author | Arnstein Ressem <aressem@yahooinc.com> | 2023-09-11 15:29:31 +0200 |
---|---|---|
committer | Arnstein Ressem <aressem@yahooinc.com> | 2023-09-11 15:29:31 +0200 |
commit | 19132930725b9a127fd3ca0421e4c0ba2b3d9225 (patch) | |
tree | 82efcb53a3228d197bb968892f6a1250fe11cded | |
parent | b4b65919480d538ea099dc46ff116b2b4addf3ea (diff) | |
parent | 2206cbb78478c740675a1a470fd74f401c236fe6 (diff) |
Merged master
13 files changed, 68 insertions, 262 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
index 8bba92f36e3..1272bf4d00d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
@@ -35,6 +35,8 @@ import com.yahoo.vespa.hosted.controller.routing.GeneratedEndpoints;
 import com.yahoo.vespa.hosted.controller.routing.PreparedEndpoints;
 import com.yahoo.vespa.hosted.controller.routing.RoutingId;
 import com.yahoo.vespa.hosted.controller.routing.RoutingPolicies;
+import com.yahoo.vespa.hosted.controller.routing.RoutingPolicy;
+import com.yahoo.vespa.hosted.controller.routing.RoutingPolicyList;
 import com.yahoo.vespa.hosted.controller.routing.context.DeploymentRoutingContext;
 import com.yahoo.vespa.hosted.controller.routing.context.DeploymentRoutingContext.ExclusiveDeploymentRoutingContext;
 import com.yahoo.vespa.hosted.controller.routing.context.DeploymentRoutingContext.SharedDeploymentRoutingContext;
@@ -133,12 +135,20 @@ public class RoutingController {
 if (randomizedEndpointsEnabled(deployment.applicationId())) { // TODO(mpolden): Remove this guard once config-models < 8.220 are gone
 boolean includeTokenEndpoint = tokenEndpointEnabled(deployment.applicationId());
 Map<ClusterSpec.Id, List<GeneratedEndpoint>> generatedEndpointsByCluster = new HashMap<>();
+ RoutingPolicyList deploymentPolicies = policies().read(deployment);
 for (var container : services.containers()) {
 ClusterSpec.Id clusterId = ClusterSpec.Id.from(container.id());
 boolean tokenSupported = includeTokenEndpoint && container.authMethods().contains(BasicServicesXml.Container.AuthMethod.token);
- List<GeneratedEndpoint> generatedForCluster = certificate.flatMap(EndpointCertificate::randomizedId)
- .map(id -> generateEndpoints(id, deployment.applicationId(), tokenSupported))
- .orElseGet(List::of);
+ // Use already existing generated endpoints, if any
+ List<GeneratedEndpoint> generatedForCluster = deploymentPolicies.cluster(clusterId)
+ .first()
+ .map(RoutingPolicy::generatedEndpoints)
+ .orElseGet(List::of);
+ if (generatedForCluster.isEmpty()) {
+ generatedForCluster = certificate.flatMap(EndpointCertificate::randomizedId)
+ .map(id -> generateEndpoints(id, deployment.applicationId(), tokenSupported))
+ .orElseGet(List::of);
+ }
 if (!generatedForCluster.isEmpty()) {
 generatedEndpointsByCluster.put(clusterId, generatedForCluster);
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/routing/RoutingPolicyList.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/routing/RoutingPolicyList.java
index a5efc016c68..366c28a6be0 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/routing/RoutingPolicyList.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/routing/RoutingPolicyList.java
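Review bot: The reuse branch added at the top of the loop body bypasses `tokenSupported`: when `deploymentPolicies.cluster(clusterId).first()` yields a policy with a non-empty `generatedEndpoints()`, that list is taken verbatim, so a cluster that dropped `token` from its `authMethods` keeps its previously generated token endpoint, and a cluster that newly added `token` never gets one generated, because the `generateEndpoints(...)` fallback only runs when the reused list is empty. I would reconcile the reused list with the current auth methods before accepting it — drop token-auth entries when `!tokenSupported`, and treat a missing token entry as a reason to fall through to generation when `tokenSupported` — or extend the `// Use already existing generated endpoints, if any` comment with why a change of auth methods between deployments is handled elsewhere, if it is. `first()` also silently picks one policy when several exist for the cluster; if a deployment can hold more than one policy per cluster with differing generated endpoints, that choice deserves a comment or an assertion. The enclosing method starts before the hunk and continues after it.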
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.routing;
 import com.yahoo.collections.AbstractFilteringList;
 import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId;
 import com.yahoo.vespa.hosted.controller.application.EndpointId;
@@ -46,6 +47,11 @@ public class RoutingPolicyList extends AbstractFilteringList<RoutingPolicy, Rout
 return matching(policy -> policy.id().owner().equals(instance));
 }
+ /** Returns the subset of policies applying to given cluster */
+ public RoutingPolicyList cluster(ClusterSpec.Id cluster) {
+ return matching(policy -> policy.id().cluster().equals(cluster));
+ }
+
 /** Returns the subset of policies applying to given deployment */
 public RoutingPolicyList deployment(DeploymentId deployment) {
 return matching(policy -> policy.appliesTo(deployment));
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/routing/RoutingPoliciesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/routing/RoutingPoliciesTest.java
index d029987707f..b9da87771c0 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/routing/RoutingPoliciesTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/routing/RoutingPoliciesTest.java
@@ -22,6 +22,7 @@ import com.yahoo.vespa.hosted.controller.ControllerTester;
 import com.yahoo.vespa.hosted.controller.Instance;
 import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate;
+import com.yahoo.vespa.hosted.controller.api.integration.configserver.ContainerEndpoint;
 import com.yahoo.vespa.hosted.controller.api.integration.configserver.LoadBalancer;
 import com.yahoo.vespa.hosted.controller.api.integration.dns.Record;
 import com.yahoo.vespa.hosted.controller.api.integration.dns.Record.Type;
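Review bot: The new `cluster(ClusterSpec.Id)` filter matches on `policy.id().cluster()` alone, so on an unfiltered list it returns policies with that cluster id across every owner and zone, while the Javadoc `/** Returns the subset of policies applying to given cluster */` reads as if the result were already scoped to one deployment. I would make that explicit: `/** Returns the subset of policies whose cluster id equals the given id, regardless of owner or zone; combine with {@link #deployment} or {@link #instance} to narrow further */`. The only caller in this diff first narrows with `policies().read(deployment)`, which is presumably what keeps the result unambiguous there.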
@@ -1091,6 +1092,7 @@ public class RoutingPoliciesTest {
 assertEquals(2, generated.cluster(cluster1).size());
 assertEquals(1, generated.cluster(cluster1).authMethod(AuthMethod.token).size());
 }
+ Map<DeploymentId, Set<ContainerEndpoint>> containerEndpointsInProd = tester.containerEndpoints(Environment.prod);
 // Ordinary endpoints point to expected targets
 tester.assertTargets(context.instanceId(), EndpointId.of("foo"), cluster0, 0,
@@ -1109,6 +1111,7 @@ public class RoutingPoliciesTest {
 // Next deployment does not change generated names
 context.submit(applicationPackage).deferLoadBalancerProvisioningIn(Environment.prod).deploy();
 assertEquals(expectedRecords, tester.recordNames());
+ assertEquals(containerEndpointsInProd, tester.containerEndpoints(Environment.prod));
 }
 private void addCertificateToPool(String id, UnassignedCertificate.State state, RoutingPoliciesTester tester) {
@@ -1200,6 +1203,12 @@ public class RoutingPoliciesTest {
 }
 }
+ public Map<DeploymentId, Set<ContainerEndpoint>> containerEndpoints(Environment environment) {
+ return tester.controllerTester().configServer().containerEndpoints().entrySet().stream()
+ .filter(kv -> kv.getKey().zoneId().environment() == environment)
+ .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+ }
+
 public RoutingPolicies routingPolicies() {
 return tester.controllerTester().controller().routing().policies();
 }
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/container/ContainerEngine.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/container/ContainerEngine.java
index 2aa1d12c491..68dab0b32fb 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/container/ContainerEngine.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/container/ContainerEngine.java
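Review bot: The new `assertEquals(containerEndpointsInProd, tester.containerEndpoints(Environment.prod))` only pins that redeploying the same `applicationPackage` preserves the generated container endpoints; nothing exercises a redeploy where a container's `authMethods` change (adding or removing `token`), which is exactly the case where reusing stored generated endpoints can diverge from what a fresh `generateEndpoints` call would produce. I would add a second submit with the token auth method toggled on the same cluster and assert that the token endpoint appears or disappears accordingly, so the reuse path in `RoutingController` is covered for both directions. The `containerEndpoints` helper compares `zoneId().environment()` with `==`, which is fine for an enum but worth a word in a short Javadoc, e.g. `/** Container endpoints currently registered in the config server, by deployment, for the given environment */`. The enclosing test method begins before the first hunk.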
@@ -7,6 +7,7 @@ import com.yahoo.vespa.hosted.node.admin.container.image.Image;
 import com.yahoo.vespa.hosted.node.admin.nodeagent.ContainerData;
 import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext;
 import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixUser;
+import com.yahoo.vespa.hosted.node.admin.task.util.process.CommandLine;
 import com.yahoo.vespa.hosted.node.admin.task.util.process.CommandResult;
 import java.time.Duration;
@@ -48,7 +49,11 @@ public interface ContainerEngine {
 CommandResult execute(NodeAgentContext context, UnixUser user, Duration timeout, String... command);
 /** Execute command inside the container's network namespace. Throws on non-zero exit code */
- CommandResult executeInNetworkNamespace(NodeAgentContext context, String... command);
+ CommandResult executeInNetworkNamespace(NodeAgentContext context, CommandLine.Options options, String... command);
+
+ default CommandResult executeInNetworkNamespace(NodeAgentContext context, String... command) {
+ return executeInNetworkNamespace(context, new CommandLine.Options(), command);
+ }
 /** Download given image */
 void pullImage(TaskContext context, DockerImage image, RegistryCredentials registryCredentials);
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/container/ContainerOperations.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/container/ContainerOperations.java
index fa933e9622a..cae47a88961 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/container/ContainerOperations.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/container/ContainerOperations.java
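Review bot: The Javadoc `/** Execute command inside the container's network namespace. Throws on non-zero exit code */` now sits on the options-taking abstract method but says nothing about what `options` controls, and the new `default` overload below it carries no documentation at all. Since `CommandLine.Options.setSilent(true)` routes to `executeSilently()` (per the CommandLine hunk in this diff), a reader cannot tell from here whether the "throws on non-zero exit code" contract still holds in silent mode; I would add `@param options execution options, e.g. {@link CommandLine.Options#setSilent} to suppress logging; exit-code handling is unchanged` once that is confirmed, and give the default overload `/** Same as {@link #executeInNetworkNamespace(NodeAgentContext, CommandLine.Options, String...)} with default options */`. This interface is cut off on both sides of the hunk.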
@@ -78,7 +78,11 @@ public class ContainerOperations {
 /** Execute command in inside containers network namespace, identified by given context. Throws on non-zero exit code */
 public CommandResult executeCommandInNetworkNamespace(NodeAgentContext context, String... command) {
- return containerEngine.executeInNetworkNamespace(context, command);
+ return executeCommandInNetworkNamespace(context, new CommandLine.Options(), command);
+ }
+
+ public CommandResult executeCommandInNetworkNamespace(NodeAgentContext context, CommandLine.Options options, String... command) {
+ return containerEngine.executeInNetworkNamespace(context, options, command);
 }
 /** Resume node. Resuming a node means that it is ready to receive traffic */
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
index e8d10805a45..1cfe73e8937 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
@@ -9,10 +9,10 @@ import com.yahoo.vespa.hosted.node.admin.task.util.file.Editor;
 import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEditor;
 import com.yahoo.vespa.hosted.node.admin.task.util.network.IPAddresses;
 import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
+import com.yahoo.vespa.hosted.node.admin.task.util.process.CommandLine;
 import java.io.IOException;
 import java.net.InetAddress;
-import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.List;
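Review bot: The Javadoc `/** Execute command in inside containers network namespace, identified by given context. Throws on non-zero exit code */` stays on the varargs-only overload, while the new `(context, options, command)` overload that now does the actual delegation to `containerEngine` has none, and the existing text has a typo ("in inside"). I would move the Javadoc to the options overload, add `@param options execution options, see {@link CommandLine.Options}`, and leave the old one with `/** Same as {@link #executeCommandInNetworkNamespace(NodeAgentContext, CommandLine.Options, String...)} with default options */`. Unlike the other files in this diff, no `import ...process.CommandLine` is added to ContainerOperations here; presumably it was already imported, but that is worth a glance. The class continues on both sides of the hunk.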
@@ -89,7 +89,7 @@ public class AclMaintainer {
 private Supplier<List<String>> listTable(NodeAgentContext context, String table, IPVersion ipVersion) {
 return () -> containerOperations
- .executeCommandInNetworkNamespace(context, ipVersion.iptablesCmd(), "-S", "-t", table)
+ .executeCommandInNetworkNamespace(context, new CommandLine.Options().setSilent(true), ipVersion.iptablesCmd(), "-S", "-t", table)
 .mapEachLine(String::trim);
 }
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/process/CommandLine.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/process/CommandLine.java
index 2153a15e76b..3d45f515d96 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/process/CommandLine.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/process/CommandLine.java
@@ -144,6 +144,23 @@ public class CommandLine {
 return doExecute();
 }
+ public static class Options {
+ private boolean silent = false;
+
+ public Options() {}
+
+ /** Invoke {@link #executeSilently()} instead of {@link #execute()} (default). */
+ public Options setSilent(boolean silent) {
+ this.silent = silent;
+ return this;
+ }
+ }
+
+ /** Convenience method to bundle up a bunch of calls on this into an options object. */
+ public CommandResult execute(Options options) {
+ return options.silent ? executeSilently() : execute();
+ }
+
 /**
 * Record an already executed executeSilently() as having modified the system.
 * For instance with YUM it is not known until after a 'yum install' whether it
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/container/ContainerEngineMock.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/container/ContainerEngineMock.java
index af869786504..28e733ac018 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/container/ContainerEngineMock.java
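Review bot: `listTable` now runs the `iptables -S -t <table>` listing with `new CommandLine.Options().setSilent(true)` but nothing at the call site says why, and silencing is a deliberate trade against auditability of what node-admin executes in the container's network namespace. I would add a comment above the call such as `// Read-only listing run on every converge; execute silently so it is not logged or recorded as a system modification (see CommandLine.executeSilently)` — the "modified the system" wording comes from the CommandLine Javadoc visible in this diff, so adjust if silent means only log suppression. The mutating `iptables-restore` / `ip6tables-restore` calls elsewhere in this class remain non-silent, which is the right split for a firewall maintainer and is worth stating in the same comment. `listTable` appears to be fully contained in the hunk.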
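Review bot: `execute(Options options)` reads `options.silent` without a null check, so a caller passing `null` — the natural "no options" value for an overload — gets a bare NullPointerException instead of a clear message; `Objects.requireNonNull(options, "options")` at the top (or treating `null` as defaults) would fix that, adding `java.util.Objects` if it is not already imported. `Options` exposes no accessor for `silent`, so tests can only match it with `any(CommandLine.Options.class)` as the AclMaintainerTest hunks in this diff do, and cannot assert that a caller actually requested silent execution; a `public boolean silent() { return silent; }` would allow `argThat`. The Javadoc `/** Convenience method to bundle up a bunch of calls on this into an options object. */` does not describe a class with a single flag; I would write `/** Runs this command via {@link #executeSilently()} when the options request silence, otherwise via {@link #execute()} */`. `CommandLine` continues on both sides of the hunk.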
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/container/ContainerEngineMock.java
@@ -8,6 +8,7 @@ import com.yahoo.vespa.hosted.node.admin.nodeagent.ContainerData;
 import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext;
 import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixUser;
 import com.yahoo.vespa.hosted.node.admin.task.util.fs.ContainerPath;
+import com.yahoo.vespa.hosted.node.admin.task.util.process.CommandLine;
 import com.yahoo.vespa.hosted.node.admin.task.util.process.CommandResult;
 import com.yahoo.vespa.hosted.node.admin.task.util.process.TestTerminal;
@@ -158,13 +159,11 @@ public class ContainerEngineMock implements ContainerEngine {
 }
 @Override
- public CommandResult executeInNetworkNamespace(NodeAgentContext context, String... command) {
+ public CommandResult executeInNetworkNamespace(NodeAgentContext context, CommandLine.Options options, String... command) {
 if (terminal == null) {
 return new CommandResult(null, 0, "");
 }
- return terminal.newCommandLine(context)
- .add(command)
- .executeSilently();
+ return terminal.newCommandLine(context).add(command).execute(options);
 }
 @Override
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index 827c6ebb6ec..32e82627d9a 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
@@ -9,6 +9,7 @@ import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContextImpl;
 import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixPath;
 import com.yahoo.vespa.hosted.node.admin.task.util.network.IPAddressesMock;
 import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
+import com.yahoo.vespa.hosted.node.admin.task.util.process.CommandLine;
 import com.yahoo.vespa.hosted.node.admin.task.util.process.CommandResult;
 import com.yahoo.vespa.test.file.TestFileSystem;
 import org.junit.jupiter.api.BeforeEach;
@@ -64,7 +65,7 @@ public class AclMaintainerTest {
 aclMaintainer.converge(context);
- verify(containerOperations, times(4)).executeCommandInNetworkNamespace(eq(context), any(), eq("-S"), eq("-t"), any());
+ verify(containerOperations, times(4)).executeCommandInNetworkNamespace(eq(context), any(CommandLine.Options.class), any(), eq("-S"), eq("-t"), any());
 verify(containerOperations, times(2)).executeCommandInNetworkNamespace(eq(context), eq("iptables-restore"), any());
 verify(containerOperations, times(2)).executeCommandInNetworkNamespace(eq(context), eq("ip6tables-restore"), any());
 verifyNoMoreInteractions(containerOperations);
@@ -131,7 +132,7 @@ public class AclMaintainerTest {
 aclMaintainer.converge(context);
- verify(containerOperations, times(2)).executeCommandInNetworkNamespace(eq(context), any(), eq("-S"), eq("-t"), any());
+ verify(containerOperations, times(2)).executeCommandInNetworkNamespace(eq(context), any(CommandLine.Options.class), any(), eq("-S"), eq("-t"), any());
 verify(containerOperations, times(1)).executeCommandInNetworkNamespace(eq(context), eq("iptables-restore"), any());
 verify(containerOperations, times(1)).executeCommandInNetworkNamespace(eq(context), eq("ip6tables-restore"), any());
 verifyNoMoreInteractions(containerOperations);
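Review bot: Replacing the positional `any()` with `any(CommandLine.Options.class)` in the `verify` of the `-S` listing keeps the call count but asserts nothing about how the listing is executed, so a regression that drops `setSilent(true)` in `AclMaintainer.listTable`, or that accidentally makes the `iptables-restore` call silent, would pass these tests unnoticed. I would match the flag explicitly for the listing, e.g. `argThat((CommandLine.Options o) -> o.silent())`, and keep the restore verifications on the varargs overload as they are; that requires `Options` to expose its flag through an accessor, since in this diff the field is private with only a setter. The enclosing test methods begin before each hunk.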
@@ -188,7 +189,7 @@ public class AclMaintainerTest {
 aclMaintainer.converge(context);
- verify(containerOperations, times(3)).executeCommandInNetworkNamespace(eq(context), any(), eq("-S"), eq("-t"), any());
+ verify(containerOperations, times(3)).executeCommandInNetworkNamespace(eq(context), any(CommandLine.Options.class), any(), eq("-S"), eq("-t"), any());
 verify(containerOperations, times(1)).executeCommandInNetworkNamespace(eq(context), eq("iptables-restore"), any());
 verify(containerOperations, never()).executeCommandInNetworkNamespace(eq(context), eq("ip6tables-restore"), any()); //we don't have a ip4 address for the container so no redirect
 verifyNoMoreInteractions(containerOperations);
@@ -237,7 +238,7 @@ public class AclMaintainerTest {
 aclMaintainer.converge(context);
- verify(containerOperations, times(3)).executeCommandInNetworkNamespace(eq(context), any(), eq("-S"), eq("-t"), any());
+ verify(containerOperations, times(3)).executeCommandInNetworkNamespace(eq(context), any(CommandLine.Options.class), any(), eq("-S"), eq("-t"), any());
 verify(containerOperations, times(1)).executeCommandInNetworkNamespace(eq(context), eq("iptables-restore"), any());
 verify(containerOperations, times(1)).executeCommandInNetworkNamespace(eq(context), eq("iptables"), eq("-F"), eq("-t"), eq("filter"));
 verifyNoMoreInteractions(containerOperations);
@@ -271,7 +272,7 @@ public class AclMaintainerTest {
 aclMaintainer.converge(context);
- verify(containerOperations, times(4)).executeCommandInNetworkNamespace(eq(context), any(), eq("-S"), eq("-t"), any());
+ verify(containerOperations, times(4)).executeCommandInNetworkNamespace(eq(context), any(CommandLine.Options.class), any(), eq("-S"), eq("-t"), any());
 verify(containerOperations, times(2)).executeCommandInNetworkNamespace(eq(context), eq("iptables-restore"), any());
 verify(containerOperations, times(2)).executeCommandInNetworkNamespace(eq(context), eq("ip6tables-restore"), any());
 verifyNoMoreInteractions(containerOperations);
@@ -343,7 +344,7 @@ public class AclMaintainerTest {
 private void whenListRules(NodeAgentContext context, String table, IPVersion ipVersion, String output) {
 when(containerOperations.executeCommandInNetworkNamespace(
- eq(context), eq(ipVersion.iptablesCmd()), eq("-S"), eq("-t"), eq(table)))
+ eq(context), any(CommandLine.Options.class), eq(ipVersion.iptablesCmd()), eq("-S"), eq("-t"), eq(table)))
 .thenReturn(new CommandResult(null, 0, output));
 }
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index 55fd25f8b99..a9379040133 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -275,52 +275,6 @@
 <groupId>commons-codec</groupId>
 <artifactId>commons-codec</artifactId>
 </dependency>
- <dependency>
- <groupId>com.google.http-client</groupId>
- <artifactId>google-http-client-apache-v2</artifactId>
- <exclusions>
- <exclusion>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpcore</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpclient</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.google.http-client</groupId>
- <artifactId>google-http-client</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>com.google.http-client</groupId>
- <artifactId>google-http-client</artifactId>
- <exclusions>
- <exclusion>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpcore</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpclient</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>com.google.auth</groupId>
- <artifactId>google-auth-library-oauth2-http</artifactId>
- <exclusions>
- <exclusion>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
 </dependencies>
 <build>
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
deleted file mode 100644
index bbdc3c2b372..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
+++ /dev/null
@@ -1,180 +0,0 @@ -package com.yahoo.vespa.athenz.gcp; - -import com.google.api.client.http.apache.v2.ApacheHttpTransport; -import com.google.auth.http.HttpTransportFactory; -import com.google.auth.oauth2.ExternalAccountCredentials; -import com.yahoo.security.token.TokenDomain; -import com.yahoo.security.token.TokenGenerator; -import com.yahoo.slime.Cursor; -import com.yahoo.slime.Slime; -import com.yahoo.slime.SlimeUtils; -import com.yahoo.vespa.athenz.api.AthenzDomain; -import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider; -import org.apache.http.conn.ssl.SSLConnectionSocketFactory; -import org.apache.http.impl.client.HttpClientBuilder; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.net.URLEncoder; -import java.nio.charset.StandardCharsets; -import java.util.Objects; - -public class GcpCredentials { - private static final TokenDomain domain = TokenDomain.of("athenz-gcp-oauth2-nonce"); - - final private InputStream tokenApiStream; - private final HttpTransportFactory httpTransportFactory; - - private GcpCredentials(Builder builder) { - String clientId = builder.athenzDomain.getName() + ".gcp"; - String audience = String.format("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s", - builder.projectNumber, builder.workloadPoolName, builder.workloadProviderName); - String serviceUrl = String.format("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s@%s.iam.gserviceaccount.com:generateAccessToken", - builder.serviceAccountName, builder.projectName); - String scope = URLEncoder.encode(generateIdTokenScope(builder.athenzDomain.getName(), builder.role), StandardCharsets.UTF_8); - String redirectUri = URLEncoder.encode(generateRedirectUri(clientId, builder.redirectURISuffix), StandardCharsets.UTF_8); - String tokenUrl = 
String.format("%s/oauth2/auth?response_type=id_token&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&keyType=EC&fullArn=true&output=json", - builder.ztsUrl, clientId, redirectUri, scope, TokenGenerator.generateToken(domain, "", 32).secretTokenString()); - - tokenApiStream = createTokenAPIStream(audience, serviceUrl, tokenUrl, builder.tokenLifetimeSeconds); - SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(builder.identityProvider.getIdentitySslContext()); - HttpClientBuilder httpClientBuilder = ApacheHttpTransport.newDefaultHttpClientBuilder() - .setSSLSocketFactory(sslConnectionSocketFactory); - httpTransportFactory = () -> new ApacheHttpTransport(httpClientBuilder.build()); - } - - public ExternalAccountCredentials getCredential() throws IOException { - return ExternalAccountCredentials.fromStream(tokenApiStream, httpTransportFactory); - } - - private InputStream createTokenAPIStream(final String audience, final String serviceUrl, final String tokenUrl, - int tokenLifetimeSeconds) { - - Slime root = new Slime(); - Cursor c = root.setObject(); - - c.setString("type", "external_account"); - c.setString("audience", audience); - c.setString("subject_token_type", "urn:ietf:params:oauth:token-type:jwt"); - c.setString("token_url", "https://sts.googleapis.com/v1/token"); - - c.setString("service_account_impersonation_url", serviceUrl); - Cursor sai = c.setObject("service_account_impersonation"); - sai.setLong("token_lifetime_seconds", tokenLifetimeSeconds); - - Cursor credentialSource = c.setObject("credential_source"); - credentialSource.setString("url", tokenUrl); - - Cursor credentialSourceFormat = credentialSource.setObject("format"); - credentialSourceFormat.setString("type", "json"); - credentialSourceFormat.setString("subject_token_field_name", "id_token"); - - try { - return new ByteArrayInputStream(SlimeUtils.toJsonBytes(root)); - } catch (IOException e) { - throw new RuntimeException(e); - } - } - - private static String 
generateIdTokenScope(final String domainName, String roleName) { - StringBuilder scope = new StringBuilder(256); - scope.append("openid"); - scope.append(' ').append(domainName).append(":role.").append(roleName); - return scope.toString(); - } - - private static String generateRedirectUri(final String clientId, String uriSuffix) { - int idx = clientId.lastIndexOf('.'); - if (idx == -1) { - return ""; - } - final String dashDomain = clientId.substring(0, idx).replace('.', '-'); - final String service = clientId.substring(idx + 1); - return "https://" + service + "." + dashDomain + "." + uriSuffix; - } - - - public static class Builder { - private String ztsUrl; - private ServiceIdentityProvider identityProvider; - private String redirectURISuffix; - private AthenzDomain athenzDomain; - private String role; - private String projectName; - private String projectNumber; - private String serviceAccountName; - - private int tokenLifetimeSeconds = 3600; // default to 1 hour lifetime - private String workloadPoolName = "athenz"; - private String workloadProviderName = "athenz"; - - public GcpCredentials build() { - Objects.requireNonNull(ztsUrl); - Objects.requireNonNull(identityProvider); - Objects.requireNonNull(redirectURISuffix); - Objects.requireNonNull(athenzDomain); - Objects.requireNonNull(role); - Objects.requireNonNull(projectName); - Objects.requireNonNull(projectNumber); - Objects.requireNonNull(serviceAccountName); - - return new GcpCredentials(this); - } - - public Builder setZtsUrl(String ztsUrl) { - this.ztsUrl = ztsUrl; - return this; - } - - public Builder identityProvider(ServiceIdentityProvider provider) { - this.identityProvider = provider; - return this; - } - - public Builder redirectURISuffix(String redirectURISuffix) { - this.redirectURISuffix = redirectURISuffix; - return this; - } - - public Builder athenzDomain(AthenzDomain athenzDomain) { - this.athenzDomain = athenzDomain; - return this; - } - - public Builder role(String gcpRole) { - 
this.role = gcpRole; - return this; - } - - public Builder projectName(String projectName) { - this.projectName = projectName; - return this; - } - - public Builder projectNumber(String projectNumber) { - this.projectNumber = projectNumber; - return this; - } - - public Builder serviceAccountName(String serviceAccountName) { - this.serviceAccountName = serviceAccountName; - return this; - } - - public Builder tokenLifetimeSeconds(int tokenLifetimeSeconds) { - this.tokenLifetimeSeconds = tokenLifetimeSeconds; - return this; - } - - public Builder workloadPoolName(String workloadPoolName) { - this.workloadPoolName = workloadPoolName; - return this; - } - - public Builder workloadProviderName(String workloadProviderName) { - this.workloadProviderName = workloadProviderName; - return this; - } - } -} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/package-info.java deleted file mode 100644 index 706f9fdfc99..00000000000 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/package-info.java +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. - -/** - * @author bjorncs - */ -@ExportPackage -package com.yahoo.vespa.athenz.gcp; - -import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file
diff --git a/vespa-dependencies-enforcer/allowed-maven-dependencies.txt b/vespa-dependencies-enforcer/allowed-maven-dependencies.txt
index b3bf21c76a3..ca7d1fd8aab 100644
--- a/vespa-dependencies-enforcer/allowed-maven-dependencies.txt
+++ b/vespa-dependencies-enforcer/allowed-maven-dependencies.txt
@@ -22,17 +22,10 @@ com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.15.2
 com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.2
 com.github.luben:zstd-jni:1.5.5-5
 com.github.spotbugs:spotbugs-annotations:3.1.9
-com.google.auth:google-auth-library-credentials:1.19.0
-com.google.auth:google-auth-library-oauth2-http:1.19.0
-com.google.auto.value:auto-value-annotations:1.10.1
 com.google.code.findbugs:jsr305:3.0.2
-com.google.code.gson:gson:2.10
 com.google.errorprone:error_prone_annotations:2.21.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:32.1.2-jre
-com.google.http-client:google-http-client:1.43.3
-com.google.http-client:google-http-client-apache-v2:1.43.3
-com.google.http-client:google-http-client-gson:1.42.3
 com.google.inject:guice:6.0.0
 com.google.j2objc:j2objc-annotations:2.8
 com.google.protobuf:protobuf-java:3.24.3
@@ -56,7 +49,6 @@ commons-io:commons-io:2.13.0
 commons-logging:commons-logging:1.2
 io.airlift:airline:0.9
 io.dropwizard.metrics:metrics-core:4.2.19
-io.grpc:grpc-context:1.27.2
 io.jsonwebtoken:jjwt-api:0.11.5
 io.jsonwebtoken:jjwt-impl:0.11.5
 io.jsonwebtoken:jjwt-jackson:0.11.5
@@ -71,8 +63,6 @@ io.netty:netty-transport:4.1.97.Final
 io.netty:netty-transport-classes-epoll:4.1.97.Final
 io.netty:netty-transport-native-epoll:4.1.97.Final
 io.netty:netty-transport-native-unix-common:4.1.97.Final
-io.opencensus:opencensus-api:0.31.1
-io.opencensus:opencensus-contrib-http-util:0.31.1
 io.prometheus:simpleclient:0.16.0
 io.prometheus:simpleclient_common:0.16.0
 io.prometheus:simpleclient_tracer_common:0.16.0 |