authorAndreas Eriksen <andreer@verizonmedia.com>2021-01-21 09:14:00 +0100
committerGitHub <noreply@github.com>2021-01-21 09:14:00 +0100
commit44c35b15ab1849a13f6d86464984e0d31cf8188b (patch)
tree904dea50e837eaaad0b87865a66904154178d458 /controller-api
parentc2c6faa030f68efa35ec42157e6d7b4d532b804d (diff)
andreer/endpoint certificate maintainer (#16099)
* remove support for old formats and introduce EndpointCertificateMaintainer * record certificate refresh time, run maintainer every 12 hours * retrigger prod deployments if refreshed certificate not deployed after one week * only re-trigger production jobs * unit test EndpointCertificateMaintainer * take application lock to avoid concurrent modifications when managing endpoint certs * only trigger deployment jobs Co-authored-by: Jon Marius Venstad <jonmv@users.noreply.github.com>
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java62
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java6
2 files changed, 49 insertions, 19 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
index e610e5505af..4d2cafa3e48 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMetadata.java
@@ -17,16 +17,13 @@ public class EndpointCertificateMetadata {
private final String certName;
private final int version;
private final long lastRequested;
- // TODO: make these fields required once all certs have them stored
- private final Optional<String> request_id;
- private final Optional<List<String>> requestedDnsSans;
- private final Optional<String> issuer;
+ private final String request_id;
+ private final List<String> requestedDnsSans;
+ private final String issuer;
+ private final Optional<Long> expiry;
+ private final Optional<Long> lastRefreshed;
- public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested) {
- this(keyName, certName, version, lastRequested, Optional.empty(), Optional.empty(), Optional.empty());
- }
-
- public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested, Optional<String> request_id, Optional<List<String>> requestedDnsSans, Optional<String> issuer) {
+ public EndpointCertificateMetadata(String keyName, String certName, int version, long lastRequested, String request_id, List<String> requestedDnsSans, String issuer, Optional<Long> expiry, Optional<Long> lastRefreshed) {
this.keyName = keyName;
this.certName = certName;
this.version = version;
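Review bot: The constructor at L40 now takes `request_id`, `requestedDnsSans` and `issuer` as plain values, but nothing rejects null or snapshots the list, so a null slips through to `request_id.equals(that.request_id)` in the equals hunk, and a caller that keeps a reference to the list can mutate this otherwise final metadata. In the assignment hunk that follows I would write `this.request_id = Objects.requireNonNull(request_id, "request_id");`, `this.requestedDnsSans = List.copyOf(requestedDnsSans);` and `this.issuer = Objects.requireNonNull(issuer, "issuer");` — `Objects` is already used by `hashCode`, and `List.copyOf` also rejects null elements; the same `requireNonNull` applies to the two `Optional` parameters, which should never be null themselves. This assumes no caller relies on mutating the list after construction, which I cannot see from here. The constructor body continues outside this hunk.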
@@ -34,6 +31,8 @@ public class EndpointCertificateMetadata {
this.request_id = request_id;
this.requestedDnsSans = requestedDnsSans;
this.issuer = issuer;
+ this.expiry = expiry;
+ this.lastRefreshed = lastRefreshed;
}
public String keyName() {
@@ -52,18 +51,26 @@ public class EndpointCertificateMetadata {
return lastRequested;
}
- public Optional<String> request_id() {
+ public String request_id() {
return request_id;
}
- public Optional<List<String>> requestedDnsSans() {
+ public List<String> requestedDnsSans() {
return requestedDnsSans;
}
- public Optional<String> issuer() {
+ public String issuer() {
return issuer;
}
+ public Optional<Long> expiry() {
+ return expiry;
+ }
+
+ public Optional<Long> lastRefreshed() {
+ return lastRefreshed;
+ }
+
public EndpointCertificateMetadata withVersion(int version) {
return new EndpointCertificateMetadata(
this.keyName,
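Review bot: The new accessors `expiry()` and `lastRefreshed()` at L67 and L71 say nothing about what the `Long` holds or when it is empty; the mock in the second file builds both from `Instant.now().getEpochSecond()`, so seconds since the epoch appears to be the intent, but a reader of this class cannot tell. I would add Javadoc such as `/** Expiry of the certificate in seconds since the epoch, or empty if not yet known. */` on `expiry()` and `/** Time the certificate was last refreshed, in seconds since the epoch, or empty if it has never been refreshed. */` on `lastRefreshed()`, adjusting the wording if the unit is something else. A `@param` note on the constructor in the first hunk would cover the same ground for callers.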
@@ -72,8 +79,9 @@ public class EndpointCertificateMetadata {
this.lastRequested,
this.request_id,
this.requestedDnsSans,
- this.issuer
- );
+ this.issuer,
+ this.expiry,
+ this.lastRefreshed);
}
public EndpointCertificateMetadata withLastRequested(long lastRequested) {
@@ -84,8 +92,22 @@ public class EndpointCertificateMetadata {
lastRequested,
this.request_id,
this.requestedDnsSans,
- this.issuer
- );
+ this.issuer,
+ this.expiry,
+ this.lastRefreshed);
+ }
+
+ public EndpointCertificateMetadata withLastRefreshed(long lastRefreshed) {
+ return new EndpointCertificateMetadata(
+ this.keyName,
+ this.certName,
+ this.version,
+ this.lastRequested,
+ this.request_id,
+ this.requestedDnsSans,
+ this.issuer,
+ this.expiry,
+ Optional.of(lastRefreshed));
}
@Override
@@ -98,6 +120,8 @@ public class EndpointCertificateMetadata {
", request_id=" + request_id +
", requestedDnsSans=" + requestedDnsSans +
", issuer=" + issuer +
+ ", expiry=" + expiry +
+ ", lastRefreshed=" + lastRefreshed +
'}';
}
@@ -112,11 +136,13 @@ public class EndpointCertificateMetadata {
certName.equals(that.certName) &&
request_id.equals(that.request_id) &&
requestedDnsSans.equals(that.requestedDnsSans) &&
- issuer.equals(that.issuer);
+ issuer.equals(that.issuer) &&
+ expiry.equals(that.expiry) &&
+ lastRefreshed.equals(that.lastRefreshed);
}
@Override
public int hashCode() {
- return Objects.hash(keyName, certName, version, lastRequested, request_id, requestedDnsSans, issuer);
+ return Objects.hash(keyName, certName, version, lastRequested, request_id, requestedDnsSans, issuer, expiry, lastRefreshed);
}
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
index 8c63613ec91..b5ee78251f0 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.certificates;
import com.yahoo.config.provision.ApplicationId;
+import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -25,7 +26,10 @@ public class EndpointCertificateMock implements EndpointCertificateProvider {
this.dnsNames.put(applicationId, dnsNames);
String endpointCertificatePrefix = String.format("vespa.tls.%s.%s.%s", applicationId.tenant(),
applicationId.application(), applicationId.instance());
- return new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", 0, 0, Optional.of("mock-id-string"), Optional.of(dnsNames), Optional.of("mockCa"));
+ long epochSecond = Instant.now().getEpochSecond();
+ long inAnHour = epochSecond + 3600;
+ return new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", 0, 0,
+ "mock-id-string", dnsNames, "mockCa", Optional.of(inAnHour), Optional.of(epochSecond));
}
@Override
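Review bot: `Instant.now()` at L151 makes the mock wall-clock dependent: two calls in different seconds return metadata that are not `equals`, and `expiry` is always one hour after the call, so tests that compare or persist the returned object may become timing-sensitive. Prefer a fixed value or a `Clock` handed to the mock, e.g. `long epochSecond = clock.instant().getEpochSecond();` with a `Clock.fixed(...)` supplied by tests; if real time is intentional here, a one-line comment saying so would help the next reader. The enclosing method starts outside this hunk.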