Merge pull request #17170 from vespa-engine/mortent/secret-store-syntax

New syntax for cloud secret store
author: Morten Tokle <mortent@verizonmedia.com> 2021-03-25 10:59:23 +0100
committer: GitHub <noreply@github.com> 2021-03-25 10:59:23 +0100
commit: b855dfed18dcc292c510d38f2bbd91cb6fc5c4fe (patch)
tree: e72b0a9560dacbc80a0115df1780c66d5f419000 /config-model
parent: 0623ccf5d2f1c32e6e9db61d0f1e187686ec3501 (diff)
parent: 42b41fa23d421f8957ada3002e6ca82572e08ae7 (diff)
4 files changed, 27 insertions, 13 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 19141bd1f4d..1cee722feaf 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -281,19 +281,19 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
                         TenantSecretStore::getName,
                         store -> store
                 ));
-
-        for (Element group : XML.getChildren(secretStoreElement, "aws-parameter-store")) {
-            String name = group.getAttribute("name");
-            String region = group.getAttribute("region");
-            TenantSecretStore secretStore = secretStoresByName.get(name);
+        Element store = XML.getChild(secretStoreElement, "store");
+        for (Element group : XML.getChildren(store, "aws-parameter-store")) {
+            String account = group.getAttribute("account");
+            String region = group.getAttribute("aws-region");
+            TenantSecretStore secretStore = secretStoresByName.get(account);
 
             if (secretStore == null)
-                throw new RuntimeException("No configured secret store named " + name);
+                throw new RuntimeException("No configured secret store named " + account);
 
             if (secretStore.getExternalId().isEmpty())
                 throw new RuntimeException("No external ID has been set");
 
-            cloudSecretStore.addConfig(name, region, secretStore.getAwsId(), secretStore.getRole(), secretStore.getExternalId().get());
+            cloudSecretStore.addConfig(account, region, secretStore.getAwsId(), secretStore.getRole(), secretStore.getExternalId().get());
         }
 
         cluster.addComponent(cloudSecretStore);
diff --git a/config-model/src/main/resources/schema/containercluster.rnc b/config-model/src/main/resources/schema/containercluster.rnc
index 9313d91ea55..39df939f78c 100644
--- a/config-model/src/main/resources/schema/containercluster.rnc
+++ b/config-model/src/main/resources/schema/containercluster.rnc
@@ -91,10 +91,13 @@ SecretStore = element secret-store {
       attribute name { string } &
       attribute environment { string "alpha" | string "corp" | string "prod" | string "aws" | string "aws_stage" }
     } * &
-    element aws-parameter-store {
-      attribute name { string } &
-      attribute region { string }
-    } *
+    element store {
+      attribute id { string } &
+      element aws-parameter-store {
+        attribute account { string } &
+        attribute aws-region { string }
+      } *
+    }?
 }
 
 ZooKeeper = element zookeeper {
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index 7082720f721..7f862afa1b0 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -728,7 +728,9 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
         Element clusterElem = DomBuilderTest.parse(
                 "<container version='1.0'>",
                 "  <secret-store type='cloud'>",
-                "    <aws-parameter-store name='store1' region='eu-north-1'/>",
+                "    <store id='store'>",
+                "      <aws-parameter-store account='store1' region='eu-north-1'/>",
+                "    </store>",
                 "  </secret-store>",
                 "</container>");
         try {
@@ -749,7 +751,9 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
         Element clusterElem = DomBuilderTest.parse(
                 "<container version='1.0'>",
                 "  <secret-store type='cloud'>",
-                "    <aws-parameter-store name='store1' region='eu-north-1'/>",
+                "    <store id='store'>",
+                "      <aws-parameter-store account='store1' region='eu-north-1'/>",
+                "    </store>",
                 "  </secret-store>",
                 "</container>");
 
diff --git a/config-model/src/test/schema-test-files/services.xml b/config-model/src/test/schema-test-files/services.xml
index d37000b1ff7..db1e6c29586 100644
--- a/config-model/src/test/schema-test-files/services.xml
+++ b/config-model/src/test/schema-test-files/services.xml
@@ -244,4 +244,11 @@
     </nodes>
   </container>
 
+  <container id='qrsCluster_2' version='1.0'>
+    <secret-store type="cloud">
+      <store id="foo">
+        <aws-parameter-store account="foo" aws-region="us-east-1"/>
+      </store>
+    </secret-store>
+  </container>
 </services>
author	Morten Tokle <mortent@verizonmedia.com>	2021-03-25 10:59:23 +0100
committer	GitHub <noreply@github.com>	2021-03-25 10:59:23 +0100
commit	b855dfed18dcc292c510d38f2bbd91cb6fc5c4fe (patch)
tree	e72b0a9560dacbc80a0115df1780c66d5f419000 /config-model
parent	0623ccf5d2f1c32e6e9db61d0f1e187686ec3501 (diff)
parent	42b41fa23d421f8957ada3002e6ca82572e08ae7 (diff)