author | Morten Tokle <mortent@verizonmedia.com> | 2021-11-09 14:16:23 +0100 |
---|---|---|
committer | Morten Tokle <mortent@verizonmedia.com> | 2021-11-11 11:02:01 +0100 |
commit | 1133f4d798bcf0df2d1d4474b5e776b49a3fafcd (patch) | |
tree | 5b3f8474c882dfb39a162239e595a485b24e42ab /config-model | |
parent | 0b220e542f0e326e59e6f39af0400718726be871 (diff) |
Validate system can set up cloud secret store
Diffstat (limited to 'config-model')
2 files changed, 30 insertions, 0 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 39d4d7ec6c8..835a1c96c6b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -281,6 +281,8 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
     private void addCloudSecretStore(ApplicationContainerCluster cluster, Element secretStoreElement, DeployState deployState) {
         if ( ! deployState.isHosted()) return;
+        if ( ! cluster.getZone().system().isPublic())
+            throw new RuntimeException("cloud secret store is not supported in non-public system, please see documentation");
         CloudSecretStore cloudSecretStore = new CloudSecretStore();
         Map<String, TenantSecretStore> secretStoresByName = deployState.getProperties().tenantSecretStores()
                 .stream()
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index be6d8ca5d0a..dadacf00405 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
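Review bot: The new guard throws a bare `RuntimeException` for what is a user-side configuration error (an application package requesting a cloud secret store in a system that does not offer one), so a deployer cannot tell it from an internal config-model failure; `throw new IllegalArgumentException("cloud secret store is not supported in non-public system, please see documentation");` keeps it a deploy-time validation error and still satisfies the new test, which catches `RuntimeException`. If the rest of this builder reports invalid services.xml with some other exception type, match that instead. A one-line why-comment above the check would also help, something like `// Cloud secret stores are presumably only backed in public systems; reject at deploy time rather than configure a store with nothing behind it`, adjusted to whatever the documentation actually says. addCloudSecretStore continues past the end of the hunk.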
@@ -796,6 +796,34 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
     }
     @Test
+    public void cloud_secret_store_fails_to_set_up_in_non_public_zone() {
+        try {
+            Element clusterElem = DomBuilderTest.parse(
+                    "<container version='1.0'>",
+                    "  <secret-store type='cloud'>",
+                    "    <store id='store'>",
+                    "      <aws-parameter-store account='store1' region='eu-north-1'/>",
+                    "    </store>",
+                    "  </secret-store>",
+                    "</container>");
+
+            DeployState state = new DeployState.Builder()
+                    .properties(
+                            new TestProperties()
+                                    .setHostedVespa(true)
+                                    .setTenantSecretStores(List.of(new TenantSecretStore("store1", "1234", "role", Optional.of("externalid")))))
+                    .zone(new Zone(SystemName.main, Environment.prod, RegionName.defaultName()))
+                    .build();
+            createModel(root, state, null, clusterElem);
+        } catch (RuntimeException e) {
+            assertEquals("cloud secret store is not supported in non-public system, please see documentation",
+                    e.getMessage());
+            return;
+        }
+        fail();
+    }
+
+    @Test
     public void missing_security_clients_pem_fails_in_public() {
         Element clusterElem = DomBuilderTest.parse("<container version='1.0' />"); |
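Review bot: The try/catch/`fail()` shape of cloud_secret_store_fails_to_set_up_in_non_public_zone hides the cause when it fails: a bare `fail()` reports no reason, and any unrelated RuntimeException thrown by DomBuilderTest.parse or createModel surfaces as a message mismatch with its stack trace discarded. If the test base is on a JUnit version with assertThrows, keep the fixture setup outside the lambda and reduce the check to `RuntimeException e = assertThrows(RuntimeException.class, () -> createModel(root, state, null, clusterElem));` followed by the existing `assertEquals(...)` on `e.getMessage()`; otherwise at least `fail("Expected cloud secret store setup to be rejected in SystemName.main")`. The new test only pins the rejecting case; unless already covered elsewhere in this file, a companion case with the same services.xml in a public system that expects createModel to succeed would show the guard is not too broad, and the neighbouring missing_security_clients_pem_fails_in_public test suggests a public-system fixture is available.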