accept and store json endpoint cert metadata on deploy

also refactor from tlsSecretKeys -> several "endpoint certificate" classes
author: andreer <andreer@verizonmedia.com> 2020-01-17 16:59:39 +0100
committer: andreer <andreer@verizonmedia.com> 2020-01-17 16:59:39 +0100
commit: e66e0ba2ccd2b973a13eff8645af66073eba31ed (patch)
tree: 561e155af40992cab549d8a760207af2ff84e9cc /config-model
parent: 0d7939b7036d2b0f8960f43edcafe6eff5051f7a (diff)
10 files changed, 39 insertions, 48 deletions
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java b/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java
index b286b94c699..7c9e930bb4f 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java
@@ -15,7 +15,7 @@ import com.yahoo.config.model.api.ContainerEndpoint;
 import com.yahoo.config.model.api.HostProvisioner;
 import com.yahoo.config.model.api.Model;
 import com.yahoo.config.model.api.ModelContext;
-import com.yahoo.config.model.api.TlsSecrets;
+import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.config.model.api.ValidationParameters;
 import com.yahoo.config.model.application.provider.BaseDeployLogger;
 import com.yahoo.config.model.application.provider.MockFileRegistry;
@@ -255,7 +255,7 @@ public class DeployState implements ConfigDefinitionStore {
 
     public Instant now() { return now; }
 
-    public Optional<TlsSecrets> tlsSecrets() { return properties.tlsSecrets(); }
+    public Optional<EndpointCertificateSecrets> endpointCertificateSecrets() { return properties.endpointCertificateSecrets(); }
 
     public Optional<String> tlsClientAuthority() {
         var caFile = applicationPackage.getClientSecurityFile();
@@ -289,7 +289,6 @@ public class DeployState implements ConfigDefinitionStore {
         private Zone zone = Zone.defaultZone();
         private Instant now = Instant.now();
         private Version wantedNodeVespaVersion = Vtag.currentVersion;
-        private Optional<TlsSecrets> tlsSecrets = Optional.empty();
 
         public Builder applicationPackage(ApplicationPackage applicationPackage) {
             this.applicationPackage = applicationPackage;
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
index cfa61560b29..6d1584ec44c 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -5,7 +5,7 @@ import com.google.common.collect.ImmutableList;
 import com.yahoo.config.model.api.ConfigServerSpec;
 import com.yahoo.config.model.api.ContainerEndpoint;
 import com.yahoo.config.model.api.ModelContext;
-import com.yahoo.config.model.api.TlsSecrets;
+import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.HostName;
 import com.yahoo.config.provision.Zone;
@@ -39,7 +39,7 @@ public class TestProperties implements ModelContext.Properties {
     private boolean useDedicatedNodeForLogserver = false;
     private boolean useAdaptiveDispatch = false;
     private double defaultTermwiseLimit = 1.0;
-    private Optional<TlsSecrets> tlsSecrets = Optional.empty();
+    private Optional<EndpointCertificateSecrets> endpointCertificateSecrets = Optional.empty();
 
 
     @Override public boolean multitenant() { return multitenant; }
@@ -56,7 +56,7 @@ public class TestProperties implements ModelContext.Properties {
     @Override public boolean isFirstTimeDeployment() { return isFirstTimeDeployment; }
     @Override public boolean useAdaptiveDispatch() { return useAdaptiveDispatch; }
     @Override public boolean useDedicatedNodeForLogserver() { return useDedicatedNodeForLogserver; }
-    @Override public Optional<TlsSecrets> tlsSecrets() { return tlsSecrets; }
+    @Override public Optional<EndpointCertificateSecrets> endpointCertificateSecrets() { return endpointCertificateSecrets; }
     @Override public double defaultTermwiseLimit() { return defaultTermwiseLimit; }
 
     public TestProperties setDefaultTermwiseLimit(double limit) {
@@ -95,8 +95,8 @@ public class TestProperties implements ModelContext.Properties {
     }
 
 
-    public TestProperties setTlsSecrets(Optional<TlsSecrets> tlsSecrets) {
-        this.tlsSecrets = tlsSecrets;
+    public TestProperties setEndpointCertificateSecrets(Optional<EndpointCertificateSecrets> endpointCertificateSecrets) {
+        this.endpointCertificateSecrets = endpointCertificateSecrets;
         return this;
     }
 
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/TlsSecretsValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidator.java
index 2f972b8ecb3..f00ad0f0dbb 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/TlsSecretsValidator.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidator.java
@@ -1,17 +1,17 @@
 // Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.application.validation;
 
-import com.yahoo.config.model.api.TlsSecrets;
+import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.config.provision.CertificateNotReadyException;
 import com.yahoo.vespa.model.VespaModel;
 
-public class TlsSecretsValidator extends Validator {
+public class EndpointCertificateSecretsValidator extends Validator {
 
     /** This check is delayed until validation to allow node provisioning to complete while we are waiting for cert */
     @Override
     public void validate(VespaModel model, DeployState deployState) {
-        if (deployState.tlsSecrets().isPresent() && deployState.tlsSecrets().get() == TlsSecrets.MISSING) {
+        if (deployState.endpointCertificateSecrets().isPresent() && deployState.endpointCertificateSecrets().get() == EndpointCertificateSecrets.MISSING) {
             throw new CertificateNotReadyException("TLS enabled, but could not retrieve certificate yet");
         }
     }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
index 4959970d98e..403ca21aafe 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java
@@ -56,7 +56,7 @@ public class Validation {
         new DeploymentSpecValidator().validate(model, deployState);
         new RankingConstantsValidator().validate(model, deployState);
         new SecretStoreValidator().validate(model, deployState);
-        new TlsSecretsValidator().validate(model, deployState);
+        new EndpointCertificateSecretsValidator().validate(model, deployState);
         new AccessControlFilterValidator().validate(model, deployState);
 
         List<ConfigChangeAction> result = Collections.emptyList();
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java
index 5e0dde6161d..efd00528d54 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java
@@ -5,7 +5,6 @@ import com.yahoo.component.ComponentId;
 import com.yahoo.component.ComponentSpecification;
 import com.yahoo.config.FileReference;
 import com.yahoo.config.application.api.ComponentInfo;
-import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.config.model.producer.AbstractConfigProducer;
 import com.yahoo.container.BundlesConfig;
@@ -55,7 +54,6 @@ public final class ApplicationContainerCluster extends ContainerCluster<Applicat
 
     private ContainerModelEvaluation modelEvaluation;
 
-    private Optional<TlsSecrets> tlsSecrets;
     private Optional<String> tlsClientAuthority;
 
     private MbusParams mbusParams;
@@ -65,8 +63,6 @@ public final class ApplicationContainerCluster extends ContainerCluster<Applicat
 
     public ApplicationContainerCluster(AbstractConfigProducer<?> parent, String subId, String name, DeployState deployState) {
         super(parent, subId, name, deployState);
-
-        this.tlsSecrets = deployState.tlsSecrets();
         this.tlsClientAuthority = deployState.tlsClientAuthority();
         restApiGroup = new ConfigProducerGroup<>(this, "rest-api");
         servletGroup = new ConfigProducerGroup<>(this, "servlet");
@@ -205,10 +201,6 @@ public final class ApplicationContainerCluster extends ContainerCluster<Applicat
         }
     }
 
-    public Optional<TlsSecrets> getTlsSecrets() {
-        return tlsSecrets;
-    }
-
     public Optional<String> getTlsClientAuthority() {
         return tlsClientAuthority;
     }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 7a08a3c1a7b..12db3b87243 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -1,7 +1,7 @@
 // Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.container.http.ssl;
 
-import com.yahoo.config.model.api.TlsSecrets;
+import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.jdisc.http.ConnectorConfig;
 import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
 import com.yahoo.vespa.model.container.component.SimpleComponent;
@@ -23,15 +23,15 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
     /**
      * Create connector factory that uses a certificate provided by the config-model / configserver.
      */
-    public static HostedSslConnectorFactory withProvidedCertificate(String serverName, TlsSecrets tlsSecrets) {
-        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, /*tlsCaCertificates*/null), false);
+    public static HostedSslConnectorFactory withProvidedCertificate(String serverName, EndpointCertificateSecrets endpointCertificateSecrets) {
+        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificates*/null), false);
     }
 
     /**
      * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application.
      */
-    public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
-        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, tlsCaCertificates), true);
+    public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) {
+        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, tlsCaCertificates), true);
     }
 
     /**
@@ -47,11 +47,11 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
     }
 
     private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
-            String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+            String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) {
         return new ConfiguredDirectSslProvider(
                 serverName,
-                tlsSecrets.key(),
-                tlsSecrets.certificate(),
+                endpointCertificateSecrets.key(),
+                endpointCertificateSecrets.certificate(),
                 /*caCertificatePath*/null,
                 tlsCaCertificates,
                 ClientAuth.Enum.WANT_AUTH);
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 3da0b01f614..aef2697a5dd 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -13,7 +13,7 @@ import com.yahoo.config.model.ConfigModelContext;
 import com.yahoo.config.model.ConfigModelContext.ApplicationType;
 import com.yahoo.config.model.api.ConfigServerSpec;
 import com.yahoo.config.model.api.ContainerEndpoint;
-import com.yahoo.config.model.api.TlsSecrets;
+import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.config.model.application.provider.IncludeDirs;
 import com.yahoo.config.model.builder.xml.ConfigModelBuilder;
 import com.yahoo.config.model.builder.xml.ConfigModelId;
@@ -327,15 +327,15 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         String serverName = server.getComponentId().getName();
 
         // If the deployment contains certificate/private key reference, setup TLS port
-        if (deployState.tlsSecrets().isPresent()) {
+        if (deployState.endpointCertificateSecrets().isPresent()) {
             boolean authorizeClient = deployState.zone().system().isPublic();
             if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
                 throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/security-model#data-plane");
             }
-            TlsSecrets tlsSecrets = deployState.tlsSecrets().get();
+            EndpointCertificateSecrets endpointCertificateSecrets = deployState.endpointCertificateSecrets().get();
             HostedSslConnectorFactory connectorFactory = authorizeClient
-                    ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, tlsSecrets, deployState.tlsClientAuthority().get())
-                    : HostedSslConnectorFactory.withProvidedCertificate(serverName, tlsSecrets);
+                    ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get())
+                    : HostedSslConnectorFactory.withProvidedCertificate(serverName, endpointCertificateSecrets);
             server.addConnector(connectorFactory);
         } else {
             server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName));
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/TlsSecretsValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidatorTest.java
index cdb4ce955e2..21df39ebde8 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/TlsSecretsValidatorTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/EndpointCertificateSecretsValidatorTest.java
@@ -3,7 +3,7 @@ package com.yahoo.vespa.model.application.validation;
 
 import com.yahoo.config.application.api.ApplicationPackage;
 import com.yahoo.config.model.NullConfigModelRegistry;
-import com.yahoo.config.model.api.TlsSecrets;
+import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.config.model.deploy.TestProperties;
 import com.yahoo.config.model.test.MockApplicationPackage;
@@ -24,7 +24,7 @@ import static org.junit.Assert.assertTrue;
 /**
  * @author andreer
  */
-public class TlsSecretsValidatorTest {
+public class EndpointCertificateSecretsValidatorTest {
     @Rule
     public final ExpectedException exceptionRule = ExpectedException.none();
 
@@ -43,21 +43,21 @@ public class TlsSecretsValidatorTest {
 
     @Test
     public void missing_certificate_fails_validation() throws Exception {
-        DeployState deployState = deployState(servicesXml(), deploymentXml(), Optional.of(TlsSecrets.MISSING));
+        DeployState deployState = deployState(servicesXml(), deploymentXml(), Optional.of(EndpointCertificateSecrets.MISSING));
         VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
 
         exceptionRule.expect(CertificateNotReadyException.class);
         exceptionRule.expectMessage("TLS enabled, but could not retrieve certificate yet");
 
-        new TlsSecretsValidator().validate(model, deployState);
+        new EndpointCertificateSecretsValidator().validate(model, deployState);
     }
 
     @Test
     public void validation_succeeds_with_certificate() throws Exception {
-        DeployState deployState = deployState(servicesXml(), deploymentXml(), Optional.of(new TlsSecrets("cert", "key")));
+        DeployState deployState = deployState(servicesXml(), deploymentXml(), Optional.of(new EndpointCertificateSecrets("cert", "key")));
         VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
 
-        new TlsSecretsValidator().validate(model, deployState);
+        new EndpointCertificateSecretsValidator().validate(model, deployState);
     }
 
     @Test
@@ -65,10 +65,10 @@ public class TlsSecretsValidatorTest {
         DeployState deployState = deployState(servicesXml(), deploymentXml(), Optional.empty());
         VespaModel model = new VespaModel(new NullConfigModelRegistry(), deployState);
 
-        new TlsSecretsValidator().validate(model, deployState);
+        new EndpointCertificateSecretsValidator().validate(model, deployState);
     }
 
-    private static DeployState deployState(String servicesXml, String deploymentXml, Optional<TlsSecrets> tlsSecrets) {
+    private static DeployState deployState(String servicesXml, String deploymentXml, Optional<EndpointCertificateSecrets> endpointCertificateSecretsSecrets) {
         ApplicationPackage app = new MockApplicationPackage.Builder()
                 .withServices(servicesXml)
                 .withDeploymentSpec(deploymentXml)
@@ -79,7 +79,7 @@ public class TlsSecretsValidatorTest {
                 .properties(
                         new TestProperties()
                                 .setHostedVespa(true)
-                                .setTlsSecrets(tlsSecrets));
+                                .setEndpointCertificateSecrets(endpointCertificateSecretsSecrets));
         final DeployState deployState = builder.build();
 
         assertTrue("Test must emulate a hosted deployment.", deployState.isHosted());
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index 5a1befd3eb0..14828a834fb 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -5,7 +5,7 @@ import com.yahoo.component.ComponentId;
 import com.yahoo.config.application.api.ApplicationPackage;
 import com.yahoo.config.model.NullConfigModelRegistry;
 import com.yahoo.config.model.api.ContainerEndpoint;
-import com.yahoo.config.model.api.TlsSecrets;
+import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.config.model.builder.xml.test.DomBuilderTest;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.config.model.deploy.TestProperties;
@@ -670,7 +670,7 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
                     .properties(
                         new TestProperties()
                                 .setHostedVespa(true)
-                                .setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY"))))
+                                .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))))
                     .zone(new Zone(SystemName.Public, Environment.prod, RegionName.defaultName()))
                     .build();
             createModel(root, state, null, clusterElem);
@@ -749,13 +749,13 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
     }
 
     @Test
-    public void requireThatProvidingTlsSecretOpensPort4443() {
+    public void requireThatProvidingEndpointCertificateSecretsOpensPort4443() {
         Element clusterElem = DomBuilderTest.parse(
                 "<container version='1.0'>",
                 nodesXml,
                 "</container>" );
 
-        DeployState state = new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY")))).build();
+        DeployState state = new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).build();
         createModel(root, state, null, clusterElem);
         ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0");
 
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
index 929e520f984..5ef02981662 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
@@ -1,7 +1,7 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.container.xml;
 
-import com.yahoo.config.model.api.TlsSecrets;
+import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.config.model.builder.xml.test.DomBuilderTest;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.config.model.deploy.TestProperties;
@@ -258,7 +258,7 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
                 .properties(
                         new TestProperties()
                                 .setHostedVespa(true)
-                                .setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY"))))
+                                .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))))
                 .modelHostProvisioner(new HostsXmlProvisioner(new StringReader(hostsxml)))
                 .build();
         MockRoot root = new MockRoot("root", deployState);
author	andreer <andreer@verizonmedia.com>	2020-01-17 16:59:39 +0100
committer	andreer <andreer@verizonmedia.com>	2020-01-17 16:59:39 +0100
commit	e66e0ba2ccd2b973a13eff8645af66073eba31ed (patch)
tree	561e155af40992cab549d8a760207af2ff84e9cc /config-model
parent	0d7939b7036d2b0f8960f43edcafe6eff5051f7a (diff)