authorjonmv <venstad@gmail.com>2024-06-11 14:10:27 +0200
committerjonmv <venstad@gmail.com>2024-06-11 14:10:27 +0200
commit432147917f01a02a05495c24ec38be10df23ef03 (patch)
treee5c99a226aba168cab266b7c6dbed9157804e596 /config-model/src/main/java/com
parent2d3cd6957ffe77302019d22f676a3a6d7346ef5f (diff)
Make it possible to launch an Athenz service in public
Diffstat (limited to 'config-model/src/main/java/com')
-rw-r--r--config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java7
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java78
2 files changed, 54 insertions, 31 deletions
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
index 5b144f5950a..c2d6adddeed 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -85,6 +85,7 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
private boolean logserverOtelCol = false;
private boolean symmetricPutAndActivateReplicaSelection = false;
private boolean enforceStrictlyIncreasingClusterStateVersions = false;
+ private boolean launchApplicationAthenzService = false;
@Override public ModelContext.FeatureFlags featureFlags() { return this; }
@Override public boolean multitenant() { return multitenant; }
@@ -144,6 +145,7 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
@Override public boolean logserverOtelCol() { return logserverOtelCol; }
@Override public boolean symmetricPutAndActivateReplicaSelection() { return symmetricPutAndActivateReplicaSelection; }
@Override public boolean enforceStrictlyIncreasingClusterStateVersions() { return enforceStrictlyIncreasingClusterStateVersions; }
+ @Override public boolean launchApplicationAthenzService() { return launchApplicationAthenzService; }
public TestProperties sharedStringRepoNoReclaim(boolean sharedStringRepoNoReclaim) {
this.sharedStringRepoNoReclaim = sharedStringRepoNoReclaim;
@@ -389,6 +391,11 @@ public class TestProperties implements ModelContext.Properties, ModelContext.Fea
return this;
}
+ public TestProperties setLaunchApplicationAthenzService(boolean launch) {
+ this.launchApplicationAthenzService = launch;
+ return this;
+ }
+
public static class Spec implements ConfigServerSpec {
private final String hostName;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index d3f5407b0f9..4995c20b985 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -140,6 +140,8 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
// Default path to vip status file for container in Hosted Vespa.
static final String HOSTED_VESPA_STATUS_FILE = Defaults.getDefaults().underVespaHome("var/vespa/load-balancer/status.html");
+ static final String HOSTED_VESPA_TENANT_PARENT_DOMAIN = "vespa.tenant.";
+
//Path to vip status file for container in Hosted Vespa. Only used if set, else use HOSTED_VESPA_STATUS_FILE
private static final String HOSTED_VESPA_STATUS_FILE_SETTING = "VESPA_LB_STATUS_FILE";
@@ -235,6 +237,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
// Must be added after nodes:
addDeploymentSpecConfig(cluster, context, deployState.getDeployLogger());
addZooKeeper(cluster, spec);
+ addAthenzServiceIdentityProvider(cluster, context, deployState.getDeployLogger());
addParameterStoreValidationHandler(cluster, deployState);
}
@@ -344,6 +347,20 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
cluster.addComponent(cloudSecretStore);
}
+ private void addAthenzServiceIdentityProvider(ApplicationContainerCluster cluster, ConfigModelContext context, DeployLogger deployLogger) {
+ if ( ! context.getDeployState().isHosted()) return;
+ if ( ! context.getDeployState().zone().system().isPublic()) return; // Non-public is handled by deployment spec config.
+ if ( ! context.properties().launchApplicationAthenzService()) return;
+ addIdentityProvider(cluster,
+ context.getDeployState().getProperties().configServerSpecs(),
+ context.getDeployState().getProperties().loadBalancerName(),
+ context.getDeployState().getProperties().ztsUrl(),
+ context.getDeployState().getProperties().athenzDnsSuffix(),
+ context.getDeployState().zone(),
+ AthenzDomain.from(HOSTED_VESPA_TENANT_PARENT_DOMAIN + context.properties().applicationId().tenant().value()),
+ AthenzService.from(context.properties().applicationId().application().value()));
+ }
+
private void addDeploymentSpecConfig(ApplicationContainerCluster cluster, ConfigModelContext context, DeployLogger deployLogger) {
if ( ! context.getDeployState().isHosted()) return;
DeploymentSpec deploymentSpec = app.getDeploymentSpec();
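Review bot: The `deployLogger` parameter of `addAthenzServiceIdentityProvider` (first added line of this hunk) is never used in the body; either drop it from the signature and from the call site added in the earlier hunk, or use it to log that a public-zone service identity is being provisioned for the cluster, since an identity change that leaves no trace in the deploy log is hard to audit later. The method also reads configuration through two accessors, `context.properties()` and `context.getDeployState().getProperties()`; using one consistently makes it easier to see that every input to the identity comes from config-server properties rather than from the application package. If `addDeploymentSpecConfig`, which runs immediately before this call, can also reach `addIdentityProvider` for a public system, both paths would register the `IdentityProvider` and `ServiceIdentityProviderProvider` components on the same cluster; the comment on the second guard suggests it cannot, but that assumption is not enforced anywhere visible in the hunk. A comment above the `addIdentityProvider` call would document the key invariant for future readers: `// Identity is fixed to vespa.tenant.<tenant> / <application>, derived from the application id — never from deployment.xml.`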
@@ -1295,37 +1312,36 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
}
}
- private void addIdentityProvider(ApplicationContainerCluster cluster,
- List<ConfigServerSpec> configServerSpecs,
- HostName loadBalancerName,
- URI ztsUrl,
- String athenzDnsSuffix,
- Zone zone,
- DeploymentSpec spec) {
- spec.athenzDomain()
- .ifPresent(domain -> {
- AthenzService service = spec.athenzService(app.getApplicationId().instance(), zone.environment(), zone.region())
- .orElseThrow(() -> new IllegalArgumentException("Missing Athenz service configuration in instance '" +
- app.getApplicationId().instance() + "'"));
- String zoneDnsSuffix = zone.environment().value() + "-" + zone.region().value() + "." + athenzDnsSuffix;
- IdentityProvider identityProvider = new IdentityProvider(domain,
- service,
- getLoadBalancerName(loadBalancerName, configServerSpecs),
- ztsUrl,
- zoneDnsSuffix,
- zone);
-
- // Replace AthenzIdentityProviderProvider
- cluster.removeComponent(ComponentId.fromString("com.yahoo.container.jdisc.AthenzIdentityProviderProvider"));
- cluster.addComponent(identityProvider);
-
- var serviceIdentityProviderProvider = "com.yahoo.vespa.athenz.identityprovider.client.ServiceIdentityProviderProvider";
- cluster.addComponent(new SimpleComponent(new ComponentModel(serviceIdentityProviderProvider, serviceIdentityProviderProvider, "vespa-athenz")));
-
- cluster.getContainers().forEach(container -> {
- container.setProp("identity.domain", domain.value());
- container.setProp("identity.service", service.value());
- });
+ private void addIdentityProvider(ApplicationContainerCluster cluster, List<ConfigServerSpec> configServerSpecs, HostName loadBalancerName,
+ URI ztsUrl, String athenzDnsSuffix, Zone zone, DeploymentSpec spec) {
+ spec.athenzDomain().ifPresent(domain -> {
+ AthenzService service = spec.athenzService(app.getApplicationId().instance(), zone.environment(), zone.region())
+ .orElseThrow(() -> new IllegalArgumentException("Missing Athenz service configuration in instance '" +
+ app.getApplicationId().instance() + "'"));
+ addIdentityProvider(cluster, configServerSpecs, loadBalancerName, ztsUrl, athenzDnsSuffix, zone, domain, service);
+ });
+ }
+
+ private void addIdentityProvider(ApplicationContainerCluster cluster, List<ConfigServerSpec> configServerSpecs, HostName loadBalancerName,
+ URI ztsUrl, String athenzDnsSuffix, Zone zone, AthenzDomain domain, AthenzService service) {
+ String zoneDnsSuffix = zone.environment().value() + "-" + zone.region().value() + "." + athenzDnsSuffix;
+ IdentityProvider identityProvider = new IdentityProvider(domain,
+ service,
+ getLoadBalancerName(loadBalancerName, configServerSpecs),
+ ztsUrl,
+ zoneDnsSuffix,
+ zone);
+
+ // Replace AthenzIdentityProviderProvider
+ cluster.removeComponent(ComponentId.fromString("com.yahoo.container.jdisc.AthenzIdentityProviderProvider"));
+ cluster.addComponent(identityProvider);
+
+ var serviceIdentityProviderProvider = "com.yahoo.vespa.athenz.identityprovider.client.ServiceIdentityProviderProvider";
+ cluster.addComponent(new SimpleComponent(new ComponentModel(serviceIdentityProviderProvider, serviceIdentityProviderProvider, "vespa-athenz")));
+
+ cluster.getContainers().forEach(container -> {
+ container.setProp("identity.domain", domain.value());
+ container.setProp("identity.service", service.value());
});
}