author | Morten Tokle <mortent@verizonmedia.com> | 2020-01-15 08:50:25 +0100 |
committer | GitHub <noreply@github.com> | 2020-01-15 08:50:25 +0100 |
commit | e42294b01c863ca4ba0986f3e52f568dd746f797 (patch) | |
tree | 6c9c563e7555afc7f790af121e99e47197135acb /config-model | |
parent | 0a84d6fd6f9ea6ebb2eb584a0f207a0e8b5093ec (diff) | |
parent | a1965885a22238c3eb9370c2532a90b302e954f5 (diff) |
Merge pull request #11789 from vespa-engine/bjorncs/additional-container-port-hosted-4443
Always add container port 4443 in hosted Vespa
Diffstat (limited to 'config-model')
2 files changed, 46 insertions, 17 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index d00ce3974fa..7a08a3c1a7b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.model.container.http.ssl;
 import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.jdisc.http.ConnectorConfig;
 import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
+import com.yahoo.vespa.model.container.component.SimpleComponent;
 import com.yahoo.vespa.model.container.http.ConnectorFactory;
 
 import java.util.List;
@@ -19,16 +20,33 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 
     private final boolean enforceClientAuth;
 
-    public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets) {
-        this(serverName, tlsSecrets, null, false);
+    /**
+     * Create connector factory that uses a certificate provided by the config-model / configserver.
+     */
+    public static HostedSslConnectorFactory withProvidedCertificate(String serverName, TlsSecrets tlsSecrets) {
+        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, /*tlsCaCertificates*/null), false);
     }
 
-    public HostedSslConnectorFactory(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates, boolean enforceClientAuth) {
-        super("tls4443", 4443, createSslProvider(serverName, tlsSecrets, tlsCaCertificates));
+    /**
+     * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application.
+     */
+    public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
+        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, tlsSecrets, tlsCaCertificates), true);
+    }
+
+    /**
+     * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
+     */
+    public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) {
+        return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true);
+    }
+
+    private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
+        super("tls4443", 4443, sslProviderComponent);
         this.enforceClientAuth = enforceClientAuth;
     }
 
-    private static ConfiguredDirectSslProvider createSslProvider(
+    private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
             String serverName, TlsSecrets tlsSecrets, String tlsCaCertificates) {
         return new ConfiguredDirectSslProvider(
                 serverName,
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 0f808988a15..d749cdc465e 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -12,6 +12,7 @@ import com.yahoo.config.application.api.DeploymentSpec;
 import com.yahoo.config.model.ConfigModelContext;
 import com.yahoo.config.model.api.ConfigServerSpec;
 import com.yahoo.config.model.api.ContainerEndpoint;
+import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.config.model.application.provider.IncludeDirs;
 import com.yahoo.config.model.builder.xml.ConfigModelBuilder;
 import com.yahoo.config.model.builder.xml.ConfigModelId;
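Review bot: The Javadoc on the three new factory methods says where the server certificate comes from but not the client-authentication posture each one produces, which is the security-relevant difference between them: `withProvidedCertificate` passes `enforceClientAuth=false` and a null CA bundle, while `withProvidedCertificateAndTruststore` and `withDefaultCertificateAndTruststore` pass `true`. A caller choosing a factory needs that stated, so I would add to the first Javadoc `* Client certificates are not enforced on the resulting connector (enforceClientAuth is false); the data plane must be protected by other means.` and to the third `* Client certificate enforcement is enabled; the trusted CAs presumably come from the Vespa-global TLS configuration that DefaultSslProvider reads - confirm.` How `enforceClientAuth` is mapped onto `ClientAuth` happens in code outside this hunk, so the exact mode (want vs. need) should be checked there before the wording is finalised. As a style point, the `"tls4443"`/`4443` pair in the private constructor could become `private static final int HOSTED_TLS_PORT = 4443;` now that the PR title treats the port as a fixed contract.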
@@ -314,17 +315,33 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         if (httpElement != null) {
             cluster.setHttp(buildHttp(deployState, cluster, httpElement));
         }
+        if (deployState.isHosted()) {
+            addAdditionalHostedConnector(deployState, cluster);
+        }
+    }
+
+    private void addAdditionalHostedConnector(DeployState deployState, ApplicationContainerCluster cluster) {
+        addImplicitHttpIfNotPresent(cluster);
+        JettyHttpServer server = cluster.getHttp().getHttpServer();
+        String serverName = server.getComponentId().getName();
+
         // If the deployment contains certificate/private key reference, setup TLS port
         if (deployState.tlsSecrets().isPresent()) {
-            addTlsPort(deployState, cluster);
+            boolean authorizeClient = deployState.zone().system().isPublic();
+            if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
+                throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/security-model#data-plane");
+            }
+            TlsSecrets tlsSecrets = deployState.tlsSecrets().get();
+            HostedSslConnectorFactory connectorFactory = authorizeClient
+                    ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, tlsSecrets, deployState.tlsClientAuthority().get())
+                    : HostedSslConnectorFactory.withProvidedCertificate(serverName, tlsSecrets);
+            server.addConnector(connectorFactory);
+        } else {
+            server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName));
         }
     }
 
-    private void addTlsPort(DeployState deployState, ApplicationContainerCluster cluster) {
-        boolean authorizeClient = deployState.zone().system().isPublic();
-        if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
-            throw new RuntimeException("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/security-model#data-plane");
-        }
+    private static void addImplicitHttpIfNotPresent(ApplicationContainerCluster cluster) {
         if(cluster.getHttp() == null) {
             Http http = new Http(Collections.emptyList());
             http.setFilterChains(new FilterChains(cluster));
@@ -335,12 +352,6 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
             cluster.getHttp().setHttpServer(defaultHttpServer);
             defaultHttpServer.addConnector(new ConnectorFactory("SearchServer", Defaults.getDefaults().vespaWebServicePort()));
         }
-        JettyHttpServer server = cluster.getHttp().getHttpServer();
-        String serverName = server.getComponentId().getName();
-        HostedSslConnectorFactory connectorFactory = authorizeClient
-                ? new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get(), deployState.tlsClientAuthority().get(), true)
-                : new HostedSslConnectorFactory(serverName, deployState.tlsSecrets().get());
-        server.addConnector(connectorFactory);
     }
 
     private Http buildHttp(DeployState deployState, ApplicationContainerCluster cluster, Element httpElement) {
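Review bot: The two branches of `addAdditionalHostedConnector` end up with different client-authentication behaviour and only the first is commented: with an application-provided certificate in a non-public system the connector comes from `withProvidedCertificate`, which the factory in this same PR constructs with `enforceClientAuth=false`, whereas the no-certificate branch always uses `withDefaultCertificateAndTruststore`, constructed with `true`. If that asymmetry is intended it should be stated at the decision point, e.g. above `boolean authorizeClient = ...` add `// Client certificates are only required in public systems; confirm non-public systems are covered by other controls` and above the `else` add `// No application-provided certificate: fall back to Vespa-global TLS material, which always requires a client certificate`. The missing-`clients.pem` check throws a bare `RuntimeException`; since this is an invalid application package, `IllegalArgumentException` with the same message would be the conventional type. `addImplicitHttpIfNotPresent` starts in this hunk but its body continues past the hunk's end.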