author | Martin Polden <mpolden@mpolden.no> | 2021-06-24 10:33:55 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2021-06-24 10:33:55 +0200 |
commit | 54792b76404ed27a95c3238a8850d720f6a38cc9 (patch) | |
tree | 0c7f6c3baf1489877cb110b303b0a1ecab41bce6 /node-repository | |
parent | 684731b4223a6a414f079a5724014695dccfc73f (diff) |
Use list flag
Diffstat (limited to 'node-repository')
2 files changed, 28 insertions, 17 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypter.java
index c93f226603c..a4569f03d82 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypter.java
@@ -5,10 +5,9 @@ import com.yahoo.component.Version;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.NodeType;
 import com.yahoo.jdisc.Metric;
-import com.yahoo.vespa.flags.BooleanFlag;
-import com.yahoo.vespa.flags.FetchVector;
 import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.flags.IntFlag;
+import com.yahoo.vespa.flags.ListFlag;
 import com.yahoo.vespa.hosted.provision.Node;
 import com.yahoo.vespa.hosted.provision.NodeList;
 import com.yahoo.vespa.hosted.provision.NodeRepository;
@@ -40,12 +39,12 @@ public class HostEncrypter extends NodeRepositoryMaintainer {
 private static final Logger LOG = Logger.getLogger(HostEncrypter.class.getName());
 private final IntFlag maxEncryptingHosts;
- private final BooleanFlag deferHostEncryption;
+ private final ListFlag<String> deferApplicationEncryption;
 public HostEncrypter(NodeRepository nodeRepository, Duration interval, Metric metric) {
 super(nodeRepository, interval, metric);
 this.maxEncryptingHosts = Flags.MAX_ENCRYPTING_HOSTS.bindTo(nodeRepository.flagSource());
- this.deferHostEncryption = Flags.DEFER_HOST_ENCRYPTION.bindTo(nodeRepository.flagSource());
+ this.deferApplicationEncryption = Flags.DEFER_APPLICATION_ENCRYPTION.bindTo(nodeRepository.flagSource());
 }
 @Override
@@ -82,10 +81,14 @@ public class HostEncrypter extends NodeRepositoryMaintainer {
 // Encrypt hosts not containing stateful clusters with retiring nodes, up to limit
 List<Node> hostsToEncrypt = new ArrayList<>(hostLimit);
+
+ Set<ApplicationId> deferredApplications = deferApplicationEncryption.value().stream()
+ .map(ApplicationId::fromSerializedForm)
+ .collect(Collectors.toSet());
 NodeList candidates = hostsOfTargetType.state(Node.State.active)
 .not().encrypted()
 .not().encrypting()
- .not().matching(host -> deferEncryptionOf(host, allNodes))
+ .matching(host -> encryptHost(host, allNodes, deferredApplications))
 // Require an OS version supporting encryption
 .matching(node -> node.status().osVersion().current()
 .orElse(Version.emptyVersion)
@@ -112,18 +115,15 @@ public class HostEncrypter extends NodeRepositoryMaintainer {
 return Math.max(0, limit - hosts.encrypting().size());
 }
- private boolean deferEncryptionOf(Node host, NodeList allNodes) {
+ private boolean encryptHost(Node host, NodeList allNodes, Set<ApplicationId> deferredApplications) {
 // TODO: Require a minimum number of proxies in Orchestrator. For now skip proxy hosts.
- if (host.type() == NodeType.proxyhost) return true;
+ if (host.type() == NodeType.proxyhost) return false;
 Set<ApplicationId> applicationsOnHost = allNodes.childrenOf(host).stream()
 .filter(node -> node.allocation().isPresent())
 .map(node -> node.allocation().get().owner())
 .collect(Collectors.toSet());
- return applicationsOnHost.stream()
- .anyMatch(application -> deferHostEncryption.with(FetchVector.Dimension.APPLICATION_ID,
- application.serializedForm())
- .value());
+ return Collections.disjoint(applicationsOnHost, deferredApplications);
 }
 private void encrypt(Node host, Instant now) {
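Review bot: `ApplicationId::fromSerializedForm` is applied to every entry of the operator-supplied `deferApplicationEncryption` list with no handling for an entry that does not parse. If `fromSerializedForm` rejects malformed input by throwing (its implementation is not in this diff, so the exception type below is an assumption), a single typo in the flag aborts the whole maintenance run and no host is encrypted until the flag is corrected, which silently stretches the time hosts stay unencrypted. Parsing the entries in a small helper that logs and skips invalid values through the existing `LOG` makes the failure visible without stalling the rollout; whether skipping or failing is the right default for a deferred application is a call for the owners. The enclosing method starts and ends outside the hunk.

```java
Set<ApplicationId> deferredApplications = deferredApplications();
// … unchanged: candidates filter chain …

private Set<ApplicationId> deferredApplications() {
    Set<ApplicationId> applications = new HashSet<>();
    for (String serialized : deferApplicationEncryption.value()) {
        try {
            applications.add(ApplicationId.fromSerializedForm(serialized));
        } catch (IllegalArgumentException e) {
            LOG.warning("Ignoring invalid application ID '" + serialized + "' in flag " +
                        Flags.DEFER_APPLICATION_ENCRYPTION.id());
        }
    }
    return applications;
}
```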
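Review bot: `encryptHost` returns a boolean but is named like an action, and it sits directly above `encrypt(Node host, Instant now)`, the method that appears to start encryption; a predicate name such as `shouldEncrypt` would keep the two apart. Since the polarity flipped from "defer" to "encrypt", the method also deserves a one-line contract, for example `/** Returns whether host is eligible for encryption: not a proxy host, and no application allocated on it is listed in the defer flag */`. That comment is the place to state that a host without allocated children yields an empty `applicationsOnHost`, so `Collections.disjoint` returns true and the host is eligible. The body of `encrypt` continues outside the hunk.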
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypterTest.java
index f55452acba8..1e5d57263fa 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypterTest.java
@@ -22,8 +22,10 @@ import java.time.Instant;
 import java.util.Comparator;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 import java.util.function.Consumer;
 import java.util.function.Supplier;
+import java.util.stream.Collectors;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -48,22 +50,31 @@ public class HostEncrypterTest {
 @Test
 public void deferred_hosts_are_not_encrypted() {
- int hostCount = 2;
+ int hostCount = 4;
 int proxyHostCount = 1;
- ApplicationId tenantApp = ApplicationId.from("t1", "a1", "i1");
+ ApplicationId app1 = ApplicationId.from("t1", "a1", "i1");
+ ApplicationId app2 = ApplicationId.from("t2", "a2", "i2");
 provisionHosts(hostCount);
- deployApplication(tenantApp);
+ deployApplication(app1);
+ deployApplication(app2);
- ApplicationId proxyHostApp = ApplicationId.from("t2", "a2", "i2");
+ ApplicationId proxyHostApp = ApplicationId.from("hosted-vespa", "proxy-host", "default");
 List<Node> proxyHosts = tester.makeReadyNodes(proxyHostCount, "default", NodeType.proxyhost, 10);
 tester.patchNodes(proxyHosts, (host) -> host.with(host.status().withOsVersion(host.status().osVersion().withCurrent(Optional.of(Version.fromString("8.0"))))));
 tester.prepareAndActivateInfraApplication(proxyHostApp, NodeType.proxyhost);
 tester.flagSource()
 .withIntFlag(Flags.MAX_ENCRYPTING_HOSTS.id(), hostCount + proxyHostCount)
- .withBooleanFlag(Flags.DEFER_HOST_ENCRYPTION.id(), true);
+ .withListFlag(Flags.DEFER_APPLICATION_ENCRYPTION.id(), List.of(app2.serializedForm()), String.class);
 encrypter.maintain();
- assertEquals("No hosts are encrypted", 0, tester.nodeRepository().nodes().list().encrypting().size());
+ NodeList allNodes = tester.nodeRepository().nodes().list();
+ NodeList encryptingHosts = allNodes.encrypting().parents();
+
+ assertEquals(1, encryptingHosts.size());
+ assertEquals("Host of included application is encrypted", Set.of(app1),
+ allNodes.childrenOf(encryptingHosts.asList().get(0)).stream()
+ .map(node -> node.allocation().get().owner())
+ .collect(Collectors.toSet()));
 }
 @Test |
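Review bot: `assertEquals(1, encryptingHosts.size())` expects one encrypting host out of `hostCount = 4` plus a proxy host, with no message or comment saying which hosts are skipped because of the flag and which for other reasons, so a regression in the deferral filter and a change in node placement would fail identically. A message would help, e.g. `assertEquals("Only the host of the non-deferred application is encrypting", 1, encryptingHosts.size());`. The name `deferred_hosts_are_not_encrypted` still speaks of hosts although deferral is now per application; `hosts_of_deferred_applications_are_not_encrypted` would match the new flag. No case here feeds an unparseable entry into `DEFER_APPLICATION_ENCRYPTION`, so the maintainer's behaviour on a mistyped flag value is not pinned by any test visible in this diff.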