author | Andreas Eriksen <andreer@verizonmedia.com> | 2021-01-21 09:14:00 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-21 09:14:00 +0100 |
commit | 44c35b15ab1849a13f6d86464984e0d31cf8188b (patch) | |
tree | 904dea50e837eaaad0b87865a66904154178d458 /controller-api | |
parent | c2c6faa030f68efa35ec42157e6d7b4d532b804d (diff) |
andreer/endpoint certificate maintainer (#16099)
* remove support for old formats and introduce EndpointCertificateMaintainer
* record certificate refresh time, run maintainer every 12 hours
* retrigger prod deployments if refreshed certificate not deployed after one week
* only re-trigger production jobs
* unit test EndpointCertificateMaintainer
* take application lock to avoid concurrent modifications when managing endpoint certs
* only trigger deployment jobs
Co-authored-by: Jon Marius Venstad <jonmv@users.noreply.github.com>
Diffstat (limited to 'controller-api')
2 files changed, 49 insertions, 19 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
index e610e5505af..4d2cafa3e48 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
@@ -17,16 +17,13 @@ public class EndpointCertificateMetadata {
 private final String certName;
 private final int version;
 private final long lastRequested;
- // TODO: make these fields required once all certs have them stored
- private final Optional<String> request_id;
- private final Optional<List<String>> requestedDnsSans;
- private final Optional<String> issuer;
+ private final String request_id;
+ private final List<String> requestedDnsSans;
+ private final String issuer;
+ private final Optional<Long> expiry;
+ private final Optional<Long> lastRefreshed;
- public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested) {
- this(keyName, certName, version, lastRequested, Optional.empty(), Optional.empty(), Optional.empty());
- }
-
- public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested, Optional<String> request_id, Optional<List<String>> requestedDnsSans, Optional<String> issuer) {
+ public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested, String request_id, List<String> requestedDnsSans, String issuer, Optional<Long> expiry, Optional<Long> lastRefreshed) {
 this.keyName = keyName;
 this.certName = certName;
 this.version = version;
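Review bot: The new constructor takes `request_id`, `requestedDnsSans` and `issuer` as plain non-Optional values but never rejects null, and `requestedDnsSans` is stored by reference, so a caller can mutate the SAN list after the metadata is built (the mock in this same commit hands over its own `dnsNames` list). Because the commit drops the old-format fallbacks, a record that lacks one of these fields would presumably surface as a null that only fails later in `equals` or `toString`. In the assignment lines (next hunk) I would write `this.request_id = Objects.requireNonNull(request_id, "request_id");` (same for `issuer`) and `this.requestedDnsSans = List.copyOf(requestedDnsSans);` — `Objects` is already imported for `hashCode`, and `List.copyOf` (Java 10+) also rejects null and null elements. The `expiry` and `lastRefreshed` fields carry no unit while the mock fills them with epoch seconds, so a field comment such as `// seconds since the epoch — confirm against the real provider` (or `Optional<Instant>`) would guard the maintainer's refresh arithmetic against a ms/s mix-up. The constructor body continues past the end of this hunk.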
@@ -34,6 +31,8 @@ public class EndpointCertificateMetadata {
 this.request_id = request_id;
 this.requestedDnsSans = requestedDnsSans;
 this.issuer = issuer;
+ this.expiry = expiry;
+ this.lastRefreshed = lastRefreshed;
 }
 public String keyName() {
@@ -52,18 +51,26 @@ public class EndpointCertificateMetadata {
 return lastRequested;
 }
- public Optional<String> request_id() {
+ public String request_id() {
 return request_id;
 }
- public Optional<List<String>> requestedDnsSans() {
+ public List<String> requestedDnsSans() {
 return requestedDnsSans;
 }
- public Optional<String> issuer() {
+ public String issuer() {
 return issuer;
 }
+ public Optional<Long> expiry() {
+ return expiry;
+ }
+
+ public Optional<Long> lastRefreshed() {
+ return lastRefreshed;
+ }
+
 public EndpointCertificateMetadata withVersion(int version) {
 return new EndpointCertificateMetadata(
 this.keyName,
@@ -72,8 +79,9 @@ public class EndpointCertificateMetadata {
 this.lastRequested,
 this.request_id,
 this.requestedDnsSans,
- this.issuer
- );
+ this.issuer,
+ this.expiry,
+ this.lastRefreshed);
 }
 public EndpointCertificateMetadata withLastRequested(long lastRequested) {
@@ -84,8 +92,22 @@ public class EndpointCertificateMetadata {
 lastRequested,
 this.request_id,
 this.requestedDnsSans,
- this.issuer
- );
+ this.issuer,
+ this.expiry,
+ this.lastRefreshed);
+ }
+
+ public EndpointCertificateMetadata withLastRefreshed(long lastRefreshed) {
+ return new EndpointCertificateMetadata(
+ this.keyName,
+ this.certName,
+ this.version,
+ this.lastRequested,
+ this.request_id,
+ this.requestedDnsSans,
+ this.issuer,
+ this.expiry,
+ Optional.of(lastRefreshed));
 }
 @Override
@@ -98,6 +120,8 @@ public class EndpointCertificateMetadata {
 ", request_id=" + request_id +
 ", requestedDnsSans=" + requestedDnsSans +
 ", issuer=" + issuer +
+ ", expiry=" + expiry +
+ ", lastRefreshed=" + lastRefreshed +
 '}';
 }
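Review bot: `withLastRefreshed` (hunk `@@ -84,8 +92,22 @@`) stamps the refresh time but carries the previous `expiry` forward unchanged, and the class gains no `withExpiry`, so after a refresh that issues a certificate with a later not-after date the stored expiry stays stale unless every caller rebuilds the whole object. I cannot see the maintainer from here, so this may be intentional, but a renewal scheduler keyed on `expiry` is exactly where a stale value hurts. If refreshes are expected to update expiry, a sibling `withExpiry(long expiry)` copy method, or a `withLastRefreshed(long lastRefreshed, long expiry)` overload that sets both, would keep the two fields in step; at minimum a Javadoc line on `withLastRefreshed` saying `expiry` is left untouched would make the contract explicit.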
@@ -112,11 +136,13 @@ public class EndpointCertificateMetadata {
 certName.equals(that.certName) &&
 request_id.equals(that.request_id) &&
 requestedDnsSans.equals(that.requestedDnsSans) &&
- issuer.equals(that.issuer);
+ issuer.equals(that.issuer) &&
+ expiry.equals(that.expiry) &&
+ lastRefreshed.equals(that.lastRefreshed);
 }
 @Override
 public int hashCode() {
- return Objects.hash(keyName, certName, version, lastRequested, request_id, requestedDnsSans, issuer);
+ return Objects.hash(keyName, certName, version, lastRequested, request_id, requestedDnsSans, issuer, expiry, lastRefreshed);
 }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
index 8c63613ec91..b5ee78251f0 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.certificates;
 import com.yahoo.config.provision.ApplicationId;
+import java.time.Instant;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
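Review bot: `equals` now dereferences `request_id`, `requestedDnsSans` and `issuer` directly (`request_id.equals(that.request_id)`, etc.) while `hashCode` a few lines below uses the null-tolerant `Objects.hash`, so the two methods disagree on a metadata with a null field: `hashCode` succeeds and `equals` throws NullPointerException. Neither constructor hunk earlier in this diff checks these arguments for null, and the commit removes the old-format fallbacks, so this may be reachable with persisted metadata that predates the change. Either enforce non-null at construction or switch the three comparisons to `Objects.equals(request_id, that.request_id) &&` (and likewise for the other two); the `Optional` fields `expiry` and `lastRefreshed` are safe as long as callers never pass a null `Optional`. The head of `equals` lies outside this hunk.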
@@ -25,7 +26,10 @@ public class EndpointCertificateMock implements EndpointCertificateProvider {
 this.dnsNames.put(applicationId, dnsNames);
 String endpointCertificatePrefix = String.format("vespa.tls.%s.%s.%s", applicationId.tenant(), applicationId.application(), applicationId.instance());
- return new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", 0, 0, Optional.of("mock-id-string"), Optional.of(dnsNames), Optional.of("mockCa"));
+ long epochSecond = Instant.now().getEpochSecond();
+ long inAnHour = epochSecond + 3600;
+ return new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", 0, 0,
+ "mock-id-string", dnsNames, "mockCa", Optional.of(inAnHour), Optional.of(epochSecond));
 }
 @Override
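Review bot: The mock now derives `expiry` and `lastRefreshed` from `Instant.now()`, and since the metadata's `equals` in this same commit compares both fields, two calls for the same application return unequal objects whenever a second boundary is crossed between them — tests that compare or deduplicate metadata from this provider can flake. A mock should be deterministic: take a `Clock` in the constructor (`Clock.fixed(...)` in tests) and use `clock.instant().getEpochSecond()`, or simply use fixed constants such as `Optional.of(3600L)` and `Optional.of(0L)`. The `dnsNames` list is also stored in `this.dnsNames` and handed to the metadata unchanged, so if the real `EndpointCertificateMetadata` does not copy it the two will alias the caller's list; harmless in a mock, but worth a comment.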