authorMorten Tokle <mortent@verizonmedia.com>2020-01-15 08:50:25 +0100
committerGitHub <noreply@github.com>2020-01-15 08:50:25 +0100
commite42294b01c863ca4ba0986f3e52f568dd746f797 (patch)
tree6c9c563e7555afc7f790af121e99e47197135acb /config-model
parent0a84d6fd6f9ea6ebb2eb584a0f207a0e8b5093ec (diff)
parenta1965885a22238c3eb9370c2532a90b302e954f5 (diff)
Merge pull request #11789 from vespa-engine/bjorncs/additional-container-port-hosted-4443
Always add container port 4443 in hosted Vespa
Diffstat (limited to 'config-model')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java28
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java35
2 files changed, 46 insertions, 17 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index d00ce3974fa..7a08a3c1a7b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.model.container.http.ssl;
import com.yahoo.config.model.api.TlsSecrets;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
+import com.yahoo.vespa.model.container.component.SimpleComponent;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
import java.util.List;
@@ -19,16 +20,33 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
private final boolean enforceClientAuth;
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets) {
- this(serverName, tlsSecrets, null, false);
+ /**
+ * Create connector factory that uses a certificate provided by the config-model / configserver.
+ */
+ public static HostedSslConnectorFactory withProvidedCertificate(String serverName, TlsSecrets tlsSecrets) {
+ return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, /*tlsCaCertificates*/null), false);
}
- public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates, boolean enforceClientAuth) {
- super("tls4443", 4443, createSslProvider(serverName, tlsSecrets, tlsCaCertificates));
+ /**
+ * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application.
+ */
+ public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+ return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, tlsCaCertificates), true);
+ }
+
+ /**
+ * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
+ */
+ public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) {
+ return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true);
+ }
+
+ private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
+ super("tls4443", 4443, sslProviderComponent);
this.enforceClientAuth = enforceClientAuth;
}
- private static ConfiguredDirectSslProvider createSslProvider(
+ private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
return new ConfiguredDirectSslProvider(
serverName,
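Review bot: The Javadoc on the three new factory methods never says whether client certificate authentication is enforced, which is the security-relevant difference between them: `withProvidedCertificate` passes `false` for `enforceClientAuth`, while `withProvidedCertificateAndTruststore` and `withDefaultCertificateAndTruststore` pass `true`. A caller choosing the first one presumably gets a 4443 connector that accepts connections without a client certificate, so each Javadoc should state that explicitly, e.g. `* Client certificate authentication is not enforced.` on `withProvidedCertificate` and `* Client certificate authentication is enforced.` on the other two. The private constructor would also benefit from a one-line comment that the connector name and port are fixed (`"tls4443", 4443`) regardless of which factory is used. `createConfiguredDirectSslProvider` continues past the end of the hunk.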
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 0f808988a15..d749cdc465e 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -12,6 +12,7 @@ import com.yahoo.config.application.api.DeploymentSpec;
import com.yahoo.config.model.ConfigModelContext;
import com.yahoo.config.model.api.ConfigServerSpec;
import com.yahoo.config.model.api.ContainerEndpoint;
+import com.yahoo.config.model.api.TlsSecrets;
import com.yahoo.config.model.application.provider.IncludeDirs;
import com.yahoo.config.model.builder.xml.ConfigModelBuilder;
import com.yahoo.config.model.builder.xml.ConfigModelId;
@@ -314,17 +315,33 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
if (httpElement != null) {
cluster.setHttp(buildHttp(deployState, cluster, httpElement));
}
+ if (deployState.isHosted()) {
+ addAdditionalHostedConnector(deployState, cluster);
+ }
+ }
+
+ private void addAdditionalHostedConnector(DeployState deployState, ApplicationContainerCluster cluster) {
+ addImplicitHttpIfNotPresent(cluster);
+ JettyHttpServer server = cluster.getHttp().getHttpServer();
+ String serverName = server.getComponentId().getName();
+
// If the deployment contains certificate/private key reference, setup TLS port
if (deployState.tlsSecrets().isPresent()) {
- addTlsPort(deployState, cluster);
+ boolean authorizeClient = deployState.zone().system().isPublic();
+ if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
+ throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/security-model#data-plane");
+ }
+ TlsSecrets tlsSecrets = deployState.tlsSecrets().get();
+ HostedSslConnectorFactory connectorFactory = authorizeClient
+ ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, tlsSecrets, deployState.tlsClientAuthority().get())
+ : HostedSslConnectorFactory.withProvidedCertificate(serverName, tlsSecrets);
+ server.addConnector(connectorFactory);
+ } else {
+ server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName));
}
}
- private void addTlsPort(DeployState deployState, ApplicationContainerCluster cluster) {
- boolean authorizeClient = deployState.zone().system().isPublic();
- if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
- throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/security-model#data-plane");
- }
+ private static void addImplicitHttpIfNotPresent(ApplicationContainerCluster cluster) {
if(cluster.getHttp() == null) {
Http http = new Http(Collections.emptyList());
http.setFilterChains(new FilterChains(cluster));
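Review bot: The comment `// If the deployment contains certificate/private key reference, setup TLS port` is now misleading, because the new `else` branch also adds a TLS connector on 4443 via `withDefaultCertificateAndTruststore`; the condition now decides which certificate and truststore the port uses, not whether the port exists. Suggest replacing it with `// Port 4443 is always added in hosted: use the application's certificate (with clients.pem client auth in public systems) when present, otherwise Vespa's default certificate and truststore.` and adding a Javadoc on `addAdditionalHostedConnector` that says the same. Since the connector is now added for every hosted deployment rather than only when `tlsSecrets` is present, `server.getComponentId()` relies on `cluster.getHttp().getHttpServer()` being non-null after `addImplicitHttpIfNotPresent`, which only creates an `Http` when none exists at all — if an application-declared `<http>` can lack a server, this would throw an NPE, which is worth confirming. The moved `throw new RuntimeException(...)` for a missing clients.pem reports an application configuration error and would read better as `IllegalArgumentException`. `addImplicitHttpIfNotPresent` continues past the end of the hunk.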
@@ -335,12 +352,6 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
cluster.getHttp().setHttpServer(defaultHttpServer);
defaultHttpServer.addConnector(new ConnectorFactory("SearchServer", Defaults.getDefaults().vespaWebServicePort()));
}
- JettyHttpServer server = cluster.getHttp().getHttpServer();
- String serverName = server.getComponentId().getName();
- HostedSslConnectorFactory connectorFactory = authorizeClient
- ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get(), true)
- : new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get());
- server.addConnector(connectorFactory);
}
private Http buildHttp(DeployState deployState, ApplicationContainerCluster cluster, Element httpElement) {