-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java4
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificate.java43
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java (renamed from controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificateMock.java)11
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java (renamed from controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificateProvider.java)6
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java12
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java11
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java2
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManagerTest.java6
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java12
10 files changed, 32 insertions, 77 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
index 6ca5cae0455..9e5b01a91d7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
@@ -3,7 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.integration;
import com.yahoo.vespa.hosted.controller.api.integration.aws.AwsEventFetcher;
import com.yahoo.vespa.hosted.controller.api.integration.aws.ResourceTagger;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.ApplicationCertificateProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider;
import com.yahoo.vespa.hosted.controller.api.integration.configserver.ConfigServer;
import com.yahoo.vespa.hosted.controller.api.integration.deployment.ApplicationStore;
import com.yahoo.vespa.hosted.controller.api.integration.deployment.ArtifactRepository;
@@ -46,7 +46,7 @@ public interface ServiceRegistry {
Mailer mailer();
- ApplicationCertificateProvider applicationCertificateProvider();
+ EndpointCertificateProvider endpointCertificateProvider();
MeteringClient meteringService();
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificate.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificate.java
deleted file mode 100644
index 41f5b65d263..00000000000
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificate.java
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.api.integration.certificates;
-
-import java.util.Objects;
-
-/**
- * Represents a reference to a certificate and private key.
- *
- * @author mortent
- * @author andreer
- */
-public class ApplicationCertificate {
-
- private final String secretsKeyNamePrefix;
-
- public ApplicationCertificate(String secretsKeyNamePrefix) {
- this.secretsKeyNamePrefix = Objects.requireNonNull(secretsKeyNamePrefix, "secretsKeyNamePrefix must be non-null");
- }
-
- /** The prefix of keys identifying this certificate and its private key in a key store */
- public String secretsKeyNamePrefix() {
- return secretsKeyNamePrefix;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- ApplicationCertificate that = (ApplicationCertificate) o;
- return Objects.equals(secretsKeyNamePrefix, that.secretsKeyNamePrefix);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(secretsKeyNamePrefix);
- }
-
- @Override
- public String toString() {
- return "application certificate '" + secretsKeyNamePrefix + "'";
- }
-
-}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificateMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
index cc2d08c3fcd..aa0ac5f8296 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificateMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateMock.java
@@ -12,7 +12,7 @@ import java.util.UUID;
/**
* @author tokle
*/
-public class ApplicationCertificateMock implements ApplicationCertificateProvider {
+public class EndpointCertificateMock implements EndpointCertificateProvider {
private final Map<ApplicationId, List<String>> dnsNames = new HashMap<>();
@@ -21,11 +21,12 @@ public class ApplicationCertificateMock implements ApplicationCertificateProvide
}
@Override
- public ApplicationCertificate requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames) {
+ public EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames) {
this.dnsNames.put(applicationId, dnsNames);
- return new ApplicationCertificate(String.format("vespa.tls.%s.%s@%s", applicationId.tenant(),
- applicationId.application(),
- UUID.randomUUID().toString()));
+ String endpointCertificatePrefix = String.format("vespa.tls.%s.%s@%s", applicationId.tenant(),
+ applicationId.application(),
+ UUID.randomUUID().toString());
+ return new EndpointCertificateMetadata(endpointCertificatePrefix + "-key", endpointCertificatePrefix + "-cert", 0);
}
}
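Review bot: The secret-name convention is now duplicated in the mock: the new return at the end of `requestCaSignedCertificate` builds the key and cert names as `endpointCertificatePrefix + "-key"` and `endpointCertificatePrefix + "-cert"`, while the legacy prefix-to-metadata mapping (`EndpointCertificateMetadataSerializer.fromTlsSecretsKeysString`, still reachable through `CuratorDb.readEndpointCertificateMetadata` for old data) owns the same mapping elsewhere. If that serializer is visible from this module, returning `EndpointCertificateMetadataSerializer.fromTlsSecretsKeysString(endpointCertificatePrefix)` would keep the two in step; otherwise a comment such as `// mirrors the <prefix>-key / <prefix>-cert secret naming expected by the manager` would at least make the coupling visible. The hard-coded version `0` also deserves a word, e.g. `// version 0: this mock never issues refreshed certificates`, since a reader cannot tell whether the value is meaningful or arbitrary. The `.toString()` on the UUID is redundant under `%s` and can be dropped.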
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificateProvider.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
index b6ad1701449..147ada51816 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificateProvider.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateProvider.java
@@ -6,12 +6,12 @@ import com.yahoo.config.provision.ApplicationId;
import java.util.List;
/**
- * Generates a certificate.
+ * Generates an endpoint certificate for an application instance.
*
* @author andreer
*/
-public interface ApplicationCertificateProvider {
+public interface EndpointCertificateProvider {
- ApplicationCertificate requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames);
+ EndpointCertificateMetadata requestCaSignedCertificate(ApplicationId applicationId, List<String> dnsNames);
}
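Review bot: The renamed Javadoc only says what the interface is for; `requestCaSignedCertificate` itself still carries no contract, and it is the boundary where a CA-signed certificate is requested on behalf of an application. It should state what `dnsNames` are used for (presumably the subject alternative names of the issued certificate), that the returned `EndpointCertificateMetadata` names the secrets holding the key and certificate rather than the key material itself (as the mock's constructor arguments suggest), and whether the call blocks until issuance completes or may throw on failure. A `@param dnsNames` / `@return` pair in that shape gives implementers a consistent target and tells callers what they may persist.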
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 3ade72b020c..17c9e852bd9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -122,7 +122,7 @@ public class ApplicationController {
deploymentTrigger = new DeploymentTrigger(controller, clock);
applicationPackageValidator = new ApplicationPackageValidator(controller);
endpointCertificateManager = new EndpointCertificateManager(controller.zoneRegistry(), curator, secretStore,
- controller.serviceRegistry().applicationCertificateProvider(), clock, flagSource);
+ controller.serviceRegistry().endpointCertificateProvider(), clock, flagSource);
// Update serialization format of all applications
Once.after(Duration.ofMinutes(1), () -> {
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
index 218efb871ae..cf43e83d735 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
@@ -14,8 +14,7 @@ import com.yahoo.vespa.flags.FetchVector;
import com.yahoo.vespa.flags.FlagSource;
import com.yahoo.vespa.flags.Flags;
import com.yahoo.vespa.hosted.controller.Instance;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.ApplicationCertificate;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.ApplicationCertificateProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider;
import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
import com.yahoo.vespa.hosted.controller.application.Endpoint;
@@ -50,19 +49,19 @@ public class EndpointCertificateManager {
private final ZoneRegistry zoneRegistry;
private final CuratorDb curator;
private final SecretStore secretStore;
- private final ApplicationCertificateProvider applicationCertificateProvider;
+ private final EndpointCertificateProvider endpointCertificateProvider;
private final Clock clock;
private final BooleanFlag useRefreshedEndpointCertificate;
public EndpointCertificateManager(ZoneRegistry zoneRegistry,
CuratorDb curator,
SecretStore secretStore,
- ApplicationCertificateProvider applicationCertificateProvider,
+ EndpointCertificateProvider endpointCertificateProvider,
Clock clock, FlagSource flagSource) {
this.zoneRegistry = zoneRegistry;
this.curator = curator;
this.secretStore = secretStore;
- this.applicationCertificateProvider = applicationCertificateProvider;
+ this.endpointCertificateProvider = endpointCertificateProvider;
this.clock = clock;
this.useRefreshedEndpointCertificate = Flags.USE_REFRESHED_ENDPOINT_CERTIFICATE.bindTo(flagSource);
}
@@ -107,9 +106,8 @@ public class EndpointCertificateManager {
private EndpointCertificateMetadata provisionEndpointCertificate(Instance instance) {
List<ZoneId> directlyRoutedZones = zoneRegistry.zones().directlyRouted().zones().stream().map(ZoneApi::getId).collect(Collectors.toUnmodifiableList());
- ApplicationCertificate newCertificate = applicationCertificateProvider
+ EndpointCertificateMetadata provisionedCertificateMetadata = endpointCertificateProvider
.requestCaSignedCertificate(instance.id(), dnsNamesOf(instance.id(), directlyRoutedZones));
- EndpointCertificateMetadata provisionedCertificateMetadata = EndpointCertificateMetadataSerializer.fromTlsSecretsKeysString(newCertificate.secretsKeyNamePrefix());
curator.writeEndpointCertificateMetadata(instance.id(), provisionedCertificateMetadata);
return provisionedCertificateMetadata;
}
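Review bot: The value returned by `endpointCertificateProvider.requestCaSignedCertificate(...)` is now written straight to curator with no check, whereas the removed line previously passed the result through the serializer before persisting it. A provider that returns null would only fail inside `toSlime` during the write, with the provider out of the stack trace, so guard it first: `Objects.requireNonNull(provisionedCertificateMetadata, "No endpoint certificate metadata returned for " + instance.id());` (add `java.util.Objects` to the imports if it is not already there). `provisionEndpointCertificate` is shown in full here, but the enclosing class starts outside the hunk.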
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java
index 2c51a9bdc00..368621cac96 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/CuratorDb.java
@@ -15,7 +15,6 @@ import com.yahoo.vespa.config.SlimeUtils;
import com.yahoo.vespa.curator.Curator;
import com.yahoo.vespa.curator.Lock;
import com.yahoo.vespa.hosted.controller.Application;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.ApplicationCertificate;
import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
import com.yahoo.vespa.hosted.controller.api.integration.deployment.JobType;
import com.yahoo.vespa.hosted.controller.api.integration.deployment.RunId;
@@ -84,7 +83,7 @@ public class CuratorDb {
private static final Path controllerRoot = root.append("controllers");
private static final Path routingPoliciesRoot = root.append("routingPolicies");
private static final Path zoneRoutingPoliciesRoot = root.append("zoneRoutingPolicies");
- private static final Path applicationCertificateRoot = root.append("applicationCertificates");
+ private static final Path endpointCertificateRoot = root.append("applicationCertificates");
private final StringSetSerializer stringSetSerializer = new StringSetSerializer();
private final NodeVersionSerializer nodeVersionSerializer = new NodeVersionSerializer();
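Review bot: The renamed constant `endpointCertificateRoot` keeps the ZooKeeper path `"applicationCertificates"`, which is right for existing data but now reads like an oversight; a later cleanup that aligns the string with the field name would silently orphan every stored certificate record. Add a comment on the declaration, `// Path deliberately kept as "applicationCertificates": existing ZK data lives there`, so the mismatch is understood as intentional.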
@@ -516,11 +515,11 @@ public class CuratorDb {
// -------------- Application web certificates ----------------------------
public void writeEndpointCertificateMetadata(ApplicationId applicationId, EndpointCertificateMetadata endpointCertificateMetadata) {
- curator.set(applicationCertificatePath(applicationId), asJson(EndpointCertificateMetadataSerializer.toSlime(endpointCertificateMetadata)));
+ curator.set(endpointCertificatePath(applicationId), asJson(EndpointCertificateMetadataSerializer.toSlime(endpointCertificateMetadata)));
}
public Optional<EndpointCertificateMetadata> readEndpointCertificateMetadata(ApplicationId applicationId) {
- Optional<String> zkData = curator.getData(applicationCertificatePath(applicationId)).map(String::new);
+ Optional<String> zkData = curator.getData(endpointCertificatePath(applicationId)).map(String::new);
return zkData.map(EndpointCertificateMetadataSerializer::fromJsonOrTlsSecretsKeysString);
}
@@ -641,8 +640,8 @@ public class CuratorDb {
return controllerRoot.append(hostname);
}
- private static Path applicationCertificatePath(ApplicationId id) {
- return applicationCertificateRoot.append(id.serializedForm());
+ private static Path endpointCertificatePath(ApplicationId id) {
+ return endpointCertificateRoot.append(id.serializedForm());
}
}
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
index 17108b8ee44..50e567b2024 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
@@ -722,7 +722,7 @@ public class ControllerTest {
(zone.environment() == Environment.prod ? "" : "." + zone.environment().value()) +
".vespa.oath.cloud")))
.collect(Collectors.toUnmodifiableList()),
- tester.controllerTester().serviceRegistry().applicationCertificateMock().dnsNamesOf(context1.instanceId()));
+ tester.controllerTester().serviceRegistry().endpointCertificateMock().dnsNamesOf(context1.instanceId()));
// Next deployment reuses certificate
context1.submit(applicationPackage).deploy();
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManagerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManagerTest.java
index 7d5872eb05a..3f8e91dec58 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManagerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManagerTest.java
@@ -11,7 +11,7 @@ import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.flags.Flags;
import com.yahoo.vespa.flags.InMemoryFlagSource;
import com.yahoo.vespa.hosted.controller.Instance;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.ApplicationCertificateMock;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMock;
import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
import com.yahoo.vespa.hosted.controller.integration.SecretStoreMock;
import com.yahoo.vespa.hosted.controller.integration.ZoneRegistryMock;
@@ -38,10 +38,10 @@ public class EndpointCertificateManagerTest {
private final SecretStoreMock secretStore = new SecretStoreMock();
private final ZoneRegistryMock zoneRegistryMock = new ZoneRegistryMock(SystemName.main);
private final MockCuratorDb mockCuratorDb = new MockCuratorDb();
- private final ApplicationCertificateMock applicationCertificateMock = new ApplicationCertificateMock();
+ private final EndpointCertificateMock endpointCertificateMock = new EndpointCertificateMock();
private final InMemoryFlagSource inMemoryFlagSource = new InMemoryFlagSource();
private final Clock clock = Clock.systemUTC();
- private final EndpointCertificateManager endpointCertificateManager = new EndpointCertificateManager(zoneRegistryMock, mockCuratorDb, secretStore, applicationCertificateMock, clock, inMemoryFlagSource);
+ private final EndpointCertificateManager endpointCertificateManager = new EndpointCertificateManager(zoneRegistryMock, mockCuratorDb, secretStore, endpointCertificateMock, clock, inMemoryFlagSource);
private static final KeyPair testKeyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 192);
private static final X509Certificate testCertificate = X509CertificateBuilder
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
index 2dfeb7b8b02..323b86be1d3 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
@@ -10,7 +10,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.ServiceRegistry;
import com.yahoo.vespa.hosted.controller.api.integration.aws.MockAwsEventFetcher;
import com.yahoo.vespa.hosted.controller.api.integration.aws.MockResourceTagger;
import com.yahoo.vespa.hosted.controller.api.integration.aws.ResourceTagger;
-import com.yahoo.vespa.hosted.controller.api.integration.certificates.ApplicationCertificateMock;
+import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMock;
import com.yahoo.vespa.hosted.controller.api.integration.configserver.ConfigServer;
import com.yahoo.vespa.hosted.controller.api.integration.dns.MemoryNameService;
import com.yahoo.vespa.hosted.controller.api.integration.entity.MemoryEntityService;
@@ -44,7 +44,7 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
private final MemoryGlobalRoutingService memoryGlobalRoutingService = new MemoryGlobalRoutingService();
private final RoutingGeneratorMock routingGeneratorMock;
private final MockMailer mockMailer = new MockMailer();
- private final ApplicationCertificateMock applicationCertificateMock = new ApplicationCertificateMock();
+ private final EndpointCertificateMock endpointCertificateMock = new EndpointCertificateMock();
private final MockMeteringClient mockMeteringClient = new MockMeteringClient();
private final MockContactRetriever mockContactRetriever = new MockContactRetriever();
private final MockIssueHandler mockIssueHandler = new MockIssueHandler();
@@ -102,8 +102,8 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
}
@Override
- public ApplicationCertificateMock applicationCertificateProvider() {
- return applicationCertificateMock;
+ public EndpointCertificateMock endpointCertificateProvider() {
+ return endpointCertificateMock;
}
@Override
@@ -213,8 +213,8 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
return artifactRepositoryMock;
}
- public ApplicationCertificateMock applicationCertificateMock() {
- return applicationCertificateMock;
+ public EndpointCertificateMock endpointCertificateMock() {
+ return endpointCertificateMock;
}
}