diff options
| author | Martin Polden <mpolden@mpolden.no> | 2021-11-16 12:49:47 +0100 |
|---|---|---|
| committer | Martin Polden <mpolden@mpolden.no> | 2021-11-16 15:59:29 +0100 |
| commit | 803d44ee818d1ebeaf8e7aa16a0630c0a040a60c (patch) | |
| tree | afcc878d565e17b02575305b5a1e28643767742a /controller-server | |
| parent | ae17913e52e645b10f41ab5633bba785272546e6 (diff) | |
Include declared application endpoints in certificate
Diffstat (limited to 'controller-server')
5 files changed, 98 insertions, 23 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java index 2d7f9b27334..01b12a5136d 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java @@ -376,7 +376,7 @@ public class ApplicationController { && run.testerCertificate().isPresent()) applicationPackage = applicationPackage.withTrustedCertificate(run.testerCertificate().get()); - endpointCertificateMetadata = endpointCertificates.getMetadata(instance, zone, applicationPackage.deploymentSpec().instance(instance.name())); + endpointCertificateMetadata = endpointCertificates.getMetadata(instance, zone, applicationPackage.deploymentSpec()); containerEndpoints = controller.routing().containerEndpointsOf(application.get(), job.application().instance(), zone); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java index a6b261a2981..37266dd6dac 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java @@ -173,21 +173,34 @@ public class RoutingController { } /** Returns certificate DNS names (CN and SAN values) for given deployment */ - public List<String> certificateDnsNames(DeploymentId deployment) { + public List<String> certificateDnsNames(DeploymentId deployment, DeploymentSpec deploymentSpec) { List<String> endpointDnsNames = new ArrayList<>(); // We add first an endpoint name based on a hash of the application ID, // as the certificate provider requires the first CN to be < 64 characters long. endpointDnsNames.add(commonNameHashOf(deployment.applicationId(), controller.system())); - // Add wildcard names for global endpoints when deploying to production List<Endpoint.EndpointBuilder> builders = new ArrayList<>(); if (deployment.zoneId().environment().isProduction()) { + // Add default and wildcard names for global endpoints builders.add(Endpoint.of(deployment.applicationId()).target(EndpointId.defaultId())); builders.add(Endpoint.of(deployment.applicationId()).wildcard()); + + // Add default and wildcard names for each region targeted by application endpoints + List<DeploymentId> deploymentTargets = deploymentSpec.endpoints().stream() + .map(com.yahoo.config.application.api.Endpoint::targets) + .flatMap(Collection::stream) + .map(com.yahoo.config.application.api.Endpoint.Target::region) + .distinct() + .map(region -> new DeploymentId(deployment.applicationId(), ZoneId.from(Environment.prod, region))) + .collect(Collectors.toUnmodifiableList()); + for (var targetDeployment : deploymentTargets) { + builders.add(Endpoint.of(targetDeployment.applicationId()).targetApplication(EndpointId.defaultId(), targetDeployment)); + builders.add(Endpoint.of(targetDeployment.applicationId()).wildcardApplication(targetDeployment)); + } } - // Add wildcard names for zone endpoints + // Add default and wildcard names for zone endpoints builders.add(Endpoint.of(deployment.applicationId()).target(ClusterSpec.Id.from("default"), deployment)); builders.add(Endpoint.of(deployment.applicationId()).wildcard(deployment)); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java index 5bfc5a97e3d..1e917dd1376 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java @@ -526,11 +526,21 @@ public class Endpoint { return target(endpointId, ClusterSpec.Id.from("default"), List.of()); } + /** Sets the application target with given ID and pointing to the default cluster */ + public EndpointBuilder targetApplication(EndpointId endpointId, DeploymentId deployment) { + return targetApplication(endpointId, ClusterSpec.Id.from("default"), Map.of(deployment, 1)); + } + /** Sets the global wildcard target for this */ public EndpointBuilder wildcard() { return target(EndpointId.of("*"), ClusterSpec.Id.from("*"), List.of()); } + /** Sets the application wildcard target for this */ + public EndpointBuilder wildcardApplication(DeploymentId deployment) { + return targetApplication(EndpointId.of("*"), ClusterSpec.Id.from("*"), Map.of(deployment, 1)); + } + /** Sets the zone wildcard target for this */ public EndpointBuilder wildcard(DeploymentId deployment) { return target(ClusterSpec.Id.from("*"), deployment); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java index 684648ed70a..e3091b704e4 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java @@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.controller.certificate; import com.yahoo.config.application.api.DeploymentInstanceSpec; +import com.yahoo.config.application.api.DeploymentSpec; import com.yahoo.config.provision.zone.ZoneId; import com.yahoo.text.Text; import com.yahoo.vespa.hosted.controller.Controller; @@ -52,9 +53,9 @@ public class EndpointCertificates { } /** Returns certificate metadata for endpoints of given instance and zone */ - public Optional<EndpointCertificateMetadata> getMetadata(Instance instance, ZoneId zone, Optional<DeploymentInstanceSpec> instanceSpec) { + public Optional<EndpointCertificateMetadata> getMetadata(Instance instance, ZoneId zone, DeploymentSpec deploymentSpec) { Instant start = clock.instant(); - Optional<EndpointCertificateMetadata> metadata = getOrProvision(instance, zone, instanceSpec); + Optional<EndpointCertificateMetadata> metadata = getOrProvision(instance, zone, deploymentSpec); metadata.ifPresent(m -> curator.writeEndpointCertificateMetadata(instance.id(), m.withLastRequested(clock.instant().getEpochSecond()))); Duration duration = Duration.between(start, clock.instant()); if (duration.toSeconds() > 30) @@ -62,13 +63,12 @@ public class EndpointCertificates { return metadata; } - private Optional<EndpointCertificateMetadata> getOrProvision(Instance instance, ZoneId zone, Optional<DeploymentInstanceSpec> instanceSpec) { - final var currentCertificateMetadata = curator.readEndpointCertificateMetadata(instance.id()); - + private Optional<EndpointCertificateMetadata> getOrProvision(Instance instance, ZoneId zone, DeploymentSpec deploymentSpec) { + Optional<EndpointCertificateMetadata> currentCertificateMetadata = curator.readEndpointCertificateMetadata(instance.id()); DeploymentId deployment = new DeploymentId(instance.id(), zone); if (currentCertificateMetadata.isEmpty()) { - var provisionedCertificateMetadata = provisionEndpointCertificate(deployment, Optional.empty(), instanceSpec); + var provisionedCertificateMetadata = provisionEndpointCertificate(deployment, Optional.empty(), deploymentSpec); // We do not verify the certificate if one has never existed before - because we do not want to // wait for it to be available before we deploy. This allows the config server to start // provisioning nodes ASAP, and the risk is small for a new deployment. @@ -77,10 +77,10 @@ public class EndpointCertificates { } // Re-provision certificate if it is missing SANs for the zone we are deploying to - var requiredSansForZone = controller.routing().certificateDnsNames(deployment); + var requiredSansForZone = controller.routing().certificateDnsNames(deployment, deploymentSpec); if (!currentCertificateMetadata.get().requestedDnsSans().containsAll(requiredSansForZone)) { var reprovisionedCertificateMetadata = - provisionEndpointCertificate(deployment, currentCertificateMetadata, instanceSpec) + provisionEndpointCertificate(deployment, currentCertificateMetadata, deploymentSpec) .withRequestId(currentCertificateMetadata.get().requestId()); // We're required to keep the original request ID curator.writeEndpointCertificateMetadata(instance.id(), reprovisionedCertificateMetadata); // Verification is unlikely to succeed in this case, as certificate must be available first - controller will retry @@ -94,12 +94,13 @@ public class EndpointCertificates { private EndpointCertificateMetadata provisionEndpointCertificate(DeploymentId deployment, Optional<EndpointCertificateMetadata> currentMetadata, - Optional<DeploymentInstanceSpec> instanceSpec) { + DeploymentSpec deploymentSpec) { List<ZoneId> zonesInSystem = controller.zoneRegistry().zones().controllerUpgraded().ids(); Set<ZoneId> requiredZones = new LinkedHashSet<>(); requiredZones.add(deployment.zoneId()); if (!deployment.zoneId().environment().isManuallyDeployed()) { // If not deploying to a dev or perf zone, require all prod zones in deployment spec + test and staging + Optional<DeploymentInstanceSpec> instanceSpec = deploymentSpec.instance(deployment.applicationId().instance()); zonesInSystem.stream() .filter(zone -> zone.environment().isTest() || (instanceSpec.isPresent() && @@ -107,14 +108,16 @@ public class EndpointCertificates { .forEach(requiredZones::add); } Set<String> requiredNames = requiredZones.stream() - .flatMap(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone)).stream()) + .flatMap(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone), + deploymentSpec) + .stream()) .collect(Collectors.toCollection(LinkedHashSet::new)); // Preserve any currently present names that are still valid List<String> currentNames = currentMetadata.map(EndpointCertificateMetadata::requestedDnsSans) .orElseGet(List::of); zonesInSystem.stream() - .map(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone))) + .map(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone), deploymentSpec)) .filter(currentNames::containsAll) .forEach(requiredNames::addAll); diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java index c6a9c12027f..0a93c936b41 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java @@ -5,6 +5,8 @@ import com.yahoo.config.application.api.DeploymentSpec; import com.yahoo.config.application.api.xml.DeploymentSpecXmlReader; import com.yahoo.config.provision.ApplicationId; import com.yahoo.config.provision.Environment; +import com.yahoo.config.provision.InstanceName; +import com.yahoo.config.provision.RegionName; import com.yahoo.config.provision.SystemName; import com.yahoo.config.provision.zone.RoutingMethod; import com.yahoo.config.provision.zone.ZoneId; @@ -19,6 +21,8 @@ import com.yahoo.vespa.hosted.controller.Instance; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMock; import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateValidatorImpl; +import com.yahoo.vespa.hosted.controller.application.pkg.ApplicationPackage; +import com.yahoo.vespa.hosted.controller.deployment.ApplicationPackageBuilder; import com.yahoo.vespa.hosted.controller.integration.SecretStoreMock; import com.yahoo.vespa.hosted.controller.persistence.CuratorDb; import org.junit.Before; @@ -31,6 +35,7 @@ import java.time.Instant; import java.time.temporal.ChronoUnit; import java.util.ArrayList; import java.util.List; +import java.util.Map; import java.util.Optional; import java.util.Set; @@ -111,7 +116,7 @@ public class EndpointCertificatesTest { @Test public void provisions_new_certificate_in_dev() { ZoneId testZone = tester.zoneRegistry().zones().routingMethod(RoutingMethod.exclusive).in(Environment.dev).zones().stream().findFirst().orElseThrow().getId(); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.empty()); + Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, DeploymentSpec.empty); assertTrue(endpointCertificateMetadata.isPresent()); assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.default.default.*-key")); assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.default.default.*-cert")); @@ -121,7 +126,7 @@ public class EndpointCertificatesTest { @Test public void provisions_new_certificate_in_prod() { - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.empty()); + Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, DeploymentSpec.empty); assertTrue(endpointCertificateMetadata.isPresent()); assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.default.default.*-key")); assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.default.default.*-cert")); @@ -145,7 +150,7 @@ public class EndpointCertificatesTest { "default.default.aws-us-east-1c.staging.z.vespa-app.cloud", "*.default.default.aws-us-east-1c.staging.z.vespa-app.cloud" ); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.empty()); + Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, DeploymentSpec.empty); assertTrue(endpointCertificateMetadata.isPresent()); assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.default.default.*-key")); assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.default.default.*-cert")); @@ -164,7 +169,7 @@ public class EndpointCertificatesTest { "", Optional.empty(), Optional.empty())); secretStore.setSecret(testKeyName, KeyUtils.toPem(testKeyPair.getPrivate()), 7); secretStore.setSecret(testCertName, X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 7); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.empty()); + Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, DeploymentSpec.empty); assertTrue(endpointCertificateMetadata.isPresent()); assertEquals(testKeyName, endpointCertificateMetadata.get().keyName()); assertEquals(testCertName, endpointCertificateMetadata.get().certName()); @@ -176,7 +181,7 @@ public class EndpointCertificatesTest { mockCuratorDb.writeEndpointCertificateMetadata(testInstance.id(), new EndpointCertificateMetadata(testKeyName, testCertName, -1, 0, "uuid", List.of(), "issuer", Optional.empty(), Optional.empty())); secretStore.setSecret("vespa.tls.default.default.default-key", KeyUtils.toPem(testKeyPair.getPrivate()), 0); secretStore.setSecret("vespa.tls.default.default.default-cert", X509CertificateUtils.toPem(testCertificate) + X509CertificateUtils.toPem(testCertificate), 0); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.empty()); + Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, DeploymentSpec.empty); assertTrue(endpointCertificateMetadata.isPresent()); assertEquals(0, endpointCertificateMetadata.get().version()); assertEquals(endpointCertificateMetadata, mockCuratorDb.readEndpointCertificateMetadata(testInstance.id())); @@ -193,7 +198,7 @@ public class EndpointCertificatesTest { secretStore.setSecret("vespa.tls.default.default.default-key", KeyUtils.toPem(testKeyPair.getPrivate()), 0); secretStore.setSecret("vespa.tls.default.default.default-cert", X509CertificateUtils.toPem(testCertificate2) + X509CertificateUtils.toPem(testCertificate2), 0); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.empty()); + Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, DeploymentSpec.empty); assertTrue(endpointCertificateMetadata.isPresent()); assertEquals(0, endpointCertificateMetadata.get().version()); assertEquals(endpointCertificateMetadata, mockCuratorDb.readEndpointCertificateMetadata(testInstance.id())); @@ -203,7 +208,6 @@ public class EndpointCertificatesTest { @Test public void includes_zones_in_deployment_spec_when_deploying_to_staging() { - DeploymentSpec deploymentSpec = new DeploymentSpecXmlReader(true).read( "<deployment version=\"1.0\">\n" + " <instance id=\"default\">\n" + @@ -215,7 +219,7 @@ public class EndpointCertificatesTest { "</deployment>\n"); ZoneId testZone = tester.zoneRegistry().zones().all().in(Environment.staging).zones().stream().findFirst().orElseThrow().getId(); - Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, Optional.of(deploymentSpec.requireInstance("default"))); + Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(testInstance, testZone, deploymentSpec); assertTrue(endpointCertificateMetadata.isPresent()); assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.default.default.*-key")); assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.default.default.*-cert")); @@ -223,4 +227,49 @@ public class EndpointCertificatesTest { assertEquals(Set.copyOf(expectedCombinedSans), Set.copyOf(endpointCertificateMetadata.get().requestedDnsSans())); } + @Test + public void includes_application_endpoint_when_declared() { + Instance instance = new Instance(ApplicationId.from("t1", "a1", "default")); + ZoneId zone1 = ZoneId.from(Environment.prod, RegionName.from("aws-us-east-1c")); + ZoneId zone2 = ZoneId.from(Environment.prod, RegionName.from("aws-us-west-2a")); + ApplicationPackage applicationPackage = new ApplicationPackageBuilder() + .instances("beta,main") + .region(zone1.region()) + .region(zone2.region()) + .applicationEndpoint("a", "qrs", zone2.region().value(), + Map.of(InstanceName.from("beta"), 2, + InstanceName.from("main"), 8)) + .applicationEndpoint("b", "qrs", zone2.region().value(), + Map.of(InstanceName.from("beta"), 1, + InstanceName.from("main"), 1)) + .applicationEndpoint("c", "qrs", zone1.region().value(), + Map.of(InstanceName.from("beta"), 4, + InstanceName.from("main"), 6)) + .build(); + ControllerTester tester = new ControllerTester(SystemName.Public); + EndpointCertificateValidatorImpl endpointCertificateValidator = new EndpointCertificateValidatorImpl(secretStore, clock); + EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateMock, endpointCertificateValidator); + List<String> expectedSans = List.of( + "vlfms2wpoa4nyrka2s5lktucypjtxkqhv.internal.vespa-app.cloud", + "a1.t1.g.vespa-app.cloud", + "*.a1.t1.g.vespa-app.cloud", + "a1.t1.aws-us-west-2a.r.vespa-app.cloud", + "*.a1.t1.aws-us-west-2a.r.vespa-app.cloud", + "a1.t1.aws-us-east-1c.r.vespa-app.cloud", + "*.a1.t1.aws-us-east-1c.r.vespa-app.cloud", + "a1.t1.aws-us-east-1c.z.vespa-app.cloud", + "*.a1.t1.aws-us-east-1c.z.vespa-app.cloud", + "a1.t1.aws-us-east-1c.test.z.vespa-app.cloud", + "*.a1.t1.aws-us-east-1c.test.z.vespa-app.cloud", + "a1.t1.aws-us-east-1c.staging.z.vespa-app.cloud", + "*.a1.t1.aws-us-east-1c.staging.z.vespa-app.cloud" + ); + Optional<EndpointCertificateMetadata> endpointCertificateMetadata = endpointCertificates.getMetadata(instance, zone1, applicationPackage.deploymentSpec()); + assertTrue(endpointCertificateMetadata.isPresent()); + assertTrue(endpointCertificateMetadata.get().keyName().matches("vespa.tls.t1.a1.*-key")); + assertTrue(endpointCertificateMetadata.get().certName().matches("vespa.tls.t1.a1.*-cert")); + assertEquals(0, endpointCertificateMetadata.get().version()); + assertEquals(expectedSans, endpointCertificateMetadata.get().requestedDnsSans()); + } + } |