authorHåkon Hallingstad <hakon@yahooinc.com>2023-07-05 11:38:16 +0200
committerHåkon Hallingstad <hakon@yahooinc.com>2023-07-05 11:38:16 +0200
commit9ee3d3b3c54fd3340ef508e2e78e6cab22a22374 (patch)
tree85260ca6dfdecdcf6166686660fc40db97cab6ab /node-repository
parent05c101c0dac4debcdf1a858931c94fb6f53eed4c (diff)
No need to handle ready tenant nodes
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java9
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java2
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java21
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/NodesV2ApiTest.java2
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-config-server.json9
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-tenant-node.json88
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes-recursive.json3
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes.json3
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5-after-changes.json2
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5.json2
10 files changed, 33 insertions, 108 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index 17a04238ac9..9c45a8ede1c 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -55,7 +55,7 @@ public record NodeAcl(Node node,
// SSH opened (which is safe for 2 reasons: SSH daemon is not run inside containers, and NPT networks
// will (should) not forward port 22 traffic to container).
// - parent host (for health checks and metrics)
- // - nodes in same application
+ // - nodes in same application (Slobrok for tenant nodes, file distribution and ZK for config servers, etc).
// - load balancers allocated to application
trustedPorts.add(22);
allNodes.parentOf(node).map(parent -> TrustedNode.of(parent, node.cloudAccount(), simplerAcl)).ifPresent(trustedNodes::add);
@@ -80,13 +80,6 @@ public record NodeAcl(Node node,
trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config), node.cloudAccount(), simplerAcl));
trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy), node.cloudAccount(), simplerAcl));
node.allocation().ifPresent(allocation -> trustedNodes.addAll(TrustedNode.of(allNodes.parentsOf(allNodes.owner(allocation.owner())), node.cloudAccount(), simplerAcl)));
- if (node.state() == Node.State.ready) {
- // Tenant nodes in state ready, trust:
- // - All tenant nodes in zone. When a ready node is allocated to an application there's a brief
- // window where current ACLs have not yet been applied on the node. To avoid service disruption
- // during this window, ready tenant nodes trust all other tenant nodes
- trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.tenant), node.cloudAccount(), simplerAcl));
- }
}
case config -> {
// Config servers trust:
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java
index 676adbf3d73..5ad0dd327c8 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java
@@ -126,7 +126,7 @@ public class MockNodeRepository extends NodeRepository {
.status(Status.initial()
.withVespaVersion(new Version("1.2.3"))
.withContainerImage(DockerImage.fromString("docker-registry.domain.tld:8080/dist/vespa:1.2.3")))
- .cloudAccount(defaultCloudAccount)
+ .cloudAccount(tenantAccount)
.build();
nodes.add(node5);
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 8d487dea38b..1fb339e8814 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -67,23 +67,26 @@ public class AclProvisioningTest {
}
@Test
- public void trusted_nodes_for_unallocated_node() {
+ public void trusted_nodes_for_parked_node() {
NodeList configServers = tester.makeConfigServers(3, "default", Version.fromString("6.123.456"));
// Populate repo
- tester.makeReadyNodes(10, nodeResources);
+ List<Node> tenantNodes = tester.makeReadyNodes(10, nodeResources);
List<Node> proxyNodes = tester.makeReadyNodes(3, "default", NodeType.proxy);
// Allocate 2 nodes to an application
- deploy(2);
+ Set<String> deployedTenantNodes = deploy(2).stream().map(Node::hostname).collect(Collectors.toSet());
+
+ tester.move(Node.State.parked, tenantNodes.stream()
+ .filter(node -> !deployedTenantNodes.contains(node.hostname()))
+ .toList());
- // Get trusted nodes for a ready tenant node
- Node node = tester.nodeRepository().nodes().list(Node.State.ready).nodeType(NodeType.tenant).first().get();
+ // Get trusted nodes for a parked tenant node
+ Node node = tester.nodeRepository().nodes().list(Node.State.parked).nodeType(NodeType.tenant).first().get();
NodeAcl nodeAcl = node.acl(tester.nodeRepository().nodes().list(), tester.nodeRepository().loadBalancers(), tester.nodeRepository().zone(), true);
- NodeList tenantNodes = tester.nodeRepository().nodes().list().nodeType(NodeType.tenant);
- // Trusted nodes are all proxy-, config-, and, tenant-nodes
- assertAcls(trustedNodesOf(List.of(proxyNodes, configServers.asList(), tenantNodes.asList()), node.cloudAccount()), List.of(nodeAcl));
+ // Trusted nodes are all config-nodes
+ assertAcls(trustedNodesOf(List.of(proxyNodes, configServers.asList()), node.cloudAccount()), List.of(nodeAcl));
}
@Test
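Review bot: The comment `// Trusted nodes are all config-nodes` in trusted_nodes_for_parked_node does not match the assertion under it, which expects both `proxyNodes` and `configServers`; `// Trusted nodes are all proxy- and config-nodes, and no other tenant nodes` would state what is actually checked. The behaviour this commit changes is the ACL of a ready tenant node, yet the test now moves every unallocated tenant node to parked and inspects only a parked one, so nothing in this hunk pins that a ready node no longer trusts the other tenant nodes in the zone. Leaving one node in `Node.State.ready` and asserting the same expected set for it would guard against the broader trust being reintroduced later. This assumes `assertAcls` compares the full trusted set rather than a subset, which is not visible here.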
@@ -171,7 +174,7 @@ public class AclProvisioningTest {
.findFirst()
.orElseThrow(() -> new RuntimeException("Expected to find ACL for node " + node.hostname()));
assertEquals(host.hostname(), node.parentHostname().get());
- assertAcls(trustedNodesOf(List.of(configServers.asList(), nodes, List.of(host)), node.cloudAccount()), nodeAcl);
+ assertAcls(trustedNodesOf(List.of(configServers.asList(), List.of(host)), node.cloudAccount()), nodeAcl);
}
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/NodesV2ApiTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/NodesV2ApiTest.java
index d93c8e3cbeb..e2082a70c3c 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/NodesV2ApiTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/NodesV2ApiTest.java
@@ -460,7 +460,7 @@ public class NodesV2ApiTest {
@Test
public void acls_for_exclave_tenant_host() throws Exception {
- assertFile(new Request("http://localhost:8080/nodes/v2/acl/host3.yahoo.com"), "acl-tenant-node.json");
+ assertFile(new Request("http://localhost:8080/nodes/v2/acl/host5.yahoo.com"), "acl-tenant-node.json");
}
@Test
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-config-server.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-config-server.json
index c5094e03348..de7b4de7fd9 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-config-server.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-config-server.json
@@ -232,15 +232,6 @@
"trustedBy": "cfg1.yahoo.com"
},
{
- "hostname": "host5.yahoo.com",
- "type": "tenant",
- "ipAddress": "127.0.5.1",
- "ports": [
- 19070
- ],
- "trustedBy": "cfg1.yahoo.com"
- },
- {
"hostname": "host55.yahoo.com",
"type": "tenant",
"ipAddress": "::55:1",
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-tenant-node.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-tenant-node.json
index f947540f7c5..2ca385a26b6 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-tenant-node.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/acl-tenant-node.json
@@ -4,98 +4,32 @@
"hostname": "cfg1.yahoo.com",
"type": "config",
"ipAddress": "::201:1",
- "trustedBy": "host3.yahoo.com"
+ "trustedBy": "host5.yahoo.com"
},
{
"hostname": "cfg2.yahoo.com",
"type": "config",
"ipAddress": "::202:1",
- "trustedBy": "host3.yahoo.com"
+ "trustedBy": "host5.yahoo.com"
},
{
- "hostname": "host1.yahoo.com",
- "type": "tenant",
- "ipAddress": "::1:1",
- "trustedBy": "host3.yahoo.com"
+ "hostname": "dockerhost2.yahoo.com",
+ "type": "host",
+ "ipAddress": "::101:1",
+ "trustedBy": "host5.yahoo.com"
},
{
- "hostname": "host10.yahoo.com",
- "type": "tenant",
- "ipAddress": "::10:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host13.yahoo.com",
- "type": "tenant",
- "ipAddress": "::13:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host14.yahoo.com",
- "type": "tenant",
- "ipAddress": "::14:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host2.yahoo.com",
- "type": "tenant",
- "ipAddress": "::2:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host3.yahoo.com",
- "type": "tenant",
- "ipAddress": "127.0.3.1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host3.yahoo.com",
- "type": "tenant",
- "ipAddress": "::3:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host4.yahoo.com",
- "type": "tenant",
- "ipAddress": "::4:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host5.yahoo.com",
- "type": "tenant",
- "ipAddress": "::5:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host55.yahoo.com",
- "type": "tenant",
- "ipAddress": "::55:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host6.yahoo.com",
- "type": "tenant",
- "ipAddress": "::6:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "host7.yahoo.com",
- "type": "tenant",
- "ipAddress": "::7:1",
- "trustedBy": "host3.yahoo.com"
- },
- {
- "hostname": "test-node-pool-102-2",
- "type": "tenant",
- "ipAddress": "::102:2",
- "trustedBy": "host3.yahoo.com"
+ "hostname": "dockerhost2.yahoo.com",
+ "type": "host",
+ "ipAddress": "127.0.101.1",
+ "trustedBy": "host5.yahoo.com"
}
],
"trustedNetworks": [],
"trustedPorts": [
{
"port": 22,
- "trustedBy": "host3.yahoo.com"
+ "trustedBy": "host5.yahoo.com"
}
],
"trustedUdpPorts": []
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes-recursive.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes-recursive.json
index 540a0086cbf..3e41d87dd4a 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes-recursive.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes-recursive.json
@@ -1,6 +1,7 @@
{
"nodes": [
@include(docker-node2.json),
- @include(node3.json)
+ @include(node3.json),
+ @include(node5.json)
]
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes.json
index 33fd4daa699..fa34aca85c8 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/enclave-nodes.json
@@ -5,6 +5,9 @@
},
{
"url":"http://localhost:8080/nodes/v2/node/host3.yahoo.com"
+ },
+ {
+ "url":"http://localhost:8080/nodes/v2/node/host5.yahoo.com"
}
]
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5-after-changes.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5-after-changes.json
index bf2f37d7c50..b71e0c6f6a6 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5-after-changes.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5-after-changes.json
@@ -74,5 +74,5 @@
],
"ipAddresses": ["127.0.5.1", "::5:1"],
"additionalIpAddresses": [],
- "cloudAccount": "aws:111222333444"
+ "cloudAccount": "aws:777888999000"
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5.json
index 2d74768e53c..dad099ebf71 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/node5.json
@@ -76,5 +76,5 @@
],
"ipAddresses": ["127.0.5.1", "::5:1"],
"additionalIpAddresses": [],
- "cloudAccount": "aws:111222333444"
+ "cloudAccount": "aws:777888999000"
}