authorMartin Polden <mpolden@mpolden.no>2021-10-26 14:26:01 +0200
committerGitHub <noreply@github.com>2021-10-26 14:26:01 +0200
commit2712b0b3f8a240f38c3cfd398c930314b7c81388 (patch)
treef764ec6cb8b3c9479f232a82f9e2ebccca27d3e0
parent4c46aa8897fdcacefb5e3351487eb6b7f13033ce (diff)
parentc72a8c04d1f9a1d683b578a3cf39a8850253acb4 (diff)
Merge pull request #19732 from vespa-engine/mpolden/remove-legacy-endpoints-in-cert
Remove legacy endpoint from certificate
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java14
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java10
-rw-r--r--flags/src/main/java/com/yahoo/vespa/flags/Flags.java7
3 files changed, 19 insertions, 12 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
index ef141353688..f0c8a46fa45 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
@@ -72,6 +72,7 @@ public class RoutingController {
private final RoutingPolicies routingPolicies;
private final RotationRepository rotationRepository;
private final BooleanFlag hideSharedRoutingEndpoint;
+ private final BooleanFlag legacyEndpointInCertificate;
public RoutingController(Controller controller, RotationsConfig rotationsConfig) {
this.controller = Objects.requireNonNull(controller, "controller must be non-null");
@@ -80,6 +81,7 @@ public class RoutingController {
controller.applications(),
controller.curator());
this.hideSharedRoutingEndpoint = Flags.HIDE_SHARED_ROUTING_ENDPOINT.bindTo(controller.flagSource());
+ this.legacyEndpointInCertificate = Flags.LEGACY_ENDPOINT_IN_CERTIFICATE.bindTo(controller.flagSource());
}
public RoutingPolicies policies() {
@@ -179,7 +181,7 @@ public class RoutingController {
builder = builder.routingMethod(RoutingMethod.exclusive)
.on(Port.tls());
Endpoint endpoint = builder.in(controller.system());
- if (controller.system().isPublic()) {
+ if (includeLegacyEndpoint(deployment.applicationId(), controller.system())) {
Endpoint legacyEndpoint = builder.legacy().in(controller.system());
endpointDnsNames.add(legacyEndpoint.dnsName());
}
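Review bot: With LEGACY_ENDPOINT_IN_CERTIFICATE defaulting to false, the replaced `if (controller.system().isPublic())` now drops the legacy `*.public.vespa.oath.cloud` names from the SAN list of every newly issued public-system certificate unless the flag is set for that application, so any client still connecting through a legacy hostname will fail hostname verification once the certificate is reissued. Nothing in the hunk checks whether a legacy name is still in use before it is dropped; if that guard is meant to live in the flag rollout rather than in code, a comment should say so, e.g. `// Legacy SANs are opt-in per application via LEGACY_ENDPOINT_IN_CERTIFICATE; clients on legacy hostnames break when the cert is reissued without them`. The enclosing method starts and ends outside this hunk.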
@@ -389,10 +391,16 @@ public class RoutingController {
}
/** Create a common name based on a hash of given application. This must be less than 64 characters long. */
- private static String commonNameHashOf(ApplicationId application, SystemName system) {
+ private String commonNameHashOf(ApplicationId application, SystemName system) {
HashCode sha1 = Hashing.sha1().hashString(application.serializedForm(), StandardCharsets.UTF_8);
String base32 = BaseEncoding.base32().omitPadding().lowerCase().encode(sha1.asBytes());
- return 'v' + base32 + Endpoint.dnsSuffix(system, system.isPublic());
+ return 'v' + base32 + Endpoint.dnsSuffix(system, includeLegacyEndpoint(application, system));
+ }
+
+ private boolean includeLegacyEndpoint(ApplicationId application, SystemName system) {
+ return system.isPublic() && legacyEndpointInCertificate.with(FetchVector.Dimension.APPLICATION_ID,
+ application.serializedForm())
+ .value();
}
/** Returns direct routing endpoints if any exist and feature flag is set for given application */
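Review bot: `includeLegacyEndpoint` is now evaluated twice per certificate request — once for the SAN list in the earlier hunk and again inside `commonNameHashOf` — and each call reads the flag source afresh through `.value()`, so a flag flip between the two reads would produce a CN on one DNS suffix and SANs on the other. Evaluate it once and pass the result down, e.g. `private String commonNameHashOf(ApplicationId application, SystemName system, boolean includeLegacy)` with `Endpoint.dnsSuffix(system, includeLegacy)`. The new helper also has no doc comment; `/** Legacy endpoint names are added only in public systems and only when the per-application flag is set */` would make the opt-in nature explicit. While here, the Javadoc on `commonNameHashOf` could note that SHA-1 is used only to derive a short, stable name and not for any security property, to pre-empt scanner findings. The caller of `commonNameHashOf` is outside this hunk, so the matching call-site change is not visible here.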
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
index a509c457111..41745169f7a 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
@@ -134,22 +134,14 @@ public class EndpointCertificatesTest {
EndpointCertificateValidatorImpl endpointCertificateValidator = new EndpointCertificateValidatorImpl(secretStore, clock);
EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateMock, endpointCertificateValidator);
List<String> expectedSans = List.of(
- "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.public.vespa.oath.cloud",
- "default.default.global.public.vespa.oath.cloud",
+ "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.vespa-app.cloud",
"default.default.g.vespa-app.cloud",
- "*.default.default.global.public.vespa.oath.cloud",
"*.default.default.g.vespa-app.cloud",
- "default.default.aws-us-east-1a.public.vespa.oath.cloud",
"default.default.aws-us-east-1a.z.vespa-app.cloud",
- "*.default.default.aws-us-east-1a.public.vespa.oath.cloud",
"*.default.default.aws-us-east-1a.z.vespa-app.cloud",
- "default.default.aws-us-east-1c.test.public.vespa.oath.cloud",
"default.default.aws-us-east-1c.test.z.vespa-app.cloud",
- "*.default.default.aws-us-east-1c.test.public.vespa.oath.cloud",
"*.default.default.aws-us-east-1c.test.z.vespa-app.cloud",
- "default.default.aws-us-east-1c.staging.public.vespa.oath.cloud",
"default.default.aws-us-east-1c.staging.z.vespa-app.cloud",
- "*.default.default.aws-us-east-1c.staging.public.vespa.oath.cloud",
"*.default.default.aws-us-east-1c.staging.z.vespa-app.cloud"
);
Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.empty());
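Review bot: The updated expectation only exercises the flag's default (false) path — the legacy `*.public.vespa.oath.cloud` names are simply deleted from `expectedSans` — so the opt-in branch that keeps the legacy SANs and the legacy CN suffix has no test at all. Add a second case that enables `legacy-endpoint-in-certificate` for the test application through whatever in-memory flag source `tester` exposes and asserts the previous expectation, with both name families present. Without it, a regression in `includeLegacyEndpoint` that drops legacy names even when the flag is set would surface only as hostname-verification failures for an application's clients. The enclosing test method starts before this hunk.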
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index e7441acc203..60ada655b4b 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
@@ -383,6 +383,13 @@ public class Flags {
"Takes effect on restart of Docker container",
APPLICATION_ID);
+ public static final UnboundBooleanFlag LEGACY_ENDPOINT_IN_CERTIFICATE = defineFeatureFlag(
+ "legacy-endpoint-in-certificate", false,
+ List.of("mpolden"), "2021-10-26", "2021-12-01",
+ "Whether to include legacy endpoint names in issued certificates",
+ "Takes effect on deployment through controller",
+ APPLICATION_ID);
+
/** WARNING: public for testing: All flags should be defined in {@link Flags}. */
public static UnboundBooleanFlag defineFeatureFlag(String flagId, boolean defaultValue, List<String> owners,
String createdAt, String expiresAt, String description,
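Review bot: The description `"Whether to include legacy endpoint names in issued certificates"` does not state that the default `false` removes those names from the next certificate issued, which is what an operator needs to know before leaving the flag unset for an application whose clients still use legacy hostnames. Suggest `"Whether to include legacy endpoint names (and the legacy CN suffix) in newly issued certificates; when false, clients using legacy hostnames fail TLS hostname verification after reissue"`. The 2021-12-01 expiry also implies the legacy path disappears entirely when the flag is cleaned up, which is presumably the intent but is worth stating in the PR description.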