author | Håkon Hallingstad <hakon@yahooinc.com> | 2023-06-19 11:24:51 +0200 |
---|---|---|
committer | Håkon Hallingstad <hakon@yahooinc.com> | 2023-06-19 11:24:51 +0200 |
commit | 316d672042b9159cf3f19fefcbcb81472d9b1bda (patch) | |
tree | 226238d95869ff0a71c73b251008afa89044c473 /node-repository/src/main | |
parent | 2dbee348336346b42e7cacc22d80ce24e1730c23 (diff) |
Avoid forward resolving to IPv4 in exclave GCP
Diffstat (limited to 'node-repository/src/main')
2 files changed, 22 insertions, 11 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisioner.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisioner.java
index ad3c98d4512..aa014de58b1 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisioner.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostResumeProvisioner.java
@@ -78,14 +78,23 @@ public class HostResumeProvisioner extends NodeRepositoryMaintainer {
 /** Verify DNS configuration of given node */
 private void verifyDns(Node node, IP.Config ipConfig) {
- for (var ipAddress : ipConfig.primary()) {
- IP.verifyDns(node.hostname(), ipAddress, nodeRepository().nameResolver(), verifyPtr(node, ipAddress));
+ boolean exclave = node.cloudAccount().isEnclave(nodeRepository().zone());
+ boolean gcp = nodeRepository().zone().cloud().name().equals(CloudName.GCP);
+ for (String ipAddress : ipConfig.primary()) {
+ IP.verifyDns(node.hostname(), ipAddress, nodeRepository().nameResolver(),
+ hasForwardRecord(exclave, gcp, ipAddress),
+ hasReverseRecord(exclave, gcp, ipAddress));
 }
 }
- private boolean verifyPtr(Node node, String address) {
- if (node.cloudAccount().isEnclave(nodeRepository().zone())) return false;
- if (nodeRepository().zone().cloud().name().equals(CloudName.GCP) && IP.isV6(address)) return false;
+ public static boolean hasForwardRecord(boolean exclave, boolean gcp, String address) {
+ if (exclave && gcp && IP.isV4(address)) return false;
+ return true;
+ }
+
+ public static boolean hasReverseRecord(boolean exclave, boolean gcp, String address) {
+ if (exclave) return false;
+ if (gcp && IP.isV6(address)) return false;
 return true;
 }
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/IP.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/IP.java
index 3ef1951c19c..3f236b9d8a5 100644
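Review bot: For an exclave GCP node with an IPv4 address, hasForwardRecord and hasReverseRecord both return false, so the IP.verifyDns call in verifyDns performs no DNS check at all for that address; the commit title implies this is intended, but nothing in the code says so, and a later reader may take the silent skip for a bug. I would state the policy on the new helpers, e.g. on hasForwardRecord `/** Whether hostname is expected to have a forward record for address; skipped for IPv4 in exclave GCP (presumably no A record is published there), so such addresses get no DNS verification at all since exclaves also have no PTR check. */` and a matching one-liner on hasReverseRecord. The helpers also went from the private verifyPtr to public static; package-private is enough if the widening is only for tests, and each body reads better as a single expression, e.g. `return !(exclave && gcp && IP.isV4(address));`. The trailing context lines of this hunk appear to have been trimmed by the page rendering.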
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/IP.java +++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/IP.java @@ -395,12 +395,14 @@ public record IP() { } /** Verify DNS configuration of given hostname and IP address */ - public static void verifyDns(String hostname, String ipAddress, NameResolver resolver, boolean hasPtr) { - RecordType recordType = isV6(ipAddress) ? RecordType.AAAA : RecordType.A; - Set<String> addresses = resolver.resolve(hostname, recordType); - if (!addresses.equals(Set.of(ipAddress))) - throw new IllegalArgumentException("Expected " + hostname + " to resolve to " + ipAddress + - ", but got " + addresses); + public static void verifyDns(String hostname, String ipAddress, NameResolver resolver, boolean hasForward, boolean hasPtr) { + if (hasForward) { + RecordType recordType = isV6(ipAddress) ? RecordType.AAAA : RecordType.A; + Set<String> addresses = resolver.resolve(hostname, recordType); + if (!addresses.equals(Set.of(ipAddress))) + throw new IllegalArgumentException("Expected " + hostname + " to resolve to " + ipAddress + + ", but got " + addresses); + } if (hasPtr) { Optional<String> reverseHostname = resolver.resolveHostname(ipAddress); |