author | Øyvind Grønnesby <oyving@verizonmedia.com> | 2021-11-11 12:36:02 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-11 12:36:02 +0100 |
commit | c791b6873d0a8ada38a7f90b45db00e86affe808 (patch) | |
tree | 15c2c7aba0f36e45758bd777025897aff9412983 /config-model | |
parent | 1ceb982f59439e283e64b684a80256e97a740691 (diff) | |
parent | 1133f4d798bcf0df2d1d4474b5e776b49a3fafcd (diff) |
Merge pull request #19928 from vespa-engine/mortent/validate-cloud-secret-store
Validate system can set up cloud secret store
Diffstat (limited to 'config-model')
2 files changed, 30 insertions, 0 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index ca4dccbbbe1..527897a3266 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -283,6 +283,8 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 private void addCloudSecretStore(ApplicationContainerCluster cluster, Element secretStoreElement, DeployState deployState) {
 if ( ! deployState.isHosted()) return;
+ if ( ! cluster.getZone().system().isPublic())
+ throw new RuntimeException("cloud secret store is not supported in non-public system, please see documentation");
 CloudSecretStore cloudSecretStore = new CloudSecretStore();
 Map<String, TenantSecretStore> secretStoresByName = deployState.getProperties().tenantSecretStores()
 .stream()
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index bd0d62c70a7..5516c74f9a6 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
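Review bot: The new guard in addCloudSecretStore throws a bare `RuntimeException`, which makes a deployer's configuration mistake surface as an internal failure rather than an invalid-application error; if this code base follows the usual config-model convention of reporting package validation failures as `IllegalArgumentException`, as I believe it does, the line should read `throw new IllegalArgumentException("cloud secret store is not supported in non-public system, please see documentation");` with the expectation in the new test updated to match. The message also refers to "documentation" without saying which page, so naming the secret-store section would save the deployer a search. Rejecting the store before any CloudSecretStore is constructed is the right fail-closed order, and placing the check after the hosted guard keeps self-hosted deployments unaffected. The body of addCloudSecretStore continues past the hunk.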
@@ -797,6 +797,34 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
 }
 @Test
+ public void cloud_secret_store_fails_to_set_up_in_non_public_zone() {
+ try {
+ Element clusterElem = DomBuilderTest.parse(
+ "<container version='1.0'>",
+ " <secret-store type='cloud'>",
+ " <store id='store'>",
+ " <aws-parameter-store account='store1' region='eu-north-1'/>",
+ " </store>",
+ " </secret-store>",
+ "</container>");
+
+ DeployState state = new DeployState.Builder()
+ .properties(
+ new TestProperties()
+ .setHostedVespa(true)
+ .setTenantSecretStores(List.of(new TenantSecretStore("store1", "1234", "role", Optional.of("externalid")))))
+ .zone(new Zone(SystemName.main, Environment.prod, RegionName.defaultName()))
+ .build();
+ createModel(root, state, null, clusterElem);
+ } catch (RuntimeException e) {
+ assertEquals("cloud secret store is not supported in non-public system, please see documentation",
+ e.getMessage());
+ return;
+ }
+ fail();
+ }
+
+ @Test
 public void missing_security_clients_pem_fails_in_public() {
 Element clusterElem = DomBuilderTest.parse("<container version='1.0' />"); |