authorMartin Polden <mpolden@mpolden.no>2022-02-11 09:25:42 +0100
committerGitHub <noreply@github.com>2022-02-11 09:25:42 +0100
commit1ca6892352f04c5f645f8caed076cc667973a2f0 (patch)
tree656367c8b956c7c19b3758a76b890e969f9c98b5 /node-repository
parent5e849a507070560565d4fed6646f1b49943b81bf (diff)
parent3c70f554d6385a628cd2f6f5193b417dffa36243 (diff)
Merge pull request #21141 from vespa-engine/mpolden/update-acl
Stop trusting port 4080 on proxy nodes
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java3
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java2
2 files changed, 3 insertions, 2 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index 88a62c94f43..ac24c83e129 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -109,10 +109,9 @@ public class NodeAcl {
case proxy:
// Proxy nodes trust:
// - config servers
- // - all connections from the world on 4080 (insecure tb removed), and 4443
+ // - all connections from the world on 443 (production traffic) and 4443 (health checks)
trustedNodes.addAll(allNodes.nodeType(NodeType.config).asList());
trustedPorts.add(443);
- trustedPorts.add(4080);
trustedPorts.add(4443);
break;
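Review bot: Port 4443 remains trusted from any source in the `case proxy:` branch, even though the updated comment now describes it as a health-check port rather than production traffic. If the health checkers connect from a known set of addresses, the exposure could be narrowed to those sources; whether this ACL model can express a per-port source restriction is not visible in the hunk. If world reachability is intended, state the reason next to the rule, for example `// - 4443 is open to the world because <reason health checks cannot be source-restricted>`. The enclosing switch starts and ends outside the hunk, so the place where port 22 (asserted in the test) is added cannot be checked here.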
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 23f5701f825..2346b9e2fab 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -100,6 +100,7 @@ public class AclProvisioningTest {
// Trusted nodes is all tenant nodes, all proxy nodes, all config servers and load balancer subnets
assertAcls(List.of(tenantNodes.asList(), proxyNodes, configServers.asList()), Set.of("10.2.3.0/24", "10.4.5.0/24"), List.of(nodeAcl));
+ assertEquals(Set.of(22, 4443), nodeAcl.trustedPorts());
}
@Test
@@ -121,6 +122,7 @@ public class AclProvisioningTest {
// Trusted nodes is all config servers and all proxy nodes
assertAcls(List.of(proxyNodes.asList(), configServers.asList()), List.of(nodeAcl));
+ assertEquals(Set.of(22, 443, 4443), nodeAcl.trustedPorts());
}
@Test
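Review bot: The absence of port 4080 is pinned only implicitly, through the exact-set equality in `assertEquals(Set.of(22, 443, 4443), nodeAcl.trustedPorts());`, and nothing in the test states that this is the intent. A later edit that widens the expected set would pass review more easily without a comment above the assertion, such as `// Proxy nodes must not trust 4080 (insecure, removed from the ACL); expect only 22, 443 and 4443`. The test method starts outside the hunk, so that it exercises a proxy node is inferred from the context comment and the matching port set.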