authorMartin Polden <mpolden@mpolden.no>2021-05-10 14:22:24 +0200
committerMartin Polden <mpolden@mpolden.no>2021-05-10 14:22:24 +0200
commit75206c19fa16e85b368191241ae56c13e4461e68 (patch)
tree3dc3b970374358561daf0c648b586a2a503b1682
parent78c0cd94ad4e4e0fa6c5bff11ee487b7ef61791c (diff)
Include legacy endpoint in certificate in public
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java11
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java33
2 files changed, 41 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
index 8d3eceec01d..12329351a59 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
@@ -173,11 +173,16 @@ public class RoutingController {
builders.add(Endpoint.of(deployment.applicationId()).target(ClusterSpec.Id.from("default"), deployment.zoneId()));
builders.add(Endpoint.of(deployment.applicationId()).wildcard(deployment.zoneId()));
+ // Build all endpoints
for (var builder : builders) {
- Endpoint endpoint = builder.routingMethod(RoutingMethod.exclusive)
- .on(Port.tls())
- .in(controller.system());
+ builder = builder.routingMethod(RoutingMethod.exclusive)
+ .on(Port.tls());
+ Endpoint endpoint = builder.in(controller.system());
endpointDnsNames.add(endpoint.dnsName());
+ if (controller.system().isPublic()) {
+ Endpoint legacyEndpoint = builder.legacy().in(controller.system());
+ endpointDnsNames.add(legacyEndpoint.dnsName());
+ }
}
return Collections.unmodifiableList(endpointDnsNames);
}
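Review bot: The new loop body reassigns the enhanced-for variable `builder` (`builder = builder.routingMethod(...)...`), which compiles but reads as if the element of `builders` were being modified; a fresh local makes the per-iteration state explicit, e.g. `var tlsBuilder = builder.routingMethod(RoutingMethod.exclusive).on(Port.tls());`, then `Endpoint endpoint = tlsBuilder.in(controller.system());` and `Endpoint legacyEndpoint = tlsBuilder.legacy().in(controller.system());`. Whether `legacy()` mutates the builder or returns a new one is not visible here; if it mutates, the order in the hunk (non-legacy `in(...)` first) is what keeps the first endpoint correct and deserves a comment. The added `// Build all endpoints` comment says what the loop does rather than why the extra branch exists; something like `// Public systems also request SANs for the legacy endpoint names so one certificate covers both` would carry the commit's intent into the code. `controller.system()` is evaluated up to three times per iteration and could be hoisted into a local before the loop. The enclosing method starts before this hunk.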
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
index 40abb9ba319..22a41740b91 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
@@ -5,6 +5,7 @@ import com.yahoo.config.application.api.DeploymentSpec;
import com.yahoo.config.application.api.xml.DeploymentSpecXmlReader;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.Environment;
+import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.zone.ZoneId;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
@@ -128,6 +129,38 @@ public class EndpointCertificatesTest {
}
@Test
+ public void provisions_new_certificate_in_public_prod() {
+ ControllerTester tester = new ControllerTester(SystemName.Public);
+ EndpointCertificateValidatorImpl endpointCertificateValidator = new EndpointCertificateValidatorImpl(secretStore, clock);
+ EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateMock, endpointCertificateValidator);
+ List<String> expectedSans = List.of(
+ "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.public.vespa.oath.cloud",
+ "default.default.global.public.vespa.oath.cloud",
+ "default.default.g.vespa-app.cloud",
+ "*.default.default.global.public.vespa.oath.cloud",
+ "*.default.default.g.vespa-app.cloud",
+ "default.default.aws-us-east-1a.public.vespa.oath.cloud",
+ "default.default.aws-us-east-1a.z.vespa-app.cloud",
+ "*.default.default.aws-us-east-1a.public.vespa.oath.cloud",
+ "*.default.default.aws-us-east-1a.z.vespa-app.cloud",
+ "default.default.aws-us-east-1c.test.public.vespa.oath.cloud",
+ "default.default.aws-us-east-1c.test.z.vespa-app.cloud",
+ "*.default.default.aws-us-east-1c.test.public.vespa.oath.cloud",
+ "*.default.default.aws-us-east-1c.test.z.vespa-app.cloud",
+ "default.default.aws-us-east-1c.staging.public.vespa.oath.cloud",
+ "default.default.aws-us-east-1c.staging.z.vespa-app.cloud",
+ "*.default.default.aws-us-east-1c.staging.public.vespa.oath.cloud",
+ "*.default.default.aws-us-east-1c.staging.z.vespa-app.cloud"
+ );
+ Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.empty());
+ assertTrue(endpointCertificateMetadata.isPresent());
+ assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.default.default.*-key"));
+ assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.default.default.*-cert"));
+ assertEquals(0, endpointCertificateMetadata.get().version());
+ assertEquals(expectedSans, endpointCertificateMetadata.get().requestedDnsSans());
+ }
+
+ @Test
public void reuses_stored_certificate_metadata() {
mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, 7, 0, "request_id",
List.of("vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.vespa.oath.cloud",
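Review bot: The new test pins the exact SAN list but gives no hint why each endpoint name appears under two domain suffixes, which is the behaviour the commit introduces; a one-line comment above `expectedSans`, e.g. `// In public systems every endpoint contributes both its current and its legacy DNS name to the requested SANs`, would tie the fixture to the RoutingController change and explain the apparent duplication to the next reader. Pinning the full ordered list is a good guard against the certificate's scope silently widening or shrinking, so keep `assertEquals` on the list rather than a set comparison. `testInstance`, `testZone`, `secretStore`, `clock` and `endpointCertificateMock` appear to be fixtures declared outside this hunk.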