authorMartin Polden <mpolden@mpolden.no>2023-07-06 14:46:07 +0200
committerMartin Polden <mpolden@mpolden.no>2023-07-06 15:04:03 +0200
commit35cde94db752bfba089c3ced946eb3ec31476f71 (patch)
tree05ff8bf87df8b29d89a503d1554765962b3891ba
parent2a1142cbeda0361761a16b4c5293de67f67edee1 (diff)
Re-assign existing certificate from pool
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java3
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java9
2 files changed, 11 insertions, 1 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
index 5d0ee7b74c5..052d70e92bc 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
@@ -115,8 +115,9 @@ public class EndpointCertificates {
// certificate because application endpoints can span instances
Optional<InstanceName> instanceName = zone.environment().isManuallyDeployed() ? Optional.of(instance.name()) : Optional.empty();
TenantAndApplicationId application = TenantAndApplicationId.from(instance.id());
+ // Re-use existing certificate if it contains a randomized ID
Optional<AssignedCertificate> assignedCertificate = curator.readAssignedCertificate(application, instanceName);
- if (assignedCertificate.isPresent()) {
+ if (assignedCertificate.isPresent() && assignedCertificate.get().certificate().randomizedId().isPresent()) {
AssignedCertificate updated = assignedCertificate.get().with(assignedCertificate.get().certificate().withLastRequested(clock.instant().getEpochSecond()));
curator.writeAssignedCertificate(updated);
return updated.certificate();
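Review bot: The new condition on the `if` line makes an assigned certificate without a randomized ID fall through instead of being returned, but nothing in the hunk states what then happens to that still-assigned certificate or who retires it; the test file's comment says EndpointCertificateMaintainer eventually cleans it up, and that dependency belongs in the main code rather than only in a test. I would widen the added comment to `// Re-use existing certificate if it contains a randomized ID. An assigned certificate without one is left in place and replaced by a pooled one; EndpointCertificateMaintainer is responsible for cleaning it up`. It is also worth confirming that when the randomized-endpoint flag is off, an instance whose assigned certificate has no randomized ID does not now re-request a certificate from the provider on every call, since this branch no longer short-circuits for it; the remainder of the method is outside the hunk. The three `assignedCertificate.get()` chains read more cleanly as `Optional<AssignedCertificate> reusable = assignedCertificate.filter(c -> c.certificate().randomizedId().isPresent());` followed by `if (reusable.isPresent()) { AssignedCertificate updated = reusable.get().with(...); ... }`. The enclosing method starts before and continues after this hunk.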
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
index 9c84ab48229..f151b90d760 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
@@ -45,6 +45,7 @@ import java.util.Set;
import java.util.stream.Stream;
import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
@@ -290,6 +291,12 @@ public class EndpointCertificatesTest {
@Test
public void assign_certificate_from_pool() {
+ // Initial certificate is requested directly from provider
+ Optional<EndpointCertificate> certFromProvider = endpointCertificates.get(instance, prodZone, DeploymentSpec.empty);
+ assertTrue(certFromProvider.isPresent());
+ assertFalse(certFromProvider.get().randomizedId().isPresent());
+
+ // Pooled certificates become available
tester.flagSource().withBooleanFlag(Flags.RANDOMIZED_ENDPOINT_NAMES.id(), true);
try {
addCertificateToPool("pool-cert-1", UnassignedCertificate.State.requested);
@@ -297,6 +304,8 @@ public class EndpointCertificatesTest {
fail("Expected exception as certificate is not ready");
} catch (IllegalArgumentException ignored) {}
+ // Certificate is assigned from pool instead. The previously assigned certificate will eventually be cleaned up
+ // by EndpointCertificateMaintainer
{ // prod
String certId = "pool-cert-1";
addCertificateToPool(certId, UnassignedCertificate.State.ready);