author | Martin Polden <mpolden@mpolden.no> | 2021-10-28 09:16:50 +0200 |
committer | Martin Polden <mpolden@mpolden.no> | 2021-10-28 09:22:56 +0200 |
commit | 29bd3e58d581ffe28e091810745a23ccc7c21d62 (patch) | |
tree | bf77aba207c7aff034baa894778e49af96c2ed1c /controller-server | |
parent | 062c783e30399fad743aabeb892a362e168e788a (diff) |
Avoid three-level names in certificates
Diffstat (limited to 'controller-server')
3 files changed, 14 insertions, 2 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
index f0c8a46fa45..a4077eeea50 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/RoutingController.java
@@ -394,7 +394,7 @@ public class RoutingController {
 private String commonNameHashOf(ApplicationId application, SystemName system) {
 HashCode sha1 = Hashing.sha1().hashString(application.serializedForm(), StandardCharsets.UTF_8);
 String base32 = BaseEncoding.base32().omitPadding().lowerCase().encode(sha1.asBytes());
- return 'v' + base32 + Endpoint.dnsSuffix(system, includeLegacyEndpoint(application, system));
+ return 'v' + base32 + Endpoint.internalDnsSuffix(system, includeLegacyEndpoint(application, system));
 }
 
 private boolean includeLegacyEndpoint(ApplicationId application, SystemName system) {
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java
index 3a35e3aec7a..2fe2f7b20ac 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/application/Endpoint.java
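Review bot: The switch to `Endpoint.internalDnsSuffix` in `commonNameHashOf` changes the derived common name for every public, non-legacy application, so a certificate issued before this change carries the old `v<hash>.vespa-app.cloud` name while the controller now expects `v<hash>.internal.vespa-app.cloud` (the updated EndpointCertificatesTest shows the new expectation). Whether that mismatch makes the controller request a fresh certificate or leaves the old one in use is decided by code outside this hunk and is worth confirming before merge. If commonNameHashOf is not already documented above line 394, a Javadoc such as `/** Returns the certificate common name for given application: 'v' + base32(sha1(serialized id)) + the internal DNS suffix of the system. */` would make the dependency on the suffix explicit. The body of includeLegacyEndpoint continues outside the hunk.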
@@ -266,6 +266,18 @@ public class Endpoint {
 }
 }
 
+ /** Returns the DNS suffix used for internal names (i.e. names not exposed to tenants) in given system */
+ public static String internalDnsSuffix(SystemName system, boolean legacy) {
+ // TODO(mpolden): Stop exposing legacy parameter after legacy endpoints in public are completely removed
+ String suffix = dnsSuffix(system, legacy);
+ if (system.isPublic() && !legacy) {
+ // Certificate provider requires special approval for three-level DNS names, e.g. foo.vespa-app.cloud.
+ // To avoid this in public we always add an extra level.
+ return ".internal" + suffix;
+ }
+ return suffix;
+ }
+
 private static String upstreamIdOf(String name, ApplicationId application, ZoneId zone) {
 return Stream.of(namePart(name, ""),
 instancePart(Optional.of(application.instance()), ""),
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
index 41745169f7a..8a0b97f20db 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
@@ -134,7 +134,7 @@ public class EndpointCertificatesTest {
 EndpointCertificateValidatorImpl endpointCertificateValidator = new EndpointCertificateValidatorImpl(secretStore, clock);
 EndpointCertificates endpointCertificates = new EndpointCertificates(tester.controller(), endpointCertificateMock, endpointCertificateValidator);
 List<String> expectedSans = List.of(
- "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.vespa-app.cloud",
+ "vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.internal.vespa-app.cloud",
 "default.default.g.vespa-app.cloud",
 "*.default.default.g.vespa-app.cloud",
 "default.default.aws-us-east-1a.z.vespa-app.cloud",
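Review bot: The Javadoc on `internalDnsSuffix` does not state the one property callers now rely on: in a public system the returned suffix gains an extra `internal` label unless `legacy` is set, which is exactly what RoutingController.commonNameHashOf and the updated EndpointCertificatesTest expectation depend on. Extend it with `In public systems (and unless legacy is set) an extra ".internal" label is prepended so that names built from this suffix have at least four levels.`, and lift the bare literal in `return ".internal" + suffix;` to a named constant, e.g. `private static final String INTERNAL_LABEL = ".internal";`, so the label is defined in one place if it ever has to change. The result only forms a valid name if `dnsSuffix` returns a leading dot, which the test's expected `vt2ktgkqme5zlnp4tj4ttyor7fj3v7q5o.internal.vespa-app.cloud` suggests but this hunk does not show; a short assertion or comment on that precondition would make the concatenation safe to read. The enclosing class Endpoint continues outside the hunk.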