summaryrefslogtreecommitdiffstats
path: root/config-model
diff options
context:
space:
mode:
authorMorten Tokle <mortent@verizonmedia.com>2021-11-09 14:16:23 +0100
committerMorten Tokle <mortent@verizonmedia.com>2021-11-11 11:02:01 +0100
commit1133f4d798bcf0df2d1d4474b5e776b49a3fafcd (patch)
tree5b3f8474c882dfb39a162239e595a485b24e42ab /config-model
parent0b220e542f0e326e59e6f39af0400718726be871 (diff)
Validate system can set up cloud secret store
Diffstat (limited to 'config-model')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java2
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java28
2 files changed, 30 insertions, 0 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 39d4d7ec6c8..835a1c96c6b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -281,6 +281,8 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
private void addCloudSecretStore(ApplicationContainerCluster cluster, Element secretStoreElement, DeployState deployState) {
if ( ! deployState.isHosted()) return;
+ if ( ! cluster.getZone().system().isPublic())
+ throw new RuntimeException("cloud secret store is not supported in non-public system, please see documentation");
CloudSecretStore cloudSecretStore = new CloudSecretStore();
Map<String, TenantSecretStore> secretStoresByName = deployState.getProperties().tenantSecretStores()
.stream()
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index be6d8ca5d0a..dadacf00405 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -796,6 +796,34 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
}
@Test
+ public void cloud_secret_store_fails_to_set_up_in_non_public_zone() {
+ try {
+ Element clusterElem = DomBuilderTest.parse(
+ "<container version='1.0'>",
+ " <secret-store type='cloud'>",
+ " <store id='store'>",
+ " <aws-parameter-store account='store1' region='eu-north-1'/>",
+ " </store>",
+ " </secret-store>",
+ "</container>");
+
+ DeployState state = new DeployState.Builder()
+ .properties(
+ new TestProperties()
+ .setHostedVespa(true)
+ .setTenantSecretStores(List.of(new TenantSecretStore("store1", "1234", "role", Optional.of("externalid")))))
+ .zone(new Zone(SystemName.main, Environment.prod, RegionName.defaultName()))
+ .build();
+ createModel(root, state, null, clusterElem);
+ } catch (RuntimeException e) {
+ assertEquals("cloud secret store is not supported in non-public system, please see documentation",
+ e.getMessage());
+ return;
+ }
+ fail();
+ }
+
+ @Test
public void missing_security_clients_pem_fails_in_public() {
Element clusterElem = DomBuilderTest.parse("<container version='1.0' />");