author | Andreas Eriksen <andreer@verizonmedia.com> | 2022-04-06 15:02:34 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-04-06 15:02:34 +0200 |
commit | d68a76ecb6c1f59c557f08a4278f340241e93ad6 (patch) | |
tree | af2fbe08ad95e8fd59d81d775c0cbc3d354434fd | |
parent | 7ac6ebd9fc7c3f1b42d374565149aec25fb61550 (diff) |
handler to re-request endpoint certificates (#22002)
5 files changed, 84 insertions, 7 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index cc667175316..98c64a2a11e 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -228,8 +228,8 @@ enum PathGroup {
 hostedAccountant("/billing/v1/invoice/{*}", "/billing/v1/billing"),
- /** Path used for listing endpoint certificate request info */
- endpointCertificateRequestInfo("/certificateRequests/"),
+ /** Path used for listing endpoint certificate request and re-requesting endpoint certificates */
+ endpointCertificates("/endpointcertificates/"),
 /** Path used for secret store management */
 secretStore(Matcher.tenant, "/application/v4/tenant/{tenant}/secret-store/{*}"),
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index afecbf9d2e3..4d342e3b1ee 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -197,9 +197,9 @@ enum Policy {
 .on(PathGroup.hostedAccountant, PathGroup.accountant)
 .in(SystemName.PublicCd, SystemName.Public)),
- /** Listing endpoint certificate request info */
- endpointCertificateRequestInfo(Privilege.grant(Action.read)
- .on(PathGroup.endpointCertificateRequestInfo)
+ /** Listing endpoint certificates and re-requesting certificates */
+ endpointCertificateApi(Privilege.grant(Action.all())
+ .on(PathGroup.endpointCertificates)
 .in(SystemName.all())),
 /** Secret store operations */
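Review bot: `Privilege.grant(Action.all())` on `PathGroup.endpointCertificates` in `SystemName.all()` replaces the previous read-only grant with every action on the path group in every system, although the handler mounted there serves only GET and POST. Granting just the actions those two methods map to (`Action.read` plus the action that covers POST) keeps the policy at least privilege, since a re-request is a side-effecting call to the certificate provider that overwrites stored metadata. The roles that receive `endpointCertificateApi` are outside this hunk, so whether the widening is confined to an operator role cannot be confirmed here; the Javadoc on the constant could state the intended audience, e.g. `/** Listing endpoint certificates and re-requesting certificates; operator-only, system-wide (not tenant-scoped) */`.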
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
index 5e19b014083..996b53cc6f5 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
@@ -26,7 +26,7 @@ import java.util.stream.Collectors;
 /**
 * Looks up stored endpoint certificate metadata, provisions new certificates if none is found,
- * re-provisions if zone is not covered, and uses refreshed certificates if a newer version is available.
+ * and re-provisions the certificate if the deploying-to zone is not covered.
 *
 * See also {@link com.yahoo.vespa.hosted.controller.maintenance.EndpointCertificateMaintainer}, which handles
 * refreshes, deletions and triggers deployments.
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesHandler.java
new file mode 100644
index 00000000000..dc59f513509
--- /dev/null
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesHandler.java
@@ -0,0 +1,77 @@
+package com.yahoo.vespa.hosted.controller.certificate;
+
+import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.container.jdisc.HttpRequest;
+import com.yahoo.container.jdisc.HttpResponse;
+import com.yahoo.container.jdisc.ThreadedHttpRequestHandler;
+import com.yahoo.restapi.RestApiException;
+import com.yahoo.restapi.StringResponse;
+import com.yahoo.vespa.hosted.controller.api.integration.ServiceRegistry;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateRequestMetadata;
+import com.yahoo.vespa.hosted.controller.application.TenantAndApplicationId;
+import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
+import com.yahoo.vespa.hosted.controller.persistence.EndpointCertificateMetadataSerializer;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.concurrent.Executor;
+import java.util.stream.Collectors;
+
+import static com.yahoo.jdisc.http.HttpRequest.Method.GET;
+import static com.yahoo.jdisc.http.HttpRequest.Method.POST;
+
+/**
+ * List all certificate requests for a system, with their requested DNS names.
+ * Used for debugging, and verifying basic functionality of Cameo client in CD.
+ *
+ * @author andreer
+ */
+
+public class EndpointCertificatesHandler extends ThreadedHttpRequestHandler {
+
+ private final EndpointCertificateProvider endpointCertificateProvider;
+ private final CuratorDb curator;
+
+ public EndpointCertificatesHandler(Executor executor, ServiceRegistry serviceRegistry, CuratorDb curator) {
+ super(executor);
+ this.endpointCertificateProvider = serviceRegistry.endpointCertificateProvider();
+ this.curator = curator;
+ }
+
+ public HttpResponse handle(HttpRequest request) {
+ if (request.getMethod().equals(GET)) return listEndpointCertificates();
+ if (request.getMethod().equals(POST)) return reRequestEndpointCertificateFor(request.getProperty("application"));
+ throw new RestApiException.MethodNotAllowed(request);
+ }
+
+ public HttpResponse listEndpointCertificates() {
+ List<EndpointCertificateRequestMetadata> endpointCertificateMetadata = endpointCertificateProvider.listCertificates();
+
+ String requestsWithNames = endpointCertificateMetadata.stream()
+ .map(metadata -> metadata.requestId() + " : " +
+ String.join(", ", metadata.dnsNames().stream()
+ .map(dnsNameStatus -> dnsNameStatus.dnsName)
+ .collect(Collectors.joining(", "))))
+ .collect(Collectors.joining("\n"));
+
+ return new StringResponse(requestsWithNames);
+ }
+
+ public StringResponse reRequestEndpointCertificateFor(String instanceId) {
+ ApplicationId applicationId = ApplicationId.fromFullString(instanceId);
+
+ try (var lock = curator.lock(TenantAndApplicationId.from(applicationId))) {
+ EndpointCertificateMetadata endpointCertificateMetadata = curator.readEndpointCertificateMetadata(applicationId)
+ .orElseThrow(() -> new RestApiException.NotFound("No certificate found for application " + applicationId.serializedForm()));
+
+ EndpointCertificateMetadata reRequestedMetadata = endpointCertificateProvider.requestCaSignedCertificate(
+ applicationId, endpointCertificateMetadata.requestedDnsSans(), Optional.of(endpointCertificateMetadata));
+
+ curator.writeEndpointCertificateMetadata(applicationId, reRequestedMetadata);
+
+ return new StringResponse(EndpointCertificateMetadataSerializer.toSlime(reRequestedMetadata).toString());
+ }
+ }
+}
\ No newline at end of file
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java
index b996901c5d0..15f8d6380c0 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java
@@ -34,7 +34,7 @@ import java.util.stream.Collectors;
 /**
 * Updates refreshed endpoint certificates and triggers redeployment, and deletes unused certificates.
 * <p>
- * See also EndpointCertificateManager, which provisions, reprovisions and validates certificates on deploy
+ * See also class EndpointCertificates, which provisions, reprovisions and validates certificates on deploy
 *
 * @author andreer
 */ |
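Review bot: `handle` passes `request.getProperty("application")` straight into `reRequestEndpointCertificateFor`, so a POST without that parameter hands `null` to `ApplicationId.fromFullString`, which presumably fails with an unchecked exception and surfaces as a server error instead of a client error; read the value first and reject it when absent, `String instanceId = request.getProperty("application"); if (instanceId == null) throw new RestApiException.BadRequest("Missing 'application' parameter");` (assuming `RestApiException.BadRequest` exists alongside the `NotFound` and `MethodNotAllowed` used here). The class Javadoc still only describes listing, although POST now issues a CA-signed re-request and overwrites the stored metadata; add a line such as `POST with an 'application' parameter re-requests the certificate for that instance and replaces its stored metadata.` In `listEndpointCertificates`, `String.join(", ", ...)` wraps a single string that `Collectors.joining(", ")` has already produced and can be dropped, and both `listEndpointCertificates` and `reRequestEndpointCertificateFor` are only called from `handle`, so they can be private. The file also lacks a trailing newline.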