diff options
author | Morten Tokle <mortent@yahooinc.com> | 2023-09-18 15:51:07 +0200 |
---|---|---|
committer | Morten Tokle <mortent@yahooinc.com> | 2023-09-18 15:51:07 +0200 |
commit | 16a4153953248160093cecedfd0a97777de480e3 (patch) | |
tree | a73ecb99fa50405fa9985a4b1470b9f9b1d4de4f /config-model | |
parent | b3831f1e2ef267c6eab26b1fa865347cc36b1dcc (diff) |
Handle missing tokens when setting up data plane proxy
Diffstat (limited to 'config-model')
-rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java | 60 |
1 files changed, 30 insertions, 30 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java index 9804cb0b10d..d0d039a9dcb 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java @@ -459,7 +459,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { private static void addCloudDataPlaneFilter(DeployState deployState, ApplicationContainerCluster cluster) { if (!deployState.isHosted() || !deployState.zone().system().isPublic()) return; - var dataplanePort = getMtlsDataplanePort(deployState); + var dataplanePort = getMtlsDataplanePort(deployState, cluster); // Setup secure filter chain var secureChain = new HttpFilterChain("cloud-data-plane-secure", HttpFilterChain.Type.SYSTEM); secureChain.addInnerComponent(new CloudDataPlaneFilter(cluster, deployState)); @@ -594,7 +594,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { String serverName = server.getComponentId().getName(); // If the deployment contains certificate/private key reference, setup TLS port - var builder = HostedSslConnectorFactory.builder(serverName, getMtlsDataplanePort(state)) + var builder = HostedSslConnectorFactory.builder(serverName, getMtlsDataplanePort(state, cluster)) .proxyProtocol(true, state.getProperties().featureFlags().enableProxyProtocolMixedMode()) .tlsCiphersOverride(state.getProperties().tlsCiphersOverride()) .endpointConnectionTtl(state.getProperties().endpointConnectionTtl()); @@ -627,23 +627,19 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { private void addCloudTokenSupport(DeployState state, ApplicationContainerCluster cluster) { var server = cluster.getHttp().getHttpServer().get(); + if (!enableTokenSupport(state, cluster)) return; Set<String> tokenEndpoints = tokenEndpoints(state).stream() .map(ContainerEndpoint::names) .flatMap(Collection::stream) .collect(Collectors.toSet()); - - boolean enableTokenSupport = state.isHosted() && state.zone().system().isPublic() - && cluster.getClients().stream().anyMatch(c -> !c.tokens().isEmpty()) - && ! tokenEndpoints.isEmpty(); - if (!enableTokenSupport) return; var endpointCert = state.endpointCertificateSecrets().orElseThrow(); - int tokenPort = getTokenDataplanePort(state).orElseThrow(); + int tokenPort = getTokenDataplanePort(state, cluster).orElseThrow(); // Set up component to generate proxy cert if token support is enabled cluster.addSimpleComponent(DataplaneProxyCredentials.class); cluster.addSimpleComponent(DataplaneProxyService.class); var dataplaneProxy = new DataplaneProxy( - getMtlsDataplanePort(state), + getMtlsDataplanePort(state, cluster), tokenPort, endpointCert.certificate(), endpointCert.key(), @@ -714,7 +710,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { } private Http buildHttp(DeployState deployState, ApplicationContainerCluster cluster, Element httpElement, ConfigModelContext context) { - Http http = new HttpBuilder(portBindingOverride(deployState, context)).build(deployState, cluster, httpElement); + Http http = new HttpBuilder(portBindingOverride(deployState, context, cluster)).build(deployState, cluster, httpElement); if (networking == Networking.disable) http.removeAllServers(); @@ -819,7 +815,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { cluster.addSearchAndDocprocBundles(); addIncludes(processingElement); cluster.setProcessingChains(new DomProcessingBuilder(null).build(deployState, cluster, processingElement), - serverBindings(deployState, context, processingElement, ProcessingChains.defaultBindings).toArray(BindingPattern[]::new)); + serverBindings(deployState, context, processingElement, ProcessingChains.defaultBindings, cluster).toArray(BindingPattern[]::new)); validateAndAddConfiguredComponents(deployState, cluster, processingElement, "renderer", ContainerModelBuilder::validateRendererElement); } @@ -844,7 +840,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { private void addUserHandlers(DeployState deployState, ApplicationContainerCluster cluster, Element spec, ConfigModelContext context) { for (Element component: XML.getChildren(spec, "handler")) { cluster.addComponent( - new DomHandlerBuilder(cluster, portBindingOverride(deployState, context)).build(deployState, cluster, component)); + new DomHandlerBuilder(cluster, portBindingOverride(deployState, context, cluster)).build(deployState, cluster, component)); } } @@ -1132,10 +1128,10 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { private void addSearchHandler(DeployState deployState, ApplicationContainerCluster cluster, Element searchElement, ConfigModelContext context) { var bindingPatterns = List.<BindingPattern>of(SearchHandler.DEFAULT_BINDING); if (isHostedTenantApplication(context)) { - bindingPatterns = SearchHandler.bindingPattern(getDataplanePorts(deployState)); + bindingPatterns = SearchHandler.bindingPattern(getDataplanePorts(deployState, cluster)); } SearchHandler searchHandler = new SearchHandler(cluster, - serverBindings(deployState, context, searchElement, bindingPatterns), + serverBindings(deployState, context, searchElement, bindingPatterns, cluster), ContainerThreadpool.UserOptions.fromXml(searchElement).orElse(null)); cluster.addComponent(searchHandler); @@ -1143,17 +1139,17 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { searchHandler.addComponent(Component.fromClassAndBundle(SearchHandler.EXECUTION_FACTORY, PlatformBundles.SEARCH_AND_DOCPROC_BUNDLE)); } - private List<BindingPattern> serverBindings(DeployState deployState, ConfigModelContext context, Element searchElement, Collection<BindingPattern> defaultBindings) { + private List<BindingPattern> serverBindings(DeployState deployState, ConfigModelContext context, Element searchElement, Collection<BindingPattern> defaultBindings, ApplicationContainerCluster cluster) { List<Element> bindings = XML.getChildren(searchElement, "binding"); if (bindings.isEmpty()) return List.copyOf(defaultBindings); - return toBindingList(deployState, context, bindings); + return toBindingList(deployState, context, bindings, cluster); } - private List<BindingPattern> toBindingList(DeployState deployState, ConfigModelContext context, List<Element> bindingElements) { + private List<BindingPattern> toBindingList(DeployState deployState, ConfigModelContext context, List<Element> bindingElements, ApplicationContainerCluster cluster) { List<BindingPattern> result = new ArrayList<>(); - var portOverride = isHostedTenantApplication(context) ? getDataplanePorts(deployState) : Set.<Integer>of(); + var portOverride = isHostedTenantApplication(context) ? getDataplanePorts(deployState, cluster) : Set.<Integer>of(); for (Element element: bindingElements) { String text = element.getTextContent().trim(); if (!text.isEmpty()) @@ -1178,12 +1174,12 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { ContainerDocumentApi.HandlerOptions documentApiOptions = DocumentApiOptionsBuilder.build(documentApiElement); Element ignoreUndefinedFields = XML.getChild(documentApiElement, "ignore-undefined-fields"); return new ContainerDocumentApi(cluster, documentApiOptions, - "true".equals(XML.getValue(ignoreUndefinedFields)), portBindingOverride(deployState, context)); + "true".equals(XML.getValue(ignoreUndefinedFields)), portBindingOverride(deployState, context, cluster)); } - private Set<Integer> portBindingOverride(DeployState deployState, ConfigModelContext context) { + private Set<Integer> portBindingOverride(DeployState deployState, ConfigModelContext context, ApplicationContainerCluster cluster) { return isHostedTenantApplication(context) - ? getDataplanePorts(deployState) + ? getDataplanePorts(deployState, cluster) : Set.<Integer>of(); } @@ -1442,20 +1438,18 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { } - private static Set<Integer> getDataplanePorts(DeployState ds) { - var tokenPort = getTokenDataplanePort(ds); - var mtlsPort = getMtlsDataplanePort(ds); + private static Set<Integer> getDataplanePorts(DeployState ds, ApplicationContainerCluster cluster) { + var tokenPort = getTokenDataplanePort(ds, cluster); + var mtlsPort = getMtlsDataplanePort(ds, cluster); return tokenPort.isPresent() ? Set.of(mtlsPort, tokenPort.getAsInt()) : Set.of(mtlsPort); } - private static int getMtlsDataplanePort(DeployState ds) { - boolean enableDataplaneProxy = ! tokenEndpoints(ds).isEmpty(); - return enableDataplaneProxy ? 8443 : 4443; + private static int getMtlsDataplanePort(DeployState ds, ApplicationContainerCluster cluster) { + return enableTokenSupport(ds, cluster) ? 8443 : 4443; } - private static OptionalInt getTokenDataplanePort(DeployState ds) { - boolean enableDataplaneProxy = ! tokenEndpoints(ds).isEmpty(); - return enableDataplaneProxy ? OptionalInt.of(8444) : OptionalInt.empty(); + private static OptionalInt getTokenDataplanePort(DeployState ds, ApplicationContainerCluster cluster) { + return enableTokenSupport(ds, cluster) ? OptionalInt.of(8444) : OptionalInt.empty(); } private static Set<ContainerEndpoint> tokenEndpoints(DeployState deployState) { @@ -1464,4 +1458,10 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> { .collect(Collectors.toSet()); } + private static boolean enableTokenSupport(DeployState state, ApplicationContainerCluster cluster) { + Set<ContainerEndpoint> tokenEndpoints = tokenEndpoints(state); + return state.isHosted() && state.zone().system().isPublic() + && cluster.getClients().stream().anyMatch(c -> !c.tokens().isEmpty()) + && ! tokenEndpoints.isEmpty(); + } } |