when deleting endpoint cert, clean up associated keys (#25413)

author: Andreas Eriksen <andreer@yahooinc.com> 2023-01-06 14:39:59 +0100
committer: GitHub <noreply@github.com> 2023-01-06 14:39:59 +0100
commit: d1a6c1090d18b4d168c364dd4c16a50871a8240b (patch)
tree: c5ed78478a817f542bf6285a19c5ebc47632ee31 /controller-server
parent: 97bda04ceeeddfcac94f435575450900397932a0 (diff)
2 files changed, 14 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java
index 2e2680cd34a..0b96d8adc1a 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/EndpointCertificateMaintainer.java
@@ -14,6 +14,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCe
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider;
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateRequestMetadata;
 import com.yahoo.vespa.hosted.controller.api.integration.deployment.JobType;
+import com.yahoo.vespa.hosted.controller.api.integration.secrets.EndpointSecretManager;
 import com.yahoo.vespa.hosted.controller.application.Deployment;
 import com.yahoo.vespa.hosted.controller.application.TenantAndApplicationId;
 import com.yahoo.vespa.hosted.controller.deployment.DeploymentTrigger;
@@ -49,6 +50,7 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer {
     private final Clock clock;
     private final CuratorDb curator;
     private final SecretStore secretStore;
+    private final EndpointSecretManager endpointSecretManager;
     private final EndpointCertificateProvider endpointCertificateProvider;
     final Comparator<EligibleJob> oldestFirst = Comparator.comparing(e -> e.deployment.at());
 
@@ -58,6 +60,7 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer {
         this.deploymentTrigger = controller.applications().deploymentTrigger();
         this.clock = controller.clock();
         this.secretStore = controller.secretStore();
+        this.endpointSecretManager = controller.serviceRegistry().secretManager();
         this.curator = controller().curator();
         this.endpointCertificateProvider = controller.serviceRegistry().endpointCertificateProvider();
     }
@@ -144,9 +147,11 @@ public class EndpointCertificateMaintainer extends ControllerMaintainer {
                 try (Mutex lock = lock(applicationId)) {
                     if (Optional.of(storedMetaData).equals(curator.readEndpointCertificateMetadata(applicationId))) {
                         log.log(Level.INFO, "Cert for app " + applicationId.serializedForm()
-                                + " has not been requested in a month and app has no deployments, deleting from provider and ZK");
+                                + " has not been requested in a month and app has no deployments, deleting from provider, ZK and secret store");
                         endpointCertificateProvider.deleteCertificate(applicationId, storedMetaData.rootRequestId());
                         curator.deleteEndpointCertificateMetadata(applicationId);
+                        endpointSecretManager.deleteSecret(storedMetaData.certName());
+                        endpointSecretManager.deleteSecret(storedMetaData.keyName());
                     }
                 }
             }
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
index eb16ecaab81..382a697c4cd 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
@@ -1,12 +1,10 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.integration;
 
-import ai.vespa.http.DomainName;
 import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.component.Version;
 import com.yahoo.component.annotation.Inject;
-import com.yahoo.config.provision.CloudAccount;
 import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.HostName;
 import com.yahoo.config.provision.SystemName;
@@ -31,10 +29,6 @@ import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCe
 import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateValidatorMock;
 import com.yahoo.vespa.hosted.controller.api.integration.dns.MemoryNameService;
 import com.yahoo.vespa.hosted.controller.api.integration.dns.MockVpcEndpointService;
-import com.yahoo.vespa.hosted.controller.api.integration.dns.RecordData;
-import com.yahoo.vespa.hosted.controller.api.integration.dns.RecordName;
-import com.yahoo.vespa.hosted.controller.api.integration.dns.VpcEndpointService;
-import com.yahoo.vespa.hosted.controller.api.integration.dns.VpcEndpointService.DnsChallenge;
 import com.yahoo.vespa.hosted.controller.api.integration.entity.MemoryEntityService;
 import com.yahoo.vespa.hosted.controller.api.integration.horizon.HorizonClient;
 import com.yahoo.vespa.hosted.controller.api.integration.horizon.MockHorizonClient;
@@ -45,7 +39,9 @@ import com.yahoo.vespa.hosted.controller.api.integration.resource.ResourceDataba
 import com.yahoo.vespa.hosted.controller.api.integration.resource.ResourceDatabaseClientMock;
 import com.yahoo.vespa.hosted.controller.api.integration.secrets.GcpSecretStore;
 import com.yahoo.vespa.hosted.controller.api.integration.secrets.NoopGcpSecretStore;
+import com.yahoo.vespa.hosted.controller.api.integration.secrets.NoopEndpointSecretManager;
 import com.yahoo.vespa.hosted.controller.api.integration.secrets.NoopTenantSecretService;
+import com.yahoo.vespa.hosted.controller.api.integration.secrets.EndpointSecretManager;
 import com.yahoo.vespa.hosted.controller.api.integration.stubs.DummyOwnershipIssues;
 import com.yahoo.vespa.hosted.controller.api.integration.stubs.DummySystemMonitor;
 import com.yahoo.vespa.hosted.controller.api.integration.stubs.LoggingDeploymentIssues;
@@ -92,6 +88,7 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
     private final BillingController billingController = new MockBillingController(clock);
     private final ArtifactRegistryMock containerRegistry = new ArtifactRegistryMock();
     private final NoopTenantSecretService tenantSecretService = new NoopTenantSecretService();
+    private final NoopEndpointSecretManager secretManager = new NoopEndpointSecretManager();
     private final ArchiveService archiveService = new MockArchiveService();
     private final MockChangeRequestClient changeRequestClient = new MockChangeRequestClient();
     private final AccessControlService accessControlService = new MockAccessControlService();
@@ -254,6 +251,11 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
     }
 
     @Override
+    public EndpointSecretManager secretManager() {
+        return secretManager;
+    }
+
+    @Override
     public ArchiveService archiveService() {
         return archiveService;
     }
author	Andreas Eriksen <andreer@yahooinc.com>	2023-01-06 14:39:59 +0100
committer	GitHub <noreply@github.com>	2023-01-06 14:39:59 +0100
commit	d1a6c1090d18b4d168c364dd4c16a50871a8240b (patch)
tree	c5ed78478a817f542bf6285a19c5ebc47632ee31 /controller-server
parent	97bda04ceeeddfcac94f435575450900397932a0 (diff)