Copy endpoint certs to GCP (#22806)

Co-authored-by: Ola Aunrønning <olaa@yahooinc.com>
author: Andreas Eriksen <andreer@yahooinc.com> 2022-06-07 15:37:36 +0200
committer: GitHub <noreply@github.com> 2022-06-07 15:37:36 +0200
commit: 55739697251b3498966be7916e879660eee0c6a3 (patch)
tree: c81509bb450fe105a9c4601e1395bd9e4a188f5b /controller-server
parent: 3c11b757e61d022832de4c48fae6f0a44030f4bd (diff)
2 files changed, 22 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
index 996b53cc6f5..270cfba00c0 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.certificate;
 
 import com.yahoo.config.application.api.DeploymentInstanceSpec;
 import com.yahoo.config.application.api.DeploymentSpec;
+import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.zone.ZoneId;
 import com.yahoo.text.Text;
 import com.yahoo.vespa.hosted.controller.Controller;
@@ -11,6 +12,7 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateValidator;
+import com.yahoo.vespa.hosted.controller.api.integration.secrets.GcpSecretStore;
 import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
 
 import java.time.Clock;
@@ -60,6 +62,22 @@ public class EndpointCertificates {
         Duration duration = Duration.between(start, clock.instant());
         if (duration.toSeconds() > 30)
             log.log(Level.INFO, Text.format("Getting endpoint certificate metadata for %s took %d seconds!", instance.id().serializedForm(), duration.toSeconds()));
+
+        if (controller.zoneRegistry().zones().ofCloud(CloudName.from("gcp")).ids().contains(zone)) { // Until CKMS is available from GCP
+            if(metadata.isPresent()) {
+                var m = metadata.get();
+                GcpSecretStore gcpSecretStore = controller.serviceRegistry().gcpSecretStore();
+                String mangledCertName = "endpointCert_" + m.certName().replace('.', '_'); // Google cloud does not accept dots in secrets, but they accept underscores
+                String mangledKeyName = "endpointCert_" + m.keyName().replace('.', '_'); // Google cloud does not accept dots in secrets, but they accept underscores
+                if (gcpSecretStore.getSecret(mangledCertName, m.version()) == null)
+                    gcpSecretStore.createSecret(mangledCertName + "-v" + m.version(), controller.secretStore().getSecret(m.certName(), m.version()));
+                if (gcpSecretStore.getSecret(mangledKeyName, m.version()) == null)
+                    gcpSecretStore.createSecret(mangledKeyName + "-v" + m.version(), controller.secretStore().getSecret(m.keyName(), m.version()));
+
+                return Optional.of(m.withVersion(1).withKeyName(mangledKeyName).withCertName(mangledCertName));
+            }
+        }
+
         return metadata;
     }
 
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
index 596335baeb5..8e0d70bdb80 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
@@ -37,6 +37,8 @@ import com.yahoo.vespa.hosted.controller.api.integration.organization.MockIssueH
 import com.yahoo.vespa.hosted.controller.api.integration.resource.CostReportConsumerMock;
 import com.yahoo.vespa.hosted.controller.api.integration.resource.ResourceDatabaseClient;
 import com.yahoo.vespa.hosted.controller.api.integration.resource.ResourceDatabaseClientMock;
+import com.yahoo.vespa.hosted.controller.api.integration.secrets.GcpSecretStore;
+import com.yahoo.vespa.hosted.controller.api.integration.secrets.NoopGcpSecretStore;
 import com.yahoo.vespa.hosted.controller.api.integration.secrets.NoopTenantSecretService;
 import com.yahoo.vespa.hosted.controller.api.integration.stubs.DummyOwnershipIssues;
 import com.yahoo.vespa.hosted.controller.api.integration.stubs.DummySystemMonitor;
@@ -295,4 +297,6 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
     public RoleMaintainerMock roleMaintainerMock() {
         return roleMaintainer;
     }
+
+    public GcpSecretStore gcpSecretStore() { return new NoopGcpSecretStore(); }
 }
author	Andreas Eriksen <andreer@yahooinc.com>	2022-06-07 15:37:36 +0200
committer	GitHub <noreply@github.com>	2022-06-07 15:37:36 +0200
commit	55739697251b3498966be7916e879660eee0c6a3 (patch)
tree	c81509bb450fe105a9c4601e1395bd9e4a188f5b /controller-server
parent	3c11b757e61d022832de4c48fae6f0a44030f4bd (diff)