authorBjørn Christian Seime <bjorncs@verizonmedia.com>2021-03-17 18:02:19 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2021-04-21 14:40:06 +0200
commite3f754b6bac836d45374a5a57e426aa9bfc7bead (patch)
tree74bcd301839461ed9229a3326d9d6bffcd164d7e /zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo
parent1f02cb563b04142807818c9c7d7ba3bc32ba70c9 (diff)
Generate server ZK TLS config using Vespa mTLS config
Server ZK TLS config follows Vespa mTLS config and is no longer controlled by feature flag.
Diffstat (limited to 'zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo')
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java130
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java3
2 files changed, 52 insertions, 81 deletions
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
index d662bab8463..f302798589c 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
@@ -3,7 +3,9 @@
package com.yahoo.vespa.zookeeper;
import com.yahoo.cloud.config.ZookeeperServerConfig;
+import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TlsContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
import com.yahoo.vespa.defaults.Defaults;
import java.io.FileWriter;
@@ -40,11 +42,14 @@ public class Configurator {
System.setProperty("zookeeper.authProvider.x509", "com.yahoo.vespa.zookeeper.VespaMtlsAuthenticationProvider");
}
- void writeConfigToDisk(Optional<TlsContext> tlsContext) {
+ void writeConfigToDisk() { writeConfigToDisk(VespaTlsConfig.fromSystem()); }
+
+ // override of Vespa TLS config for unit testing
+ void writeConfigToDisk(VespaTlsConfig vespaTlsConfig) {
configFilePath.toFile().getParentFile().mkdirs();
try {
- writeZooKeeperConfigFile(zookeeperServerConfig, tlsContext);
+ writeZooKeeperConfigFile(zookeeperServerConfig, vespaTlsConfig);
writeMyIdFile(zookeeperServerConfig);
} catch (IOException e) {
throw new RuntimeException("Error writing zookeeper config", e);
@@ -52,13 +57,13 @@ public class Configurator {
}
private void writeZooKeeperConfigFile(ZookeeperServerConfig config,
- Optional<TlsContext> tlsContext) throws IOException {
+ VespaTlsConfig vespaTlsConfig) throws IOException {
try (FileWriter writer = new FileWriter(configFilePath.toFile())) {
- writer.write(transformConfigToString(config, tlsContext));
+ writer.write(transformConfigToString(config, vespaTlsConfig));
}
}
- private String transformConfigToString(ZookeeperServerConfig config, Optional<TlsContext> tlsContext) {
+ private String transformConfigToString(ZookeeperServerConfig config, VespaTlsConfig vespaTlsConfig) {
StringBuilder sb = new StringBuilder();
sb.append("tickTime=").append(config.tickTime()).append("\n");
sb.append("initLimit=").append(config.initLimit()).append("\n");
@@ -80,8 +85,8 @@ public class Configurator {
sb.append("skipACL=yes").append("\n");
ensureThisServerIsRepresented(config.myid(), config.server());
config.server().forEach(server -> addServerToCfg(sb, server, config.clientPort()));
- sb.append(new TlsQuorumConfig().createConfig(config, tlsContext));
- sb.append(new TlsClientServerConfig().createConfig(config, tlsContext));
+ sb.append(new TlsQuorumConfig().createConfig(vespaTlsConfig));
+ sb.append(new TlsClientServerConfig().createConfig(vespaTlsConfig));
return sb.toString();
}
@@ -143,22 +148,10 @@ public class Configurator {
}
private interface TlsConfig {
- String createConfig(ZookeeperServerConfig config, Optional<TlsContext> tlsContext);
-
- default Optional<String> getEnvironmentVariable(String variableName) {
- return Optional.ofNullable(System.getenv().get(variableName))
- .filter(var -> !var.isEmpty());
- }
-
- default void validateOptions(Optional<TlsContext> tlsContext, String tlsSetting) {
- if (tlsContext.isEmpty() && !tlsSetting.equals("OFF"))
- throw new RuntimeException("Could not retrieve transport security options");
- }
-
String configFieldPrefix();
- default void appendSharedTlsConfig(StringBuilder builder, Optional<TlsContext> tlsContext) {
- tlsContext.ifPresent(ctx -> {
+ default void appendSharedTlsConfig(StringBuilder builder, VespaTlsConfig vespaTlsConfig) {
+ vespaTlsConfig.context().ifPresent(ctx -> {
builder.append(configFieldPrefix()).append(".context.supplier.class=").append(VespaSslContextProvider.class.getName()).append("\n");
String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
builder.append(configFieldPrefix()).append(".ciphersuites=").append(enabledCiphers).append("\n");
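Review bot: The interface loses its only abstract method in this hunk (`String createConfig(ZookeeperServerConfig config, Optional<TlsContext> tlsContext);` is removed and nothing replaces it), so the `createConfig(VespaTlsConfig)` methods in TlsClientServerConfig and TlsQuorumConfig are no longer overrides, which is presumably why their `@Override` annotations were dropped in the two later hunks. If TlsConfig is still meant to be the contract that transformConfigToString programs against, declare `String createConfig(VespaTlsConfig vespaTlsConfig);` here and restore `@Override` on both implementations so that a future signature drift between the two classes fails at compile time instead of going unnoticed. The interface body continues past the end of this hunk.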
@@ -167,39 +160,23 @@ public class Configurator {
builder.append(configFieldPrefix()).append(".clientAuth=NEED\n");
});
}
+
+ default boolean enablePortUnification(VespaTlsConfig config) {
+ return config.tlsEnabled()
+ && (config.mixedMode() == MixedMode.TLS_CLIENT_MIXED_SERVER || config.mixedMode() == MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER);
+ }
}
static class TlsClientServerConfig implements TlsConfig {
- @Override
- public String createConfig(ZookeeperServerConfig config, Optional<TlsContext> tlsContext) {
- String tlsSetting = getEnvironmentVariable("VESPA_TLS_FOR_ZOOKEEPER_CLIENT_SERVER_COMMUNICATION")
- .orElse(config.tlsForClientServerCommunication().name());
- validateOptions(tlsContext, tlsSetting);
-
- StringBuilder sb = new StringBuilder();
- boolean portUnification;
- boolean secureClientPort;
- switch (tlsSetting) {
- case "OFF":
- secureClientPort = false; portUnification = false;
- break;
- case "TLS_ONLY":
- secureClientPort = true; portUnification = false;
- break;
- case "PORT_UNIFICATION":
- case "TLS_WITH_PORT_UNIFICATION":
- secureClientPort = false; portUnification = true;
- break;
- default:
- throw new IllegalArgumentException("Unknown value of config setting tlsForClientServerCommunication: " + tlsSetting);
- }
- sb.append("client.portUnification=").append(portUnification).append("\n");
+ public String createConfig(VespaTlsConfig vespaTlsConfig) {
+ StringBuilder sb = new StringBuilder()
+ .append("client.portUnification=").append(enablePortUnification(vespaTlsConfig)).append("\n");
// ZooKeeper Dynamic Reconfiguration requires the "non-secure" client port to exist
// This is a hack to override the secure parameter through our connection factory wrapper
// https://issues.apache.org/jira/browse/ZOOKEEPER-3577
- VespaNettyServerCnxnFactory_isSecure = secureClientPort;
- appendSharedTlsConfig(sb, tlsContext);
+ VespaNettyServerCnxnFactory_isSecure = vespaTlsConfig.tlsEnabled() && vespaTlsConfig.mixedMode() == MixedMode.DISABLED;
+ appendSharedTlsConfig(sb, vespaTlsConfig);
return sb.toString();
}
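Review bot: The new `VespaNettyServerCnxnFactory_isSecure` expression and `enablePortUnification` encode the mode table purely through `==` checks on MixedMode, and with the old `default: throw new IllegalArgumentException(...)` gone, a MixedMode constant not named here now silently yields portUnification=false and isSecure=false, i.e. a plaintext client port, rather than a failure. Rewriting `enablePortUnification` as a switch with explicit cases and a throwing default keeps the fail-loud property the removed code had; the same consideration applies to the sslQuorum/portUnification lines in the TlsQuorumConfig hunk that follows. The isSecure assignment also deserves a why-comment, e.g. `// Secure client port only when TLS is on and mixed mode is disabled; mixed modes rely on portUnification instead (see enablePortUnification)`, since the surrounding comment only explains the ZOOKEEPER-3577 workaround.
```java
default boolean enablePortUnification(VespaTlsConfig config) {
    if (!config.tlsEnabled()) return false;
    switch (config.mixedMode()) {
        case DISABLED:
            return false;
        case TLS_CLIENT_MIXED_SERVER:
        case PLAINTEXT_CLIENT_MIXED_SERVER:
            return true;
        default:
            throw new IllegalStateException("Unhandled mixed mode: " + config.mixedMode());
    }
}
```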
@@ -212,38 +189,11 @@ public class Configurator {
static class TlsQuorumConfig implements TlsConfig {
- @Override
- public String createConfig(ZookeeperServerConfig config, Optional<TlsContext> tlsContext) {
- String tlsSetting = getEnvironmentVariable("VESPA_TLS_FOR_ZOOKEEPER_QUORUM_COMMUNICATION")
- .orElse(config.tlsForQuorumCommunication().name());
- validateOptions(tlsContext, tlsSetting);
-
- StringBuilder sb = new StringBuilder();
- boolean sslQuorum;
- boolean portUnification;
- switch (tlsSetting) {
- case "OFF":
- sslQuorum = false;
- portUnification = false;
- break;
- case "PORT_UNIFICATION":
- sslQuorum = false;
- portUnification = true;
- break;
- case "TLS_WITH_PORT_UNIFICATION":
- sslQuorum = true;
- portUnification = true;
- break;
- case "TLS_ONLY":
- sslQuorum = true;
- portUnification = false;
- break;
- default: throw new IllegalArgumentException("Unknown value of config setting tlsForQuorumCommunication: " + tlsSetting);
- }
- sb.append("sslQuorum=").append(sslQuorum).append("\n");
- sb.append("portUnification=").append(portUnification).append("\n");
- appendSharedTlsConfig(sb, tlsContext);
-
+ public String createConfig(VespaTlsConfig vespaTlsConfig) {
+ StringBuilder sb = new StringBuilder()
+ .append("sslQuorum=").append(vespaTlsConfig.tlsEnabled()).append("\n")
+ .append("portUnification=").append(enablePortUnification(vespaTlsConfig)).append("\n");
+ appendSharedTlsConfig(sb, vespaTlsConfig);
return sb.toString();
}
@@ -253,4 +203,26 @@ public class Configurator {
}
}
+ static class VespaTlsConfig {
+ private final TlsContext context;
+ private final MixedMode mixedMode;
+
+ VespaTlsConfig(TlsContext context, MixedMode mixedMode) {
+ this.context = context;
+ this.mixedMode = mixedMode;
+ }
+
+ static VespaTlsConfig fromSystem() {
+ return new VespaTlsConfig(
+ TransportSecurityUtils.getSystemTlsContext().orElse(null),
+ TransportSecurityUtils.getInsecureMixedMode());
+ }
+
+ static VespaTlsConfig tlsDisabled() { return new VespaTlsConfig(null, MixedMode.defaultValue()); }
+
+ boolean tlsEnabled() { return context != null; }
+ Optional<TlsContext> context() { return Optional.ofNullable(context); }
+ MixedMode mixedMode() { return mixedMode; }
+ }
+
}
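Review bot: `fromSystem()` maps an absent system TLS context to `context == null`, which every consumer then reads as TLS disabled: sslQuorum=false, no ciphersuites, plaintext client port. The removed `validateOptions` used to throw "Could not retrieve transport security options" in that situation, so a node whose TLS configuration fails to load would now silently start ZooKeeper without TLS instead of failing, which at least warrants a log line stating the effective mode where the config file is written (whether getSystemTlsContext() is empty only when mTLS is intentionally off is not visible from this hunk). Also guard the constructor with `this.mixedMode = Objects.requireNonNull(mixedMode, "mixedMode");`, since `mixedMode()` is only ever compared with `==` and a null would make every such check quietly false; a short class comment stating that a null context means "TLS disabled" would make the `tlsDisabled()` factory and `tlsEnabled()` easier to read together.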
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java
index adbc7a369b3..8c748250503 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java
@@ -4,7 +4,6 @@ package com.yahoo.vespa.zookeeper;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.concurrent.DaemonThreadFactory;
import com.yahoo.protect.Process;
-import com.yahoo.security.tls.TransportSecurityUtils;
import java.nio.file.Path;
import java.nio.file.Paths;
@@ -39,7 +38,7 @@ public class ZooKeeperRunner implements Runnable {
public ZooKeeperRunner(ZookeeperServerConfig zookeeperServerConfig, VespaZooKeeperServer server) {
this.zookeeperServerConfig = zookeeperServerConfig;
this.server = server;
- new Configurator(zookeeperServerConfig).writeConfigToDisk(TransportSecurityUtils.getSystemTlsContext());
+ new Configurator(zookeeperServerConfig).writeConfigToDisk();
executorService = Executors.newSingleThreadExecutor(new DaemonThreadFactory("zookeeper server"));
executorService.submit(this);
}