Include operator certs on deploy

author: Morten Tokle <mortent@verizonmedia.com> 2021-06-02 13:29:44 +0200
committer: Morten Tokle <mortent@verizonmedia.com> 2021-06-02 13:29:44 +0200
commit: 7d2a5bdb158bd3df776ebe58261ebdce306d0c59 (patch)
tree: ef29dcef66f8e4cbaa4476ee8bd298b8f61e16e9
parent: 1c3c58567c71251c37206cc1a4ac1fab67ebae14 (diff)
2 files changed, 15 insertions, 2 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
index d0b9653bbf3..55e1e879ef7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
@@ -12,6 +12,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCe
 import com.yahoo.vespa.hosted.controller.api.integration.configserver.ContainerEndpoint;
 import com.yahoo.vespa.hosted.controller.api.integration.secrets.TenantSecretStore;
 
+import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
@@ -36,6 +37,7 @@ public class DeploymentData {
     private final Optional<TenantRoles> tenantRoles;
     private final Quota quota;
     private final List<TenantSecretStore> tenantSecretStores;
+    private final List<X509Certificate> operatorCertificates;
 
     public DeploymentData(ApplicationId instance, ZoneId zone, byte[] applicationPackage, Version platform,
                           Set<ContainerEndpoint> containerEndpoints,
@@ -44,7 +46,8 @@ public class DeploymentData {
                           Optional<AthenzDomain> athenzDomain,
                           Optional<TenantRoles> tenantRoles,
                           Quota quota,
-                          List<TenantSecretStore> tenantSecretStores) {
+                          List<TenantSecretStore> tenantSecretStores,
+                          List<X509Certificate> operatorCertificates) {
         this.instance = requireNonNull(instance);
         this.zone = requireNonNull(zone);
         this.applicationPackage = requireNonNull(applicationPackage);
@@ -56,6 +59,7 @@ public class DeploymentData {
         this.tenantRoles = tenantRoles;
         this.quota = quota;
         this.tenantSecretStores = tenantSecretStores;
+        this.operatorCertificates = operatorCertificates;
     }
 
     public ApplicationId instance() {
@@ -102,4 +106,7 @@ public class DeploymentData {
         return tenantSecretStores;
     }
 
+    public List<X509Certificate> operatorCertificates() {
+        return operatorCertificates;
+    }
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 0f9188d1f65..cb3c84f5bd1 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -63,6 +63,7 @@ import com.yahoo.vespa.hosted.controller.notification.NotificationSource;
 import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
 import com.yahoo.vespa.hosted.controller.security.AccessControl;
 import com.yahoo.vespa.hosted.controller.security.Credentials;
+import com.yahoo.vespa.hosted.controller.support.access.SupportAccessGrant;
 import com.yahoo.vespa.hosted.controller.tenant.AthenzTenant;
 import com.yahoo.vespa.hosted.controller.tenant.CloudTenant;
 import com.yahoo.vespa.hosted.controller.tenant.Tenant;
@@ -70,6 +71,7 @@ import com.yahoo.vespa.hosted.controller.versions.VespaVersion;
 import com.yahoo.yolean.Exceptions;
 
 import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
@@ -88,6 +90,7 @@ import java.util.function.Consumer;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import static com.yahoo.vespa.hosted.controller.api.integration.configserver.Node.State.active;
 import static com.yahoo.vespa.hosted.controller.api.integration.configserver.Node.State.reserved;
@@ -501,11 +504,14 @@ public class ApplicationController {
                     .filter(tenant-> tenant instanceof CloudTenant)
                     .map(tenant -> ((CloudTenant) tenant).tenantSecretStores())
                     .orElse(List.of());
+            List<X509Certificate> operatorCertificates = controller.supportAccess().activeGrantsFor(new DeploymentId(application, zone)).stream()
+                    .map(SupportAccessGrant::certificate)
+                    .collect(toList());
 
             ConfigServer.PreparedApplication preparedApplication =
                     configServer.deploy(new DeploymentData(application, zone, applicationPackage.zippedContent(), platform,
                                                            endpoints, endpointCertificateMetadata, dockerImageRepo, domain,
-                                                           tenantRoles, deploymentQuota, tenantSecretStores));
+                                                           tenantRoles, deploymentQuota, tenantSecretStores, operatorCertificates));
 
             return new ActivateResult(new RevisionId(applicationPackage.hash()), preparedApplication.prepareResponse(),
                                       applicationPackage.zippedContent().length);
author	Morten Tokle <mortent@verizonmedia.com>	2021-06-02 13:29:44 +0200
committer	Morten Tokle <mortent@verizonmedia.com>	2021-06-02 13:29:44 +0200
commit	7d2a5bdb158bd3df776ebe58261ebdce306d0c59 (patch)
tree	ef29dcef66f8e4cbaa4476ee8bd298b8f61e16e9
parent	1c3c58567c71251c37206cc1a4ac1fab67ebae14 (diff)