Include declared application endpoints in certificate

author: Martin Polden <mpolden@mpolden.no> 2021-11-16 12:49:47 +0100
committer: Martin Polden <mpolden@mpolden.no> 2021-11-16 15:59:29 +0100
commit: 803d44ee818d1ebeaf8e7aa16a0630c0a040a60c (patch)
tree: afcc878d565e17b02575305b5a1e28643767742a /controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate
parent: ae17913e52e645b10f41ab5633bba785272546e6 (diff)
1 files changed, 14 insertions, 11 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
index 684648ed70a..e3091b704e4 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
@@ -2,6 +2,7 @@
 package com.yahoo.vespa.hosted.controller.certificate;
 
 import com.yahoo.config.application.api.DeploymentInstanceSpec;
+import com.yahoo.config.application.api.DeploymentSpec;
 import com.yahoo.config.provision.zone.ZoneId;
 import com.yahoo.text.Text;
 import com.yahoo.vespa.hosted.controller.Controller;
@@ -52,9 +53,9 @@ public class EndpointCertificates {
     }
 
     /** Returns certificate metadata for endpoints of given instance and zone */
-    public Optional<EndpointCertificateMetadata> getMetadata(Instance instance, ZoneId zone, Optional<DeploymentInstanceSpec> instanceSpec) {
+    public Optional<EndpointCertificateMetadata> getMetadata(Instance instance, ZoneId zone, DeploymentSpec deploymentSpec) {
         Instant start = clock.instant();
-        Optional<EndpointCertificateMetadata> metadata = getOrProvision(instance, zone, instanceSpec);
+        Optional<EndpointCertificateMetadata> metadata = getOrProvision(instance, zone, deploymentSpec);
         metadata.ifPresent(m -> curator.writeEndpointCertificateMetadata(instance.id(), m.withLastRequested(clock.instant().getEpochSecond())));
         Duration duration = Duration.between(start, clock.instant());
         if (duration.toSeconds() > 30)
@@ -62,13 +63,12 @@ public class EndpointCertificates {
         return metadata;
     }
 
-    private Optional<EndpointCertificateMetadata> getOrProvision(Instance instance, ZoneId zone, Optional<DeploymentInstanceSpec> instanceSpec) {
-        final var currentCertificateMetadata = curator.readEndpointCertificateMetadata(instance.id());
-
+    private Optional<EndpointCertificateMetadata> getOrProvision(Instance instance, ZoneId zone, DeploymentSpec deploymentSpec) {
+        Optional<EndpointCertificateMetadata> currentCertificateMetadata = curator.readEndpointCertificateMetadata(instance.id());
         DeploymentId deployment = new DeploymentId(instance.id(), zone);
 
         if (currentCertificateMetadata.isEmpty()) {
-            var provisionedCertificateMetadata = provisionEndpointCertificate(deployment, Optional.empty(), instanceSpec);
+            var provisionedCertificateMetadata = provisionEndpointCertificate(deployment, Optional.empty(), deploymentSpec);
             // We do not verify the certificate if one has never existed before - because we do not want to
             // wait for it to be available before we deploy. This allows the config server to start
             // provisioning nodes ASAP, and the risk is small for a new deployment.
@@ -77,10 +77,10 @@ public class EndpointCertificates {
         }
 
         // Re-provision certificate if it is missing SANs for the zone we are deploying to
-        var requiredSansForZone = controller.routing().certificateDnsNames(deployment);
+        var requiredSansForZone = controller.routing().certificateDnsNames(deployment, deploymentSpec);
         if (!currentCertificateMetadata.get().requestedDnsSans().containsAll(requiredSansForZone)) {
             var reprovisionedCertificateMetadata =
-                    provisionEndpointCertificate(deployment, currentCertificateMetadata, instanceSpec)
+                    provisionEndpointCertificate(deployment, currentCertificateMetadata, deploymentSpec)
                             .withRequestId(currentCertificateMetadata.get().requestId()); // We're required to keep the original request ID
             curator.writeEndpointCertificateMetadata(instance.id(), reprovisionedCertificateMetadata);
             // Verification is unlikely to succeed in this case, as certificate must be available first - controller will retry
@@ -94,12 +94,13 @@ public class EndpointCertificates {
 
     private EndpointCertificateMetadata provisionEndpointCertificate(DeploymentId deployment,
                                                                      Optional<EndpointCertificateMetadata> currentMetadata,
-                                                                     Optional<DeploymentInstanceSpec> instanceSpec) {
+                                                                     DeploymentSpec deploymentSpec) {
         List<ZoneId> zonesInSystem = controller.zoneRegistry().zones().controllerUpgraded().ids();
         Set<ZoneId> requiredZones = new LinkedHashSet<>();
         requiredZones.add(deployment.zoneId());
         if (!deployment.zoneId().environment().isManuallyDeployed()) {
             // If not deploying to a dev or perf zone, require all prod zones in deployment spec + test and staging
+            Optional<DeploymentInstanceSpec> instanceSpec = deploymentSpec.instance(deployment.applicationId().instance());
             zonesInSystem.stream()
                          .filter(zone -> zone.environment().isTest() ||
                                          (instanceSpec.isPresent() &&
@@ -107,14 +108,16 @@ public class EndpointCertificates {
                          .forEach(requiredZones::add);
         }
         Set<String> requiredNames = requiredZones.stream()
-                                                 .flatMap(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone)).stream())
+                                                 .flatMap(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone),
+                                                                                                           deploymentSpec)
+                                                                            .stream())
                                                  .collect(Collectors.toCollection(LinkedHashSet::new));
 
         // Preserve any currently present names that are still valid
         List<String> currentNames = currentMetadata.map(EndpointCertificateMetadata::requestedDnsSans)
                                                    .orElseGet(List::of);
         zonesInSystem.stream()
-                     .map(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone)))
+                     .map(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone), deploymentSpec))
                      .filter(currentNames::containsAll)
                      .forEach(requiredNames::addAll);
author	Martin Polden <mpolden@mpolden.no>	2021-11-16 12:49:47 +0100
committer	Martin Polden <mpolden@mpolden.no>	2021-11-16 15:59:29 +0100
commit	803d44ee818d1ebeaf8e7aa16a0630c0a040a60c (patch)
tree	afcc878d565e17b02575305b5a1e28643767742a /controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate
parent	ae17913e52e645b10f41ab5633bba785272546e6 (diff)