Handle missing tokens when setting up data plane proxy

author: Morten Tokle <mortent@yahooinc.com> 2023-09-18 15:51:07 +0200
committer: Morten Tokle <mortent@yahooinc.com> 2023-09-18 15:51:07 +0200
commit: 16a4153953248160093cecedfd0a97777de480e3 (patch)
tree: a73ecb99fa50405fa9985a4b1470b9f9b1d4de4f /config-model
parent: b3831f1e2ef267c6eab26b1fa865347cc36b1dcc (diff)
1 files changed, 30 insertions, 30 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 9804cb0b10d..d0d039a9dcb 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -459,7 +459,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
     private static void addCloudDataPlaneFilter(DeployState deployState, ApplicationContainerCluster cluster) {
         if (!deployState.isHosted() || !deployState.zone().system().isPublic()) return;
 
-        var dataplanePort = getMtlsDataplanePort(deployState);
+        var dataplanePort = getMtlsDataplanePort(deployState, cluster);
         // Setup secure filter chain
         var secureChain = new HttpFilterChain("cloud-data-plane-secure", HttpFilterChain.Type.SYSTEM);
         secureChain.addInnerComponent(new CloudDataPlaneFilter(cluster, deployState));
@@ -594,7 +594,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         String serverName = server.getComponentId().getName();
 
         // If the deployment contains certificate/private key reference, setup TLS port
-        var builder = HostedSslConnectorFactory.builder(serverName, getMtlsDataplanePort(state))
+        var builder = HostedSslConnectorFactory.builder(serverName, getMtlsDataplanePort(state, cluster))
                 .proxyProtocol(true, state.getProperties().featureFlags().enableProxyProtocolMixedMode())
                 .tlsCiphersOverride(state.getProperties().tlsCiphersOverride())
                 .endpointConnectionTtl(state.getProperties().endpointConnectionTtl());
@@ -627,23 +627,19 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 
     private void addCloudTokenSupport(DeployState state, ApplicationContainerCluster cluster) {
         var server = cluster.getHttp().getHttpServer().get();
+        if (!enableTokenSupport(state, cluster)) return;
         Set<String> tokenEndpoints = tokenEndpoints(state).stream()
                 .map(ContainerEndpoint::names)
                 .flatMap(Collection::stream)
                 .collect(Collectors.toSet());
-
-        boolean enableTokenSupport = state.isHosted() && state.zone().system().isPublic()
-                && cluster.getClients().stream().anyMatch(c -> !c.tokens().isEmpty())
-                && ! tokenEndpoints.isEmpty();
-        if (!enableTokenSupport) return;
         var endpointCert = state.endpointCertificateSecrets().orElseThrow();
-        int tokenPort = getTokenDataplanePort(state).orElseThrow();
+        int tokenPort = getTokenDataplanePort(state, cluster).orElseThrow();
 
         // Set up component to generate proxy cert if token support is enabled
         cluster.addSimpleComponent(DataplaneProxyCredentials.class);
         cluster.addSimpleComponent(DataplaneProxyService.class);
         var dataplaneProxy = new DataplaneProxy(
-                getMtlsDataplanePort(state),
+                getMtlsDataplanePort(state, cluster),
                 tokenPort,
                 endpointCert.certificate(),
                 endpointCert.key(),
@@ -714,7 +710,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
     }
 
     private Http buildHttp(DeployState deployState, ApplicationContainerCluster cluster, Element httpElement, ConfigModelContext context) {
-        Http http = new HttpBuilder(portBindingOverride(deployState, context)).build(deployState, cluster, httpElement);
+        Http http = new HttpBuilder(portBindingOverride(deployState, context, cluster)).build(deployState, cluster, httpElement);
 
         if (networking == Networking.disable)
             http.removeAllServers();
@@ -819,7 +815,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         cluster.addSearchAndDocprocBundles();
         addIncludes(processingElement);
         cluster.setProcessingChains(new DomProcessingBuilder(null).build(deployState, cluster, processingElement),
-                                    serverBindings(deployState, context, processingElement, ProcessingChains.defaultBindings).toArray(BindingPattern[]::new));
+                                    serverBindings(deployState, context, processingElement, ProcessingChains.defaultBindings, cluster).toArray(BindingPattern[]::new));
         validateAndAddConfiguredComponents(deployState, cluster, processingElement, "renderer", ContainerModelBuilder::validateRendererElement);
     }
 
@@ -844,7 +840,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
     private void addUserHandlers(DeployState deployState, ApplicationContainerCluster cluster, Element spec, ConfigModelContext context) {
         for (Element component: XML.getChildren(spec, "handler")) {
             cluster.addComponent(
-                    new DomHandlerBuilder(cluster, portBindingOverride(deployState, context)).build(deployState, cluster, component));
+                    new DomHandlerBuilder(cluster, portBindingOverride(deployState, context, cluster)).build(deployState, cluster, component));
         }
     }
 
@@ -1132,10 +1128,10 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
     private void addSearchHandler(DeployState deployState, ApplicationContainerCluster cluster, Element searchElement, ConfigModelContext context) {
         var bindingPatterns = List.<BindingPattern>of(SearchHandler.DEFAULT_BINDING);
         if (isHostedTenantApplication(context)) {
-            bindingPatterns = SearchHandler.bindingPattern(getDataplanePorts(deployState));
+            bindingPatterns = SearchHandler.bindingPattern(getDataplanePorts(deployState, cluster));
         }
         SearchHandler searchHandler = new SearchHandler(cluster,
-                                                        serverBindings(deployState, context, searchElement, bindingPatterns),
+                                                        serverBindings(deployState, context, searchElement, bindingPatterns, cluster),
                                                         ContainerThreadpool.UserOptions.fromXml(searchElement).orElse(null));
         cluster.addComponent(searchHandler);
 
@@ -1143,17 +1139,17 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         searchHandler.addComponent(Component.fromClassAndBundle(SearchHandler.EXECUTION_FACTORY, PlatformBundles.SEARCH_AND_DOCPROC_BUNDLE));
     }
 
-    private List<BindingPattern> serverBindings(DeployState deployState, ConfigModelContext context, Element searchElement, Collection<BindingPattern> defaultBindings) {
+    private List<BindingPattern> serverBindings(DeployState deployState, ConfigModelContext context, Element searchElement, Collection<BindingPattern> defaultBindings, ApplicationContainerCluster cluster) {
         List<Element> bindings = XML.getChildren(searchElement, "binding");
         if (bindings.isEmpty())
             return List.copyOf(defaultBindings);
 
-        return toBindingList(deployState, context, bindings);
+        return toBindingList(deployState, context, bindings, cluster);
     }
 
-    private List<BindingPattern> toBindingList(DeployState deployState, ConfigModelContext context, List<Element> bindingElements) {
+    private List<BindingPattern> toBindingList(DeployState deployState, ConfigModelContext context, List<Element> bindingElements, ApplicationContainerCluster cluster) {
         List<BindingPattern> result = new ArrayList<>();
-        var portOverride = isHostedTenantApplication(context) ? getDataplanePorts(deployState) : Set.<Integer>of();
+        var portOverride = isHostedTenantApplication(context) ? getDataplanePorts(deployState, cluster) : Set.<Integer>of();
         for (Element element: bindingElements) {
             String text = element.getTextContent().trim();
             if (!text.isEmpty())
@@ -1178,12 +1174,12 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         ContainerDocumentApi.HandlerOptions documentApiOptions = DocumentApiOptionsBuilder.build(documentApiElement);
         Element ignoreUndefinedFields = XML.getChild(documentApiElement, "ignore-undefined-fields");
         return new ContainerDocumentApi(cluster, documentApiOptions,
-                                        "true".equals(XML.getValue(ignoreUndefinedFields)), portBindingOverride(deployState, context));
+                                        "true".equals(XML.getValue(ignoreUndefinedFields)), portBindingOverride(deployState, context, cluster));
     }
 
-    private Set<Integer> portBindingOverride(DeployState deployState, ConfigModelContext context) {
+    private Set<Integer> portBindingOverride(DeployState deployState, ConfigModelContext context, ApplicationContainerCluster cluster) {
         return isHostedTenantApplication(context)
-                ? getDataplanePorts(deployState)
+                ? getDataplanePorts(deployState, cluster)
                 : Set.<Integer>of();
     }
 
@@ -1442,20 +1438,18 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 
     }
 
-    private static Set<Integer> getDataplanePorts(DeployState ds) {
-        var tokenPort = getTokenDataplanePort(ds);
-        var mtlsPort = getMtlsDataplanePort(ds);
+    private static Set<Integer> getDataplanePorts(DeployState ds, ApplicationContainerCluster cluster) {
+        var tokenPort = getTokenDataplanePort(ds, cluster);
+        var mtlsPort = getMtlsDataplanePort(ds, cluster);
         return tokenPort.isPresent() ? Set.of(mtlsPort, tokenPort.getAsInt()) : Set.of(mtlsPort);
     }
 
-    private static int getMtlsDataplanePort(DeployState ds) {
-        boolean enableDataplaneProxy = ! tokenEndpoints(ds).isEmpty();
-        return enableDataplaneProxy ? 8443 : 4443;
+    private static int getMtlsDataplanePort(DeployState ds, ApplicationContainerCluster cluster) {
+        return enableTokenSupport(ds, cluster) ? 8443 : 4443;
     }
 
-    private static OptionalInt getTokenDataplanePort(DeployState ds) {
-        boolean enableDataplaneProxy = ! tokenEndpoints(ds).isEmpty();
-        return enableDataplaneProxy ? OptionalInt.of(8444) : OptionalInt.empty();
+    private static OptionalInt getTokenDataplanePort(DeployState ds, ApplicationContainerCluster cluster) {
+        return enableTokenSupport(ds, cluster) ? OptionalInt.of(8444) : OptionalInt.empty();
     }
 
     private static Set<ContainerEndpoint> tokenEndpoints(DeployState deployState) {
@@ -1464,4 +1458,10 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
                 .collect(Collectors.toSet());
     }
 
+    private static boolean enableTokenSupport(DeployState state, ApplicationContainerCluster cluster) {
+        Set<ContainerEndpoint> tokenEndpoints = tokenEndpoints(state);
+        return state.isHosted() && state.zone().system().isPublic()
+                && cluster.getClients().stream().anyMatch(c -> !c.tokens().isEmpty())
+                && ! tokenEndpoints.isEmpty();
+    }
 }
author	Morten Tokle <mortent@yahooinc.com>	2023-09-18 15:51:07 +0200
committer	Morten Tokle <mortent@yahooinc.com>	2023-09-18 15:51:07 +0200
commit	16a4153953248160093cecedfd0a97777de480e3 (patch)
tree	a73ecb99fa50405fa9985a4b1470b9f9b1d4de4f /config-model
parent	b3831f1e2ef267c6eab26b1fa865347cc36b1dcc (diff)