authorMorten Tokle <mortent@verizonmedia.com>2021-10-28 11:20:38 +0200
committerGitHub <noreply@github.com>2021-10-28 11:20:38 +0200
commit0b724511faedaeaf583d954499e38652388c7d18 (patch)
tree97a6645ea13485e0645ed1f9e6ffd994116b124d /controller-server/src
parent63fc9646de4611c4a907255ca282512422c1ac60 (diff)
parent29bd3e58d581ffe28e091810745a23ccc7c21d62 (diff)
Merge pull request #19763 from vespa-engine/mpolden/avoid-three-level-names
Avoid three-level names in certificates
Diffstat (limited to 'controller-server/src')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java12
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java2
3 files changed, 14 insertions, 2 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
index ca6e11b868d..46c4d9d22b2 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
@@ -394,7 +394,7 @@ public class RoutingController {
private String commonNameHashOf(ApplicationId application, SystemName system) {
HashCode sha1 = Hashing.sha1().hashString(application.serializedForm(), StandardCharsets.UTF_8);
String base32 = BaseEncoding.base32().omitPadding().lowerCase().encode(sha1.asBytes());
- return 'v' + base32 + Endpoint.dnsSuffix(system, includeLegacyEndpoint(application, system));
+ return 'v' + base32 + Endpoint.internalDnsSuffix(system, includeLegacyEndpoint(application, system));
}
private boolean includeLegacyEndpoint(ApplicationId application, SystemName system) {
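Review bot: The common name returned by `commonNameHashOf` now changes for every public, non-legacy application, and nothing in this hunk shows how certificates already issued under the old name are treated. If stored certificate metadata is compared against the freshly computed name elsewhere (not visible here), existing applications could hit a mismatch or an unplanned re-issuance after upgrade, so that path is worth confirming before rollout. The name is also longer: 33 characters of prefix and hash plus the suffix, which for the value in the updated test is 58 of the 64 characters allowed in a certificate common name. A comment above the return such as `// CN limit is 64 chars: 'v' + 32 base32 chars + suffix must fit` would record that constraint for whoever next extends the suffix. The enclosing class continues outside the hunk.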
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java
index 6cfcdd345a4..a98e88210d2 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java
@@ -266,6 +266,18 @@ public class Endpoint {
}
}
+ /** Returns the DNS suffix used for internal names (i.e. names not exposed to tenants) in given system */
+ public static String internalDnsSuffix(SystemName system, boolean legacy) {
+ // TODO(mpolden): Stop exposing legacy parameter after legacy endpoints in public are completely removed
+ String suffix = dnsSuffix(system, legacy);
+ if (system.isPublic() && !legacy) {
+ // Certificate provider requires special approval for three-level DNS names, e.g. foo.vespa-app.cloud.
+ // To avoid this in public we always add an extra level.
+ return ".internal" + suffix;
+ }
+ return suffix;
+ }
+
private static String upstreamIdOf(String name, ApplicationId application, ZoneId zone) {
return Stream.of(namePart(name, ""),
instancePart(Optional.of(application.instance()), ""),
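Review bot: The javadoc on `internalDnsSuffix` describes these names as "not exposed to tenants", but the first hunk uses the result in a certificate common name, which any connecting client can read and which, for publicly trusted certificates, typically appears in Certificate Transparency logs. The doc should say the name is not a tenant-facing endpoint rather than suggest it is private, for example `/** Returns the DNS suffix (leading dot included) for names that are not tenant-facing endpoints, such as certificate common names; in public systems a non-legacy suffix gets an extra ".internal" level. */`. The `".internal"` literal would read better as a named constant next to the other suffix definitions, assuming those live in this class. Only the public, non-legacy branch is asserted by the test change in this commit; a case pinning that `legacy == true` or a non-public system returns the `dnsSuffix` value unchanged would cover the other path.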
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
index 41745169f7a..8a0b97f20db 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
@@ -134,7 +134,7 @@ public class EndpointCertificatesTest {
EndpointCertificateValidatorImpl endpointCertificateValidator = new EndpointCertificateValidatorImpl(secretStore, clock);
EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateMock, endpointCertificateValidator);
List<String> expectedSans = List.of(
- "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.vespa-app.cloud",
+ "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.internal.vespa-app.cloud",
"default.default.g.vespa-app.cloud",
"*.default.default.g.vespa-app.cloud",
"default.default.aws-us-east-1a.z.vespa-app.cloud",