testerCertificate()); + endpointCertificate, run.isDryRun(), run.testerCertificate()); // Record the quota usage for this application @@ -649,7 +649,7 @@ public class ApplicationController { private record DeploymentDataAndResult(DeploymentData data, DeploymentResult result) {} private DeploymentDataAndResult deploy(ApplicationId application, ApplicationPackageStream applicationPackage, ZoneId zone, Version platform, Set<ContainerEndpoint> endpoints, - Supplier<Optional<EndpointCertificateMetadata>> endpointCertificateMetadata, + Supplier<Optional<EndpointCertificate>> endpointCertificate, boolean dryRun, Optional<X509Certificate> testerCertificate) { DeploymentId deployment = new DeploymentId(application, zone); // Routing and metadata may have changed, so we need to refresh state after deployment, even if deployment fails. 
@@ -684,16 +684,16 @@ public class ApplicationController { } Supplier<Optional<CloudAccount>> cloudAccount = () -> decideCloudAccountOf(deployment, applicationPackage.truncatedPackage().deploymentSpec()); List<DataplaneTokenVersions> dataplaneTokenVersions = controller.dataplaneTokenService().listTokens(application.tenant()); - Supplier<Optional<EndpointCertificateMetadata>> endpointCertificateMetadataWrapper = () -> { - Optional<EndpointCertificateMetadata> data = endpointCertificateMetadata.get(); + Supplier<Optional<EndpointCertificate>> endpointCertificateWrapper = () -> { + Optional<EndpointCertificate> data = endpointCertificate.get(); // TODO(mpolden): Pass these endpoints to config server as part of the deploy call. This will let the // application know which endpoints are mTLS and which are token-based - data.flatMap(EndpointCertificateMetadata::randomizedId) + data.flatMap(EndpointCertificate::randomizedId) .ifPresent(applicationPart -> generatedEndpoints.addAll(controller.routing().generateEndpoints(applicationPart, deployment.applicationId()))); return data; }; DeploymentData deploymentData = new DeploymentData(application, zone, applicationPackage::zipStream, platform, - endpoints, endpointCertificateMetadataWrapper, dockerImageRepo, domain, + endpoints, endpointCertificateWrapper, dockerImageRepo, domain, deploymentQuota, tenantSecretStores, operatorCertificates, cloudAccount, dataplaneTokenVersions, dryRun); ConfigServer.PreparedApplication preparedApplication = configServer.deploy(deploymentData); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/pkg/ApplicationPackage.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/pkg/ApplicationPackage.java index 3ebaebf680a..3ec79b03ee8 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/pkg/ApplicationPackage.java 
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/pkg/ApplicationPackage.java @@ -163,7 +163,7 @@ public class ApplicationPackage { deploymentFile, DeploymentSpec.empty.xmlForm().getBytes(UTF_8)))); } - /** Returns a zip containing meta data about deployments of this package by the given job. */ + /** Returns a zip containing metadata about deployments of this package by the given job. */ public byte[] metaDataZip() { return cacheZip(); } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/AssignedCertificate.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/AssignedCertificate.java index 0c8c64827fb..7d3bcf8bdaa 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/AssignedCertificate.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/AssignedCertificate.java @@ -2,7 +2,7 @@ package com.yahoo.vespa.hosted.controller.certificate; import com.yahoo.config.provision.InstanceName; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; import com.yahoo.vespa.hosted.controller.application.TenantAndApplicationId; import java.util.Optional; @@ -15,9 +15,9 @@ import java.util.Optional; */ public record AssignedCertificate(TenantAndApplicationId application, Optional<InstanceName> instance, - EndpointCertificateMetadata certificate) { + EndpointCertificate certificate) { - public AssignedCertificate with(EndpointCertificateMetadata certificate) { + public AssignedCertificate with(EndpointCertificate certificate) { return new AssignedCertificate(application, instance, certificate); } 
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java index 13703c25f15..5d0ee7b74c5 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java @@ -17,7 +17,7 @@ import com.yahoo.vespa.flags.StringFlag; import com.yahoo.vespa.hosted.controller.Controller; import com.yahoo.vespa.hosted.controller.Instance; import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateValidator; import com.yahoo.vespa.hosted.controller.api.integration.secrets.GcpSecretStore; @@ -39,7 +39,7 @@ import java.util.stream.Collectors; import static com.yahoo.vespa.hosted.controller.certificate.UnassignedCertificate.*; /** - * Looks up stored endpoint certificate metadata, provisions new certificates if none is found, + * Looks up stored endpoint certificate, provisions new certificates if none is found, * and re-provisions the certificate if the deploying-to zone is not covered. * * See also {@link com.yahoo.vespa.hosted.controller.maintenance.EndpointCertificateMaintainer}, which handles 
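Review bot: The reworded class summary `Looks up stored endpoint certificate, provisions new certificates if none is found,` mixes singular and plural and drops the article; `Looks up the stored endpoint certificate, provisions a new one if none is found,` keeps the sentence consistent with the second line of the same Javadoc, which continues outside the hunk.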
@@ -73,45 +73,44 @@ public class EndpointCertificates { this.certificateValidator = certificateValidator; } - /** Returns certificate metadata for endpoints of given instance and zone */ - public Optional<EndpointCertificateMetadata> getMetadata(Instance instance, ZoneId zone, DeploymentSpec deploymentSpec) { + /** Returns a suitable certificate for endpoints of given instance and zone */ + public Optional<EndpointCertificate> get(Instance instance, ZoneId zone, DeploymentSpec deploymentSpec) { Instant start = clock.instant(); - Optional<EndpointCertificateMetadata> metadata = getOrProvision(instance, zone, deploymentSpec); + Optional<EndpointCertificate> cert = getOrProvision(instance, zone, deploymentSpec); Duration duration = Duration.between(start, clock.instant()); if (duration.toSeconds() > 30) - log.log(Level.INFO, Text.format("Getting endpoint certificate metadata for %s took %d seconds!", instance.id().serializedForm(), duration.toSeconds())); + log.log(Level.INFO, Text.format("Getting endpoint certificate for %s took %d seconds!", instance.id().serializedForm(), duration.toSeconds())); if (controller.zoneRegistry().zones().all().in(CloudName.GCP).ids().contains(zone)) { // Until CKMS is available from GCP - if (metadata.isPresent()) { - // Validate metadata before copying cert to GCP. This will ensure we don't bug out on the first deployment, but will take more time - certificateValidator.validate(metadata.get(), instance.id().serializedForm(), zone, controller.routing().certificateDnsNames(new DeploymentId(instance.id(), zone), deploymentSpec)); - var m = metadata.get(); + if (cert.isPresent()) { + // Validate before copying cert to GCP. 
This will ensure we don't bug out on the first deployment, but will take more time + certificateValidator.validate(cert.get(), instance.id().serializedForm(), zone, controller.routing().certificateDnsNames(new DeploymentId(instance.id(), zone), deploymentSpec)); GcpSecretStore gcpSecretStore = controller.serviceRegistry().gcpSecretStore(); - String mangledCertName = "endpointCert_" + m.certName().replace('.', '_') + "-v" + m.version(); // Google cloud does not accept dots in secrets, but they accept underscores - String mangledKeyName = "endpointCert_" + m.keyName().replace('.', '_') + "-v" + m.version(); // Google cloud does not accept dots in secrets, but they accept underscores + String mangledCertName = "endpointCert_" + cert.get().certName().replace('.', '_') + "-v" + cert.get().version(); // Google cloud does not accept dots in secrets, but they accept underscores + String mangledKeyName = "endpointCert_" + cert.get().keyName().replace('.', '_') + "-v" + cert.get().version(); // Google cloud does not accept dots in secrets, but they accept underscores if (gcpSecretStore.getLatestSecretVersion(mangledCertName) == null) { gcpSecretStore.setSecret(mangledCertName, Optional.of(GCP_CERTIFICATE_EXPIRY_TIME), "endpoint-cert-accessor"); gcpSecretStore.addSecretVersion(mangledCertName, - controller.secretStore().getSecret(m.certName(), m.version())); + controller.secretStore().getSecret(cert.get().certName(), cert.get().version())); } if (gcpSecretStore.getLatestSecretVersion(mangledKeyName) == null) { gcpSecretStore.setSecret(mangledKeyName, Optional.of(GCP_CERTIFICATE_EXPIRY_TIME), "endpoint-cert-accessor"); gcpSecretStore.addSecretVersion(mangledKeyName, - controller.secretStore().getSecret(m.keyName(), m.version())); + controller.secretStore().getSecret(cert.get().keyName(), cert.get().version())); } - return Optional.of(m.withVersion(1).withKeyName(mangledKeyName).withCertName(mangledCertName)); + return 
Optional.of(cert.get().withVersion(1).withKeyName(mangledKeyName).withCertName(mangledCertName)); } } - return metadata; + return cert; } - private EndpointCertificateMetadata assignFromPool(Instance instance, ZoneId zone) { + private EndpointCertificate assignFromPool(Instance instance, ZoneId zone) { // Assign certificate per instance only in manually deployed environments. In other environments, we share the // certificate because application endpoints can span instances Optional<InstanceName> instanceName = zone.environment().isManuallyDeployed() ? Optional.of(instance.name()) : Optional.empty(); @@ -139,7 +138,7 @@ public class EndpointCertificates { } } - private Optional<EndpointCertificateMetadata> getOrProvision(Instance instance, ZoneId zone, DeploymentSpec deploymentSpec) { + private Optional<EndpointCertificate> getOrProvision(Instance instance, ZoneId zone, DeploymentSpec deploymentSpec) { if (useRandomizedCert.with(FetchVector.Dimension.APPLICATION_ID, instance.id().serializedForm()).value()) { return Optional.of(assignFromPool(instance, zone)); } 
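Review bot: In `get`, dropping the local `m` means `cert.get()` is now unwrapped six times inside the GCP branch (both mangled names, both `getSecret` calls and the final `withVersion` chain); binding it once after the `isPresent` check, `EndpointCertificate c = cert.get();`, keeps the Optional access in one place and makes the block read like the rest of the method. The new name `get` and its Javadoc `Returns a suitable certificate for endpoints of given instance and zone` also understate what this hunk shows the method doing: `getOrProvision` may request a new certificate, and for GCP zones the method validates the certificate and then copies both the certificate and the private key into the GCP secret store. The Javadoc should say that the call may provision a certificate and may copy the certificate and key into the GCP secret store, so callers holding the application lock (as `ApplicationController` does) know this is not a cheap read.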
@@ -147,12 +146,12 @@ public class EndpointCertificates { DeploymentId deployment = new DeploymentId(instance.id(), zone); if (assignedCertificate.isEmpty()) { - var provisionedCertificateMetadata = provisionEndpointCertificate(deployment, Optional.empty(), deploymentSpec); + var provisionedCertificate = provisionEndpointCertificate(deployment, Optional.empty(), deploymentSpec); // We do not verify the certificate if one has never existed before - because we do not want to // wait for it to be available before we deploy. This allows the config server to start // provisioning nodes ASAP, and the risk is small for a new deployment. - curator.writeAssignedCertificate(new AssignedCertificate(TenantAndApplicationId.from(instance.id()), Optional.of(instance.id().instance()), provisionedCertificateMetadata)); - return Optional.of(provisionedCertificateMetadata); + curator.writeAssignedCertificate(new AssignedCertificate(TenantAndApplicationId.from(instance.id()), Optional.of(instance.id().instance()), provisionedCertificate)); + return Optional.of(provisionedCertificate); } else { AssignedCertificate updated = assignedCertificate.get().with(assignedCertificate.get().certificate().withLastRequested(clock.instant().getEpochSecond())); curator.writeAssignedCertificate(updated); 
@@ -160,28 +159,28 @@ public class EndpointCertificates { // Re-provision certificate if it is missing SANs for the zone we are deploying to // Skip this validation for now if the cert has a randomized id - Optional<EndpointCertificateMetadata> currentCertificateMetadata = assignedCertificate.map(AssignedCertificate::certificate); - var requiredSansForZone = currentCertificateMetadata.get().randomizedId().isEmpty() ? + Optional<EndpointCertificate> currentCertificate = assignedCertificate.map(AssignedCertificate::certificate); + var requiredSansForZone = currentCertificate.get().randomizedId().isEmpty() ? controller.routing().certificateDnsNames(deployment, deploymentSpec) : List.<String>of(); - if (!currentCertificateMetadata.get().requestedDnsSans().containsAll(requiredSansForZone)) { - var reprovisionedCertificateMetadata = - provisionEndpointCertificate(deployment, currentCertificateMetadata, deploymentSpec) - .withRootRequestId(currentCertificateMetadata.get().rootRequestId()); // We're required to keep the original request ID - curator.writeAssignedCertificate(assignedCertificate.get().with(reprovisionedCertificateMetadata)); + if (!currentCertificate.get().requestedDnsSans().containsAll(requiredSansForZone)) { + var reprovisionedCertificate = + provisionEndpointCertificate(deployment, currentCertificate, deploymentSpec) + .withRootRequestId(currentCertificate.get().rootRequestId()); // We're required to keep the original request ID + curator.writeAssignedCertificate(assignedCertificate.get().with(reprovisionedCertificate)); // Verification is unlikely to succeed in this case, as certificate must be available first - controller will retry - certificateValidator.validate(reprovisionedCertificateMetadata, instance.id().serializedForm(), zone, requiredSansForZone); - return Optional.of(reprovisionedCertificateMetadata); + certificateValidator.validate(reprovisionedCertificate, instance.id().serializedForm(), zone, requiredSansForZone); + return 
Optional.of(reprovisionedCertificate); } - certificateValidator.validate(currentCertificateMetadata.get(), instance.id().serializedForm(), zone, requiredSansForZone); - return currentCertificateMetadata; + certificateValidator.validate(currentCertificate.get(), instance.id().serializedForm(), zone, requiredSansForZone); + return currentCertificate; } - private EndpointCertificateMetadata provisionEndpointCertificate(DeploymentId deployment, - Optional<EndpointCertificateMetadata> currentMetadata, - DeploymentSpec deploymentSpec) { + private EndpointCertificate provisionEndpointCertificate(DeploymentId deployment, + Optional<EndpointCertificate> currentCert, + DeploymentSpec deploymentSpec) { List<ZoneId> zonesInSystem = controller.zoneRegistry().zones().controllerUpgraded().ids(); Set<ZoneId> requiredZones = new LinkedHashSet<>(); requiredZones.add(deployment.zoneId()); @@ -201,7 +200,7 @@ public class EndpointCertificates { .collect(Collectors.toCollection(LinkedHashSet::new)); // Preserve any currently present names that are still valid - List<String> currentNames = currentMetadata.map(EndpointCertificateMetadata::requestedDnsSans) + List<String> currentNames = currentCert.map(EndpointCertificate::requestedDnsSans) .orElseGet(List::of); zonesInSystem.stream() .map(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone), deploymentSpec)) 
@@ -213,10 +212,10 @@ public class EndpointCertificates { boolean useAlternativeProvider = useAlternateCertProvider.with(FetchVector.Dimension.APPLICATION_ID, deployment.applicationId().serializedForm()).value(); String keyPrefix = deployment.applicationId().toFullString(); var t0 = Instant.now(); - EndpointCertificateMetadata endpointCertificateMetadata = certificateProvider.requestCaSignedCertificate(keyPrefix, List.copyOf(requiredNames), currentMetadata, algo, useAlternativeProvider); + EndpointCertificate endpointCertificate = certificateProvider.requestCaSignedCertificate(keyPrefix, List.copyOf(requiredNames), currentCert, algo, useAlternativeProvider); var t1 = Instant.now(); log.log(Level.INFO, String.format("Endpoint certificate request for application %s returned after %s", deployment.applicationId().serializedForm(), Duration.between(t0, t1))); - return endpointCertificateMetadata; + return endpointCertificate; } } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/UnassignedCertificate.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/UnassignedCertificate.java index 2fbff02ffa9..3a8580b7eb5 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/UnassignedCertificate.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/UnassignedCertificate.java @@ -1,6 +1,6 @@ package com.yahoo.vespa.hosted.controller.certificate; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; /** * An unassigned certificate, which exists in a pre-provisioned pool of certificates. Once assigned to an application, 
@@ -11,7 +11,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCe * * @author andreer */ -public record UnassignedCertificate(EndpointCertificateMetadata certificate, UnassignedCertificate.State state) { +public record UnassignedCertificate(EndpointCertificate certificate, UnassignedCertificate.State state) { public UnassignedCertificate { if (certificate.randomizedId().isEmpty()) { diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/CertificatePoolMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/CertificatePoolMaintainer.java index 46d19b627cc..9e2933f60fd 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/CertificatePoolMaintainer.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/CertificatePoolMaintainer.java @@ -12,7 +12,7 @@ import com.yahoo.vespa.flags.IntFlag; import com.yahoo.vespa.flags.PermanentFlags; import com.yahoo.vespa.flags.StringFlag; import com.yahoo.vespa.hosted.controller.Controller; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider; import com.yahoo.vespa.hosted.controller.application.Endpoint; import com.yahoo.vespa.hosted.controller.application.GeneratedEndpoint; 
@@ -103,13 +103,13 @@ public class CertificatePoolMaintainer extends ControllerMaintainer { curator.readAssignedCertificates().stream() .map(AssignedCertificate::certificate) - .map(EndpointCertificateMetadata::randomizedId) + .map(EndpointCertificate::randomizedId) .forEach(id -> id.ifPresent(existingNames::add)); String id = generateRandomId(); while (existingNames.contains(id)) id = generateRandomId(); - EndpointCertificateMetadata f = endpointCertificateProvider.requestCaSignedCertificate( + EndpointCertificate f = endpointCertificateProvider.requestCaSignedCertificate( "preprovisioned.%s".formatted(id), List.of( "*.%s.z%s".formatted(id, dnsSuffix), @@ -119,7 +119,7 @@ public class CertificatePoolMaintainer extends ControllerMaintainer { Optional.empty(), endpointCertificateAlgo.value(), useAlternateCertProvider.value()) - .withRandomizedId(id); + .withRandomizedId(id); UnassignedCertificate certificate = new UnassignedCertificate(f, UnassignedCertificate.State.requested); curator.writeUnassignedCertificate(certificate); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java index 935d562a8c2..e8e48bfccee 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java 
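Review bot: The uniqueness loop `while (existingNames.contains(id)) id = generateRandomId();` only sees ids harvested from `curator.readAssignedCertificates()` in the lines just above it, so unless `existingNames` is already seeded with the pool's own ids before this hunk, two unassigned certificates can receive the same randomized id and therefore identical `"*.%s.z%s".formatted(id, dnsSuffix)` SANs. The start of the method is outside the hunk, so this is an inference to confirm against the declaration of `existingNames`. If the pool is not covered, add `curator.readUnassignedCertificates().forEach(c -> c.certificate().randomizedId().ifPresent(existingNames::add));` next to the assigned-certificate loop, which mirrors how `readUnassignedCertificates()` and `randomizedId()` are used elsewhere in this commit.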
@@ -11,8 +11,8 @@ import com.yahoo.transaction.Mutex; import com.yahoo.transaction.NestedTransaction; import com.yahoo.vespa.hosted.controller.Application; import com.yahoo.vespa.hosted.controller.Controller; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateDetails; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateRequestMetadata; import com.yahoo.vespa.hosted.controller.certificate.UnassignedCertificate; @@ -156,7 +156,7 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer { }); } - private OptionalInt latestVersionInSecretStore(EndpointCertificateMetadata originalCertificateMetadata) { + private OptionalInt latestVersionInSecretStore(EndpointCertificate originalCertificateMetadata) { try { var certVersions = new HashSet<>(secretStore.listSecretVersions(originalCertificateMetadata.certName())); var keyVersions = new HashSet<>(secretStore.listSecretVersions(originalCertificateMetadata.keyName())); @@ -169,7 +169,7 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer { private void deleteUnusedCertificates() { var oneMonthAgo = clock.instant().minus(30, ChronoUnit.DAYS); curator.readAssignedCertificates().forEach(assignedCertificate -> { - EndpointCertificateMetadata certificate = assignedCertificate.certificate(); + EndpointCertificate certificate = assignedCertificate.certificate(); var lastRequested = Instant.ofEpochSecond(certificate.lastRequested()); if (lastRequested.isBefore(oneMonthAgo) && hasNoDeployments(assignedCertificate.application())) { try (Mutex lock = lock(assignedCertificate.application())) { 
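Review bot: The rename in the `@@ -156` hunk changes the parameter type of `latestVersionInSecretStore` but leaves its name as `originalCertificateMetadata`, so the old type name survives in the signature and in the two `listSecretVersions(...)` calls. The `deleteUnusedCertificates` hunk right below uses the plain local `EndpointCertificate certificate`, which is the convention worth following here: `private OptionalInt latestVersionInSecretStore(EndpointCertificate certificate) {`, `var certVersions = new HashSet<>(secretStore.listSecretVersions(certificate.certName()));`, `var keyVersions = new HashSet<>(secretStore.listSecretVersions(certificate.keyName()));`. The rest of the method body, including whatever it does with the two sets, lies outside the hunk.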
@@ -200,11 +200,11 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer { } private void deleteOrReportUnmanagedCertificates() { - List<EndpointCertificateRequestMetadata> endpointCertificateMetadata = endpointCertificateProvider.listCertificates(); + List<EndpointCertificateRequestMetadata> requests = endpointCertificateProvider.listCertificates(); List<AssignedCertificate> assignedCertificates = curator.readAssignedCertificates(); List<String> leafRequestIds = assignedCertificates.stream().map(AssignedCertificate::certificate).flatMap(m -> m.leafRequestId().stream()).toList(); - List<String> rootRequestIds = assignedCertificates.stream().map(AssignedCertificate::certificate).map(EndpointCertificateMetadata::rootRequestId).toList(); + List<String> rootRequestIds = assignedCertificates.stream().map(AssignedCertificate::certificate).map(EndpointCertificate::rootRequestId).toList(); List<UnassignedCertificate> unassignedCertificates = curator.readUnassignedCertificates(); List<String> certPoolRootIds = unassignedCertificates.stream().map(p -> p.certificate().leafRequestId()).flatMap(Optional::stream).toList(); List<String> certPoolLeafIds = unassignedCertificates.stream().map(p -> p.certificate().rootRequestId()).toList(); 
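Review bot: In `deleteOrReportUnmanagedCertificates` the two pool lists are named the wrong way round: `certPoolRootIds` is built from `p.certificate().leafRequestId()` and `certPoolLeafIds` from `p.certificate().rootRequestId()`, the inverse of the `leafRequestIds`/`rootRequestIds` lists built from assigned certificates two lines earlier. As far as the following hunk shows, both lists are only unioned into `managedIds`, so this does not change which provider requests survive, but anyone reasoning about which ids are protected from the 7-day deletion will be misled. Swapping the names fixes it: `List<String> certPoolLeafIds = unassignedCertificates.stream().map(p -> p.certificate().leafRequestId()).flatMap(Optional::stream).toList();` and `List<String> certPoolRootIds = unassignedCertificates.stream().map(p -> p.certificate().rootRequestId()).toList();`. The method continues past the end of the hunk.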
@@ -215,21 +215,21 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer { managedIds.addAll(certPoolRootIds); managedIds.addAll(certPoolLeafIds); - for (var providerCertificateMetadata : endpointCertificateMetadata) { - if (!managedIds.contains(providerCertificateMetadata.requestId())) { + for (var request : requests) { + if (!managedIds.contains(request.requestId())) { // It could just be a refresh we're not aware of yet. See if it matches the cert/keyname of any known cert - EndpointCertificateDetails unknownCertDetails = endpointCertificateProvider.certificateDetails(providerCertificateMetadata.requestId()); + EndpointCertificateDetails unknownCertDetails = endpointCertificateProvider.certificateDetails(request.requestId()); boolean matchFound = false; for (AssignedCertificate assignedCertificate : assignedCertificates) { - if (assignedCertificate.certificate().certName().equals(unknownCertDetails.cert_key_keyname())) { + if (assignedCertificate.certificate().certName().equals(unknownCertDetails.certKeyKeyname())) { matchFound = true; try (Mutex lock = lock(assignedCertificate.application())) { if (unchanged(assignedCertificate, lock)) { log.log(Level.INFO, "Cert for app " + asString(assignedCertificate.application(), assignedCertificate.instance()) - + " has a new leafRequestId " + unknownCertDetails.request_id() + ", updating in ZK"); + + " has a new leafRequestId " + unknownCertDetails.requestId() + ", updating in ZK"); try (NestedTransaction transaction = new NestedTransaction()) { - EndpointCertificateMetadata updated = assignedCertificate.certificate().withLeafRequestId(Optional.of(unknownCertDetails.request_id())); + EndpointCertificate updated = assignedCertificate.certificate().withLeafRequestId(Optional.of(unknownCertDetails.requestId())); curator.writeAssignedCertificate(assignedCertificate.with(updated), transaction); transaction.commit(); } 
@@ -241,11 +241,11 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer { if (!matchFound) { // The certificate is not known - however it could be in the process of being requested by us or another controller. // So we only delete if it was requested more than 7 days ago. - if (Instant.parse(providerCertificateMetadata.createTime()).isBefore(Instant.now().minus(7, ChronoUnit.DAYS))) { + if (Instant.parse(request.createTime()).isBefore(Instant.now().minus(7, ChronoUnit.DAYS))) { log.log(Level.INFO, String.format("Deleting unmaintained certificate with request_id %s and SANs %s", - providerCertificateMetadata.requestId(), - providerCertificateMetadata.dnsNames().stream().map(d -> d.dnsName).collect(Collectors.joining(", ")))); - endpointCertificateProvider.deleteCertificate(providerCertificateMetadata.requestId()); + request.requestId(), + request.dnsNames().stream().map(d -> d.dnsName).collect(Collectors.joining(", ")))); + endpointCertificateProvider.deleteCertificate(request.requestId()); } } } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java index 942d3167f7a..968befcd0a7 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java @@ -619,7 +619,7 @@ public class CuratorDb { Path path = endpointCertificatePath(certificate.application(), certificate.instance()); curator.create(path); CuratorOperation operation = CuratorOperations.setData(path.getAbsolute(), - asJson(EndpointCertificateMetadataSerializer.toSlime(certificate.certificate()))); + asJson(EndpointCertificateSerializer.toSlime(certificate.certificate()))); transaction.add(CuratorTransaction.from(operation, curator)); } 
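Review bot: The 7-day cutoff that gates `endpointCertificateProvider.deleteCertificate(request.requestId())` is computed from `Instant.now()`, while `deleteUnusedCertificates` in the same class derives its 30-day cutoff from the injected `clock.instant()`. Because this branch permanently deletes a certificate at the provider, it is the one most worth exercising with a manual clock in tests, and the wall-clock call makes that impossible and leaves the two maintainers inconsistent. Change the condition to `if (Instant.parse(request.createTime()).isBefore(clock.instant().minus(7, ChronoUnit.DAYS))) {`. The enclosing loop starts in the previous hunk.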
@@ -634,7 +634,7 @@ public class CuratorDb { public Optional<AssignedCertificate> readAssignedCertificate(TenantAndApplicationId application, Optional<InstanceName> instance) { return readSlime(endpointCertificatePath(application, instance)).map(Slime::get) - .map(EndpointCertificateMetadataSerializer::fromSlime) + .map(EndpointCertificateSerializer::fromSlime) .map(cert -> new AssignedCertificate(application, instance, cert)); } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateSerializer.java index 822efcc7163..fae9ea1e0e3 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializer.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateSerializer.java @@ -6,20 +6,17 @@ import com.yahoo.slime.Inspector; import com.yahoo.slime.Slime; import com.yahoo.slime.SlimeUtils; import com.yahoo.slime.Type; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; import java.util.Optional; import java.util.stream.IntStream; /** - * (de)serializes endpoint certificate metadata - * <p> - * A copy of package com.yahoo.vespa.config.server.tenant.EndpointCertificateMetadata, - * but with additional fields as we need to store some more information in the controller. + * Serializer for {@link EndpointCertificate}. * * @author andreer */ -public class EndpointCertificateMetadataSerializer { +public class EndpointCertificateSerializer { // WARNING: Since there are multiple servers in a ZooKeeper cluster, and they upgrade one by one // (and rewrite all nodes on startup), changes to the serialized format must be made 
@@ -40,33 +37,33 @@ public class EndpointCertificateMetadataSerializer { private final static String lastRefreshedField = "lastRefreshed"; private final static String randomizedIdField = "randomizedId"; - public static Slime toSlime(EndpointCertificateMetadata metadata) { + public static Slime toSlime(EndpointCertificate cert) { Slime slime = new Slime(); Cursor object = slime.setObject(); - toSlime(metadata, object); + toSlime(cert, object); return slime; } - public static void toSlime(EndpointCertificateMetadata metadata, Cursor object) { - object.setString(keyNameField, metadata.keyName()); - object.setString(certNameField, metadata.certName()); - object.setLong(versionField, metadata.version()); - object.setLong(lastRequestedField, metadata.lastRequested()); - object.setString(rootRequestIdField, metadata.rootRequestId()); - metadata.leafRequestId().ifPresent(leafRequestId -> object.setString(leafRequestIdField, leafRequestId)); + public static void toSlime(EndpointCertificate cert, Cursor object) { + object.setString(keyNameField, cert.keyName()); + object.setString(certNameField, cert.certName()); + object.setLong(versionField, cert.version()); + object.setLong(lastRequestedField, cert.lastRequested()); + object.setString(rootRequestIdField, cert.rootRequestId()); + cert.leafRequestId().ifPresent(leafRequestId -> object.setString(leafRequestIdField, leafRequestId)); var cursor = object.setArray(requestedDnsSansField); - metadata.requestedDnsSans().forEach(cursor::addString); - object.setString(issuerField, metadata.issuer()); - metadata.expiry().ifPresent(expiry -> object.setLong(expiryField, expiry)); - metadata.lastRefreshed().ifPresent(refreshTime -> object.setLong(lastRefreshedField, refreshTime)); - metadata.randomizedId().ifPresent(randomizedId -> object.setString(randomizedIdField, randomizedId)); + cert.requestedDnsSans().forEach(cursor::addString); + object.setString(issuerField, cert.issuer()); + cert.expiry().ifPresent(expiry -> 
object.setLong(expiryField, expiry)); + cert.lastRefreshed().ifPresent(refreshTime -> object.setLong(lastRefreshedField, refreshTime)); + cert.randomizedId().ifPresent(randomizedId -> object.setString(randomizedIdField, randomizedId)); } - public static EndpointCertificateMetadata fromSlime(Inspector inspector) { + public static EndpointCertificate fromSlime(Inspector inspector) { if (inspector.type() != Type.OBJECT) - throw new IllegalArgumentException("Unknown format encountered for endpoint certificate metadata!"); + throw new IllegalArgumentException("Invalid format encountered for endpoint certificate"); - return new EndpointCertificateMetadata( + return new EndpointCertificate( inspector.field(keyNameField).asString(), inspector.field(certNameField).asString(), Math.toIntExact(inspector.field(versionField).asLong()), @@ -87,7 +84,7 @@ public class EndpointCertificateMetadataSerializer { Optional.empty()); } - public static EndpointCertificateMetadata fromJsonString(String zkData) { + public static EndpointCertificate fromJsonString(String zkData) { return fromSlime(SlimeUtils.jsonToSlime(zkData).get()); } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/UnassignedCertificateSerializer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/UnassignedCertificateSerializer.java index 87778f1792f..2f8a0ea585c 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/UnassignedCertificateSerializer.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/UnassignedCertificateSerializer.java 
@@ -3,7 +3,7 @@ package com.yahoo.vespa.hosted.controller.persistence; import com.yahoo.slime.Cursor; import com.yahoo.slime.Slime; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; import com.yahoo.vespa.hosted.controller.certificate.UnassignedCertificate; /** @@ -18,14 +18,14 @@ public class UnassignedCertificateSerializer { Slime slime = new Slime(); Cursor root = slime.setObject(); root.setString(stateKey, unassignedCertificate.state().name()); - EndpointCertificateMetadataSerializer.toSlime(unassignedCertificate.certificate(), root.setObject(certificateKey)); + EndpointCertificateSerializer.toSlime(unassignedCertificate.certificate(), root.setObject(certificateKey)); return slime; } public UnassignedCertificate fromSlime(Slime slime) { Cursor root = slime.get(); UnassignedCertificate.State state = UnassignedCertificate.State.valueOf(root.field(stateKey).asString()); - EndpointCertificateMetadata certificate = EndpointCertificateMetadataSerializer.fromSlime(root.field(certificateKey)); + EndpointCertificate certificate = EndpointCertificateSerializer.fromSlime(root.field(certificateKey)); return new UnassignedCertificate(certificate, state); } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/certificate/EndpointCertificatesHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/certificate/EndpointCertificatesHandler.java index 3980ef87613..c25b4e7e369 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/certificate/EndpointCertificatesHandler.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/certificate/EndpointCertificatesHandler.java 
@@ -13,13 +13,13 @@ import com.yahoo.vespa.flags.PermanentFlags; import com.yahoo.vespa.flags.StringFlag; import com.yahoo.vespa.hosted.controller.Controller; import com.yahoo.vespa.hosted.controller.api.integration.ServiceRegistry; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateRequestMetadata; import com.yahoo.vespa.hosted.controller.application.TenantAndApplicationId; import com.yahoo.vespa.hosted.controller.certificate.AssignedCertificate; import com.yahoo.vespa.hosted.controller.persistence.CuratorDb; -import com.yahoo.vespa.hosted.controller.persistence.EndpointCertificateMetadataSerializer; +import com.yahoo.vespa.hosted.controller.persistence.EndpointCertificateSerializer; import java.util.List; import java.util.Optional; @@ -60,9 +60,9 @@ public class EndpointCertificatesHandler extends ThreadedHttpRequestHandler { } public HttpResponse listEndpointCertificates() { - List<EndpointCertificateRequestMetadata> endpointCertificateMetadata = endpointCertificateProvider.listCertificates(); + List<EndpointCertificateRequestMetadata> request = endpointCertificateProvider.listCertificates(); - String requestsWithNames = endpointCertificateMetadata.stream() + String requestsWithNames = request.stream() .map(metadata -> metadata.requestId() + " : " + String.join(", ", metadata.dnsNames().stream() .map(dnsNameStatus -> dnsNameStatus.dnsName) 
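Review bot: In the `@@ -60` hunk the renamed local `request` is a `List<EndpointCertificateRequestMetadata>` holding every certificate request the provider returns, so the singular name misreads, and the stream lambda still calls each element `metadata`. The same rename in `EndpointCertificateMaintainer.deleteOrReportUnmanagedCertificates` chose `requests`, which fits both the type and the existing `requestsWithNames` result name: `List<EndpointCertificateRequestMetadata> requests = endpointCertificateProvider.listCertificates();` and `String requestsWithNames = requests.stream()`, with the lambda parameter renamed to `request`. The `.map(...)` chain and the rest of `listEndpointCertificates` continue outside the hunk.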
@@ -85,16 +85,16 @@ public class EndpointCertificatesHandler extends ThreadedHttpRequestHandler { boolean useAlternativeProvider = useAlternateCertProvider.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm()).value(); String keyPrefix = applicationId.toFullString(); - EndpointCertificateMetadata reRequestedMetadata = endpointCertificateProvider.requestCaSignedCertificate( + EndpointCertificate cert = endpointCertificateProvider.requestCaSignedCertificate( keyPrefix, assignedCertificate.certificate().requestedDnsSans(), ignoreExistingMetadata ? Optional.empty() : Optional.of(assignedCertificate.certificate()), algo, useAlternativeProvider); - curator.writeAssignedCertificate(assignedCertificate.with(reRequestedMetadata)); + curator.writeAssignedCertificate(assignedCertificate.with(cert)); - return new StringResponse(EndpointCertificateMetadataSerializer.toSlime(reRequestedMetadata).toString()); + return new StringResponse(EndpointCertificateSerializer.toSlime(cert).toString()); } } } diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java index 3a1cb322daf..3d2a66adc81 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java 
@@ -24,7 +24,7 @@ import com.yahoo.vespa.hosted.controller.api.application.v4.model.DeploymentData import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId; import com.yahoo.vespa.hosted.controller.api.integration.billing.PlanRegistryMock; import com.yahoo.vespa.hosted.controller.api.integration.billing.Quota; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; import com.yahoo.vespa.hosted.controller.api.integration.configserver.ContainerEndpoint; import com.yahoo.vespa.hosted.controller.api.integration.deployment.ApplicationVersion; import com.yahoo.vespa.hosted.controller.api.integration.deployment.RevisionId; @@ -941,7 +941,7 @@ public class ControllerTest { @Test void testDeploySelectivelyProvisionsCertificate() { - Function<Instance, Optional<EndpointCertificateMetadata>> certificate = (application) -> tester.controller().curator().readAssignedCertificate(application.id()).map(AssignedCertificate::certificate); + Function<Instance, Optional<EndpointCertificate>> certificate = (application) -> tester.controller().curator().readAssignedCertificate(application.id()).map(AssignedCertificate::certificate); // Create app1 var context1 = tester.newDeploymentContext("tenant1", "app1", "default"); diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java index 8c94bac35b1..9c84ab48229 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java 
@@ -20,8 +20,8 @@ import com.yahoo.test.ManualClock; import com.yahoo.vespa.flags.Flags; import com.yahoo.vespa.hosted.controller.ControllerTester; import com.yahoo.vespa.hosted.controller.Instance; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMock; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProviderMock; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateValidatorImpl; import com.yahoo.vespa.hosted.controller.application.TenantAndApplicationId; import com.yahoo.vespa.hosted.controller.application.pkg.ApplicationPackage; @@ -58,9 +58,9 @@ public class EndpointCertificatesTest { private final SecretStoreMock secretStore = new SecretStoreMock(); private final CuratorDb mockCuratorDb = tester.curator(); private final ManualClock clock = tester.clock(); - private final EndpointCertificateMock endpointCertificateMock = new EndpointCertificateMock(); + private final EndpointCertificateProviderMock endpointCertificateProviderMock = new EndpointCertificateProviderMock(); private final EndpointCertificateValidatorImpl endpointCertificateValidator = new EndpointCertificateValidatorImpl(secretStore, clock); - private final EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateMock, endpointCertificateValidator); + private final EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateProviderMock, endpointCertificateValidator); private final KeyPair testKeyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 192); private X509Certificate testCertificate; 
@@ -123,22 +123,22 @@ public class EndpointCertificatesTest { @Test void provisions_new_certificate_in_dev() { ZoneId testZone = tester.zoneRegistry().zones().all().routingMethod(RoutingMethod.exclusive).in(Environment.dev).zones().stream().findFirst().orElseThrow().getId(); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, testZone, DeploymentSpec.empty); - assertTrue(endpointCertificateMetadata.isPresent()); - assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.default.default.*-key")); - assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.default.default.*-cert")); - assertEquals(0, endpointCertificateMetadata.get().version()); - assertEquals(expectedDevSans, endpointCertificateMetadata.get().requestedDnsSans()); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, testZone, DeploymentSpec.empty); + assertTrue(cert.isPresent()); + assertTrue(cert.get().keyName().matches("vespa.tls.default.default.*-key")); + assertTrue(cert.get().certName().matches("vespa.tls.default.default.*-cert")); + assertEquals(0, cert.get().version()); + assertEquals(expectedDevSans, cert.get().requestedDnsSans()); } @Test void provisions_new_certificate_in_prod() { - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, prodZone, DeploymentSpec.empty); - assertTrue(endpointCertificateMetadata.isPresent()); - assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.default.default.*-key")); - assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.default.default.*-cert")); - assertEquals(0, endpointCertificateMetadata.get().version()); - assertEquals(expectedSans, endpointCertificateMetadata.get().requestedDnsSans()); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, prodZone, DeploymentSpec.empty); + assertTrue(cert.isPresent()); + 
assertTrue(cert.get().keyName().matches("vespa.tls.default.default.*-key")); + assertTrue(cert.get().certName().matches("vespa.tls.default.default.*-cert")); + assertEquals(0, cert.get().version()); + assertEquals(expectedSans, cert.get().requestedDnsSans()); } private ControllerTester publicTester() { @@ -151,7 +151,7 @@ public class EndpointCertificatesTest { void provisions_new_certificate_in_public_prod() { ControllerTester tester = publicTester(); EndpointCertificateValidatorImpl endpointCertificateValidator = new EndpointCertificateValidatorImpl(secretStore, clock); - EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateMock, endpointCertificateValidator); + EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateProviderMock, endpointCertificateValidator); List<String> expectedSans = List.of( "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.internal.vespa-app.cloud", "default.default.g.vespa-app.cloud", 
@@ -163,61 +163,61 @@ public class EndpointCertificatesTest { "default.default.us-east-3.staging.z.vespa-app.cloud", "*.default.default.us-east-3.staging.z.vespa-app.cloud" ); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, prodZone, DeploymentSpec.empty); - assertTrue(endpointCertificateMetadata.isPresent()); - assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.default.default.*-key")); - assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.default.default.*-cert")); - assertEquals(0, endpointCertificateMetadata.get().version()); - assertEquals(expectedSans, endpointCertificateMetadata.get().requestedDnsSans()); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, prodZone, DeploymentSpec.empty); + assertTrue(cert.isPresent()); + assertTrue(cert.get().keyName().matches("vespa.tls.default.default.*-key")); + assertTrue(cert.get().certName().matches("vespa.tls.default.default.*-cert")); + assertEquals(0, cert.get().version()); + assertEquals(expectedSans, cert.get().requestedDnsSans()); } @Test - void reuses_stored_certificate_metadata() { - mockCuratorDb.writeAssignedCertificate(assignedCertificate(instance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7, 0, "request_id", Optional.of("leaf-request-uuid"), - List.of("vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.vespa.oath.cloud", + void reuses_stored_certificate() { + mockCuratorDb.writeAssignedCertificate(assignedCertificate(instance.id(), new EndpointCertificate(testKeyName, testCertName, 7, 0, "request_id", Optional.of("leaf-request-uuid"), + List.of("vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.vespa.oath.cloud", "default.default.global.vespa.oath.cloud", "*.default.default.global.vespa.oath.cloud", "default.default.aws-us-east-1a.vespa.oath.cloud", "*.default.default.aws-us-east-1a.vespa.oath.cloud"), - "", Optional.empty(), Optional.empty(), Optional.empty()))); + "", 
Optional.empty(), Optional.empty(), Optional.empty()))); secretStore.setSecret(testKeyName, KeyUtils.toPem(testKeyPair.getPrivate()), 7); secretStore.setSecret(testCertName, X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 7); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, prodZone, DeploymentSpec.empty); - assertTrue(endpointCertificateMetadata.isPresent()); - assertEquals(testKeyName, endpointCertificateMetadata.get().keyName()); - assertEquals(testCertName, endpointCertificateMetadata.get().certName()); - assertEquals(7, endpointCertificateMetadata.get().version()); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, prodZone, DeploymentSpec.empty); + assertTrue(cert.isPresent()); + assertEquals(testKeyName, cert.get().keyName()); + assertEquals(testCertName, cert.get().certName()); + assertEquals(7, cert.get().version()); } @Test void reprovisions_certificate_when_necessary() { - mockCuratorDb.writeAssignedCertificate(assignedCertificate(instance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, 0, "root-request-uuid", Optional.of("leaf-request-uuid"), List.of(), "issuer", Optional.empty(), Optional.empty(), Optional.empty()))); + mockCuratorDb.writeAssignedCertificate(assignedCertificate(instance.id(), new EndpointCertificate(testKeyName, testCertName, -1, 0, "root-request-uuid", Optional.of("leaf-request-uuid"), List.of(), "issuer", Optional.empty(), Optional.empty(), Optional.empty()))); secretStore.setSecret("vespa.tls.default.default.default-key", KeyUtils.toPem(testKeyPair.getPrivate()), 0); secretStore.setSecret("vespa.tls.default.default.default-cert", X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 0); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, prodZone, DeploymentSpec.empty); - 
assertTrue(endpointCertificateMetadata.isPresent()); - assertEquals(0, endpointCertificateMetadata.get().version()); - assertEquals(endpointCertificateMetadata, mockCuratorDb.readAssignedCertificate(instance.id()).map(AssignedCertificate::certificate)); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, prodZone, DeploymentSpec.empty); + assertTrue(cert.isPresent()); + assertEquals(0, cert.get().version()); + assertEquals(cert, mockCuratorDb.readAssignedCertificate(instance.id()).map(AssignedCertificate::certificate)); } @Test void reprovisions_certificate_with_added_sans_when_deploying_to_new_zone() { ZoneId testZone = ZoneId.from("prod.ap-northeast-1"); - mockCuratorDb.writeAssignedCertificate(assignedCertificate(instance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, 0, "original-request-uuid", Optional.of("leaf-request-uuid"), expectedSans, "mockCa", Optional.empty(), Optional.empty(), Optional.empty()))); + mockCuratorDb.writeAssignedCertificate(assignedCertificate(instance.id(), new EndpointCertificate(testKeyName, testCertName, -1, 0, "original-request-uuid", Optional.of("leaf-request-uuid"), expectedSans, "mockCa", Optional.empty(), Optional.empty(), Optional.empty()))); secretStore.setSecret("vespa.tls.default.default.default-key", KeyUtils.toPem(testKeyPair.getPrivate()), -1); secretStore.setSecret("vespa.tls.default.default.default-cert", X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), -1); secretStore.setSecret("vespa.tls.default.default.default-key", KeyUtils.toPem(testKeyPair.getPrivate()), 0); secretStore.setSecret("vespa.tls.default.default.default-cert", X509CertificateUtils.toPem(testCertificate2) + X509CertificateUtils.toPem(testCertificate2), 0); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, testZone, DeploymentSpec.empty); - assertTrue(endpointCertificateMetadata.isPresent()); - 
assertEquals(0, endpointCertificateMetadata.get().version()); - assertEquals(endpointCertificateMetadata, mockCuratorDb.readAssignedCertificate(instance.id()).map(AssignedCertificate::certificate)); - assertEquals("original-request-uuid", endpointCertificateMetadata.get().rootRequestId()); - assertNotEquals(Optional.of("leaf-request-uuid"), endpointCertificateMetadata.get().leafRequestId()); - assertEquals(Set.copyOf(expectedCombinedSans), Set.copyOf(endpointCertificateMetadata.get().requestedDnsSans())); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, testZone, DeploymentSpec.empty); + assertTrue(cert.isPresent()); + assertEquals(0, cert.get().version()); + assertEquals(cert, mockCuratorDb.readAssignedCertificate(instance.id()).map(AssignedCertificate::certificate)); + assertEquals("original-request-uuid", cert.get().rootRequestId()); + assertNotEquals(Optional.of("leaf-request-uuid"), cert.get().leafRequestId()); + assertEquals(Set.copyOf(expectedCombinedSans), Set.copyOf(cert.get().requestedDnsSans())); } @Test 
@@ -236,12 +236,12 @@ public class EndpointCertificatesTest { ); ZoneId testZone = tester.zoneRegistry().zones().all().in(Environment.staging).zones().stream().findFirst().orElseThrow().getId(); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, testZone, deploymentSpec); - assertTrue(endpointCertificateMetadata.isPresent()); - assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.default.default.*-key")); - assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.default.default.*-cert")); - assertEquals(0, endpointCertificateMetadata.get().version()); - assertEquals(Set.copyOf(expectedCombinedSans), Set.copyOf(endpointCertificateMetadata.get().requestedDnsSans())); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, testZone, deploymentSpec); + assertTrue(cert.isPresent()); + assertTrue(cert.get().keyName().matches("vespa.tls.default.default.*-key")); + assertTrue(cert.get().certName().matches("vespa.tls.default.default.*-cert")); + assertEquals(0, cert.get().version()); + assertEquals(Set.copyOf(expectedCombinedSans), Set.copyOf(cert.get().requestedDnsSans())); } @Test @@ -266,7 +266,7 @@ public class EndpointCertificatesTest { zone2.region().value(), Map.of(InstanceName.from("main"), 2))) .build(); EndpointCertificateValidatorImpl endpointCertificateValidator = new EndpointCertificateValidatorImpl(secretStore, clock); - EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateMock, endpointCertificateValidator); + EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateProviderMock, endpointCertificateValidator); List<String> expectedSans = Stream.of( "vlfms2wpoa4nyrka2s5lktucypjtxkqhv.internal.vespa-app.cloud", "a1.t1.g.vespa-app.cloud", 
@@ -280,12 +280,12 @@ public class EndpointCertificatesTest { "a1.t1.us-east-3.staging.z.vespa-app.cloud", "*.a1.t1.us-east-3.staging.z.vespa-app.cloud" ).sorted().toList(); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, zone1, applicationPackage.deploymentSpec()); - assertTrue(endpointCertificateMetadata.isPresent()); - assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.t1.a1.*-key")); - assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.t1.a1.*-cert")); - assertEquals(0, endpointCertificateMetadata.get().version()); - assertEquals(expectedSans, endpointCertificateMetadata.get().requestedDnsSans().stream().sorted().toList()); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, zone1, applicationPackage.deploymentSpec()); + assertTrue(cert.isPresent()); + assertTrue(cert.get().keyName().matches("vespa.tls.t1.a1.*-key")); + assertTrue(cert.get().certName().matches("vespa.tls.t1.a1.*-cert")); + assertEquals(0, cert.get().version()); + assertEquals(expectedSans, cert.get().requestedDnsSans().stream().sorted().toList()); } @Test 
@@ -293,15 +293,15 @@ public class EndpointCertificatesTest { tester.flagSource().withBooleanFlag(Flags.RANDOMIZED_ENDPOINT_NAMES.id(), true); try { addCertificateToPool("pool-cert-1", UnassignedCertificate.State.requested); - endpointCertificates.getMetadata(instance, prodZone, DeploymentSpec.empty); + endpointCertificates.get(instance, prodZone, DeploymentSpec.empty); fail("Expected exception as certificate is not ready"); } catch (IllegalArgumentException ignored) {} { // prod String certId = "pool-cert-1"; addCertificateToPool(certId, UnassignedCertificate.State.ready); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, prodZone, DeploymentSpec.empty); - assertEquals(certId, endpointCertificateMetadata.get().randomizedId().get()); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, prodZone, DeploymentSpec.empty); + assertEquals(certId, cert.get().randomizedId().get()); assertEquals(certId, tester.curator().readAssignedCertificate(TenantAndApplicationId.from(instance.id()), Optional.empty()).get().certificate().randomizedId().get(), "Certificate is assigned at application-level"); assertTrue(tester.controller().curator().readUnassignedCertificate(certId).isEmpty(), "Certificate is removed from pool"); } 
@@ -310,25 +310,25 @@ public class EndpointCertificatesTest { String certId = "pool-cert-2"; addCertificateToPool(certId, UnassignedCertificate.State.ready); ZoneId devZone = tester.zoneRegistry().zones().all().routingMethod(RoutingMethod.exclusive).in(Environment.dev).zones().stream().findFirst().orElseThrow().getId(); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, devZone, DeploymentSpec.empty); - assertEquals(certId, endpointCertificateMetadata.get().randomizedId().get()); + Optional<EndpointCertificate> cert = endpointCertificates.get(instance, devZone, DeploymentSpec.empty); + assertEquals(certId, cert.get().randomizedId().get()); assertEquals(certId, tester.curator().readAssignedCertificate(instance.id()).get().certificate().randomizedId().get(), "Certificate is assigned at instance-level"); assertTrue(tester.controller().curator().readUnassignedCertificate(certId).isEmpty(), "Certificate is removed from pool"); } } private void addCertificateToPool(String id, UnassignedCertificate.State state) { - EndpointCertificateMetadata cert = new EndpointCertificateMetadata(testKeyName, testCertName, 1, 0, - "request-id", - Optional.of("leaf-request-uuid"), - List.of("name1", "name2"), - "", Optional.empty(), - Optional.empty(), Optional.of(id)); + EndpointCertificate cert = new EndpointCertificate(testKeyName, testCertName, 1, 0, + "request-id", + Optional.of("leaf-request-uuid"), + List.of("name1", "name2"), + "", Optional.empty(), + Optional.empty(), Optional.of(id)); UnassignedCertificate pooledCert = new UnassignedCertificate(cert, state); tester.controller().curator().writeUnassignedCertificate(pooledCert); } - private static AssignedCertificate assignedCertificate(ApplicationId instance, EndpointCertificateMetadata certificate) { + private static AssignedCertificate assignedCertificate(ApplicationId instance, EndpointCertificate certificate) { return new 
AssignedCertificate(TenantAndApplicationId.from(instance), Optional.of(instance.instance()), certificate); } diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ConfigServerMock.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ConfigServerMock.java index fe74e305b63..0862496275a 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ConfigServerMock.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ConfigServerMock.java @@ -409,7 +409,7 @@ public class ConfigServerMock extends AbstractComponent implements ConfigServer applications.put(id, new Application(id.applicationId(), lastPrepareVersion, appPackage)); ClusterSpec.Id cluster = ClusterSpec.Id.from("default"); - deployment.endpointCertificateMetadata(); // Supplier with side effects >_< + deployment.endpointCertificate(); // Supplier with side effects >_< if (nodeRepository().list(id.zoneId(), NodeFilter.all().applications(id.applicationId())).isEmpty()) provision(id.zoneId(), id.applicationId(), cluster); diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java index 02b4d6de5ac..d90344ceb1f 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java 
@@ -24,7 +24,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.billing.BillingDatabase
 import com.yahoo.vespa.hosted.controller.api.integration.billing.MockBillingController;
 import com.yahoo.vespa.hosted.controller.api.integration.billing.PlanRegistry;
 import com.yahoo.vespa.hosted.controller.api.integration.billing.PlanRegistryMock;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMock;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProviderMock;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateValidator;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateValidatorMock;
 import com.yahoo.vespa.hosted.controller.api.integration.dns.MemoryNameService;
@@ -69,7 +69,7 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
 private final MemoryNameService memoryNameService = new MemoryNameService();
 private final MockVpcEndpointService vpcEndpointService = new MockVpcEndpointService(clock, memoryNameService);
 private final MockMailer mockMailer = new MockMailer();
-private final EndpointCertificateMock endpointCertificateMock = new EndpointCertificateMock();
+private final EndpointCertificateProviderMock endpointCertificateProviderMock = new EndpointCertificateProviderMock();
 private final EndpointCertificateValidatorMock endpointCertificateValidatorMock = new EndpointCertificateValidatorMock();
 private final MockContactRetriever mockContactRetriever = new MockContactRetriever();
 private final MockIssueHandler mockIssueHandler = new MockIssueHandler();
@@ -141,8 +141,8 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg } @Override - public EndpointCertificateMock endpointCertificateProvider() { - return endpointCertificateMock; + public EndpointCertificateProviderMock endpointCertificateProvider() { + return endpointCertificateProviderMock; } @Override @@ -303,8 +303,8 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg return mockContactRetriever; } - public EndpointCertificateMock endpointCertificateMock() { - return endpointCertificateMock; + public EndpointCertificateProviderMock endpointCertificateMock() { + return endpointCertificateProviderMock; } public RoleMaintainerMock roleMaintainerMock() { diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/CertificatePoolMaintainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/CertificatePoolMaintainerTest.java index a371677b82b..bfd407c312d 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/CertificatePoolMaintainerTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/CertificatePoolMaintainerTest.java @@ -4,7 +4,7 @@ package com.yahoo.vespa.hosted.controller.maintenance; import com.yahoo.jdisc.test.MockMetric; import com.yahoo.vespa.flags.Flags; import com.yahoo.vespa.hosted.controller.ControllerTester; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMock; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProviderMock; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateRequestMetadata.DnsNameStatus; import org.junit.jupiter.api.Test; 
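Review bot: In the second hunk the accessor `endpointCertificateMock()` keeps its old name while its return type and the field it returns were renamed to `EndpointCertificateProviderMock` / `endpointCertificateProviderMock`, so the public method name no longer matches what it hands back. Completing the rename keeps the mock's API consistent with the rest of this commit: `public EndpointCertificateProviderMock endpointCertificateProviderMock() {` returning `endpointCertificateProviderMock`. Callers of the old accessor are not visible in this diff, so they would need to be updated in the same change.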
@@ -34,19 +34,19 @@ public class CertificatePoolMaintainerTest { void cert_contains_expected_names() { tester.flagSource().withIntFlag(Flags.CERT_POOL_SIZE.id(), 1); assertNumCerts(1); - EndpointCertificateMock endpointCertificateProvider = (EndpointCertificateMock) tester.controller().serviceRegistry().endpointCertificateProvider(); + EndpointCertificateProviderMock endpointCertificateProvider = (EndpointCertificateProviderMock) tester.controller().serviceRegistry().endpointCertificateProvider(); - var metadata = endpointCertificateProvider.listCertificates().get(0); + var request = endpointCertificateProvider.listCertificates().get(0); assertEquals( List.of( new DnsNameStatus("*.f5549014.z.vespa.oath.cloud", "done"), new DnsNameStatus("*.f5549014.g.vespa.oath.cloud", "done"), new DnsNameStatus("*.f5549014.a.vespa.oath.cloud", "done") - ), metadata.dnsNames()); + ), request.dnsNames()); - assertEquals("vespa.tls.preprovisioned.f5549014-cert", endpointCertificateProvider.certificateDetails(metadata.requestId()).cert_key_keyname()); - assertEquals("vespa.tls.preprovisioned.f5549014-key", endpointCertificateProvider.certificateDetails(metadata.requestId()).private_key_keyname()); + assertEquals("vespa.tls.preprovisioned.f5549014-cert", endpointCertificateProvider.certificateDetails(request.requestId()).certKeyKeyname()); + assertEquals("vespa.tls.preprovisioned.f5549014-key", endpointCertificateProvider.certificateDetails(request.requestId()).privateKeyKeyname()); } private void assertNumCerts(int n) { diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainerTest.java index 247ffe1de00..3f26b0c7b1f 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainerTest.java 
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainerTest.java
@@ -8,8 +8,8 @@ import com.yahoo.config.provision.zone.ZoneId;
 import com.yahoo.jdisc.test.MockMetric;
 import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.hosted.controller.ControllerTester;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMock;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProviderMock;
 import com.yahoo.vespa.hosted.controller.api.integration.deployment.JobType;
 import com.yahoo.vespa.hosted.controller.api.integration.deployment.RevisionId;
 import com.yahoo.vespa.hosted.controller.application.Deployment;
@@ -49,18 +49,18 @@ public class EndpointCertificateMaintainerTest { private final SecretStoreMock secretStore = (SecretStoreMock) tester.controller().secretStore(); private final EndpointCertificateMaintainer maintainer = new EndpointCertificateMaintainer(tester.controller(), Duration.ofHours(1)); private final CertificatePoolMaintainer certificatePoolMaintainer = new CertificatePoolMaintainer(tester.controller(), new MockMetric(), Duration.ofHours(1)); - private final EndpointCertificateMetadata exampleMetadata = new EndpointCertificateMetadata("keyName", "certName", 0, 0, "root-request-uuid", Optional.of("leaf-request-uuid"), List.of(), "issuer", Optional.empty(), Optional.empty(), Optional.empty()); + private final EndpointCertificate exampleCert = new EndpointCertificate("keyName", "certName", 0, 0, "root-request-uuid", Optional.of("leaf-request-uuid"), List.of(), "issuer", Optional.empty(), Optional.empty(), Optional.empty()); @Test void old_and_unused_cert_is_deleted() { - tester.curator().writeAssignedCertificate(assignedCertificate(ApplicationId.defaultId(), exampleMetadata)); + tester.curator().writeAssignedCertificate(assignedCertificate(ApplicationId.defaultId(), exampleCert)); assertEquals(0.0, maintainer.maintain(), 0.0000001); assertTrue(tester.curator().readAssignedCertificate(ApplicationId.defaultId()).isEmpty()); } @Test void unused_but_recently_used_cert_is_not_deleted() { - EndpointCertificateMetadata recentlyRequestedCert = exampleMetadata.withLastRequested(tester.clock().instant().minusSeconds(3600).getEpochSecond()); + EndpointCertificate recentlyRequestedCert = exampleCert.withLastRequested(tester.clock().instant().minusSeconds(3600).getEpochSecond()); tester.curator().writeAssignedCertificate(assignedCertificate(ApplicationId.defaultId(), recentlyRequestedCert)); assertEquals(0.0, maintainer.maintain(), 0.0000001); assertEquals(Optional.of(recentlyRequestedCert), 
tester.curator().readAssignedCertificate(ApplicationId.defaultId()).map(AssignedCertificate::certificate)); @@ -68,11 +68,11 @@ public class EndpointCertificateMaintainerTest { @Test void refreshed_certificate_is_updated() { - EndpointCertificateMetadata recentlyRequestedCert = exampleMetadata.withLastRequested(tester.clock().instant().minusSeconds(3600).getEpochSecond()); + EndpointCertificate recentlyRequestedCert = exampleCert.withLastRequested(tester.clock().instant().minusSeconds(3600).getEpochSecond()); tester.curator().writeAssignedCertificate(assignedCertificate(ApplicationId.defaultId(), recentlyRequestedCert)); - secretStore.setSecret(exampleMetadata.keyName(), "foo", 1); - secretStore.setSecret(exampleMetadata.certName(), "bar", 1); + secretStore.setSecret(exampleCert.keyName(), "foo", 1); + secretStore.setSecret(exampleCert.certName(), "bar", 1); assertEquals(0.0, maintainer.maintain(), 0.0000001); @@ -96,8 +96,8 @@ public class EndpointCertificateMaintainerTest { deploymentContext.submit(applicationPackage).runJob(systemTest).runJob(stagingTest).runJob(productionUsWest1); assertEquals(0.0, maintainer.maintain(), 0.0000001); - var metadata = tester.curator().readAssignedCertificate(appId).orElseThrow().certificate(); - tester.controller().serviceRegistry().endpointCertificateProvider().certificateDetails(metadata.rootRequestId()); // cert should not be deleted, the app is deployed! + var cert = tester.curator().readAssignedCertificate(appId).orElseThrow().certificate(); + tester.controller().serviceRegistry().endpointCertificateProvider().certificateDetails(cert.rootRequestId()); // cert should not be deleted, the app is deployed! } @Test 
@@ -127,9 +127,9 @@ public class EndpointCertificateMaintainerTest { // We should now pick up the new key and cert version + uuid, but not force trigger deployment yet assertEquals(0.0, maintainer.maintain(), 0.0000001); deploymentContext.assertNotRunning(productionUsWest1); - var updatedMetadata = tester.curator().readAssignedCertificate(appId).orElseThrow().certificate(); - assertNotEquals(assignedCertificate.certificate().leafRequestId().orElseThrow(), updatedMetadata.leafRequestId().orElseThrow()); - assertEquals(updatedMetadata.version(), assignedCertificate.certificate().version() + 1); + var updatedCert = tester.curator().readAssignedCertificate(appId).orElseThrow().certificate(); + assertNotEquals(assignedCertificate.certificate().leafRequestId().orElseThrow(), updatedCert.leafRequestId().orElseThrow()); + assertEquals(updatedCert.version(), assignedCertificate.certificate().version() + 1); // after another 4 days, we should force trigger deployment if it hasn't already happened tester.clock().advance(Duration.ofDays(4).plusSeconds(1)); 
@@ -155,20 +155,19 @@ public class EndpointCertificateMaintainerTest { @Test void unmaintained_cert_is_deleted() { - EndpointCertificateMock endpointCertificateProvider = (EndpointCertificateMock) tester.controller().serviceRegistry().endpointCertificateProvider(); + EndpointCertificateProviderMock endpointCertificateProvider = (EndpointCertificateProviderMock) tester.controller().serviceRegistry().endpointCertificateProvider(); - ApplicationId unknown = ApplicationId.fromSerializedForm("applicationid:is:unknown"); - var metadata = endpointCertificateProvider.requestCaSignedCertificate("something", List.of("a", "b", "c"), Optional.empty(), "rsa_2048", false);// Unknown to controller! + var cert = endpointCertificateProvider.requestCaSignedCertificate("something", List.of("a", "b", "c"), Optional.empty(), "rsa_2048", false);// Unknown to controller! assertEquals(0.0, maintainer.maintain(), 0.0000001); - assertTrue(endpointCertificateProvider.dnsNamesOf(metadata.rootRequestId()).isEmpty()); + assertTrue(endpointCertificateProvider.dnsNamesOf(cert.rootRequestId()).isEmpty()); assertTrue(endpointCertificateProvider.listCertificates().isEmpty()); } @Test void cert_pool_is_not_deleted() { - EndpointCertificateMock endpointCertificateProvider = (EndpointCertificateMock) tester.controller().serviceRegistry().endpointCertificateProvider(); + EndpointCertificateProviderMock endpointCertificateProvider = (EndpointCertificateProviderMock) tester.controller().serviceRegistry().endpointCertificateProvider(); tester.flagSource().withIntFlag(Flags.CERT_POOL_SIZE.id(), 3); assertEquals(0.0, certificatePoolMaintainer.maintain(), 0.0000001); 
@@ -177,7 +176,7 @@ public class EndpointCertificateMaintainerTest { assertNotEquals(List.of(), endpointCertificateProvider.listCertificates()); } - private static AssignedCertificate assignedCertificate(ApplicationId instance, EndpointCertificateMetadata certificate) { + private static AssignedCertificate assignedCertificate(ApplicationId instance, EndpointCertificate certificate) { return new AssignedCertificate(TenantAndApplicationId.from(instance), Optional.of(instance.instance()), certificate); } diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateSerializerTest.java index 133b1a37cdb..4d14376034f 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateMetadataSerializerTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/EndpointCertificateSerializerTest.java @@ -1,7 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.persistence; -import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; +import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate; import org.junit.jupiter.api.Test; import java.util.List; 
@@ -12,33 +12,33 @@ import static org.junit.jupiter.api.Assertions.assertEquals;
 /**
 * @author andreer
 */
-public class EndpointCertificateMetadataSerializerTest {
+public class EndpointCertificateSerializerTest {
- private final EndpointCertificateMetadata sampleWithOptionalFieldsSet =
- new EndpointCertificateMetadata("keyName", "certName", 1, 0, "rootRequestId", Optional.of("leafRequestId"), List.of("SAN1", "SAN2"), "issuer", java.util.Optional.of(1628000000L), Optional.of(1612000000L), Optional.empty());
+ private final EndpointCertificate sampleWithOptionalFieldsSet =
+ new EndpointCertificate("keyName", "certName", 1, 0, "rootRequestId", Optional.of("leafRequestId"), List.of("SAN1", "SAN2"), "issuer", java.util.Optional.of(1628000000L), Optional.of(1612000000L), Optional.empty());
- private final EndpointCertificateMetadata sampleWithoutOptionalFieldsSet =
- new EndpointCertificateMetadata("keyName", "certName", 1, 0, "rootRequestId", Optional.empty(), List.of("SAN1", "SAN2"), "issuer", Optional.empty(), Optional.empty(), Optional.empty());
+ private final EndpointCertificate sampleWithoutOptionalFieldsSet =
+ new EndpointCertificate("keyName", "certName", 1, 0, "rootRequestId", Optional.empty(), List.of("SAN1", "SAN2"), "issuer", Optional.empty(), Optional.empty(), Optional.empty());
 @Test
 void serialize_with_optional_fields() {
 assertEquals(
 "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0,\"requestId\":\"rootRequestId\",\"leafRequestId\":\"leafRequestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\",\"expiry\":1628000000,\"lastRefreshed\":1612000000}",
- EndpointCertificateMetadataSerializer.toSlime(sampleWithOptionalFieldsSet).toString());
+ EndpointCertificateSerializer.toSlime(sampleWithOptionalFieldsSet).toString());
 }
 @Test
 void serialize_without_optional_fields() {
 assertEquals(
 "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0,\"requestId\":\"rootRequestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}",
- EndpointCertificateMetadataSerializer.toSlime(sampleWithoutOptionalFieldsSet).toString());
+ EndpointCertificateSerializer.toSlime(sampleWithoutOptionalFieldsSet).toString());
 }
 @Test
 void deserialize_from_json_with_optional_fields() {
 assertEquals(
 sampleWithOptionalFieldsSet,
- EndpointCertificateMetadataSerializer.fromJsonString(
+ EndpointCertificateSerializer.fromJsonString(
 "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0,\"requestId\":\"rootRequestId\",\"leafRequestId\":\"leafRequestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\",\"expiry\":1628000000,\"lastRefreshed\":1612000000}"));
 }
@@ -46,7 +46,7 @@ public class EndpointCertificateMetadataSerializerTest {
 void deserialize_from_json_without_optional_fields() {
 assertEquals(
 sampleWithoutOptionalFieldsSet,
- EndpointCertificateMetadataSerializer.fromJsonString(
+ EndpointCertificateSerializer.fromJsonString(
 "{\"keyName\":\"keyName\",\"certName\":\"certName\",\"version\":1,\"lastRequested\":0,\"requestId\":\"rootRequestId\",\"requestedDnsSans\":[\"SAN1\",\"SAN2\"],\"issuer\":\"issuer\"}"));
 }
 }
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/UnassignedCertificateSerializerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/UnassignedCertificateSerializerTest.java
index 3dcfbc4ae44..606b7e19b19 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/UnassignedCertificateSerializerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/persistence/UnassignedCertificateSerializerTest.java
@@ -1,6 +1,6 @@
 package com.yahoo.vespa.hosted.controller.persistence;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate;
 import com.yahoo.vespa.hosted.controller.certificate.UnassignedCertificate;
 import org.junit.jupiter.api.Test;
@@ -16,10 +16,10 @@ class UnassignedCertificateSerializerTest {
 @Test
 public void serialization() {
- EndpointCertificateMetadata certificate = new EndpointCertificateMetadata("keyName", "certName", 1, 0,
- "rootRequestId", Optional.of("leafRequestId"),
- List.of("SAN1", "SAN2"), "issuer", Optional.of(3L),
- Optional.of(4L), Optional.of("my-id"));
+ EndpointCertificate certificate = new EndpointCertificate("keyName", "certName", 1, 0,
+ "rootRequestId", Optional.of("leafRequestId"),
+ List.of("SAN1", "SAN2"), "issuer", Optional.of(3L),
+ Optional.of(4L), Optional.of("my-id"));
 UnassignedCertificate unassignedCertificate = new UnassignedCertificate(certificate, UnassignedCertificate.State.ready);
 UnassignedCertificateSerializer serializer = new UnassignedCertificateSerializer();
 assertEquals(unassignedCertificate, serializer.fromSlime(serializer.toSlime(unassignedCertificate)));
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/routing/RoutingPoliciesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/routing/RoutingPoliciesTest.java
index 783629c8f4a..f6ea43f9dd9 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/routing/RoutingPoliciesTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/routing/RoutingPoliciesTest.java
@@ -19,7 +19,7 @@ import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.hosted.controller.ControllerTester;
 import com.yahoo.vespa.hosted.controller.Instance;
 import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate;
 import com.yahoo.vespa.hosted.controller.api.integration.configserver.LoadBalancer;
 import com.yahoo.vespa.hosted.controller.api.integration.dns.Record;
 import com.yahoo.vespa.hosted.controller.api.integration.dns.Record.Type;
@@ -1045,12 +1045,12 @@ public class RoutingPoliciesTest {
 }
 private void addCertificateToPool(String id, UnassignedCertificate.State state, RoutingPoliciesTester tester) {
- EndpointCertificateMetadata cert = new EndpointCertificateMetadata("testKey", "testCert", 1, 0,
- "request-id",
- Optional.of("leaf-request-uuid"),
- List.of("name1", "name2"),
- "", Optional.empty(),
- Optional.empty(), Optional.of(id));
+ EndpointCertificate cert = new EndpointCertificate("testKey", "testCert", 1, 0,
+ "request-id",
+ Optional.of("leaf-request-uuid"),
+ List.of("name1", "name2"),
+ "", Optional.empty(),
+ Optional.empty(), Optional.of(id));
 UnassignedCertificate pooledCert = new UnassignedCertificate(cert, state);
 tester.controllerTester().controller().curator().writeUnassignedCertificate(pooledCert);
 }
|