authorMartin Polden <mpolden@mpolden.no>2022-08-25 10:52:21 +0200
committerMartin Polden <mpolden@mpolden.no>2022-08-25 10:55:33 +0200
commitf506a54040a18c0e74092dd701b2165f845e7711 (patch)
treed303215aa147666e21a4b01896061e8d9bb2b9d4 /node-repository/src/main
parent34d28df24200715d9a436267a1b7eb1bad0fab61 (diff)
Extract TrustedNode
Diffstat (limited to 'node-repository/src/main')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java64
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java2
2 files changed, 38 insertions, 28 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index 26b57677fcf..7f7b1cd1035 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -11,10 +11,12 @@ import com.yahoo.vespa.hosted.provision.lb.LoadBalancers;
import java.util.Comparator;
import java.util.LinkedHashSet;
+import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
+import java.util.stream.StreamSupport;
/**
* A node ACL declares which nodes, networks and ports a node should trust.
@@ -22,7 +24,7 @@ import java.util.TreeSet;
* @author mpolden
*/
public record NodeAcl(Node node,
- Set<Node> trustedNodes,
+ Set<TrustedNode> trustedNodes,
Set<String> trustedNetworks,
Set<Integer> trustedPorts) {
@@ -34,7 +36,7 @@ public record NodeAcl(Node node,
}
public static NodeAcl from(Node node, NodeList allNodes, LoadBalancers loadBalancers) {
- Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname));
+ Set<TrustedNode> trustedNodes = new TreeSet<>(Comparator.comparing(TrustedNode::hostname));
Set<Integer> trustedPorts = new LinkedHashSet<>();
Set<String> trustedNetworks = new LinkedHashSet<>();
@@ -47,9 +49,9 @@ public record NodeAcl(Node node,
// - nodes in same application
// - load balancers allocated to application
trustedPorts.add(22);
- allNodes.parentOf(node).ifPresent(trustedNodes::add);
+ allNodes.parentOf(node).map(TrustedNode::of).ifPresent(trustedNodes::add);
node.allocation().ifPresent(allocation -> {
- trustedNodes.addAll(allNodes.owner(allocation.owner()).asList());
+ trustedNodes.addAll(TrustedNode.of(allNodes.owner(allocation.owner())));
loadBalancers.list(allocation.owner()).asList()
.stream()
.map(LoadBalancer::instance)
@@ -59,57 +61,65 @@ public record NodeAcl(Node node,
});
switch (node.type()) {
- case tenant:
+ case tenant -> {
// Tenant nodes in other states than ready, trust:
// - config servers
// - proxy nodes
// - parents of the nodes in the same application: If some nodes are on a different IP version
// or only a subset of them are dual-stacked, the communication between the nodes may be NAT-ed
// via parent's IP address
- trustedNodes.addAll(allNodes.nodeType(NodeType.config).asList());
- trustedNodes.addAll(allNodes.nodeType(NodeType.proxy).asList());
- node.allocation().ifPresent(allocation ->
- trustedNodes.addAll(allNodes.parentsOf(allNodes.owner(allocation.owner())).asList()));
-
+ trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config)));
+ trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy)));
+ node.allocation().ifPresent(allocation -> trustedNodes.addAll(TrustedNode.of(allNodes.parentsOf(allNodes.owner(allocation.owner())))));
if (node.state() == Node.State.ready) {
// Tenant nodes in state ready, trust:
// - All tenant nodes in zone. When a ready node is allocated to an application there's a brief
// window where current ACLs have not yet been applied on the node. To avoid service disruption
// during this window, ready tenant nodes trust all other tenant nodes
- trustedNodes.addAll(allNodes.nodeType(NodeType.tenant).asList());
+ trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.tenant)));
}
- break;
-
- case config:
+ }
+ case config -> {
// Config servers trust:
// - all nodes
// - port 4443 from the world
- trustedNodes.addAll(allNodes.asList());
+ trustedNodes.addAll(TrustedNode.of(allNodes));
trustedPorts.add(4443);
- break;
-
- case proxy:
+ }
+ case proxy -> {
// Proxy nodes trust:
// - config servers
// - all connections from the world on 443 (production traffic) and 4443 (health checks)
- trustedNodes.addAll(allNodes.nodeType(NodeType.config).asList());
+ trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config)));
trustedPorts.add(443);
trustedPorts.add(4443);
- break;
-
- case controller:
+ }
+ case controller -> {
// Controllers:
// - port 4443 (HTTPS + Athenz) from the world
// - port 443 (HTTPS + Okta) from the world
trustedPorts.add(4443);
trustedPorts.add(443);
- break;
-
- default:
- throw new IllegalArgumentException("Don't know how to create ACL for " + node +
- " of type " + node.type());
+ }
+ default -> throw new IllegalArgumentException("Don't know how to create ACL for " + node +
+ " of type " + node.type());
}
return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts);
}
+ public record TrustedNode(String hostname, NodeType type, Set<String> ipAddresses) {
+
+ public static TrustedNode of(Node node) {
+ return new TrustedNode(node.hostname(), node.type(), node.ipConfig().primary());
+
+ }
+
+ public static List<TrustedNode> of(Iterable<Node> nodes) {
+ return StreamSupport.stream(nodes.spliterator(), false)
+ .map(TrustedNode::of)
+ .toList();
+ }
+
+ }
+
}
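Review bot: The new `TrustedNode` record stores the `Set<String>` it is handed from `node.ipConfig().primary()` without copying it, so if that set is mutable the trusted addresses of an already-built ACL can change under whoever holds the original reference; a compact constructor `public TrustedNode { ipAddresses = Set.copyOf(ipAddresses); }` would freeze the record's trust data (this assumes the set never contains null, which `Set.copyOf` rejects). The record is public but carries no Javadoc; a summary such as `/** A node trusted by a {@link NodeAcl}, identified by hostname and type and reachable on the given IP addresses. */` plus `@param`/`@return` lines on the two `of` overloads would document the contract the REST layer now relies on. Minor style: the stray blank line before the closing brace of `of(Node)` should be dropped. The `from` method this hunk completes begins in the previous hunk.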
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
index b03d37b4d46..af09278623b 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
@@ -47,7 +47,7 @@ public class NodeAclResponse extends SlimeJsonResponse {
}
private void toSlime(NodeAcl nodeAcl, Cursor array) {
- nodeAcl.trustedNodes().forEach(node -> node.ipConfig().primary().forEach(ipAddress -> {
+ nodeAcl.trustedNodes().forEach(node -> node.ipAddresses().forEach(ipAddress -> {
Cursor object = array.addObject();
object.setString("hostname", node.hostname());
object.setString("type", node.type().name());