authorAndreas Eriksen <andreer@verizonmedia.com>2019-08-27 10:05:53 +0200
committerGitHub <noreply@github.com>2019-08-27 10:05:53 +0200
commita6441b5c9ac6cdb89aafe8d62bbf6222dd7d8dd0 (patch)
tree54cf633f84cba9ff38fcabcef407e5b08b0ccc58
parent51593be34396d641219550017282f6e41403a809 (diff)
parent67135e7405b1576ab06f79e9f9f4856281fbc1be (diff)
Merge pull request #10422 from vespa-engine/revert-10419-revert-10414-andreer/only-provision-cert-for-directly-routed-zones
Revert "Revert "provision certificates for directly routed zones""
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/tenant/TlsSecretsKeys.java8
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java22
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java4
3 files changed, 19 insertions, 15 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/TlsSecretsKeys.java b/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/TlsSecretsKeys.java
index eaa4916d8fc..78d39ef996b 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/TlsSecretsKeys.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/TlsSecretsKeys.java
@@ -59,17 +59,15 @@ public class TlsSecretsKeys {
}
private Optional<TlsSecrets> readFromSecretStore(Optional<String> secretKeyname) {
- if(secretKeyname.isEmpty()) return Optional.empty();
- TlsSecrets tlsSecretParameters = TlsSecrets.MISSING;
+ if (secretKeyname.isEmpty()) return Optional.empty();
try {
String cert = secretStore.getSecret(secretKeyname.get() + "-cert");
String key = secretStore.getSecret(secretKeyname.get() + "-key");
- tlsSecretParameters = new TlsSecrets(cert, key);
+ return Optional.of(new TlsSecrets(cert, key));
} catch (RuntimeException e) {
// Assume not ready yet
-// log.log(LogLevel.DEBUG, "Could not fetch certificate/key with prefix: " + secretKeyname.get(), e);
+ return Optional.of(TlsSecrets.MISSING);
}
- return Optional.of(tlsSecretParameters);
}
/** Returns a transaction which deletes these tls secrets key if they exist */
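Review bot: The `catch (RuntimeException e)` on the new side turns every failure of `secretStore.getSecret` into `TlsSecrets.MISSING`, so an unreachable or misconfigured secret store, a permission error and a certificate that is genuinely not yet provisioned all look the same to the caller, and with the commented-out debug line deleted nothing records the cause. Consider restoring the log inside the catch, `log.log(LogLevel.DEBUG, "Could not fetch certificate/key with prefix: " + secretKeyname.get(), e);`, which logs only the key name and never the certificate or private key material; whether `log` and `LogLevel` are still in scope cannot be seen from this hunk. If the store signals "not found" with a distinct exception type, catching that narrowly and letting other RuntimeExceptions propagate would separate "not ready yet" from "broken" instead of silently treating both as pending.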
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index b2093d7e9bd..d7a0465a8df 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -10,6 +10,7 @@ import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.ClusterSpec;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.TenantName;
+import com.yahoo.config.provision.zone.ZoneApi;
import com.yahoo.config.provision.zone.ZoneId;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
@@ -338,8 +339,13 @@ public class ApplicationController {
.flatMap(Collection::stream)
.collect(Collectors.toSet());
- // Get application certificate (provisions a new certificate if missing)
- applicationCertificate = getApplicationCertificate(application.get());
+ if (controller.zoneRegistry().zones().directlyRouted().ids().contains(zone)) {
+ // Get application certificate (provisions a new certificate if missing)
+ List<? extends ZoneApi> zones = controller.zoneRegistry().zones().all().zones();
+ applicationCertificate = getApplicationCertificate(application.get());
+ } else {
+ applicationCertificate = Optional.empty();
+ }
// Update application with information from application package
if ( ! preferOldestVersion
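Review bot: The local introduced at `List<? extends ZoneApi> zones = controller.zoneRegistry().zones().all().zones();` inside the new `if` branch is never read, so it is dead code that still performs a zone-registry lookup on every deployment to a directly routed zone, and the `ZoneApi` import added above appears to exist only to type it. Drop that line (and the import, if nothing else in the file uses it) so the branch contains only `applicationCertificate = getApplicationCertificate(application.get());`. The `directlyRouted().ids().contains(zone)` gate matches the stated intent of the change; the enclosing deploy method starts before and continues after this hunk, so where `zone` is bound is not visible here.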
@@ -500,17 +506,17 @@ public class ApplicationController {
}
private Optional<ApplicationCertificate> getApplicationCertificate(Application application) {
+ boolean provisionCertificate = provisionApplicationCertificate.with(FetchVector.Dimension.APPLICATION_ID,
+ application.id().serializedForm()).value();
+ if (!provisionCertificate) {
+ return Optional.empty();
+ }
+
// Re-use certificate if already provisioned
Optional<ApplicationCertificate> applicationCertificate = curator.readApplicationCertificate(application.id());
if(applicationCertificate.isPresent())
return applicationCertificate;
- // TODO(tokle): Verify that the application is deploying to a zone where certificate provisioning is enabled
- boolean provisionCertificate = provisionApplicationCertificate.with(FetchVector.Dimension.APPLICATION_ID,
- application.id().serializedForm()).value();
- if (!provisionCertificate) {
- return Optional.empty();
- }
ApplicationCertificate newCertificate = applicationCertificateProvider.requestCaSignedCertificate(application.id());
curator.writeApplicationCertificate(application.id(), newCertificate);
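Review bot: Moving the `provisionApplicationCertificate` flag check ahead of `curator.readApplicationCertificate` changes behaviour for applications that already hold a certificate: before, a stored certificate was reused regardless of the flag, whereas now turning the flag off makes the next deployment return `Optional.empty()` even though the certificate stays in curator. If that is the intended kill-switch semantics it deserves a comment on the check, e.g. `// Flag off: deploy without a certificate even if one was provisioned earlier; the stored certificate is kept`, otherwise the read should stay ahead of the flag check as it was. The deleted TODO about verifying the target zone is now satisfied by the caller's directly-routed gate rather than here, so a one-line Javadoc stating that this method assumes the caller has already checked the zone would keep that contract explicit. `getApplicationCertificate` continues past the end of the hunk.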
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
index 0d2d9ae68bd..210b94737b0 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
@@ -696,7 +696,7 @@ public class ControllerTest {
}
@Test
- public void testDeployProvisionsCertificate() {
+ public void testDeploySelectivelyProvisionsCertificate() {
((InMemoryFlagSource) tester.controller().flagSource()).withBooleanFlag(Flags.PROVISION_APPLICATION_CERTIFICATE.id(), true);
Function<Application, Optional<ApplicationCertificate>> certificate = (application) -> tester.controller().curator().readApplicationCertificate(application.id());
@@ -722,7 +722,7 @@ public class ControllerTest {
tester.controller().applications().deploy(app2.id(), zone, Optional.of(applicationPackage), DeployOptions.none());
assertTrue("Application deployed and activated",
tester.controllerTester().configServer().application(app2.id()).get().activated());
- assertTrue("Provisions certificate in " + Environment.dev, certificate.apply(app2).isPresent());
+ assertFalse("Does not provision certificate in " + Environment.dev, certificate.apply(app2).isPresent());
}
@Test
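Review bot: The flipped assertion `assertFalse("Does not provision certificate in " + Environment.dev, certificate.apply(app2).isPresent());` would also pass if certificate provisioning stopped working everywhere (for example if the new zone gate never matched), so by itself it does not demonstrate that provisioning is selective. The flag is enabled for all applications at the top of the test, so the earlier part of the method, outside this hunk, should still assert `isPresent()` for a deployment to a directly routed zone; if it does not, a regression that disables provisioning outright would go unnoticed. The test method begins before this hunk.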