Include load balancer networks for application of child node

3 files changed, 32 insertions, 19 deletions

diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index 48a53104f7f..4af68fa702c 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -215,7 +215,7 @@ public class NodeRepository extends AbstractComponent {
     /**
      * Returns the ACL for the node (trusted nodes, networks and ports)
      */
-    private NodeAcl getNodeAcl(Node node, NodeList candidates, LoadBalancerList loadBalancers) {
+    private NodeAcl getNodeAcl(Node node, NodeList candidates) {
         Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname));
         Set<Integer> trustedPorts = new LinkedHashSet<>();
         Set<String> trustedNetworks = new LinkedHashSet<>();
@@ -232,10 +232,10 @@ public class NodeRepository extends AbstractComponent {
         candidates.parentOf(node).ifPresent(trustedNodes::add);
         node.allocation().ifPresent(allocation -> {
             trustedNodes.addAll(candidates.owner(allocation.owner()).asList());
-            loadBalancers.asList().stream()
-                         .map(LoadBalancer::instance)
-                         .map(LoadBalancerInstance::networks)
-                         .forEach(trustedNetworks::addAll);
+            loadBalancers(allocation.owner()).asList().stream()
+                                             .map(LoadBalancer::instance)
+                                             .map(LoadBalancerInstance::networks)
+                                             .forEach(trustedNetworks::addAll);
         });
 
         switch (node.type()) {
@@ -304,18 +304,12 @@ public class NodeRepository extends AbstractComponent {
      */
     public List<NodeAcl> getNodeAcls(Node node, boolean children) {
         NodeList candidates = list();
-        LoadBalancerList loadBalancers;
-        if (node.allocation().isPresent()) {
-            loadBalancers = loadBalancers(node.allocation().get().owner());
-        } else {
-            loadBalancers = LoadBalancerList.EMPTY;
-        }
         if (children) {
             return candidates.childrenOf(node).asList().stream()
-                             .map(childNode -> getNodeAcl(childNode, candidates, loadBalancers))
+                             .map(childNode -> getNodeAcl(childNode, candidates))
                              .collect(Collectors.collectingAndThen(Collectors.toList(), Collections::unmodifiableList));
         }
-        return Collections.singletonList(getNodeAcl(node, candidates, loadBalancers));
+        return Collections.singletonList(getNodeAcl(node, candidates));
     }
 
     public NodeFlavors getAvailableFlavors() {
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/lb/LoadBalancerList.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/lb/LoadBalancerList.java
index 479fd328162..bad16bf7d12 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/lb/LoadBalancerList.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/lb/LoadBalancerList.java
@@ -15,8 +15,6 @@ import java.util.stream.Stream;
  */
 public class LoadBalancerList implements Iterable<LoadBalancer> {
 
-    public static LoadBalancerList EMPTY = new LoadBalancerList(List.of());
-
     private final List<LoadBalancer> loadBalancers;
 
     private LoadBalancerList(Collection<LoadBalancer> loadBalancers) {
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 92d066e5f16..8995897769c 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -164,12 +164,33 @@ public class AclProvisioningTest {
 
     @Test
     public void trusted_nodes_for_application_with_load_balancer() {
-        // Populate repo
-        tester.makeReadyNodes(10, nodeResources);
+        // Provision hosts and containers
+        var hosts = tester.makeReadyNodes(2, "default", NodeType.host);
+        tester.deployZoneApp();
+        for (var host : hosts) {
+            tester.makeReadyVirtualDockerNodes(2, new NodeResources(2, 8, 50, 1),
+                                               host.hostname());
+        }
 
-        // Allocate 2 nodes
-        List<Node> activeNodes = deploy(2);
+        // Deploy application
+        var application = tester.makeApplicationId();
+        List<Node> activeNodes = deploy(application, 2);
         assertEquals(2, activeNodes.size());
+
+        // Load balancer is allocated to application
+        var loadBalancers = tester.nodeRepository().loadBalancers(application);
+        assertEquals(1, loadBalancers.asList().size());
+        var lbNetworks = loadBalancers.asList().get(0).instance().networks();
+        assertEquals(2, lbNetworks.size());
+
+        // ACL for nodes with allocation trust their respective load balancer networks, if any
+        for (var host : hosts) {
+            var acls = tester.nodeRepository().getNodeAcls(host, true);
+            assertEquals(2, acls.size());
+            assertEquals(Set.of(), acls.get(0).trustedNetworks());
+            assertEquals(application, acls.get(1).node().allocation().get().owner());
+            assertEquals(lbNetworks, acls.get(1).trustedNetworks());
+        }
     }
 
     @Test