author | Martin Polden <mpolden@mpolden.no> | 2021-10-26 14:26:01 +0200 |
committer | GitHub <noreply@github.com> | 2021-10-26 14:26:01 +0200 |
commit | 2712b0b3f8a240f38c3cfd398c930314b7c81388 (patch) | |
tree | f764ec6cb8b3c9479f232a82f9e2ebccca27d3e0 | |
parent | 4c46aa8897fdcacefb5e3351487eb6b7f13033ce (diff) | |
parent | c72a8c04d1f9a1d683b578a3cf39a8850253acb4 (diff) |
Merge pull request #19732 from vespa-engine/mpolden/remove-legacy-endpoints-in-cert
Remove legacy endpoint from certificate
3 files changed, 19 insertions, 12 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
index ef141353688..f0c8a46fa45 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
@@ -72,6 +72,7 @@ public class RoutingController {
 private final RoutingPolicies routingPolicies;
 private final RotationRepository rotationRepository;
 private final BooleanFlag hideSharedRoutingEndpoint;
+ private final BooleanFlag legacyEndpointInCertificate;
 public RoutingController(Controller controller, RotationsConfig rotationsConfig) {
 this.controller = Objects.requireNonNull(controller, "controller must be non-null");
@@ -80,6 +81,7 @@ public class RoutingController {
 controller.applications(), controller.curator());
 this.hideSharedRoutingEndpoint = Flags.HIDE_SHARED_ROUTING_ENDPOINT.bindTo(controller.flagSource());
+ this.legacyEndpointInCertificate = Flags.LEGACY_ENDPOINT_IN_CERTIFICATE.bindTo(controller.flagSource());
 }
 public RoutingPolicies policies() {
@@ -179,7 +181,7 @@ public class RoutingController {
 builder = builder.routingMethod(RoutingMethod.exclusive)
 .on(Port.tls());
 Endpoint endpoint = builder.in(controller.system());
- if (controller.system().isPublic()) {
+ if (includeLegacyEndpoint(deployment.applicationId(), controller.system())) {
 Endpoint legacyEndpoint = builder.legacy().in(controller.system());
 endpointDnsNames.add(legacyEndpoint.dnsName());
 }
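Review bot: The legacy-endpoint decision in the third hunk is now read from the feature flag here and read again, separately, inside `commonNameHashOf`, so the SAN list and the common name of one certificate request come from two independent flag evaluations; if the flag value changes between them, the request ends up with a CN suffix that does not match its own SAN set. Evaluating `boolean includeLegacy = includeLegacyEndpoint(deployment.applicationId(), controller.system());` once and passing that boolean on to the CN computation would make a single request self-consistent. The enclosing method starts before this hunk and continues past it, and whether `commonNameHashOf` is invoked from the same method is inferred from the names rather than visible here.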
@@ -389,10 +391,16 @@ public class RoutingController {
 }
 /** Create a common name based on a hash of given application. This must be less than 64 characters long. */
- private static String commonNameHashOf(ApplicationId application, SystemName system) {
+ private String commonNameHashOf(ApplicationId application, SystemName system) {
 HashCode sha1 = Hashing.sha1().hashString(application.serializedForm(), StandardCharsets.UTF_8);
 String base32 = BaseEncoding.base32().omitPadding().lowerCase().encode(sha1.asBytes());
- return 'v' + base32 + Endpoint.dnsSuffix(system, system.isPublic());
+ return 'v' + base32 + Endpoint.dnsSuffix(system, includeLegacyEndpoint(application, system));
+ }
+
+ private boolean includeLegacyEndpoint(ApplicationId application, SystemName system) {
+ return system.isPublic() && legacyEndpointInCertificate.with(FetchVector.Dimension.APPLICATION_ID,
+ application.serializedForm())
+ .value();
 }
 /** Returns direct routing endpoints if any exist and feature flag is set for given application */
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
index a509c457111..41745169f7a 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
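Review bot: The new `includeLegacyEndpoint` has no doc comment, and the existing comment on `commonNameHashOf` no longer tells the reader that the result is flag-dependent: the DNS suffix appended to the hash is now chosen per application by `legacy-endpoint-in-certificate`, so flipping the flag changes the common name requested for that application (presumably causing a fresh certificate request, which this hunk does not show). Suggest `/** Returns whether legacy endpoint names are included in the certificate for given application in given system, as decided by the legacy-endpoint-in-certificate flag. Only applies to public systems. */` on the helper, and appending `The suffix depends on the legacy-endpoint-in-certificate flag for the application.` to the comment above `commonNameHashOf`. Going from `static` to an instance method is what makes the flag reachable here and is fine, but it is worth a word in the comment so nobody reverts it to `static` later.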
@@ -134,22 +134,14 @@ public class EndpointCertificatesTest {
 EndpointCertificateValidatorImpl endpointCertificateValidator = new EndpointCertificateValidatorImpl(secretStore, clock);
 EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateMock, endpointCertificateValidator);
 List<String> expectedSans = List.of(
- "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.public.vespa.oath.cloud",
- "default.default.global.public.vespa.oath.cloud",
+ "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.vespa-app.cloud",
 "default.default.g.vespa-app.cloud",
- "*.default.default.global.public.vespa.oath.cloud",
 "*.default.default.g.vespa-app.cloud",
- "default.default.aws-us-east-1a.public.vespa.oath.cloud",
 "default.default.aws-us-east-1a.z.vespa-app.cloud",
- "*.default.default.aws-us-east-1a.public.vespa.oath.cloud",
 "*.default.default.aws-us-east-1a.z.vespa-app.cloud",
- "default.default.aws-us-east-1c.test.public.vespa.oath.cloud",
 "default.default.aws-us-east-1c.test.z.vespa-app.cloud",
- "*.default.default.aws-us-east-1c.test.public.vespa.oath.cloud",
 "*.default.default.aws-us-east-1c.test.z.vespa-app.cloud",
- "default.default.aws-us-east-1c.staging.public.vespa.oath.cloud",
 "default.default.aws-us-east-1c.staging.z.vespa-app.cloud",
- "*.default.default.aws-us-east-1c.staging.public.vespa.oath.cloud",
 "*.default.default.aws-us-east-1c.staging.z.vespa-app.cloud"
 );
 Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.empty());
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index e7441acc203..60ada655b4b 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
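Review bot: The updated expectation only covers the flag's default (legacy names excluded); nothing in this test exercises the enabled path, so a regression in the branch that adds the `.public.vespa.oath.cloud` SANs and CN suffix would now go unnoticed. Consider a second case that enables `legacy-endpoint-in-certificate` for the test instance through the tester's flag source and asserts that the names removed in this hunk (the legacy hash CN and the `*.default.default.*.public.vespa.oath.cloud` entries) reappear in `expectedSans`. The test method starts before this hunk.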
@@ -383,6 +383,13 @@ public class Flags {
 "Takes effect on restart of Docker container",
 APPLICATION_ID);
+ public static final UnboundBooleanFlag LEGACY_ENDPOINT_IN_CERTIFICATE = defineFeatureFlag(
+ "legacy-endpoint-in-certificate", false,
+ List.of("mpolden"), "2021-10-26", "2021-12-01",
+ "Whether to include legacy endpoint names in issued certificates",
+ "Takes effect on deployment through controller",
+ APPLICATION_ID);
+
 /** WARNING: public for testing: All flags should be defined in {@link Flags}. */
 public static UnboundBooleanFlag defineFeatureFlag(String flagId, boolean defaultValue, List<String> owners,
 String createdAt, String expiresAt, String description,
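Review bot: The description `"Whether to include legacy endpoint names in issued certificates"` understates what the flag does: in the RoutingController change it also selects the DNS suffix of the certificate's common name, so an operator reading only this definition would not expect the CN to change when toggling it. Suggest `"Whether to include legacy endpoint names (as SANs and in the common name suffix) in issued certificates"`. Since `LEGACY_ENDPOINT_IN_CERTIFICATE` expires on 2021-12-01, the `includeLegacyEndpoint` call sites should be removed together with the flag rather than left evaluating an expired definition.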