author | Andreas Eriksen <andreer@yahooinc.com> | 2022-06-07 15:37:36 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-07 15:37:36 +0200 |
commit | 55739697251b3498966be7916e879660eee0c6a3 (patch) | |
tree | c81509bb450fe105a9c4601e1395bd9e4a188f5b /controller-server | |
parent | 3c11b757e61d022832de4c48fae6f0a44030f4bd (diff) |
Copy endpoint certs to GCP (#22806)
Co-authored-by: Ola Aunrønning <olaa@yahooinc.com>
Diffstat (limited to 'controller-server')
2 files changed, 22 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
index 996b53cc6f5..270cfba00c0 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.certificate;
 import com.yahoo.config.application.api.DeploymentInstanceSpec;
 import com.yahoo.config.application.api.DeploymentSpec;
+import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.zone.ZoneId;
 import com.yahoo.text.Text;
 import com.yahoo.vespa.hosted.controller.Controller;
@@ -11,6 +12,7 @@ import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateValidator;
+import com.yahoo.vespa.hosted.controller.api.integration.secrets.GcpSecretStore;
 import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
 import java.time.Clock;
@@ -60,6 +62,22 @@ public class EndpointCertificates {
         Duration duration = Duration.between(start, clock.instant());
         if (duration.toSeconds() > 30)
             log.log(Level.INFO, Text.format("Getting endpoint certificate metadata for %s took %d seconds!", instance.id().serializedForm(), duration.toSeconds()));
+
+        if (controller.zoneRegistry().zones().ofCloud(CloudName.from("gcp")).ids().contains(zone)) { // Until CKMS is available from GCP
+            if(metadata.isPresent()) {
+                var m = metadata.get();
+                GcpSecretStore gcpSecretStore = controller.serviceRegistry().gcpSecretStore();
+                String mangledCertName = "endpointCert_" + m.certName().replace('.', '_'); // Google cloud does not accept dots in secrets, but they accept underscores
+                String mangledKeyName = "endpointCert_" + m.keyName().replace('.', '_'); // Google cloud does not accept dots in secrets, but they accept underscores
+                if (gcpSecretStore.getSecret(mangledCertName, m.version()) == null)
+                    gcpSecretStore.createSecret(mangledCertName + "-v" + m.version(), controller.secretStore().getSecret(m.certName(), m.version()));
+                if (gcpSecretStore.getSecret(mangledKeyName, m.version()) == null)
+                    gcpSecretStore.createSecret(mangledKeyName + "-v" + m.version(), controller.secretStore().getSecret(m.keyName(), m.version()));
+
+                return Optional.of(m.withVersion(1).withKeyName(mangledKeyName).withCertName(mangledCertName));
+            }
+        }
+
         return metadata;
     }
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
index 596335baeb5..8e0d70bdb80 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
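Review bot: The existence check and the create call in the GCP branch use different secret names — the lookup is `gcpSecretStore.getSecret(mangledCertName, m.version())` but the write is `gcpSecretStore.createSecret(mangledCertName + "-v" + m.version(), ...)` — so unless GcpSecretStore derives the `-v<version>` suffix itself (not visible here), the check never matches what was created and the private key is re-copied, or createSecret fails on a duplicate, on every call; the same applies to the key-name pair two lines below. The value read from `controller.secretStore().getSecret(m.certName(), m.version())` is also handed straight to createSecret with no null check, so a missing CKMS entry would be written into GCP as an empty secret instead of failing loudly. Since this copies private key material into a second store, I would guard each write with `Objects.requireNonNull(controller.secretStore().getSecret(m.certName(), m.version()), "certificate secret missing in CKMS")` (and likewise for the key), and add a comment on the `withVersion(1)` line stating why the returned metadata pins version 1, presumably because the newly created GCP secret has exactly one version. The enclosing method starts before this hunk.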
@@ -37,6 +37,8 @@ import com.yahoo.vespa.hosted.controller.api.integration.organization.MockIssueH
 import com.yahoo.vespa.hosted.controller.api.integration.resource.CostReportConsumerMock;
 import com.yahoo.vespa.hosted.controller.api.integration.resource.ResourceDatabaseClient;
 import com.yahoo.vespa.hosted.controller.api.integration.resource.ResourceDatabaseClientMock;
+import com.yahoo.vespa.hosted.controller.api.integration.secrets.GcpSecretStore;
+import com.yahoo.vespa.hosted.controller.api.integration.secrets.NoopGcpSecretStore;
 import com.yahoo.vespa.hosted.controller.api.integration.secrets.NoopTenantSecretService;
 import com.yahoo.vespa.hosted.controller.api.integration.stubs.DummyOwnershipIssues;
 import com.yahoo.vespa.hosted.controller.api.integration.stubs.DummySystemMonitor;
@@ -295,4 +297,6 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
     public RoleMaintainerMock roleMaintainerMock() {
         return roleMaintainer;
     }
+
+    public GcpSecretStore gcpSecretStore() { return new NoopGcpSecretStore(); }
 }