authorAndreas Eriksen <andreer@verizonmedia.com>2022-03-10 12:50:01 +0100
committerGitHub <noreply@github.com>2022-03-10 12:50:01 +0100
commit2d1c767b22fee1676a9f2666ab10783f62f0613e (patch)
treefe8fc7b92a646ea59b1b62c63f4b2a9c25ea1a16
parentf0cf22b5f0daf88f2ad72deea0cb6dff25eda7ae (diff)
andreer/remove cert deletion feature flag (#21627)
* default deleting certs to true * remove cert deletion feature flag
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java30
1 files changed, 8 insertions, 22 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java
index 783f34ec9ed..b996901c5d0 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java
@@ -7,8 +7,6 @@ import com.yahoo.config.provision.ApplicationId;
import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
import com.yahoo.container.jdisc.secretstore.SecretStore;
import com.yahoo.vespa.curator.Lock;
-import com.yahoo.vespa.flags.BooleanFlag;
-import com.yahoo.vespa.flags.Flags;
import com.yahoo.vespa.hosted.controller.Controller;
import com.yahoo.vespa.hosted.controller.Instance;
import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateDetails;
@@ -49,7 +47,6 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer {
private final CuratorDb curator;
private final SecretStore secretStore;
private final EndpointCertificateProvider endpointCertificateProvider;
- private final BooleanFlag deleteUnmaintainedCertificates = Flags.DELETE_UNMAINTAINED_CERTIFICATES.bindTo(controller().flagSource());
@Inject
public EndpointCertificateMaintainer(Controller controller, Duration interval) {
@@ -174,33 +171,22 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer {
matchFound = true;
try (Lock lock = lock(storedApp)) {
if (Optional.of(storedAppMetadata).equals(curator.readEndpointCertificateMetadata(storedApp))) {
- if (deleteUnmaintainedCertificates.value()) {
- log.log(Level.INFO, "Cert for app " + storedApp.serializedForm()
- + " has a new leafRequestId " + unknownCertDetails.request_id() + ", updating in ZK");
- curator.writeEndpointCertificateMetadata(storedApp, storedAppMetadata.withLeafRequestId(Optional.of(unknownCertDetails.request_id())));
- } else {
- log.log(Level.INFO, "Cert for app " + storedApp.serializedForm()
- + " has a new leafRequestId " + unknownCertDetails.request_id());
- }
+ log.log(Level.INFO, "Cert for app " + storedApp.serializedForm()
+ + " has a new leafRequestId " + unknownCertDetails.request_id() + ", updating in ZK");
+ curator.writeEndpointCertificateMetadata(storedApp, storedAppMetadata.withLeafRequestId(Optional.of(unknownCertDetails.request_id())));
}
break;
}
}
}
if (!matchFound) {
- if (deleteUnmaintainedCertificates.value()) {
- // The certificate is not known - however it could be in the process of being requested by us or another controller.
- // So we only delete if it was requested more than 7 days ago.
- if (Instant.parse(providerCertificateMetadata.createTime()).isBefore(Instant.now().minus(7, ChronoUnit.DAYS))) {
- log.log(Level.INFO, String.format("Deleting unmaintained certificate with request_id %s and SANs %s",
- providerCertificateMetadata.requestId(),
- providerCertificateMetadata.dnsNames().stream().map(d -> d.dnsName).collect(Collectors.joining(", "))));
- endpointCertificateProvider.deleteCertificate(ApplicationId.fromSerializedForm("applicationid:is:unknown"), providerCertificateMetadata.requestId());
- }
- } else {
- log.log(Level.INFO, () -> String.format("Found unmaintained certificate with request_id %s and SANs %s",
+ // The certificate is not known - however it could be in the process of being requested by us or another controller.
+ // So we only delete if it was requested more than 7 days ago.
+ if (Instant.parse(providerCertificateMetadata.createTime()).isBefore(Instant.now().minus(7, ChronoUnit.DAYS))) {
+ log.log(Level.INFO, String.format("Deleting unmaintained certificate with request_id %s and SANs %s",
providerCertificateMetadata.requestId(),
providerCertificateMetadata.dnsNames().stream().map(d -> d.dnsName).collect(Collectors.joining(", "))));
+ endpointCertificateProvider.deleteCertificate(ApplicationId.fromSerializedForm("applicationid:is:unknown"), providerCertificateMetadata.requestId());
}
}
}
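Review bot: With the flag gone, the `Instant.parse(providerCertificateMetadata.createTime())` age check in the `!matchFound` branch is the only guard in front of an irreversible `deleteCertificate` call, and nothing visible in the hunk handles a `createTime` that is missing or not ISO-8601. A `DateTimeParseException` there would presumably propagate out of the loop and leave the remaining provider certificates unprocessed for that run; the enclosing method starts and ends outside the hunk, so an outer handler may exist and is worth confirming. I would catch the parse failure per certificate, log it at WARNING with the request id, and skip deletion for that entry, so a malformed record fails towards keeping the certificate. Adding the parsed creation time to the "Deleting unmaintained certificate" message would also make each deletion easier to audit afterwards.

```java
// … unchanged: comment explaining the 7-day grace period …
try {
    Instant created = Instant.parse(providerCertificateMetadata.createTime());
    if (created.isBefore(Instant.now().minus(7, ChronoUnit.DAYS))) {
        // … unchanged: "Deleting unmaintained certificate" log and deleteCertificate call …
    }
} catch (DateTimeParseException e) {
    // Fail towards keeping the certificate: an unreadable timestamp is not evidence that it is stale.
    log.log(Level.WARNING, "Skipping certificate with request_id " + providerCertificateMetadata.requestId()
            + ": createTime could not be parsed", e);
}
```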