authorMartin Polden <mpolden@mpolden.no>2021-06-24 10:33:55 +0200
committerMartin Polden <mpolden@mpolden.no>2021-06-24 10:33:55 +0200
commit54792b76404ed27a95c3238a8850d720f6a38cc9 (patch)
tree0c7f6c3baf1489877cb110b303b0a1ecab41bce6 /node-repository
parent684731b4223a6a414f079a5724014695dccfc73f (diff)
Use list flag
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypter.java22
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypterTest.java23
2 files changed, 28 insertions, 17 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypter.java
index c93f226603c..a4569f03d82 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypter.java
@@ -5,10 +5,9 @@ import com.yahoo.component.Version;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.NodeType;
import com.yahoo.jdisc.Metric;
-import com.yahoo.vespa.flags.BooleanFlag;
-import com.yahoo.vespa.flags.FetchVector;
import com.yahoo.vespa.flags.Flags;
import com.yahoo.vespa.flags.IntFlag;
+import com.yahoo.vespa.flags.ListFlag;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeList;
import com.yahoo.vespa.hosted.provision.NodeRepository;
@@ -40,12 +39,12 @@ public class HostEncrypter extends NodeRepositoryMaintainer {
private static final Logger LOG = Logger.getLogger(HostEncrypter.class.getName());
private final IntFlag maxEncryptingHosts;
- private final BooleanFlag deferHostEncryption;
+ private final ListFlag<String> deferApplicationEncryption;
public HostEncrypter(NodeRepository nodeRepository, Duration interval, Metric metric) {
super(nodeRepository, interval, metric);
this.maxEncryptingHosts = Flags.MAX_ENCRYPTING_HOSTS.bindTo(nodeRepository.flagSource());
- this.deferHostEncryption = Flags.DEFER_HOST_ENCRYPTION.bindTo(nodeRepository.flagSource());
+ this.deferApplicationEncryption = Flags.DEFER_APPLICATION_ENCRYPTION.bindTo(nodeRepository.flagSource());
}
@Override
@@ -82,10 +81,14 @@ public class HostEncrypter extends NodeRepositoryMaintainer {
// Encrypt hosts not containing stateful clusters with retiring nodes, up to limit
List<Node> hostsToEncrypt = new ArrayList<>(hostLimit);
+
+ Set<ApplicationId> deferredApplications = deferApplicationEncryption.value().stream()
+ .map(ApplicationId::fromSerializedForm)
+ .collect(Collectors.toSet());
NodeList candidates = hostsOfTargetType.state(Node.State.active)
.not().encrypted()
.not().encrypting()
- .not().matching(host -> deferEncryptionOf(host, allNodes))
+ .matching(host -> encryptHost(host, allNodes, deferredApplications))
// Require an OS version supporting encryption
.matching(node -> node.status().osVersion().current()
.orElse(Version.emptyVersion)
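Review bot: The `.map(ApplicationId::fromSerializedForm)` step parses every entry of the `DEFER_APPLICATION_ENCRYPTION` list flag with no handling for a malformed value. `fromSerializedForm` is not visible here, but if it throws on a string that is not a valid serialized application id, a single typo in the flag would abort the whole maintenance run and stall disk encryption for every host, not only the mistyped application. Consider parsing each entry in a small helper that catches the parse exception and logs the offending value through the existing `LOG`. Whether a bad entry should be skipped or should defer everything needs to be a deliberate choice, because skipping it means the application the operator meant to defer gets its hosts encrypted; the same applies to a well-formed entry that matches no deployed application. The enclosing method starts and ends outside this hunk.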
@@ -112,18 +115,15 @@ public class HostEncrypter extends NodeRepositoryMaintainer {
return Math.max(0, limit - hosts.encrypting().size());
}
- private boolean deferEncryptionOf(Node host, NodeList allNodes) {
+ private boolean encryptHost(Node host, NodeList allNodes, Set<ApplicationId> deferredApplications) {
// TODO: Require a minimum number of proxies in Orchestrator. For now skip proxy hosts.
- if (host.type() == NodeType.proxyhost) return true;
+ if (host.type() == NodeType.proxyhost) return false;
Set<ApplicationId> applicationsOnHost = allNodes.childrenOf(host).stream()
.filter(node -> node.allocation().isPresent())
.map(node -> node.allocation().get().owner())
.collect(Collectors.toSet());
- return applicationsOnHost.stream()
- .anyMatch(application -> deferHostEncryption.with(FetchVector.Dimension.APPLICATION_ID,
- application.serializedForm())
- .value());
+ return Collections.disjoint(applicationsOnHost, deferredApplications);
}
private void encrypt(Node host, Instant now) {
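Review bot: `encryptHost` is a predicate, but its name reads as an action and it sits directly above `encrypt(Node host, Instant now)`, which is the method that actually starts encryption. Because the return value is now inverted relative to the removed `deferEncryptionOf`, the polarity is easy to get wrong in a later edit. Rename it to something like `shouldEncrypt`, or add a Javadoc such as `/** Returns whether host may be encrypted now: false for proxy hosts and for hosts with a child allocated to a deferred application. */`. The comment should also state that a host with no allocated children produces an empty set, so `Collections.disjoint` returns true and the host is eligible. The body of `encrypt` continues outside the hunk.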
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypterTest.java
index f55452acba8..1e5d57263fa 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/maintenance/HostEncrypterTest.java
@@ -22,8 +22,10 @@ import java.time.Instant;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;
+import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Supplier;
+import java.util.stream.Collectors;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
@@ -48,22 +50,31 @@ public class HostEncrypterTest {
@Test
public void deferred_hosts_are_not_encrypted() {
- int hostCount = 2;
+ int hostCount = 4;
int proxyHostCount = 1;
- ApplicationId tenantApp = ApplicationId.from("t1", "a1", "i1");
+ ApplicationId app1 = ApplicationId.from("t1", "a1", "i1");
+ ApplicationId app2 = ApplicationId.from("t2", "a2", "i2");
provisionHosts(hostCount);
- deployApplication(tenantApp);
+ deployApplication(app1);
+ deployApplication(app2);
- ApplicationId proxyHostApp = ApplicationId.from("t2", "a2", "i2");
+ ApplicationId proxyHostApp = ApplicationId.from("hosted-vespa", "proxy-host", "default");
List<Node> proxyHosts = tester.makeReadyNodes(proxyHostCount, "default", NodeType.proxyhost, 10);
tester.patchNodes(proxyHosts, (host) -> host.with(host.status().withOsVersion(host.status().osVersion().withCurrent(Optional.of(Version.fromString("8.0"))))));
tester.prepareAndActivateInfraApplication(proxyHostApp, NodeType.proxyhost);
tester.flagSource()
.withIntFlag(Flags.MAX_ENCRYPTING_HOSTS.id(), hostCount + proxyHostCount)
- .withBooleanFlag(Flags.DEFER_HOST_ENCRYPTION.id(), true);
+ .withListFlag(Flags.DEFER_APPLICATION_ENCRYPTION.id(), List.of(app2.serializedForm()), String.class);
encrypter.maintain();
- assertEquals("No hosts are encrypted", 0, tester.nodeRepository().nodes().list().encrypting().size());
+ NodeList allNodes = tester.nodeRepository().nodes().list();
+ NodeList encryptingHosts = allNodes.encrypting().parents();
+
+ assertEquals(1, encryptingHosts.size());
+ assertEquals("Host of included application is encrypted", Set.of(app1),
+ allNodes.childrenOf(encryptingHosts.asList().get(0)).stream()
+ .map(node -> node.allocation().get().owner())
+ .collect(Collectors.toSet()));
}
@Test