author | Harald Musum <musum@verizonmedia.com> | 2023-03-24 15:13:50 +0100 |
committer | GitHub <noreply@github.com> | 2023-03-24 15:13:50 +0100 |
commit | d60659d97428e5d664d9182238f6d32b2406e09b (patch) | |
tree | 2bd0d3fb99873e1a08d2015cf4ae116f061b060e /config-model | |
parent | fadc739b1da408c43f565157080461cb645f3399 (diff) |
Revert "Bjorncs/cloud app validation"
Diffstat (limited to 'config-model')
7 files changed, 14 insertions, 159 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
deleted file mode 100644
index 737042a3695..00000000000
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-
-package com.yahoo.vespa.model.application.validation;
-
-import com.yahoo.config.model.deploy.DeployState;
-import com.yahoo.vespa.model.VespaModel;
-import com.yahoo.vespa.model.container.Container;
-import com.yahoo.vespa.model.container.http.JettyHttpServer;
-import com.yahoo.vespa.model.container.http.ssl.ConfiguredDirectSslProvider;
-import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider;
-import com.yahoo.vespa.model.container.xml.ContainerModelBuilder;
-
-import java.util.List;
-
-/**
- * Enforces that Cloud applications cannot
- * 1) override connector specific TLS configuration
- * 2) add additional HTTP connectors
- *
- * @author bjorncs
- */
-public class CloudHttpConnectorValidator extends Validator {
- @Override
- public void validate(VespaModel model, DeployState state) {
- if (!state.isHostedTenantApplication(model.getAdmin().getApplicationType())) return;
-
- model.getContainerClusters().forEach((__, cluster) -> {
- var http = cluster.getHttp();
- if (http == null) return;
- var connectors = http.getHttpServer().map(JettyHttpServer::getConnectorFactories).orElse(List.of());
- for (var connector : connectors) {
- int port = connector.getListenPort();
- if (!List.of(ContainerModelBuilder.HOSTED_VESPA_DATAPLANE_PORT, Container.BASEPORT).contains(port)) {
- throw new IllegalArgumentException(
- "Adding additional HTTP connectors is not allowed for Vespa Cloud applications. " +
- "See https://cloud.vespa.ai/en/security/whitepaper.");
- }
- var sslProvider = connector.sslProvider();
- if (!(sslProvider instanceof ConfiguredDirectSslProvider || sslProvider instanceof DefaultSslProvider)) {
- throw new IllegalArgumentException(
- "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " +
- "See https://cloud.vespa.ai/en/security/guide#data-plane.");
- }
- }
- });
- }
-}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
index 8d22c7f3f7b..c7a363010b7 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.application.validation;
+import com.yahoo.config.application.api.DeployLogger;
 import com.yahoo.config.application.api.ValidationId;
 import com.yahoo.config.application.api.ValidationOverrides;
 import com.yahoo.config.model.api.ConfigChangeAction;
@@ -12,6 +13,7 @@ import com.yahoo.vespa.model.VespaModel;
 import com.yahoo.vespa.model.application.validation.change.CertificateRemovalChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.ChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.CloudAccountChangeValidator;
+import com.yahoo.vespa.model.application.validation.change.ResourcesReductionValidator;
 import com.yahoo.vespa.model.application.validation.change.ConfigValueChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.ContainerRestartValidator;
 import com.yahoo.vespa.model.application.validation.change.ContentClusterRemovalValidator;
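Review bot: The `ResourcesReductionValidator` import added in the second hunk lands between `CloudAccountChangeValidator` and `ConfigValueChangeValidator`, while the third hunk of this file (on the next line) removes the alphabetically placed copy, so the import block ends up unsorted. The same two hunks reintroduce `com.yahoo.config.application.api.DeployLogger` and `java.time.Instant`, and no line visible in these hunks references either, so they may be unused after the revert; a compile-warning or IDE check before landing would settle it. Since this is a revert, restoring the previous file byte-for-byte may be deliberate; if so, a follow-up that re-sorts the imports and drops any unused ones keeps the file clean without widening this change.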
@@ -21,11 +23,11 @@ import com.yahoo.vespa.model.application.validation.change.IndexedSearchClusterC
 import com.yahoo.vespa.model.application.validation.change.IndexingModeChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.NodeResourceChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.RedundancyIncreaseValidator;
-import com.yahoo.vespa.model.application.validation.change.ResourcesReductionValidator;
 import com.yahoo.vespa.model.application.validation.change.StartupCommandChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.StreamingSearchClusterChangeValidator;
 import com.yahoo.vespa.model.application.validation.first.RedundancyValidator;
+import java.time.Instant;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -86,7 +88,6 @@ public class Validation {
 new CloudDataPlaneFilterValidator().validate(model, deployState);
 new AccessControlFilterExcludeValidator().validate(model, deployState);
 new CloudUserFilterValidator().validate(model, deployState);
- new CloudHttpConnectorValidator().validate(model, deployState);
 additionalValidators.forEach(v -> v.validate(model, deployState));
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java
index fab0b29770e..80000e54b1b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java
@@ -94,7 +94,9 @@ public class DomAdminV4Builder extends DomAdminBuilderBase {
 private NodesSpecification createNodesSpecificationForLogserver() {
 DeployState deployState = context.getDeployState();
 if ( deployState.getProperties().useDedicatedNodeForLogserver()
- && deployState.isHostedTenantApplication(context.getApplicationType()))
+ && context.getApplicationType() == ConfigModelContext.ApplicationType.DEFAULT
+ && deployState.isHosted()
+ && ! deployState.getProperties().applicationId().instance().isTester())
 return NodesSpecification.dedicated(1, context);
 else
 return NodesSpecification.nonDedicated(1, context);
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java
index 697cfc95039..c76077e6c7b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java
@@ -59,8 +59,6 @@ public class ConnectorFactory extends SimpleComponent implements ConnectorConfig
 public void setDefaultResponseFilterChain(ComponentId filterChain) { this.defaultResponseFilterChain = filterChain; }
- public SslProvider sslProvider() { return sslProviderComponent; }
-
 public static class Builder {
 private final String name;
 private final int listenPort;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index b9a644d7480..36d34b99223 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
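Review bot: The new-side condition in createNodesSpecificationForLogserver spells out `applicationType == DEFAULT && isHosted() && !instance().isTester()` inline where the removed line delegated to a single `DeployState` query; if the same notion of a hosted tenant application is evaluated anywhere else in the model, keeping it behind one named predicate would stop the copies drifting apart. The tester-instance exclusion is the least obvious of the three terms and the hunk gives no reason for it, so a why-comment above the `if` such as `// A dedicated logserver node is only allocated for hosted tenant applications, never for tester instances` would help the next reader. The method's closing brace is outside the hunk.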
@@ -137,7 +137,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 static final String HOSTED_VESPA_STATUS_FILE = Defaults.getDefaults().underVespaHome("var/vespa/load-balancer/status.html");
 // Data plane port for hosted Vespa
- public static final int HOSTED_VESPA_DATAPLANE_PORT = 4443;
+ static final int HOSTED_VESPA_DATAPLANE_PORT = 4443;
 //Path to vip status file for container in Hosted Vespa. Only used if set, else use HOSTED_VESPA_STATUS_FILE
 private static final String HOSTED_VESPA_STATUS_FILE_SETTING = "VESPA_LB_STATUS_FILE";
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
deleted file mode 100644
index 6a2eed1d21b..00000000000
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
+++ /dev/null
@@ -1,103 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-
-package com.yahoo.vespa.model.application.validation;
-
-import com.yahoo.config.model.NullConfigModelRegistry;
-import com.yahoo.config.model.deploy.DeployState;
-import com.yahoo.config.model.deploy.TestProperties;
-import com.yahoo.config.model.test.MockApplicationPackage;
-import com.yahoo.vespa.model.VespaModel;
-import org.junit.jupiter.api.Test;
-
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-/**
- * @author bjorncs
- */
-class CloudHttpConnectorValidatorTest {
-
- private static final String CUSTOM_SSL_ON_8080 =
- """
- <server port='8080' id='default'>
- <ssl>
- <private-key-file>/foo/key</private-key-file>
- <certificate-file>/foo/cert</certificate-file>
- </ssl>
- </server>
- """;
-
- private static final String DEFAULT_SSL_ON_8080 =
- """
- <server port='8080' id='default'/>
- """;
-
- private static final String ADDITIONAL_CONNECTOR =
- """
- <server port='8080' id='default'/>
- <server port='1234' id='custom'/>
- """;
-
- @Test
- void fails_on_custom_ssl_for_cloud_application() {
- var exception = assertThrows(IllegalArgumentException.class, () -> runValidatorOnApp(true, "", CUSTOM_SSL_ON_8080));
- var expected = "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " +
- "See https://cloud.vespa.ai/en/security/guide#data-plane.";
- assertEquals(expected, exception.getMessage());
- }
-
- @Test
- void allows_custom_ssl_for_infra() {
- assertDoesNotThrow(() -> runValidatorOnApp(true, " application-type='hosted-infrastructure'", CUSTOM_SSL_ON_8080));
- }
-
- @Test
- void allows_custom_ssl_for_self_hosted() {
- assertDoesNotThrow(() -> runValidatorOnApp(false, "", CUSTOM_SSL_ON_8080));
- }
-
- @Test
- void fails_on_additional_connectors_for_cloud_application() {
- var exception = assertThrows(IllegalArgumentException.class, () -> runValidatorOnApp(true, "", ADDITIONAL_CONNECTOR));
- var expected = "Illegal port 1234 in http server 'custom': Port must be set to 8080"; // Currently fails earlier in model construction
- assertEquals(expected, exception.getMessage());
- }
-
- @Test
- void allows_additional_connectors_for_self_hosted() {
- assertDoesNotThrow(() -> runValidatorOnApp(false, "", ADDITIONAL_CONNECTOR));
- }
-
- @Test
- void allows_default_ssl_for_cloud_application() {
- assertDoesNotThrow(() -> runValidatorOnApp(true, "", DEFAULT_SSL_ON_8080));
- }
-
- @Test
- void allows_default_ssl_for_self_hosted() {
- assertDoesNotThrow(() -> runValidatorOnApp(false, "", DEFAULT_SSL_ON_8080));
- }
-
- private static void runValidatorOnApp(boolean hosted, String appTypeAttribute, String serverXml) throws Exception {
- String servicesXml = """
- <services version='1.0'%s>
- <container version='1.0'>
- <http>
- %s
- </http>
- </container>
- </services>
- """.formatted(appTypeAttribute, serverXml);
- var state = new DeployState.Builder()
- .applicationPackage(
- new MockApplicationPackage.Builder()
- .withServices(servicesXml)
- .build())
- .properties(new TestProperties().setHostedVespa(hosted))
- .build();
- var model = new VespaModel(new NullConfigModelRegistry(), state);
- new CloudHttpConnectorValidator().validate(model, state);
- }
-
-}
\ No newline at end of file
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
index 89cce7feacb..8b1217758ab 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
@@ -243,7 +243,11 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
 Element clusterElem = DomBuilderTest.parse(
 "<container id='default' version='1.0'>",
 " <http>",
- " <server port='8080' id='default'>",
+ " <server port='8080' id='ssl'>",
+ " <ssl>",
+ " <private-key-file>/foo/key</private-key-file>",
+ " <certificate-file>/foo/cert</certificate-file>",
+ " </ssl>",
 " </server>",
 " </http>",
 multiNode,
@@ -268,8 +272,8 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
 .build();
 MockRoot root = new MockRoot("root", deployState);
 createModel(root, deployState, null, clusterElem);
- ConnectorConfig sslProvider = root.getConfig(ConnectorConfig.class, "default/http/jdisc-jetty/default");
- assertFalse(sslProvider.ssl().enabled());
+ ConnectorConfig sslProvider = root.getConfig(ConnectorConfig.class, "default/http/jdisc-jetty/ssl");
+ assertTrue(sslProvider.ssl().enabled());
 assertEquals("", sslProvider.ssl().certificate());
 assertEquals("", sslProvider.ssl().privateKey());
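Review bot: The second hunk asserts `sslProvider.ssl().enabled()` is true and, on the unchanged lines right after it, that `certificate()` and `privateKey()` are both empty, which reads as contradictory next to the `<private-key-file>` and `<certificate-file>` elements the first hunk adds to the XML; presumably file-based TLS configuration is carried in other fields of `ConnectorConfig.ssl()` and the inline PEM fields stay blank, but nothing in the test says so. A one-line comment above the two `assertEquals("", …)` lines stating why the inline fields are expected to be empty for file-based configuration would make the intent explicit, and if the config exposes the file-path fields, asserting on them would pin that the added XML actually took effect rather than only that SSL is enabled. The enclosing test method starts before the first hunk and ends after the second.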