Add cloud secret store config

7 files changed, 52 insertions, 10 deletions

diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/SecretStoreValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/SecretStoreValidator.java
index d26ff49c4fa..bafc0b8b3de 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/SecretStoreValidator.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/SecretStoreValidator.java
@@ -7,8 +7,11 @@ import com.yahoo.vespa.model.VespaModel;
 import com.yahoo.vespa.model.container.Container;
 import com.yahoo.vespa.model.container.ContainerCluster;
 import com.yahoo.vespa.model.container.IdentityProvider;
+import com.yahoo.vespa.model.container.SecretStore;
 import com.yahoo.vespa.model.container.component.Component;
 
+import java.util.List;
+
 /**
  * Validates the requirements for setting up a secret store.
  *
@@ -16,14 +19,23 @@ import com.yahoo.vespa.model.container.component.Component;
  */
 public class SecretStoreValidator extends Validator {
 
+    private final List<String> VALID_TYPES = List.of("oath-ckms", "cloud");
+
     @Override
     public void validate(VespaModel model, DeployState deployState) {
         if (! deployState.isHosted()) return;
         if (model.getAdmin().getApplicationType() != ApplicationType.DEFAULT) return;
 
         for (ContainerCluster cluster : model.getContainerClusters().values()) {
-            if (cluster.getSecretStore().isPresent() && ! hasIdentityProvider(cluster)) {
-                throw new IllegalArgumentException(String.format(
+
+            if (cluster.getSecretStore().isPresent() ) {
+                var secretStore = (SecretStore) cluster.getSecretStore().get();
+
+                if (!isValidType(secretStore.getType())) {
+                    throw new IllegalArgumentException("Secret store must be one of the following types: " + VALID_TYPES);
+                }
+                if (! secretStore.isCloud() && ! hasIdentityProvider(cluster))
+                    throw new IllegalArgumentException(String.format(
                         "Container cluster '%s' uses a secret store, so an Athenz domain and an Athenz service" +
                                 " must be declared in deployment.xml.", cluster.getName()));
             }
@@ -36,4 +48,8 @@ public class SecretStoreValidator extends Validator {
         }
         return false;
     }
+
+    private boolean isValidType(String type) {
+        return VALID_TYPES.contains(type);
+    }
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerCluster.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerCluster.java
index a1db3c43f1c..55d6c0ba6a9 100755
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerCluster.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ContainerCluster.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.model.container;
 import com.yahoo.cloud.config.ClusterInfoConfig;
 import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.cloud.config.CuratorConfig;
+import com.yahoo.cloud.config.SecretStoreConfig;
 import com.yahoo.component.ComponentId;
 import com.yahoo.config.application.api.ApplicationMetaData;
 import com.yahoo.config.docproc.DocprocConfig;
@@ -101,7 +102,8 @@ public abstract class ContainerCluster<CONTAINER extends Container>
         DocprocConfig.Producer,
         ClusterInfoConfig.Producer,
         ConfigserverConfig.Producer,
-        CuratorConfig.Producer
+        CuratorConfig.Producer,
+        SecretStoreConfig.Producer
 {
 
     /**
@@ -577,6 +579,16 @@ public abstract class ContainerCluster<CONTAINER extends Container>
         builder.zookeeperLocalhostAffinity(zooKeeperLocalhostAffinity);
     }
 
+    @Override
+    public void getConfig(SecretStoreConfig.Builder builder) {
+        secretStore.getGroups().forEach(group ->
+            builder.groups(new SecretStoreConfig.Groups.Builder()
+                    .name(group.name)
+                    .region(group.environment)
+            )
+        );
+    }
+
     private List<ClusterInfoConfig.Services.Ports.Builder> getPorts(Service service) {
         List<ClusterInfoConfig.Services.Ports.Builder> builders = new ArrayList<>();
         PortsMeta portsMeta = service.getPortsMeta();
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/SecretStore.java b/config-model/src/main/java/com/yahoo/vespa/model/container/SecretStore.java
index c803168af81..0332192c5c6 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/SecretStore.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/SecretStore.java
@@ -11,6 +11,11 @@ import java.util.List;
  */
 public class SecretStore {
     private final List<Group> groups = new ArrayList<>();
+    private final String type;
+
+    public SecretStore(String type) {
+        this.type = type;
+    }
 
     public void addGroup(String name, String environment) {
         groups.add(new Group(name, environment));
@@ -20,6 +25,14 @@ public class SecretStore {
         return ImmutableList.copyOf(groups);
     }
 
+    public String getType() {
+        return type;
+    }
+
+    public boolean isCloud() {
+        return "cloud".equals(type);
+    }
+
     public static class Group {
         public final String name;
         public final String environment;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index e7e82d577f4..4dc20fc668b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -29,7 +29,6 @@ import com.yahoo.config.provision.Environment;
 import com.yahoo.config.provision.HostName;
 import com.yahoo.config.provision.NodeResources;
 import com.yahoo.config.provision.NodeType;
-import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.container.logging.FileConnectionLog;
 import com.yahoo.osgi.provider.model.ComponentModel;
@@ -258,9 +257,10 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
     private void addSecretStore(ApplicationContainerCluster cluster, Element spec) {
         Element secretStoreElement = XML.getChild(spec, "secret-store");
         if (secretStoreElement != null) {
-            SecretStore secretStore = new SecretStore();
+            SecretStore secretStore = new SecretStore(secretStoreElement.getAttribute("type"));
+            String attributeName = secretStore.isCloud() ? "region" : "environment";
             for (Element group : XML.getChildren(secretStoreElement, "group")) {
-                secretStore.addGroup(group.getAttribute("name"), group.getAttribute("environment"));
+                secretStore.addGroup(group.getAttribute("name"), group.getAttribute(attributeName));
             }
             cluster.setSecretStore(secretStore);
         }
diff --git a/config-model/src/main/resources/schema/containercluster.rnc b/config-model/src/main/resources/schema/containercluster.rnc
index 5257345c39e..abe7386fa00 100644
--- a/config-model/src/main/resources/schema/containercluster.rnc
+++ b/config-model/src/main/resources/schema/containercluster.rnc
@@ -86,10 +86,11 @@ AccessLog = element accesslog {
 }
 
 SecretStore = element secret-store {
-    attribute type { string "oath-ckms" } &
+    attribute type { string "oath-ckms" | string "cloud" } &
     element group {
       attribute name { string } &
-      attribute environment { string "alpha" | string "corp" | string "prod" | string "aws" | string "aws_stage" }
+      (attribute environment { string "alpha" | string "corp" | string "prod" | string "aws" | string "aws_stage" } |
+      attribute region { string } )
     } +
 }
 
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/SecretStoreValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/SecretStoreValidatorTest.java
index da81c74fdd2..4a9535623bb 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/SecretStoreValidatorTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/SecretStoreValidatorTest.java
@@ -27,7 +27,7 @@ public class SecretStoreValidatorTest {
     private static String servicesXml() {
         return joinLines("<services version='1.0'>",
                          "  <container id='default' version='1.0'>",
-                         "    <secret-store>",
+                         "    <secret-store type='oath-ckms'>",
                          "      <group name='group1' environment='prod'/>",
                          "    </secret-store>",
                          "  </container>",
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index e0e4cbf19c0..92e0b116878 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -704,7 +704,7 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
     public void secret_store_can_be_set_up() {
         Element clusterElem = DomBuilderTest.parse(
                 "<container version='1.0'>",
-                "  <secret-store>",
+                "  <secret-store type='oath-ckms'>",
                 "    <group name='group1' environment='env1'/>",
                 "  </secret-store>",
                 "</container>");