authorAndreas Eriksen <andreer@yahooinc.com>2023-03-24 10:35:55 +0100
committerAndreas Eriksen <andreer@yahooinc.com>2023-03-24 10:35:55 +0100
commit57f5e9706a982d91fc8317996648b9ffbd29b5ff (patch)
tree9ac7b95aa6eae006fd56a2f42f452625b8237fa6 /node-repository
parent6db94ff887b65b10b8c4a8ce10c0d2e195bc0c0a (diff)
wg port public aws only
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/Node.java5
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java2
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java8
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java2
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java12
5 files changed, 17 insertions, 12 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/Node.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/Node.java
index acfb5d6fa5e..3b518728607 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/Node.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/Node.java
@@ -11,6 +11,7 @@ import com.yahoo.config.provision.NodeResources;
import com.yahoo.config.provision.NodeType;
import com.yahoo.config.provision.TenantName;
import com.yahoo.config.provision.WireguardKey;
+import com.yahoo.config.provision.Zone;
import com.yahoo.vespa.hosted.provision.lb.LoadBalancers;
import com.yahoo.vespa.hosted.provision.node.Agent;
import com.yahoo.vespa.hosted.provision.node.Allocation;
@@ -573,8 +574,8 @@ public final class Node implements Nodelike {
}
/** Returns the ACL for the node (trusted nodes, networks and ports) */
- public NodeAcl acl(NodeList allNodes, LoadBalancers loadBalancers) {
- return NodeAcl.from(this, allNodes, loadBalancers);
+ public NodeAcl acl(NodeList allNodes, LoadBalancers loadBalancers, Zone zone) {
+ return NodeAcl.from(this, allNodes, loadBalancers, zone);
}
@Override
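Review bot: The Javadoc on `acl` still reads "Returns the ACL for the node (trusted nodes, networks and ports)" and says nothing about the new `zone` parameter, even though the ACL now depends on it. Since the zone decides whether a UDP port ends up in the ACL, that dependency is worth stating where callers see it; I would extend the comment to `/** Returns the ACL for the node (trusted nodes, networks and ports). The zone determines which zone-specific ports are trusted. */`. The method is complete in the hunk, but the enclosing class continues outside it.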
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index 510c4041efb..d6671d41cbd 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -219,7 +219,7 @@ public class NodeRepository extends AbstractComponent {
if ( ! host.type().isHost()) throw new IllegalArgumentException("Only hosts have children");
NodeList allNodes = nodes().list();
return allNodes.childrenOf(host)
- .mapToList(childNode -> childNode.acl(allNodes, loadBalancers));
+ .mapToList(childNode -> childNode.acl(allNodes, loadBalancers, zone));
}
/** Removes this application: all nodes are set dirty. */
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index fe0c55e0618..5106b786691 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -2,7 +2,9 @@
package com.yahoo.vespa.hosted.provision.node;
import com.google.common.collect.ImmutableSet;
+import com.yahoo.config.provision.CloudName;
import com.yahoo.config.provision.NodeType;
+import com.yahoo.config.provision.Zone;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeList;
import com.yahoo.vespa.hosted.provision.lb.LoadBalancer;
@@ -40,7 +42,7 @@ public record NodeAcl(Node node,
this.trustedUdpPorts = ImmutableSet.copyOf(Objects.requireNonNull(trustedUdpPorts, "trustedUdpPorts must be non-null"));
}
- public static NodeAcl from(Node node, NodeList allNodes, LoadBalancers loadBalancers) {
+ public static NodeAcl from(Node node, NodeList allNodes, LoadBalancers loadBalancers, Zone zone) {
Set<TrustedNode> trustedNodes = new TreeSet<>(Comparator.comparing(TrustedNode::hostname));
Set<Integer> trustedPorts = new LinkedHashSet<>();
Set<Integer> trustedUdpPorts = new LinkedHashSet<>();
@@ -95,7 +97,9 @@ public record NodeAcl(Node node,
NodeType.proxyhost, NodeType.proxy),
RPC_PORTS));
trustedPorts.add(4443);
- trustedUdpPorts.add(WIREGUARD_PORT);
+ if (zone.system().isPublic() && zone.cloud().name().equals(CloudName.AWS)) {
+ trustedUdpPorts.add(WIREGUARD_PORT);
+ }
}
case proxy -> {
// Proxy nodes trust:
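Review bot: The new condition on `zone.system().isPublic() && zone.cloud().name().equals(CloudName.AWS)` encodes a network-exposure policy (the WireGuard UDP port is trusted only in public AWS zones) with no comment saying why, while the neighbouring cases each carry a "… nodes trust:" explanation; a one-liner such as `// WireGuard is only in use in public AWS zones; keep the UDP port closed everywhere else` would keep the next reader from "fixing" it back. The `zone` argument is dereferenced here without a guard, whereas the record's compact constructor requires its other inputs to be non-null (see the `Objects.requireNonNull` at the top of the earlier hunk); adding `Objects.requireNonNull(zone, "zone must be non-null");` at the start of `from` would fail early instead of with an NPE deep inside one switch arm. Which node type this arm belongs to is not visible, and the enclosing switch and `from` method both start and end outside the hunk.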
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
index 48dae3a925e..6fe14715355 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
@@ -34,7 +34,7 @@ public class NodeAclResponse extends SlimeJsonResponse {
.orElseThrow(() -> new NotFoundException("No node with hostname '" + hostname + "'"));
List<NodeAcl> acls = aclsForChildren ? nodeRepository.getChildAcls(node) :
- List.of(node.acl(nodeRepository.nodes().list(), nodeRepository.loadBalancers()));
+ List.of(node.acl(nodeRepository.nodes().list(), nodeRepository.loadBalancers(), nodeRepository.zone()));
Cursor trustedNodesArray = object.setArray("trustedNodes");
acls.forEach(nodeAcl -> toSlime(nodeAcl, trustedNodesArray));
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 47fcde1c96e..67f734eede2 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -52,7 +52,7 @@ public class AclProvisioningTest {
// Get trusted nodes for the first active node
Node node = activeNodes.get(0);
List<Node> hostOfNode = node.parentHostname().flatMap(tester.nodeRepository().nodes()::node).map(List::of).orElseGet(List::of);
- Supplier<NodeAcl> nodeAcls = () -> node.acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers());
+ Supplier<NodeAcl> nodeAcls = () -> node.acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers(), tester.nodeRepository().zone());
// Trusted nodes are active nodes in same application, proxy nodes and config servers
assertAcls(trustedNodesOf(List.of(activeNodes, proxyNodes, configServers.asList(), hostOfNode)),
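Review bot: All six hunks in this test file only thread `tester.nodeRepository().zone()` through the existing call sites; none of them asserts the behavior the commit introduces, i.e. that `WIREGUARD_PORT` is present in `trustedUdpPorts()` for a public AWS zone and absent otherwise. Whether the existing tester zone is public AWS is not visible here, so it is unclear which branch of the new condition the suite exercises at all. If the tester can be set up with an explicit zone, a pair of cases along the lines of `assertEquals(Set.of(WIREGUARD_PORT), nodeAcl.trustedUdpPorts())` under a public AWS zone and `assertEquals(Set.of(), nodeAcl.trustedUdpPorts())` under a non-public one would pin the policy change. The same applies to the remaining hunks of this file.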
@@ -73,7 +73,7 @@ public class AclProvisioningTest {
// Get trusted nodes for a ready tenant node
Node node = tester.nodeRepository().nodes().list(Node.State.ready).nodeType(NodeType.tenant).first().get();
- NodeAcl nodeAcl = node.acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers());
+ NodeAcl nodeAcl = node.acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers(), tester.nodeRepository().zone());
NodeList tenantNodes = tester.nodeRepository().nodes().list().nodeType(NodeType.tenant);
// Trusted nodes are all proxy-, config-, and, tenant-nodes
@@ -99,7 +99,7 @@ public class AclProvisioningTest {
// Get trusted nodes for the first config server
Node node = tester.nodeRepository().nodes().node("cfg1")
.orElseThrow(() -> new RuntimeException("Failed to find cfg1"));
- NodeAcl nodeAcl = node.acl(nodes, tester.nodeRepository().loadBalancers());
+ NodeAcl nodeAcl = node.acl(nodes, tester.nodeRepository().loadBalancers(), tester.nodeRepository().zone());
// Trusted nodes is all tenant nodes+hosts, all proxy nodes+hosts, all config servers and load balancer subnets
assertAcls(List.of(TrustedNode.of(tenantHosts, Set.of(19070)),
@@ -128,7 +128,7 @@ public class AclProvisioningTest {
// Get trusted nodes for first proxy node
NodeList proxyNodes = tester.nodeRepository().nodes().list().owner(zoneApplication);
Node node = proxyNodes.first().get();
- NodeAcl nodeAcl = node.acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers());
+ NodeAcl nodeAcl = node.acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers(), tester.nodeRepository().zone());
// Trusted nodes is all config servers and all proxy nodes
assertAcls(trustedNodesOf(List.of(proxyNodes.asList(), configServers.asList())), List.of(nodeAcl));
@@ -170,7 +170,7 @@ public class AclProvisioningTest {
List<Node> controllers = tester.deploy(controllerApplication, Capacity.fromRequiredNodeType(NodeType.controller));
// Controllers and hosts all trust each other
- NodeAcl controllerAcl = controllers.get(0).acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers());
+ NodeAcl controllerAcl = controllers.get(0).acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers(), tester.nodeRepository().zone());
assertAcls(trustedNodesOf(List.of(controllers)), Set.of("10.2.3.0/24", "10.4.5.0/24"), List.of(controllerAcl));
assertEquals(Set.of(22, 4443, 443), controllerAcl.trustedPorts());
assertEquals(Set.of(), controllerAcl.trustedUdpPorts());
@@ -217,7 +217,7 @@ public class AclProvisioningTest {
tester.makeConfigServers(3, "default", Version.fromString("6.123.456"));
List<Node> readyNodes = tester.makeReadyNodes(1, "default", NodeType.proxy);
- NodeAcl nodeAcl = readyNodes.get(0).acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers());
+ NodeAcl nodeAcl = readyNodes.get(0).acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers(), tester.nodeRepository().zone());
assertEquals(3, nodeAcl.trustedNodes().size());
assertEquals(List.of(Set.of("127.0.1.1"), Set.of("127.0.1.2"), Set.of("127.0.1.3")),