author | Andreas Eriksen <andreer@yahooinc.com> | 2022-06-30 12:26:17 +0200 |
committer | Andreas Eriksen <andreer@yahooinc.com> | 2022-06-30 13:45:35 +0200 |
commit | 99ef071161f2417a8e7f8a57dc890a66388165b5 (patch) | |
tree | 109b3fa15b58bb123811b874d4f2c826d882138e | |
parent | ffb3159411f5d967011385d59826d76c6068875f (diff) |
log certificate version in each run
11 files changed, 60 insertions, 24 deletions
diff --git a/config-model-api/src/main/java/com/yahoo/config/model/api/EndpointCertificateSecrets.java b/config-model-api/src/main/java/com/yahoo/config/model/api/EndpointCertificateSecrets.java index 952a0562f1d..38c947504ce 100644 --- a/config-model-api/src/main/java/com/yahoo/config/model/api/EndpointCertificateSecrets.java +++ b/config-model-api/src/main/java/com/yahoo/config/model/api/EndpointCertificateSecrets.java @@ -3,9 +3,9 @@ package com.yahoo.config.model.api; public class EndpointCertificateSecrets { public static final EndpointCertificateSecrets MISSING = new EndpointCertificateSecrets(); - private final String certificate; private final String key; + private final int version; private EndpointCertificateSecrets() { this(null, null); @@ -14,6 +14,13 @@ public class EndpointCertificateSecrets { public EndpointCertificateSecrets(String certificate, String key) { this.certificate = certificate; this.key = key; + this.version = -1; + } + + public EndpointCertificateSecrets(String certificate, String key, int version) { + this.certificate = certificate; + this.key = key; + this.version = version; } public String certificate() { @@ -24,7 +31,15 @@ public class EndpointCertificateSecrets { return key; } + public int version() { + return version; + } + + public static EndpointCertificateSecrets missing(int version) { + return new EndpointCertificateSecrets(null, null, version); + } + public boolean isMissing() { - return this == MISSING; + return this == MISSING || certificate == null || key == null; } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidator.java index 338c3a71e44..21025c38c13 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidator.java 
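Review bot: The new `version` field is undocumented, and the `-1` it receives from the two-argument constructor (and therefore from `MISSING`, whose private constructor delegates to it) is a sentinel that `version()` hands out unmarked; the validator changed in this same commit formats that value into a user-facing message, so secrets built through the old constructor would report "certificate version -1". Add a Javadoc on the field, `/** Version of the endpoint certificate these secrets belong to; -1 when unknown (two-argument constructor and MISSING). */`, and consider marking `MISSING` `@Deprecated` in favour of `missing(int)` so new call sites always carry a real version. Broadening `isMissing()` to also cover a null certificate or key is a sensible hardening, but since `missing(int)` returns a fresh instance per call, any identity check of the form `== MISSING` that may remain elsewhere in the tree will silently stop matching and should be migrated to `isMissing()` as the validator was.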
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidator.java @@ -1,7 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.model.application.validation; -import com.yahoo.config.model.api.EndpointCertificateSecrets; import com.yahoo.config.model.deploy.DeployState; import com.yahoo.config.provision.CertificateNotReadyException; import com.yahoo.vespa.model.VespaModel; @@ -11,9 +10,9 @@ public class EndpointCertificateSecretsValidator extends Validator { /** This check is delayed until validation to allow node provisioning to complete while we are waiting for cert */ @Override public void validate(VespaModel model, DeployState deployState) { - if (deployState.endpointCertificateSecrets().isPresent() && deployState.endpointCertificateSecrets().get() == EndpointCertificateSecrets.MISSING) { - throw new CertificateNotReadyException("TLS enabled, but could not yet retrieve certificate for application " + deployState.getProperties().applicationId().serializedForm()); + if (deployState.endpointCertificateSecrets().isPresent() && deployState.endpointCertificateSecrets().get().isMissing()) { + throw new CertificateNotReadyException("TLS enabled, but could not yet retrieve certificate version %s for application %s" + .formatted(deployState.endpointCertificateSecrets().get().version(), deployState.getProperties().applicationId().serializedForm())); } } - } diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidatorTest.java index 51aa6cb6e42..991606a8e32 100644 --- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidatorTest.java 
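Review bot: In the rewritten condition and message `deployState.endpointCertificateSecrets()` is evaluated three times and `get()` twice; binding the Optional once is clearer and avoids the repeated lookups: `var secrets = deployState.endpointCertificateSecrets();` then `if (secrets.isPresent() && secrets.get().isMissing()) {` and `secrets.get().version()` inside the formatted message. The message also prints whatever `version()` returns, which is -1 for secrets created without a version, so the wording "certificate version -1" can reach the deployer unless such instances are excluded upstream; a short comment on the throw, `// version is -1 when the secrets carry no version information`, would at least make that visible to the next reader.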
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidatorTest.java @@ -44,11 +44,11 @@ public class EndpointCertificateSecretsValidatorTest { @Test public void missing_certificate_fails_validation() throws Exception { - DeployState deployState = deployState(servicesXml(), deploymentXml(), Optional.of(EndpointCertificateSecrets.MISSING)); + DeployState deployState = deployState(servicesXml(), deploymentXml(), Optional.of(EndpointCertificateSecrets.missing(1))); VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState); exceptionRule.expect(CertificateNotReadyException.class); - exceptionRule.expectMessage("TLS enabled, but could not yet retrieve certificate for application default:default:default"); + exceptionRule.expectMessage("TLS enabled, but could not yet retrieve certificate version 1 for application default:default:default"); new EndpointCertificateSecretsValidator().validate(model, deployState); } diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.java b/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.java index a3ddae8f7aa..4a1e81b9058 100644 --- a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.java +++ b/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.java @@ -19,13 +19,7 @@ import java.util.logging.Logger; * * @author andreer */ -public class EndpointCertificateRetriever { - - private final SecretStore secretStore; - - public EndpointCertificateRetriever(SecretStore secretStore) { - this.secretStore = secretStore; - } +public record EndpointCertificateRetriever(SecretStore secretStore) { private static final Logger log = Logger.getLogger(EndpointCertificateRetriever.class.getName()); 
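Review bot: Turning `EndpointCertificateRetriever` into a record adds a public `secretStore()` accessor, so the `SecretStore` that was previously a private final field of the retriever becomes reachable from anything holding a retriever instance. If widening access to the store is not intended, keep the class form with the private field; if it is, document it on the record, e.g. `/** @param secretStore store used to fetch certificate and key; exposed through the generated accessor */`. The retrieval method that uses the component lies outside this hunk.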
@@ -40,11 +34,11 @@ public class EndpointCertificateRetriever { verifyKeyMatchesCertificate(endpointCertificateMetadata, cert, key); - return new EndpointCertificateSecrets(cert, key); + return new EndpointCertificateSecrets(cert, key, endpointCertificateMetadata.version()); } catch (RuntimeException e) { log.log(Level.WARNING, "Exception thrown during certificate retrieval", e); // Assume not ready yet - return EndpointCertificateSecrets.MISSING; + return EndpointCertificateSecrets.missing(endpointCertificateMetadata.version()); } } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java index e48ad7596ea..389e931fb98 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java @@ -446,7 +446,7 @@ public class ApplicationController { } /** Deploys an application package for an existing application instance. */ - public ActivateResult deploy(JobId job, boolean deploySourceVersions) { + public ActivateResult deploy(JobId job, boolean deploySourceVersions, Consumer<String> deployLogger) { if (job.application().instance().isTester()) throw new IllegalArgumentException("'" + job.application() + "' is a tester application!"); @@ -479,6 +479,7 @@ public class ApplicationController { applicationPackage = applicationPackage.withTrustedCertificate(run.testerCertificate().get()); endpointCertificateMetadata = endpointCertificates.getMetadata(instance, zone, applicationPackage.deploymentSpec()); + containerEndpoints = controller.routing().of(deployment).prepare(application); } // Release application lock while doing the deployment, which is a lengthy task. 
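Review bot: The WARNING emitted in the catch block does not include the certificate version even though the commit's stated purpose is to surface it and `endpointCertificateMetadata.version()` is already used on the next line for the returned `missing(...)` value; the log line is where an operator will look first when retrieval keeps failing. Change it to `log.log(Level.WARNING, "Exception thrown during retrieval of certificate version " + endpointCertificateMetadata.version(), e);`. The enclosing method starts outside the hunk.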
@@ -487,6 +488,8 @@ public class ApplicationController { ActivateResult result = deploy(job.application(), applicationPackage, zone, platform, containerEndpoints, endpointCertificateMetadata, run.isDryRun()); + endpointCertificateMetadata.ifPresent(e -> deployLogger.accept("Using CA signed certificate version %s".formatted(e.version()))); + // Record the quota usage for this application var quotaUsage = deploymentQuotaUsage(zone, job.application()); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java index 813e3454e80..50e6951f8be 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java @@ -174,7 +174,7 @@ public class InternalStepRunner implements StepRunner { private Optional<RunStatus> deployReal(RunId id, boolean setTheStage, DualLogger logger) { Optional<X509Certificate> testerCertificate = controller.jobController().run(id).testerCertificate(); - return deploy(() -> controller.applications().deploy(id.job(), setTheStage), + return deploy(() -> controller.applications().deploy(id.job(), setTheStage, logger::log), controller.jobController().run(id) .stepInfo(setTheStage ? deployInitialReal : deployReal).get() .startTime().get(), diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/dev-us-east-1-log-first-part.json b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/dev-us-east-1-log-first-part.json index 63869ecfba8..9b391196d55 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/dev-us-east-1-log-first-part.json 
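Review bot: The "Using CA signed certificate version" entry is written to `deployLogger` only after `deploy(...)` returns, so a deployment that fails — presumably including the CertificateNotReadyException path the validator raises for a missing certificate — leaves no record of which version was in use, which is exactly when the information is needed. Move the `endpointCertificateMetadata.ifPresent(e -> deployLogger.accept("Using CA signed certificate version %s".formatted(e.version())));` statement to just before the `ActivateResult result = deploy(...)` call. Since `deployLogger` is a new mandatory parameter, an `Objects.requireNonNull(deployLogger, "deployLogger")` at the top of the method would turn a null from an unconverted caller into a clear error rather than a failure only on the logging line. The enclosing `deploy(JobId, boolean, Consumer<String>)` method begins in an earlier hunk and its body continues beyond this one.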
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/dev-us-east-1-log-first-part.json @@ -11,6 +11,11 @@ { "at": 0, "type": "info", + "message": "Using CA signed certificate version 0" + }, + { + "at": 0, + "type": "info", "message": "Deployment successful." }, { @@ -49,7 +54,7 @@ } ] }, - "lastId": 7, + "lastId": 8, "steps": { "deployReal": { "status": "succeeded", diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/dev-us-east-1-log-second-part.json b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/dev-us-east-1-log-second-part.json index 175c45eb2cd..4ffac2bf738 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/dev-us-east-1-log-second-part.json +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/dev-us-east-1-log-second-part.json @@ -6,6 +6,11 @@ { "at": 0, "type": "info", + "message": "Found endpoints:" + }, + { + "at": 0, + "type": "info", "message": "- dev.us-east-1" }, { @@ -20,7 +25,7 @@ } ] }, - "lastId": 11, + "lastId": 12, "steps": { "deployReal": { "status": "succeeded", diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/staging-test-log.json b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/staging-test-log.json index ba65b962a73..a2f62621f5b 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/staging-test-log.json +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/staging-test-log.json @@ -85,6 +85,11 @@ { "at": 14503000, "type": "info", + "message": "Using CA signed certificate version 0" + }, + { + "at": 14503000, + "type": "info", "message": "Deployment successful." }, { 
@@ -160,7 +165,7 @@ } ] }, - "lastId": 29, + "lastId": 30, "steps": { "deployTester": { "status": "succeeded", diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/system-test-details.json b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/system-test-details.json index 3b505bc11fd..a691762c40b 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/system-test-details.json +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/system-test-details.json @@ -105,6 +105,11 @@ { "at": 1600000000000, "type": "info", + "message": "Using CA signed certificate version 1" + }, + { + "at": 1600000000000, + "type": "info", "message": "Deployment successful." }, { @@ -354,7 +359,7 @@ } ] }, - "lastId": 66, + "lastId": 67, "steps": { "deployTester": { "status": "succeeded", diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/system-test-log.json b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/system-test-log.json index 5bf6822baff..4e8737d5f67 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/system-test-log.json +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/responses/system-test-log.json @@ -100,6 +100,11 @@ { "at": 0, "type": "info", + "message": "Using CA signed certificate version 0" + }, + { + "at": 0, + "type": "info", "message": "Deployment successful." }, { @@ -349,7 +354,7 @@ } ] }, - "lastId": 66, + "lastId": 67, "steps": { "deployTester": { "status": "succeeded", |