Merge pull request #9882 from vespa-engine/andreer/reapply-tls-config-from-deploy-params

tls config from deploy params
author: Andreas Eriksen <andreer@verizonmedia.com> 2019-06-25 09:35:22 +0200
committer: GitHub <noreply@github.com> 2019-06-25 09:35:22 +0200
commit: 82a276c8bf15071725d08c5e6051bd5113c1c5af (patch)
tree: 4d62ad32703765193e5f406a44f2f67d251a5dc3 /config-model
parent: 37bfd5bcf655243394b60f3164f026805ed1fe3c (diff)
parent: e11f35d832c1beef87092114aa5ad3a81f1479a1 (diff)
12 files changed, 200 insertions, 17 deletions
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java b/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java
index 21a8297910f..1892c8920a7 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java
@@ -15,6 +15,7 @@ import com.yahoo.config.model.api.ContainerEndpoint;
 import com.yahoo.config.model.api.HostProvisioner;
 import com.yahoo.config.model.api.Model;
 import com.yahoo.config.model.api.ModelContext;
+import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.config.model.api.ValidationParameters;
 import com.yahoo.config.model.application.provider.BaseDeployLogger;
 import com.yahoo.config.model.application.provider.MockFileRegistry;
@@ -256,6 +257,8 @@ public class DeployState implements ConfigDefinitionStore {
 
     public Instant now() { return now; }
 
+    public Optional<TlsSecrets> tlsSecrets() { return properties.tlsSecrets(); }
+
     public static class Builder {
 
         private ApplicationPackage applicationPackage = MockApplicationPackage.createEmpty();
@@ -273,6 +276,7 @@ public class DeployState implements ConfigDefinitionStore {
         private Zone zone = Zone.defaultZone();
         private Instant now = Instant.now();
         private Version wantedNodeVespaVersion = Vtag.currentVersion;
+        private Optional<TlsSecrets> tlsSecrets = Optional.empty();
 
         public Builder applicationPackage(ApplicationPackage applicationPackage) {
             this.applicationPackage = applicationPackage;
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
index 87ff9d1bb2a..d974db73547 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/TestProperties.java
@@ -5,6 +5,7 @@ import com.google.common.collect.ImmutableList;
 import com.yahoo.config.model.api.ConfigServerSpec;
 import com.yahoo.config.model.api.ContainerEndpoint;
 import com.yahoo.config.model.api.ModelContext;
+import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.HostName;
 import com.yahoo.config.provision.Rotation;
@@ -13,6 +14,7 @@ import com.yahoo.config.provision.Zone;
 import java.net.URI;
 import java.util.Collections;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 
 /**
@@ -39,6 +41,7 @@ public class TestProperties implements ModelContext.Properties {
     private boolean useFdispatchByDefault = true;
     private boolean dispatchWithProtobuf = true;
     private boolean useAdaptiveDispatch = false;
+    private Optional<TlsSecrets> tlsSecrets = Optional.empty();
 
 
     @Override public boolean multitenant() { return multitenant; }
@@ -58,6 +61,7 @@ public class TestProperties implements ModelContext.Properties {
     @Override public boolean useDedicatedNodeForLogserver() { return useDedicatedNodeForLogserver; }
     @Override public boolean useFdispatchByDefault() { return useFdispatchByDefault; }
     @Override public boolean dispatchWithProtobuf() { return dispatchWithProtobuf; }
+    @Override public Optional<TlsSecrets> tlsSecrets() { return tlsSecrets; }
 
     public TestProperties setApplicationId(ApplicationId applicationId) {
         this.applicationId = applicationId;
@@ -90,6 +94,11 @@ public class TestProperties implements ModelContext.Properties {
     }
 
 
+    public TestProperties setTlsSecrets(Optional<TlsSecrets> tlsSecrets) {
+        this.tlsSecrets = tlsSecrets;
+        return this;
+    }
+
     public static class Spec implements ConfigServerSpec {
 
         private final String hostName;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java
index b381168838f..48f7fa3c1a2 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java
@@ -1,8 +1,15 @@
 // Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.container;
 
+import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.config.model.api.container.ContainerServiceType;
 import com.yahoo.config.model.producer.AbstractConfigProducer;
+import com.yahoo.vespa.model.container.http.ConnectorFactory;
+import com.yahoo.vespa.model.container.http.Http;
+import com.yahoo.vespa.model.container.http.JettyHttpServer;
+import com.yahoo.vespa.model.container.http.ssl.ConfiguredDirectSslProvider;
+
+import java.util.Optional;
 
 /**
  * A container that is typically used by container clusters set up from the user application.
@@ -15,14 +22,23 @@ public final class ApplicationContainer extends Container {
 
     private final boolean isHostedVespa;
 
-
-    public ApplicationContainer(AbstractConfigProducer parent, String name, int index, boolean isHostedVespa) {
-        this(parent, name, false, index, isHostedVespa);
+    public ApplicationContainer(AbstractConfigProducer parent, String name, int index, boolean isHostedVespa, Optional<TlsSecrets> tlsSecrets) {
+        this(parent, name, false, index, isHostedVespa, tlsSecrets);
     }
 
-    public ApplicationContainer(AbstractConfigProducer parent, String name, boolean retired, int index, boolean isHostedVespa) {
+    public ApplicationContainer(AbstractConfigProducer parent, String name, boolean retired, int index, boolean isHostedVespa, Optional<TlsSecrets> tlsSecrets) {
         super(parent, name, retired, index);
         this.isHostedVespa = isHostedVespa;
+
+        if (isHostedVespa && tlsSecrets.isPresent()) {
+            String connectorName = "tls4443";
+
+            JettyHttpServer server = Optional.ofNullable(getHttp())
+                                             .map(Http::getHttpServer)
+                                             .orElse(getDefaultHttpServer());
+            server.addConnector(new ConnectorFactory(connectorName, 4443,
+                                                     new ConfiguredDirectSslProvider(server.getComponentId().getName(), tlsSecrets.get().key(), tlsSecrets.get().certificate(), null, null)));
+        }
     }
 
     @Override
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java
index 9cbaa5f91af..e9db64f8e4b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainerCluster.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.model.container;
 import com.yahoo.component.ComponentId;
 import com.yahoo.config.FileReference;
 import com.yahoo.config.application.api.ComponentInfo;
+import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.config.model.producer.AbstractConfigProducer;
 import com.yahoo.container.BundlesConfig;
@@ -22,6 +23,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.LinkedHashSet;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -45,13 +47,18 @@ public final class ApplicationContainerCluster extends ContainerCluster<Applicat
 
     private ContainerModelEvaluation modelEvaluation;
 
+    private Optional<TlsSecrets> tlsSecrets;
+
     public ApplicationContainerCluster(AbstractConfigProducer<?> parent, String subId, String name, DeployState deployState) {
         super(parent, subId, name, deployState);
+
+        this.tlsSecrets = deployState.tlsSecrets();
         restApiGroup = new ConfigProducerGroup<>(this, "rest-api");
         servletGroup = new ConfigProducerGroup<>(this, "servlet");
 
         addSimpleComponent(DEFAULT_LINGUISTICS_PROVIDER);
         addSimpleComponent("com.yahoo.container.jdisc.SecretStoreProvider");
+        addSimpleComponent("com.yahoo.container.jdisc.DeprecatedSecretStoreProvider");
         addSimpleComponent("com.yahoo.container.jdisc.CertificateStoreProvider");
     }
 
@@ -139,4 +146,8 @@ public final class ApplicationContainerCluster extends ContainerCluster<Applicat
         if (modelEvaluation != null) modelEvaluation.getConfig(builder);
     }
 
+    public Optional<TlsSecrets> getTlsSecrets() {
+        return tlsSecrets;
+    }
+
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredDirectSslProvider.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredDirectSslProvider.java
new file mode 100644
index 00000000000..28dba3331d3
--- /dev/null
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredDirectSslProvider.java
@@ -0,0 +1,66 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.model.container.http.ssl;
+
+import com.yahoo.component.ComponentId;
+import com.yahoo.container.bundle.BundleInstantiationSpecification;
+import com.yahoo.jdisc.http.ConnectorConfig;
+import com.yahoo.jdisc.http.ssl.impl.ConfiguredSslContextFactoryProvider;
+import com.yahoo.osgi.provider.model.ComponentModel;
+import com.yahoo.vespa.model.container.component.SimpleComponent;
+
+import java.util.Optional;
+
+import static com.yahoo.component.ComponentSpecification.fromString;
+
+/**
+ * Configure SSL with PEM encoded certificate/key strings
+ *
+ * @author mortent
+ * @author andreer
+ */
+public class ConfiguredDirectSslProvider extends SimpleComponent implements ConnectorConfig.Producer {
+    public static final String COMPONENT_ID_PREFIX = "configured-ssl-provider@";
+    public static final String COMPONENT_CLASS = ConfiguredSslContextFactoryProvider.class.getName();
+    public static final String COMPONENT_BUNDLE = "jdisc_http_service";
+
+    private final String privateKey;
+    private final String certificate;
+    private final String caCertificatePath;
+    private final ConnectorConfig.Ssl.ClientAuth.Enum clientAuthentication;
+
+    public ConfiguredDirectSslProvider(String servername, String privateKey, String certificate, String caCertificatePath, String clientAuthentication) {
+        super(new ComponentModel(
+                new BundleInstantiationSpecification(new ComponentId(COMPONENT_ID_PREFIX+servername),
+                                                     fromString(COMPONENT_CLASS),
+                                                     fromString(COMPONENT_BUNDLE))));
+        this.privateKey = privateKey;
+        this.certificate = certificate;
+        this.caCertificatePath = caCertificatePath;
+        this.clientAuthentication = mapToConfigEnum(clientAuthentication);
+    }
+
+    @Override
+    public void getConfig(ConnectorConfig.Builder builder) {
+        builder.ssl.enabled(true);
+        builder.ssl.privateKey(privateKey);
+        builder.ssl.certificate(certificate);
+        builder.ssl.caCertificateFile(Optional.ofNullable(caCertificatePath).orElse(""));
+        builder.ssl.clientAuth(clientAuthentication);
+    }
+
+    public SimpleComponent getComponent() {
+        return new SimpleComponent(new ComponentModel(getComponentId().stringValue(), COMPONENT_CLASS, COMPONENT_BUNDLE));
+    }
+
+    private static ConnectorConfig.Ssl.ClientAuth.Enum mapToConfigEnum(String clientAuthValue) {
+        if ("disabled".equals(clientAuthValue)) {
+            return ConnectorConfig.Ssl.ClientAuth.Enum.DISABLED;
+        } else if ("want".equals(clientAuthValue)) {
+            return ConnectorConfig.Ssl.ClientAuth.Enum.WANT_AUTH;
+        } else if ("need".equals(clientAuthValue)) {
+            return ConnectorConfig.Ssl.ClientAuth.Enum.NEED_AUTH;
+        } else {
+            return ConnectorConfig.Ssl.ClientAuth.Enum.DISABLED;
+        }
+    }
+}
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredSslProvider.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredFilebasedSslProvider.java
index 3c36933c030..4f84a01ff94 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredSslProvider.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredFilebasedSslProvider.java
@@ -13,9 +13,11 @@ import java.util.Optional;
 import static com.yahoo.component.ComponentSpecification.fromString;
 
 /**
+ * Configure SSL using file references
+ *
  * @author mortent
  */
-public class ConfiguredSslProvider extends SimpleComponent implements ConnectorConfig.Producer {
+public class ConfiguredFilebasedSslProvider extends SimpleComponent implements ConnectorConfig.Producer {
     public static final String COMPONENT_ID_PREFIX = "configured-ssl-provider@";
     public static final String COMPONENT_CLASS = ConfiguredSslContextFactoryProvider.class.getName();
     public static final String COMPONENT_BUNDLE = "jdisc_http_service";
@@ -25,7 +27,7 @@ public class ConfiguredSslProvider extends SimpleComponent implements ConnectorC
     private final String caCertificatePath;
     private final ConnectorConfig.Ssl.ClientAuth.Enum clientAuthentication;
 
-    public ConfiguredSslProvider(String servername, String privateKeyPath, String certificatePath, String caCertificatePath, String clientAuthentication) {
+    public ConfiguredFilebasedSslProvider(String servername, String privateKeyPath, String certificatePath, String caCertificatePath, String clientAuthentication) {
         super(new ComponentModel(
                 new BundleInstantiationSpecification(new ComponentId(COMPONENT_ID_PREFIX+servername),
                                                      fromString(COMPONENT_CLASS),
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java
index 23865eb9bdd..1b457b1250a 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java
@@ -9,7 +9,7 @@ import com.yahoo.vespa.model.builder.xml.dom.VespaDomBuilder;
 import com.yahoo.vespa.model.container.component.SimpleComponent;
 import com.yahoo.vespa.model.container.http.ConnectorFactory;
 import com.yahoo.vespa.model.container.http.ssl.CustomSslProvider;
-import com.yahoo.vespa.model.container.http.ssl.ConfiguredSslProvider;
+import com.yahoo.vespa.model.container.http.ssl.ConfiguredFilebasedSslProvider;
 import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider;
 import org.w3c.dom.Element;
 
@@ -39,7 +39,7 @@ public class JettyConnectorBuilder extends VespaDomBuilder.DomConfigProducerBuil
             String certificateFile = XML.getValue(XML.getChild(sslConfigurator, "certificate-file"));
             Optional<String> caCertificateFile = XmlHelper.getOptionalChildValue(sslConfigurator, "ca-certificates-file");
             Optional<String> clientAuthentication = XmlHelper.getOptionalChildValue(sslConfigurator, "client-authentication");
-            return new ConfiguredSslProvider(
+            return new ConfiguredFilebasedSslProvider(
                     serverName,
                     privateKeyFile,
                     certificateFile,
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index f68ddecad9d..57e0b969929 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -431,7 +431,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
     }
 
     private void addStandaloneNode(ApplicationContainerCluster cluster) {
-        ApplicationContainer container =  new ApplicationContainer(cluster, "standalone", cluster.getContainers().size(), cluster.isHostedVespa());
+        ApplicationContainer container =  new ApplicationContainer(cluster, "standalone", cluster.getContainers().size(), cluster.isHostedVespa(), cluster.getTlsSecrets());
         cluster.addContainers(Collections.singleton(container));
     }
 
@@ -497,7 +497,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         Element nodesElement = XML.getChild(containerElement, "nodes");
         Element rotationsElement = XML.getChild(containerElement, "rotations");
         if (nodesElement == null) { // default single node on localhost
-            ApplicationContainer node = new ApplicationContainer(cluster, "container.0", 0, cluster.isHostedVespa());
+            ApplicationContainer node = new ApplicationContainer(cluster, "container.0", 0, cluster.isHostedVespa(), cluster.getTlsSecrets());
             HostResource host = allocateSingleNodeHost(cluster, log, containerElement, context);
             node.setHostResource(host);
             node.initService(context.getDeployLogger());
@@ -686,7 +686,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         List<ApplicationContainer> nodes = new ArrayList<>();
         for (Map.Entry<HostResource, ClusterMembership> entry : hosts.entrySet()) {
             String id = "container." + entry.getValue().index();
-            ApplicationContainer container = new ApplicationContainer(cluster, id, entry.getValue().retired(), entry.getValue().index(), cluster.isHostedVespa());
+            ApplicationContainer container = new ApplicationContainer(cluster, id, entry.getValue().retired(), entry.getValue().index(), cluster.isHostedVespa(), cluster.getTlsSecrets());
             container.setHostResource(entry.getKey());
             container.initService(deployLogger);
             nodes.add(container);
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerServiceBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerServiceBuilder.java
index fd0797d6098..46271d3c0a2 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerServiceBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerServiceBuilder.java
@@ -22,7 +22,7 @@ public class ContainerServiceBuilder extends VespaDomBuilder.DomConfigProducerBu
 
     @Override
     protected ApplicationContainer doBuild(DeployState deployState, AbstractConfigProducer parent, Element nodeElem) {
-        return new ApplicationContainer(parent, id, index, deployState.isHosted());
+        return new ApplicationContainer(parent, id, index, deployState.isHosted(), deployState.tlsSecrets());
     }
 
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/content/Content.java b/config-model/src/main/java/com/yahoo/vespa/model/content/Content.java
index 74caf2d8026..8eda707be99 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/content/Content.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/content/Content.java
@@ -324,7 +324,7 @@ public class Content extends ConfigModel {
                 if (!processedHosts.contains(host)) {
                     String containerName = String.valueOf(searchNode.getDistributionKey());
                     ApplicationContainer docprocService = new ApplicationContainer(indexingCluster, containerName, index,
-                                                                                   modelContext.getDeployState().isHosted());
+                                                                                   modelContext.getDeployState().isHosted(), modelContext.getDeployState().tlsSecrets());
                     index++;
                     docprocService.useDynamicPorts();
                     docprocService.setHostResource(host);
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/ContainerClusterTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/ContainerClusterTest.java
index ba7fbef439c..ac85a958ed5 100755
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/ContainerClusterTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/ContainerClusterTest.java
@@ -5,6 +5,7 @@ import com.yahoo.cloud.config.ClusterInfoConfig;
 import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.cloud.config.RoutingProviderConfig;
 import com.yahoo.config.application.api.DeployLogger;
+import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.config.model.deploy.DeployState;
 import com.yahoo.config.model.deploy.TestProperties;
 import com.yahoo.config.model.test.MockRoot;
@@ -13,6 +14,7 @@ import com.yahoo.config.provision.RegionName;
 import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.container.handler.ThreadpoolConfig;
+import com.yahoo.jdisc.http.ConnectorConfig;
 import com.yahoo.search.config.QrStartConfig;
 import com.yahoo.vespa.model.Host;
 import com.yahoo.vespa.model.HostResource;
@@ -20,15 +22,22 @@ import com.yahoo.vespa.model.admin.clustercontroller.ClusterControllerContainer;
 import com.yahoo.vespa.model.admin.clustercontroller.ClusterControllerContainerCluster;
 import com.yahoo.vespa.model.container.component.Component;
 import com.yahoo.vespa.model.container.docproc.ContainerDocproc;
+import com.yahoo.vespa.model.container.http.ConnectorFactory;
 import com.yahoo.vespa.model.container.search.ContainerSearch;
 import com.yahoo.vespa.model.container.search.searchchain.SearchChains;
+import org.hamcrest.Matchers;
 import org.junit.Test;
 
 import java.util.Collection;
 import java.util.Iterator;
+import java.util.List;
+import java.util.Optional;
+import java.util.stream.Collectors;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
 
 /**
  * @author Simon Thoresen Hult
@@ -210,9 +219,40 @@ public class ContainerClusterTest {
         assertEquals(0, cluster.getAllComponents().stream().map(c -> c.getClassId().getName()).filter(c -> c.equals("com.yahoo.jdisc.http.filter.security.RoutingConfigProvider")).count());
     }
 
+    @Test
+    public void requireThatProvidingTlsSecretOpensPort4443() {
+        DeployState state = new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY")))).build();
+        MockRoot root = new MockRoot("foo", state);
+        ApplicationContainerCluster cluster = new ApplicationContainerCluster(root, "container0", "container1", state);
+
+        addContainer(state.getDeployLogger(), cluster, "c1", "host-c1");
+        Optional<ApplicationContainer> container = cluster.getContainers().stream().findFirst();
+        assertTrue(container.isPresent());
+
+        var httpServer = (container.get().getHttp() == null) ? container.get().getDefaultHttpServer() : container.get().getHttp().getHttpServer();
+
+        // Verify that there are two connectors
+        List<ConnectorFactory> connectorFactories = httpServer.getConnectorFactories();
+        assertEquals(2, connectorFactories.size());
+        List<Integer> ports = connectorFactories.stream()
+                                                .map(ConnectorFactory::getListenPort)
+                                                .collect(Collectors.toList());
+        assertThat(ports, Matchers.containsInAnyOrder(8080, 4443));
+
+        ConnectorFactory tlsPort = connectorFactories.stream().filter(connectorFactory -> connectorFactory.getListenPort() == 4443).findFirst().orElseThrow();
+
+        ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
+        tlsPort.getConfig(builder);
+
+        ConnectorConfig connectorConfig = new ConnectorConfig(builder);
+        assertTrue(connectorConfig.ssl().enabled());
+        assertEquals("CERT", connectorConfig.ssl().certificate());
+        assertEquals("KEY", connectorConfig.ssl().privateKey());
+        assertEquals(4443, connectorConfig.listenPort());
+    }
 
     private static void addContainer(DeployLogger deployLogger, ApplicationContainerCluster cluster, String name, String hostName) {
-        ApplicationContainer container = new ApplicationContainer(cluster, name, 0, cluster.isHostedVespa());
+        ApplicationContainer container = new ApplicationContainer(cluster, name, 0, cluster.isHostedVespa(), cluster.getTlsSecrets());
         container.setHostResource(new HostResource(new Host(null, hostName)));
         container.initService(deployLogger);
         cluster.addContainer(container);
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
index 03e115f0608..880cccf02e4 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
@@ -1,16 +1,19 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.model.container.xml;
 
+import com.yahoo.config.model.api.TlsSecrets;
 import com.yahoo.config.model.builder.xml.test.DomBuilderTest;
+import com.yahoo.config.model.deploy.DeployState;
+import com.yahoo.config.model.deploy.TestProperties;
 import com.yahoo.container.ComponentsConfig;
 import com.yahoo.container.jdisc.FilterBindingsProvider;
 import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.vespa.model.container.ContainerCluster;
 import com.yahoo.vespa.model.container.ApplicationContainerCluster;
+import com.yahoo.vespa.model.container.ContainerCluster;
 import com.yahoo.vespa.model.container.component.SimpleComponent;
 import com.yahoo.vespa.model.container.http.ConnectorFactory;
 import com.yahoo.vespa.model.container.http.JettyHttpServer;
-import com.yahoo.vespa.model.container.http.ssl.ConfiguredSslProvider;
+import com.yahoo.vespa.model.container.http.ssl.ConfiguredFilebasedSslProvider;
 import org.junit.Test;
 import org.w3c.dom.Element;
 
@@ -21,6 +24,7 @@ import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.CoreMatchers.nullValue;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 
@@ -174,7 +178,7 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
 
         ContainerCluster cluster = (ContainerCluster) root.getChildren().get("default");
         List<ConnectorFactory> connectorFactories = cluster.getChildrenByTypeRecursive(ConnectorFactory.class);
-        connectorFactories.forEach(connectorFactory -> assertChildComponentExists(connectorFactory, ConfiguredSslProvider.COMPONENT_CLASS));
+        connectorFactories.forEach(connectorFactory -> assertChildComponentExists(connectorFactory, ConfiguredFilebasedSslProvider.COMPONENT_CLASS));
     }
 
     @Test
@@ -222,6 +226,37 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
         assertTrue(sslProvider.ssl().enabled());
     }
 
+    @Test
+    public void verify_that_container_setup_additional_tls4443(){
+        Element clusterElem = DomBuilderTest.parse(
+                "<jdisc id='default' version='1.0' jetty='true'>",
+                "    <http>",
+                "        <server port='9000' id='ssl'>",
+                "            <ssl>",
+                "                <private-key-file>/foo/key</private-key-file>",
+                "                <certificate-file>/foo/cert</certificate-file>",
+                "            </ssl>",
+                "        </server>",
+                "    </http>",
+                nodesXml,
+                "",
+                "</jdisc>");
+
+        DeployState deployState = new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setTlsSecrets(Optional.of(new TlsSecrets("CERT", "KEY")))).build();
+        createModel(root, deployState, null, clusterElem);
+        ConnectorConfig sslProvider = root.getConfig(ConnectorConfig.class, "default/http/jdisc-jetty/ssl");
+        assertTrue(sslProvider.ssl().enabled());
+        assertEquals("", sslProvider.ssl().certificate());
+        assertEquals("", sslProvider.ssl().privateKey());
+
+        ConnectorConfig providedTls = root.getConfig(ConnectorConfig.class, "default/http/jdisc-jetty/tls4443");
+        assertTrue(providedTls.ssl().enabled());
+        assertEquals("CERT", providedTls.ssl().certificate());
+        assertEquals("KEY", providedTls.ssl().privateKey());
+        assertEquals(4443, providedTls.listenPort());
+
+    }
+
     private static void assertChildComponentExists(ConnectorFactory connectorFactory, String className) {
         Optional<SimpleComponent> simpleComponent = connectorFactory.getChildren().values().stream()
                 .map(z -> (SimpleComponent) z)
author	Andreas Eriksen <andreer@verizonmedia.com>	2019-06-25 09:35:22 +0200
committer	GitHub <noreply@github.com>	2019-06-25 09:35:22 +0200
commit	82a276c8bf15071725d08c5e6051bd5113c1c5af (patch)
tree	4d62ad32703765193e5f406a44f2f67d251a5dc3 /config-model
parent	37bfd5bcf655243394b60f3164f026805ed1fe3c (diff)
parent	e11f35d832c1beef87092114aa5ad3a81f1479a1 (diff)