retry deployment on missing certificate

5 files changed, 43 insertions, 1 deletions

diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/TlsSecretsValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/TlsSecretsValidator.java
new file mode 100644
index 00000000000..c8154bf2bc2
--- /dev/null
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/TlsSecretsValidator.java
@@ -0,0 +1,16 @@
+package com.yahoo.vespa.model.application.validation;
+
+import com.yahoo.config.model.api.TlsSecrets;
+import com.yahoo.config.model.deploy.DeployState;
+import com.yahoo.vespa.model.VespaModel;
+
+public class TlsSecretsValidator extends Validator {
+
+    /** This check is delayed until validation to allow node provisioning to complete while we are waiting for cert */
+    @Override
+    public void validate(VespaModel model, DeployState deployState) {
+        if (deployState.tlsSecrets().isPresent() && deployState.tlsSecrets().get() == TlsSecrets.MISSING) {
+            throw new IllegalArgumentException("TLS enabled, but could not retrieve certificate yet");
+        }
+    }
+}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
index e44acf61466..042c7cc867c 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
@@ -56,6 +56,7 @@ public class Validation {
         new DeploymentFileValidator().validate(model, deployState);
         new RankingConstantsValidator().validate(model, deployState);
         new SecretStoreValidator().validate(model, deployState);
+        new TlsSecretsValidator().validate(model, deployState);
 
         List<ConfigChangeAction> result = Collections.emptyList();
         if (deployState.getProperties().isFirstTimeDeployment()) {
diff --git a/config-provisioning/src/main/java/com/yahoo/config/provision/CertificateNotReadyException.java b/config-provisioning/src/main/java/com/yahoo/config/provision/CertificateNotReadyException.java
new file mode 100644
index 00000000000..0d88a7aa435
--- /dev/null
+++ b/config-provisioning/src/main/java/com/yahoo/config/provision/CertificateNotReadyException.java
@@ -0,0 +1,17 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.config.provision;
+
+/**
+ * Exception thrown when trying to validate an application which is configured
+ * with a certificate that is not yet retrievable
+ * 
+ * @author andreer
+ *
+ */
+public class CertificateNotReadyException extends TransientException {
+
+    public CertificateNotReadyException(String message) {
+        super(message);
+    }
+
+}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/http/HttpErrorResponse.java b/configserver/src/main/java/com/yahoo/vespa/config/server/http/HttpErrorResponse.java
index a29891ae764..3d2ecd4a2ca 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/http/HttpErrorResponse.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/http/HttpErrorResponse.java
@@ -48,7 +48,8 @@ public class HttpErrorResponse extends HttpResponse {
         OUT_OF_CAPACITY,
         REQUEST_TIMEOUT,
         UNKNOWN_VESPA_VERSION,
-        PARENT_HOST_NOT_READY
+        PARENT_HOST_NOT_READY,
+        CERTIFICATE_NOT_READY
     }
 
     public static HttpErrorResponse notFoundError(String msg) {
@@ -95,6 +96,10 @@ public class HttpErrorResponse extends HttpResponse {
         return new HttpErrorResponse(CONFLICT, errorCodes.PARENT_HOST_NOT_READY.name(), msg);
     }
 
+    public static HttpErrorResponse certificateNotReady(String msg) {
+        return new HttpErrorResponse(CONFLICT, errorCodes.CERTIFICATE_NOT_READY.name(), msg);
+    }
+
     @Override
     public void render(OutputStream stream) throws IOException {
         new JsonFormat(true).encode(stream, slime);
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/http/HttpHandler.java b/configserver/src/main/java/com/yahoo/vespa/config/server/http/HttpHandler.java
index cd2052653ed..20ee77be9fe 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/http/HttpHandler.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/http/HttpHandler.java
@@ -2,6 +2,7 @@
 package com.yahoo.vespa.config.server.http;
 
 import com.yahoo.config.provision.ApplicationLockException;
+import com.yahoo.config.provision.CertificateNotReadyException;
 import com.yahoo.config.provision.ParentHostUnavailableException;
 import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.container.jdisc.HttpResponse;
@@ -64,6 +65,8 @@ public class HttpHandler extends LoggingRequestHandler {
             return HttpErrorResponse.applicationLockFailure(getMessage(e, request));
         } catch (ParentHostUnavailableException e) {
             return HttpErrorResponse.parentHostNotReady(getMessage(e, request));
+        } catch (CertificateNotReadyException e) {
+            return HttpErrorResponse.certificateNotReady(getMessage(e, request));
         } catch (Exception e) {
             log.log(LogLevel.WARNING, "Unexpected exception handling a config server request", e);
             return HttpErrorResponse.internalServerError(getMessage(e, request));