Revert "Bjorncs/cloud app validation"

author: Harald Musum <musum@verizonmedia.com> 2023-03-24 15:13:50 +0100
committer: GitHub <noreply@github.com> 2023-03-24 15:13:50 +0100
commit: d60659d97428e5d664d9182238f6d32b2406e09b (patch)
tree: 2bd0d3fb99873e1a08d2015cf4ae116f061b060e /config-model
parent: fadc739b1da408c43f565157080461cb645f3399 (diff)
7 files changed, 14 insertions, 159 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
deleted file mode 100644
index 737042a3695..00000000000
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-
-package com.yahoo.vespa.model.application.validation;
-
-import com.yahoo.config.model.deploy.DeployState;
-import com.yahoo.vespa.model.VespaModel;
-import com.yahoo.vespa.model.container.Container;
-import com.yahoo.vespa.model.container.http.JettyHttpServer;
-import com.yahoo.vespa.model.container.http.ssl.ConfiguredDirectSslProvider;
-import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider;
-import com.yahoo.vespa.model.container.xml.ContainerModelBuilder;
-
-import java.util.List;
-
-/**
- * Enforces that Cloud applications cannot
- * 1) override connector specific TLS configuration
- * 2) add additional HTTP connectors
- *
- * @author bjorncs
- */
-public class CloudHttpConnectorValidator extends Validator {
-    @Override
-    public void validate(VespaModel model, DeployState state) {
-        if (!state.isHostedTenantApplication(model.getAdmin().getApplicationType())) return;
-
-        model.getContainerClusters().forEach((__, cluster) -> {
-            var http = cluster.getHttp();
-            if (http == null) return;
-            var connectors = http.getHttpServer().map(JettyHttpServer::getConnectorFactories).orElse(List.of());
-            for (var connector : connectors) {
-                int port = connector.getListenPort();
-                if (!List.of(ContainerModelBuilder.HOSTED_VESPA_DATAPLANE_PORT, Container.BASEPORT).contains(port)) {
-                    throw new IllegalArgumentException(
-                            "Adding additional HTTP connectors is not allowed for Vespa Cloud applications. " +
-                                    "See https://cloud.vespa.ai/en/security/whitepaper.");
-                }
-                var sslProvider = connector.sslProvider();
-                if (!(sslProvider instanceof ConfiguredDirectSslProvider || sslProvider instanceof DefaultSslProvider)) {
-                    throw new IllegalArgumentException(
-                            "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " +
-                                    "See https://cloud.vespa.ai/en/security/guide#data-plane.");
-                }
-            }
-        });
-    }
-}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
index 8d22c7f3f7b..c7a363010b7 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.application.validation;
 
+import com.yahoo.config.application.api.DeployLogger;
 import com.yahoo.config.application.api.ValidationId;
 import com.yahoo.config.application.api.ValidationOverrides;
 import com.yahoo.config.model.api.ConfigChangeAction;
@@ -12,6 +13,7 @@ import com.yahoo.vespa.model.VespaModel;
 import com.yahoo.vespa.model.application.validation.change.CertificateRemovalChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.ChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.CloudAccountChangeValidator;
+import com.yahoo.vespa.model.application.validation.change.ResourcesReductionValidator;
 import com.yahoo.vespa.model.application.validation.change.ConfigValueChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.ContainerRestartValidator;
 import com.yahoo.vespa.model.application.validation.change.ContentClusterRemovalValidator;
@@ -21,11 +23,11 @@ import com.yahoo.vespa.model.application.validation.change.IndexedSearchClusterC
 import com.yahoo.vespa.model.application.validation.change.IndexingModeChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.NodeResourceChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.RedundancyIncreaseValidator;
-import com.yahoo.vespa.model.application.validation.change.ResourcesReductionValidator;
 import com.yahoo.vespa.model.application.validation.change.StartupCommandChangeValidator;
 import com.yahoo.vespa.model.application.validation.change.StreamingSearchClusterChangeValidator;
 import com.yahoo.vespa.model.application.validation.first.RedundancyValidator;
 
+import java.time.Instant;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -86,7 +88,6 @@ public class Validation {
         new CloudDataPlaneFilterValidator().validate(model, deployState);
         new AccessControlFilterExcludeValidator().validate(model, deployState);
         new CloudUserFilterValidator().validate(model, deployState);
-        new CloudHttpConnectorValidator().validate(model, deployState);
 
         additionalValidators.forEach(v -> v.validate(model, deployState));
 
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java
index fab0b29770e..80000e54b1b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java
@@ -94,7 +94,9 @@ public class DomAdminV4Builder extends DomAdminBuilderBase {
     private NodesSpecification createNodesSpecificationForLogserver() {
         DeployState deployState = context.getDeployState();
         if (     deployState.getProperties().useDedicatedNodeForLogserver()
-                && deployState.isHostedTenantApplication(context.getApplicationType()))
+            &&   context.getApplicationType() == ConfigModelContext.ApplicationType.DEFAULT
+            &&   deployState.isHosted()
+            && ! deployState.getProperties().applicationId().instance().isTester())
             return NodesSpecification.dedicated(1, context);
         else
             return NodesSpecification.nonDedicated(1, context);
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java
index 697cfc95039..c76077e6c7b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java
@@ -59,8 +59,6 @@ public class ConnectorFactory extends SimpleComponent implements ConnectorConfig
 
     public void setDefaultResponseFilterChain(ComponentId filterChain) { this.defaultResponseFilterChain = filterChain; }
 
-    public SslProvider sslProvider() { return sslProviderComponent; }
-
     public static class Builder {
         private final String name;
         private final int listenPort;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index b9a644d7480..36d34b99223 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -137,7 +137,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
     static final String HOSTED_VESPA_STATUS_FILE = Defaults.getDefaults().underVespaHome("var/vespa/load-balancer/status.html");
 
     // Data plane port for hosted Vespa
-    public static final int HOSTED_VESPA_DATAPLANE_PORT = 4443;
+    static final int HOSTED_VESPA_DATAPLANE_PORT = 4443;
 
     //Path to vip status file for container in Hosted Vespa. Only used if set, else use HOSTED_VESPA_STATUS_FILE
     private static final String HOSTED_VESPA_STATUS_FILE_SETTING = "VESPA_LB_STATUS_FILE";
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
deleted file mode 100644
index 6a2eed1d21b..00000000000
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidatorTest.java
+++ /dev/null
@@ -1,103 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-
-package com.yahoo.vespa.model.application.validation;
-
-import com.yahoo.config.model.NullConfigModelRegistry;
-import com.yahoo.config.model.deploy.DeployState;
-import com.yahoo.config.model.deploy.TestProperties;
-import com.yahoo.config.model.test.MockApplicationPackage;
-import com.yahoo.vespa.model.VespaModel;
-import org.junit.jupiter.api.Test;
-
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-/**
- * @author bjorncs
- */
-class CloudHttpConnectorValidatorTest {
-
-    private static final String CUSTOM_SSL_ON_8080 =
-            """
-            <server port='8080' id='default'>
-                <ssl>
-                  <private-key-file>/foo/key</private-key-file>
-                  <certificate-file>/foo/cert</certificate-file>
-                </ssl>
-            </server>
-            """;
-
-    private static final String DEFAULT_SSL_ON_8080 =
-            """
-            <server port='8080' id='default'/>
-            """;
-
-    private static final String ADDITIONAL_CONNECTOR =
-            """
-            <server port='8080' id='default'/>
-            <server port='1234' id='custom'/>
-            """;
-
-    @Test
-    void fails_on_custom_ssl_for_cloud_application() {
-        var exception = assertThrows(IllegalArgumentException.class, () -> runValidatorOnApp(true, "", CUSTOM_SSL_ON_8080));
-        var expected = "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " +
-                "See https://cloud.vespa.ai/en/security/guide#data-plane.";
-        assertEquals(expected, exception.getMessage());
-    }
-
-    @Test
-    void allows_custom_ssl_for_infra() {
-        assertDoesNotThrow(() -> runValidatorOnApp(true, " application-type='hosted-infrastructure'", CUSTOM_SSL_ON_8080));
-    }
-
-    @Test
-    void allows_custom_ssl_for_self_hosted() {
-        assertDoesNotThrow(() -> runValidatorOnApp(false, "", CUSTOM_SSL_ON_8080));
-    }
-
-    @Test
-    void fails_on_additional_connectors_for_cloud_application() {
-        var exception = assertThrows(IllegalArgumentException.class, () -> runValidatorOnApp(true, "", ADDITIONAL_CONNECTOR));
-        var expected = "Illegal port 1234 in http server 'custom': Port must be set to 8080"; // Currently fails earlier in model construction
-        assertEquals(expected, exception.getMessage());
-    }
-
-    @Test
-    void allows_additional_connectors_for_self_hosted() {
-        assertDoesNotThrow(() -> runValidatorOnApp(false, "", ADDITIONAL_CONNECTOR));
-    }
-
-    @Test
-    void allows_default_ssl_for_cloud_application() {
-        assertDoesNotThrow(() -> runValidatorOnApp(true, "", DEFAULT_SSL_ON_8080));
-    }
-
-    @Test
-    void allows_default_ssl_for_self_hosted() {
-        assertDoesNotThrow(() -> runValidatorOnApp(false, "", DEFAULT_SSL_ON_8080));
-    }
-
-    private static void runValidatorOnApp(boolean hosted, String appTypeAttribute, String serverXml) throws Exception {
-        String servicesXml = """
-                        <services version='1.0'%s>
-                          <container version='1.0'>
-                            <http>
-                              %s
-                            </http>
-                          </container>
-                        </services>
-                """.formatted(appTypeAttribute, serverXml);
-        var state = new DeployState.Builder()
-                .applicationPackage(
-                        new MockApplicationPackage.Builder()
-                                .withServices(servicesXml)
-                                .build())
-                .properties(new TestProperties().setHostedVespa(hosted))
-                .build();
-        var model = new VespaModel(new NullConfigModelRegistry(), state);
-        new CloudHttpConnectorValidator().validate(model, state);
-    }
-
-}
-\ No newline at end of file
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
index 89cce7feacb..8b1217758ab 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
@@ -243,7 +243,11 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
         Element clusterElem = DomBuilderTest.parse(
                 "<container id='default' version='1.0'>",
                 "    <http>",
-                "        <server port='8080' id='default'>",
+                "        <server port='8080' id='ssl'>",
+                "            <ssl>",
+                "                <private-key-file>/foo/key</private-key-file>",
+                "                <certificate-file>/foo/cert</certificate-file>",
+                "            </ssl>",
                 "        </server>",
                 "    </http>",
                 multiNode,
@@ -268,8 +272,8 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
                 .build();
         MockRoot root = new MockRoot("root", deployState);
         createModel(root, deployState, null, clusterElem);
-        ConnectorConfig sslProvider = root.getConfig(ConnectorConfig.class, "default/http/jdisc-jetty/default");
-        assertFalse(sslProvider.ssl().enabled());
+        ConnectorConfig sslProvider = root.getConfig(ConnectorConfig.class, "default/http/jdisc-jetty/ssl");
+        assertTrue(sslProvider.ssl().enabled());
         assertEquals("", sslProvider.ssl().certificate());
         assertEquals("", sslProvider.ssl().privateKey());
author	Harald Musum <musum@verizonmedia.com>	2023-03-24 15:13:50 +0100
committer	GitHub <noreply@github.com>	2023-03-24 15:13:50 +0100
commit	d60659d97428e5d664d9182238f6d32b2406e09b (patch)
tree	2bd0d3fb99873e1a08d2015cf4ae116f061b060e /config-model
parent	fadc739b1da408c43f565157080461cb645f3399 (diff)