Only return public addresses in Wireguard peer API (#27273)

* Only return public addresses in Wireguard peer API * Only add public IP WG peers in config server
author: Valerij Fredriksen <freva@users.noreply.github.com> 2023-06-05 12:54:40 +0200
committer: GitHub <noreply@github.com> 2023-06-05 12:54:40 +0200
commit: 4864d94e48919a8cb734191ab90b80738e843d08 (patch)
tree: f39afd8a79d5e8b8d1b3aad5585f071fa8b3ea10 /node-admin
parent: 377812082b5b87d15e2053dfb0eb838ba3b198f0 (diff)
2 files changed, 18 insertions, 14 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
index b26b9d2d0e4..043a8ae4cd5 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
@@ -2,6 +2,7 @@
 package com.yahoo.vespa.hosted.node.admin.configserver.noderepository;
 
 import com.fasterxml.jackson.databind.JsonNode;
+import com.google.common.net.InetAddresses;
 import com.yahoo.component.Version;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.CloudAccount;
@@ -30,6 +31,7 @@ import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.TreeMap;
+import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
@@ -136,8 +138,18 @@ public class RealNodeRepository implements NodeRepository {
         final GetNodesResponse response = configServerApi.get(path, GetNodesResponse.class);
 
         return response.nodes.stream()
-                .filter(node -> node.wireguardPubkey != null && ! node.wireguardPubkey.isEmpty())
-                .map(RealNodeRepository::createTenantPeer)
+                .mapMulti((NodeRepositoryNode node, Consumer<WireguardPeer> consumer) -> {
+                    if (node.wireguardPubkey == null || node.wireguardPubkey.isEmpty()) return;
+                    List<VersionedIpAddress> ipAddresses = node.ipAddresses.stream()
+                            .map(InetAddresses::forString)
+                            .filter(address -> !address.isLoopbackAddress() && !address.isLinkLocalAddress() && !address.isSiteLocalAddress())
+                            .map(VersionedIpAddress::from)
+                            .toList();
+                    if (ipAddresses.isEmpty()) return;
+
+                    consumer.accept(new WireguardPeer(
+                            HostName.of(node.hostname), ipAddresses, WireguardKey.from(node.wireguardPubkey)));
+                })
                 .sorted()
                 .toList();
     }
@@ -353,16 +365,9 @@ public class RealNodeRepository implements NodeRepository {
         return node;
     }
 
-    private static WireguardPeer createTenantPeer(NodeRepositoryNode node) {
-        return new WireguardPeer(HostName.of(node.hostname),
-                                 node.ipAddresses.stream().map(VersionedIpAddress::from).toList(),
-                                 WireguardKey.from(node.wireguardPubkey));
-    }
-
     private static WireguardPeer createConfigserverPeer(GetWireguardResponse.Configserver configServer) {
         return new WireguardPeer(HostName.of(configServer.hostname),
                                  configServer.ipAddresses.stream().map(VersionedIpAddress::from).toList(),
                                  WireguardKey.from(configServer.wireguardPubkey));
     }
-
 }
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepositoryTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepositoryTest.java
index 12816e1b8a3..6358fcecafb 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepositoryTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepositoryTest.java
@@ -211,7 +211,7 @@ public class RealNodeRepositoryTest {
         assertEquals(1, cfgPeers.size());
 
         assertWireguardPeer(cfgPeers.get(0), "cfg1.yahoo.com",
-                            "::201:1", "127.0.201.1",
+                            "::201:1",
                             "lololololololololololololololololololololoo=");
 
         //// Exclave nodes ////
@@ -222,15 +222,14 @@ public class RealNodeRepositoryTest {
         assertEquals(1, exclavePeers.size());
 
         assertWireguardPeer(exclavePeers.get(0), "dockerhost2.yahoo.com",
-                            "::101:1", "127.0.101.1",
+                            "::101:1",
                             "000011112222333344445555666677778888999900c=");
     }
 
-    private void assertWireguardPeer(WireguardPeer peer, String hostname, String ipv6, String ipv4, String publicKey) {
+    private void assertWireguardPeer(WireguardPeer peer, String hostname, String ipv6, String publicKey) {
         assertEquals(hostname, peer.hostname().value());
-        assertEquals(2, peer.ipAddresses().size());
+        assertEquals(1, peer.ipAddresses().size());
         assertIp(peer.ipAddresses().get(0), ipv6, 6);
-        assertIp(peer.ipAddresses().get(1), ipv4, 4);
         assertEquals(publicKey, peer.publicKey().value());
     }
author	Valerij Fredriksen <freva@users.noreply.github.com>	2023-06-05 12:54:40 +0200
committer	GitHub <noreply@github.com>	2023-06-05 12:54:40 +0200
commit	4864d94e48919a8cb734191ab90b80738e843d08 (patch)
tree	f39afd8a79d5e8b8d1b3aad5585f071fa8b3ea10 /node-admin
parent	377812082b5b87d15e2053dfb0eb838ba3b198f0 (diff)