authorvalerijf <valerijf@yahoo-inc.com>2017-06-28 16:11:01 +0200
committervalerijf <valerijf@yahoo-inc.com>2017-06-28 16:11:01 +0200
commit142b891ec5120a4653c2d6d8a5d8406ae71731ec (patch)
tree4007811261a83e1ba09b799fa042de4c868d4047 /node-repository
parent96d2113c2adaf6a3bd4bd0182faad10135d982a9 (diff)
Add docker bridge network to ACL spec
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java23
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java48
2 files changed, 42 insertions, 29 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index a61565126ef..fde5669bfd5 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -32,6 +32,7 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
@@ -164,8 +165,9 @@ public class NodeRepository extends AbstractComponent {
/**
* Returns a set of nodes that should be trusted by the given node.
*/
- private Set<Node> getTrustedNodes(Node node, NodeList candidates) {
+ private NodeAcl getNodeAcl(Node node, NodeList candidates) {
Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname));
+ Set<String> trustedNetworks = new HashSet<>();
// For all cases below, trust:
// - nodes in same application
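Review bot: The Javadoc above the renamed `getNodeAcl` still reads `Returns a set of nodes that should be trusted by the given node`, but the method now builds a NodeAcl that also carries trusted networks (`trustedNetworks` is declared two lines below the signature). Suggest replacing the summary with `Returns the ACL for the given node: the nodes and networks it should trust, derived from the candidate nodes.` The method body continues past the end of the hunk.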
@@ -196,8 +198,12 @@ public class NodeRepository extends AbstractComponent {
break;
case proxy:
+ // No special rules for proxies
+ break;
+
case host:
- // No special rules for proxies and Docker hosts
+ // Docker bridge network
+ trustedNetworks.add("172.17.0.0/16");
break;
default:
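Review bot: The host branch hard-codes `"172.17.0.0/16"` inline at the `trustedNetworks.add` line; that is Docker's default bridge subnet, which a daemon can be configured to change, so the trust rule silently grants the whole /16 on every host regardless of the actual bridge configuration. A named constant makes the assumption visible and gives the test file something to reference instead of duplicating the literal, e.g. `private static final String DOCKER_BRIDGE_NETWORK = "172.17.0.0/16"; // assumes the Docker daemon runs with its default bridge subnet` and `trustedNetworks.add(DOCKER_BRIDGE_NETWORK);`. The enclosing switch and getNodeAcl start and end outside the hunk.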
@@ -206,7 +212,7 @@ public class NodeRepository extends AbstractComponent {
node.hostname(), node.type()));
}
- return Collections.unmodifiableSet(trustedNodes);
+ return new NodeAcl(node, trustedNodes, trustedNetworks);
}
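Review bot: The new return `return new NodeAcl(node, trustedNodes, trustedNetworks);` drops the `Collections.unmodifiableSet` wrapper the replaced line applied to `trustedNodes`, and `trustedNetworks` is a plain HashSet; unless NodeAcl's constructor copies its arguments (not visible here), anything reading `trustedNodes()` or `trustedNetworks()` gets sets that can be mutated after the ACL is built. Suggest `return new NodeAcl(node, Collections.unmodifiableSet(trustedNodes), Collections.unmodifiableSet(trustedNetworks));` to keep the previous immutability guarantee. getNodeAcl begins outside the hunk.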
/**
@@ -217,17 +223,14 @@ public class NodeRepository extends AbstractComponent {
* @return List of node ACLs
*/
public List<NodeAcl> getNodeAcls(Node node, boolean children) {
- List<NodeAcl> nodeAcls = new ArrayList<>();
-
NodeList candidates = new NodeList(getNodes());
if (children) {
- List<Node> childNodes = candidates.childNodes(node).asList();
- childNodes.forEach(childNode -> nodeAcls.add(new NodeAcl(childNode, getTrustedNodes(childNode, candidates))));
+ return candidates.childNodes(node).asList().stream()
+ .map(childNode -> getNodeAcl(childNode, candidates))
+ .collect(Collectors.collectingAndThen(Collectors.toList(), Collections::unmodifiableList));
} else {
- nodeAcls.add(new NodeAcl(node, getTrustedNodes(node, candidates)));
+ return Collections.singletonList(getNodeAcl(node, candidates));
}
-
- return Collections.unmodifiableList(nodeAcls);
}
/** Get config node by hostname */
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 3b7a14000ec..134808b7114 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -22,7 +22,6 @@ import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
-import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
@@ -40,6 +39,8 @@ public class AclProvisioningTest {
private ProvisioningTester tester;
private MockNameResolver nameResolver;
+ private final List<String> dockerBridgeNetwork = Collections.singletonList("172.17.0.0/16");
+
@Before
public void before() {
this.curator = new MockCurator();
@@ -146,31 +147,27 @@ public class AclProvisioningTest {
List<NodeAcl> acls = tester.nodeRepository().getNodeAcls(dockerHostNodes.get(0), false);
// Trusted nodes is all Docker hosts and all config servers
- assertAcls(Arrays.asList(dockerHostNodes, configServers), acls.get(0));
+ assertAcls(Arrays.asList(dockerHostNodes, configServers), dockerBridgeNetwork, acls.get(0));
}
@Test
- public void trusted_nodes_for_docker_hosts_and_proxy_nodes_in_zone_application() {
+ public void trusted_nodes_for_docker_hosts_nodes_in_zone_application() {
ApplicationId applicationId = tester.makeApplicationId(); // use same id for both allocate calls below
List<Node> configServers = setConfigServers("cfg1:1234,cfg2:1234,cfg3:1234");
// Populate repo
- tester.makeReadyNodes(3, "default", NodeType.proxy);
tester.makeReadyNodes(2, "default", NodeType.host);
- // Allocate 3 proxy nodes
- List<Node> activeProxyNodes = allocateNodes(NodeType.proxy, applicationId);
- assertEquals(3, activeProxyNodes.size());
- // Allocate 2 Docker hosts, a total of 5 hosts
- List<Node> activeDockerHostsAndProxyNodes = allocateNodes(NodeType.host, applicationId);
- assertEquals(5, activeDockerHostsAndProxyNodes.size());
+ // Allocate 2 Docker hosts
+ List<Node> activeDockerHostNodes = allocateNodes(NodeType.host, applicationId);
+ assertEquals(2, activeDockerHostNodes.size());
// Check trusted nodes for all nodes
- activeDockerHostsAndProxyNodes.forEach(node -> {
+ activeDockerHostNodes.forEach(node -> {
System.out.println("Checking node " + node);
List<NodeAcl> nodeAcls = tester.nodeRepository().getNodeAcls(node, false);
- assertAcls(Arrays.asList(activeDockerHostsAndProxyNodes, configServers), nodeAcls);
+ assertAcls(Arrays.asList(activeDockerHostNodes, configServers), dockerBridgeNetwork, nodeAcls);
});
}
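Review bot: Removing the proxy allocation and the `activeDockerHostsAndProxyNodes` checks from this test leaves the new `case proxy` branch in NodeRepository (which now deliberately stops falling through into the host rules) without an assertion that a proxy ACL has an empty trusted-network set, unless another test in this file covers it. A regression that reintroduces the fall-through, granting the Docker bridge network to proxies, would not be caught. Suggest a small companion test that allocates proxy nodes and calls `assertAcls(Arrays.asList(activeProxyNodes, configServers), nodeAcls);`, which via the two-argument overload expects `Collections.emptyList()` as the trusted networks.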
@@ -238,17 +235,30 @@ public class AclProvisioningTest {
}
private static void assertAcls(List<List<Node>> expected, NodeAcl actual) {
- assertAcls(expected, Collections.singletonList(actual));
+ assertAcls(expected, Collections.emptyList(), Collections.singletonList(actual));
}
private static void assertAcls(List<List<Node>> expected, List<NodeAcl> actual) {
- List<Node> nodes = expected.stream()
+ assertAcls(expected, Collections.emptyList(), actual);
+ }
+
+ private static void assertAcls(List<List<Node>> expected, List<String> expectedNetworks, NodeAcl actual) {
+ assertAcls(expected, expectedNetworks, Collections.singletonList(actual));
+ }
+
+ private static void assertAcls(List<List<Node>> expectedNodes, List<String> expectedNetworks, List<NodeAcl> actual) {
+ Set<Node> expectedTrustedNodes = expectedNodes.stream()
.flatMap(Collection::stream)
- .sorted(Comparator.comparing(Node::hostname))
- .collect(Collectors.toList());
- List<Node> trustedNodes = actual.stream()
+ .collect(Collectors.toSet());
+ Set<Node> actualTrustedNodes = actual.stream()
.flatMap(acl -> acl.trustedNodes().stream())
- .collect(Collectors.toList());
- assertEquals(nodes, trustedNodes);
+ .collect(Collectors.toSet());
+ assertEquals(expectedTrustedNodes, actualTrustedNodes);
+
+ Set<String> expectedTrustedNetworks = new HashSet<>(expectedNetworks);
+ Set<String> actualTrustedNetworks = actual.stream()
+ .flatMap(acl -> acl.trustedNetworks().stream())
+ .collect(Collectors.toSet());
+ assertEquals(expectedTrustedNetworks, actualTrustedNetworks);
}
}