-rw-r--r--config-model-api/abi-spec.json3
-rw-r--r--config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java2
-rw-r--r--config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java2
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java9
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java3
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java17
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java13
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java29
-rw-r--r--configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java10
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java7
11 files changed, 80 insertions, 18 deletions
diff --git a/config-model-api/abi-spec.json b/config-model-api/abi-spec.json
index dc67b6537e5..ada3119f5bb 100644
--- a/config-model-api/abi-spec.json
+++ b/config-model-api/abi-spec.json
@@ -883,7 +883,8 @@
"public abstract boolean useBucketSpaceMetric()",
"public boolean useNewAthenzFilter()",
"public boolean usePhraseSegmenting()",
- "public java.lang.String proxyProtocol()"
+ "public java.lang.String proxyProtocol()",
+ "public java.util.Optional athenzDomain()"
],
"fields": []
},
diff --git a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
index 39d1f8096b6..7fcde1b5e6b 100644
--- a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
+++ b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
@@ -6,6 +6,7 @@ import com.yahoo.config.application.api.ApplicationPackage;
import com.yahoo.config.application.api.DeployLogger;
import com.yahoo.config.application.api.FileRegistry;
import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.AthenzDomain;
import com.yahoo.config.provision.HostName;
import com.yahoo.config.provision.Zone;
@@ -65,6 +66,7 @@ public interface ModelContext {
default boolean useNewAthenzFilter() { return false; }
default boolean usePhraseSegmenting() { return false; }
default String proxyProtocol() { return "https-only"; }
+ default Optional<AthenzDomain> athenzDomain() { return Optional.empty(); }
}
}
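Review bot: The new `athenzDomain()` default on the properties interface has no comment saying what the value identifies or when it is empty, and it is the only identity-bearing property in this group. From the `ApplicationController` hunk in this commit, the value appears to be the Athenz domain of the owning tenant and is absent for tenants that are not `AthenzTenant`. I would add a one-line Javadoc above it, for example `/** Athenz domain of the tenant owning this application; empty when the tenant has none */`. The interface body starts outside this hunk.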
diff --git a/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java b/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java
index 5995a52c433..696ce4195eb 100644
--- a/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java
+++ b/config-model/src/main/java/com/yahoo/config/model/deploy/DeployState.java
@@ -12,10 +12,10 @@ import com.yahoo.config.application.api.UnparsedConfigDefinition;
import com.yahoo.config.application.api.ValidationOverrides;
import com.yahoo.config.model.api.ConfigDefinitionRepo;
import com.yahoo.config.model.api.ContainerEndpoint;
+import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.config.model.api.HostProvisioner;
import com.yahoo.config.model.api.Model;
import com.yahoo.config.model.api.ModelContext;
-import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.config.model.api.ValidationParameters;
import com.yahoo.config.model.application.provider.BaseDeployLogger;
import com.yahoo.config.model.application.provider.MockFileRegistry;
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
index 55a1482cde8..930bdaadcea 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
@@ -14,6 +14,7 @@ import com.yahoo.config.model.api.ModelContext;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.config.model.api.TlsSecrets;
import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.AthenzDomain;
import com.yahoo.config.provision.HostName;
import com.yahoo.config.provision.Zone;
import com.yahoo.vespa.flags.FetchVector;
@@ -144,6 +145,7 @@ public class ModelContextImpl implements ModelContext {
private final boolean useNewAthenzFilter;
private final boolean usePhraseSegmenting;
private final String proxyProtocol;
+ private final Optional<AthenzDomain> athenzDomain;
public Properties(ApplicationId applicationId,
boolean multitenantFromConfig,
@@ -157,7 +159,8 @@ public class ModelContextImpl implements ModelContext {
boolean isBootstrap,
boolean isFirstTimeDeployment,
FlagSource flagSource,
- Optional<EndpointCertificateSecrets> endpointCertificateSecrets) {
+ Optional<EndpointCertificateSecrets> endpointCertificateSecrets,
+ Optional<AthenzDomain> athenzDomain) {
this.applicationId = applicationId;
this.multitenant = multitenantFromConfig || hostedVespa || Boolean.getBoolean("multitenant");
this.configServerSpecs = configServerSpecs;
@@ -182,6 +185,7 @@ public class ModelContextImpl implements ModelContext {
.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm()).value();
this.proxyProtocol = Flags.PROXY_PROTOCOL.bindTo(flagSource)
.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm()).value();
+ this.athenzDomain = athenzDomain;
}
@Override
@@ -244,6 +248,9 @@ public class ModelContextImpl implements ModelContext {
@Override
public String proxyProtocol() { return proxyProtocol; }
+
+ @Override
+ public Optional<AthenzDomain> athenzDomain() { return athenzDomain; }
}
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java b/configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java
index 70faf3ff36f..46a0c44674b 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/modelfactory/ActivatedModelsBuilder.java
@@ -140,7 +140,8 @@ public class ActivatedModelsBuilder extends ModelsBuilder<Application> {
flagSource,
new EndpointCertificateMetadataStore(curator, TenantRepository.getTenantPath(tenant))
.readEndpointCertificateMetadata(applicationId)
- .flatMap(new EndpointCertificateRetriever(secretStore)::readEndpointCertificateSecrets));
+ .flatMap(new EndpointCertificateRetriever(secretStore)::readEndpointCertificateSecrets),
+ zkClient.readAthenzDomain());
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java b/configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java
index e217bb39b39..6a671648b27 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/session/PrepareParams.java
@@ -5,6 +5,7 @@ import com.yahoo.component.Version;
import com.yahoo.config.model.api.ContainerEndpoint;
import com.yahoo.config.model.api.EndpointCertificateMetadata;
import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.AthenzDomain;
import com.yahoo.config.provision.TenantName;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.slime.Slime;
@@ -36,6 +37,7 @@ public final class PrepareParams {
static final String TLS_SECRETS_KEY_NAME_PARAM_NAME = "tlsSecretsKeyName";
static final String ENDPOINT_CERTIFICATE_METADATA_PARAM_NAME = "endpointCertificateMetadata";
static final String DOCKER_IMAGE_REPOSITORY = "dockerImageRepository";
+ static final String ATHENZ_DOMAIN = "athenzDomain";
private final ApplicationId applicationId;
private final TimeoutBudget timeoutBudget;
@@ -48,12 +50,13 @@ public final class PrepareParams {
private final Optional<String> tlsSecretsKeyName;
private final Optional<EndpointCertificateMetadata> endpointCertificateMetadata;
private final Optional<String> dockerImageRepository;
+ private final Optional<AthenzDomain> athenzDomain;
private PrepareParams(ApplicationId applicationId, TimeoutBudget timeoutBudget, boolean ignoreValidationErrors,
boolean dryRun, boolean verbose, boolean isBootstrap, Optional<Version> vespaVersion,
List<ContainerEndpoint> containerEndpoints, Optional<String> tlsSecretsKeyName,
Optional<EndpointCertificateMetadata> endpointCertificateMetadata,
- Optional<String> dockerImageRepository) {
+ Optional<String> dockerImageRepository, Optional<AthenzDomain> athenzDomain) {
this.timeoutBudget = timeoutBudget;
this.applicationId = applicationId;
this.ignoreValidationErrors = ignoreValidationErrors;
@@ -65,6 +68,7 @@ public final class PrepareParams {
this.tlsSecretsKeyName = tlsSecretsKeyName;
this.endpointCertificateMetadata = endpointCertificateMetadata;
this.dockerImageRepository = dockerImageRepository;
+ this.athenzDomain = athenzDomain;
}
public static class Builder {
@@ -80,6 +84,7 @@ public final class PrepareParams {
private Optional<String> tlsSecretsKeyName = Optional.empty();
private Optional<EndpointCertificateMetadata> endpointCertificateMetadata = Optional.empty();
private Optional<String> dockerImageRepository = Optional.empty();
+ private Optional<AthenzDomain> athenzDomain = Optional.empty();
public Builder() { }
@@ -153,10 +158,15 @@ public final class PrepareParams {
return this;
}
+ public Builder athenzDomain(String athenzDomain) {
+ this.athenzDomain = Optional.ofNullable(athenzDomain).map(AthenzDomain::from);
+ return this;
+ }
+
public PrepareParams build() {
return new PrepareParams(applicationId, timeoutBudget, ignoreValidationErrors, dryRun,
verbose, isBootstrap, vespaVersion, containerEndpoints, tlsSecretsKeyName,
- endpointCertificateMetadata, dockerImageRepository);
+ endpointCertificateMetadata, dockerImageRepository, athenzDomain);
}
}
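Review bot: The new `Builder.athenzDomain(String)` maps every non-null string through `AthenzDomain::from`, so an empty or whitespace-only `athenzDomain` request property (wired in by the `fromHttpRequest` hunk that follows) becomes a present domain at prepare time. `SessionZooKeeperClient.readAthenzDomain()` in this same commit filters blank values to empty, so the prepared and the activated model could disagree unless `AthenzDomain.from` itself rejects blanks, which is not visible here. Filtering before the conversion keeps both paths consistent: `this.athenzDomain = Optional.ofNullable(athenzDomain).filter(d -> !d.isBlank()).map(AthenzDomain::from);`. The value arrives as a plain request parameter and no check against the caller's identity is visible in these hunks, so a short comment stating where that trust decision is made would help readers of the model code.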
@@ -172,6 +182,7 @@ public final class PrepareParams {
.tlsSecretsKeyName(request.getProperty(TLS_SECRETS_KEY_NAME_PARAM_NAME))
.endpointCertificateMetadata(request.getProperty(ENDPOINT_CERTIFICATE_METADATA_PARAM_NAME))
.dockerImageRepository(request.getProperty(DOCKER_IMAGE_REPOSITORY))
+ .athenzDomain(request.getProperty(ATHENZ_DOMAIN))
.build();
}
@@ -237,4 +248,6 @@ public final class PrepareParams {
return dockerImageRepository;
}
+ public Optional<AthenzDomain> athenzDomain() { return athenzDomain; }
+
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java
index c65af076e54..b88fdc90316 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionPreparer.java
@@ -17,6 +17,7 @@ import com.yahoo.config.model.api.ModelContext;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.config.provision.AllocatedHosts;
import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.AthenzDomain;
import com.yahoo.config.provision.HostName;
import com.yahoo.config.provision.Zone;
import com.yahoo.container.jdisc.secretstore.SecretStore;
@@ -152,6 +153,7 @@ public class SessionPreparer {
private final EndpointCertificateRetriever endpointCertificateRetriever;
private final Optional<EndpointCertificateMetadata> endpointCertificateMetadata;
private final Optional<EndpointCertificateSecrets> endpointCertificateSecrets;
+ private final Optional<AthenzDomain> athenzDomain;
private ApplicationPackage applicationPackage;
private List<PreparedModelsBuilder.PreparedModelResult> modelResultList;
@@ -182,6 +184,7 @@ public class SessionPreparer {
.flatMap(endpointCertificateRetriever::readEndpointCertificateSecrets);
this.endpointsSet = getEndpoints(params.containerEndpoints());
+ this.athenzDomain = params.athenzDomain();
this.properties = new ModelContextImpl.Properties(params.getApplicationId(),
configserverConfig.multitenant(),
@@ -195,7 +198,8 @@ public class SessionPreparer {
params.isBootstrap(),
! currentActiveApplicationSet.isPresent(),
context.getFlagSource(),
- endpointCertificateSecrets);
+ endpointCertificateSecrets,
+ athenzDomain);
this.preparedModelsBuilder = new PreparedModelsBuilder(modelFactoryRegistry,
permanentApplicationPackage,
configDefinitionRepo,
@@ -247,7 +251,8 @@ public class SessionPreparer {
vespaVersion,
logger,
prepareResult.getFileRegistries(),
- prepareResult.allocatedHosts());
+ prepareResult.allocatedHosts(),
+ athenzDomain);
checkTimeout("write state to zookeeper");
}
@@ -290,13 +295,15 @@ public class SessionPreparer {
Version vespaVersion,
DeployLogger deployLogger,
Map<Version, FileRegistry> fileRegistryMap,
- AllocatedHosts allocatedHosts) {
+ AllocatedHosts allocatedHosts,
+ Optional<AthenzDomain> athenzDomain) {
ZooKeeperDeployer zkDeployer = zooKeeperClient.createDeployer(deployLogger);
try {
zkDeployer.deploy(applicationPackage, fileRegistryMap, allocatedHosts);
zooKeeperClient.writeApplicationId(applicationId);
zooKeeperClient.writeVespaVersion(vespaVersion);
zooKeeperClient.writeDockerImageRepository(dockerImageRepository);
+ zooKeeperClient.writeAthenzDomain(athenzDomain);
} catch (RuntimeException | IOException e) {
zkDeployer.cleanup();
throw new RuntimeException("Error preparing session", e);
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java
index 4c64bdd380f..44cf3cec1b7 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/session/SessionZooKeeperClient.java
@@ -5,23 +5,24 @@ import com.yahoo.component.Version;
import com.yahoo.component.Vtag;
import com.yahoo.config.application.api.ApplicationPackage;
import com.yahoo.config.application.api.DeployLogger;
-import com.yahoo.config.provision.NodeFlavors;
+import com.yahoo.config.model.api.ConfigDefinitionRepo;
import com.yahoo.config.provision.AllocatedHosts;
-import com.yahoo.transaction.NestedTransaction;
-import com.yahoo.transaction.Transaction;
+import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.AthenzDomain;
+import com.yahoo.config.provision.NodeFlavors;
import com.yahoo.log.LogLevel;
import com.yahoo.path.Path;
-import com.yahoo.config.model.api.ConfigDefinitionRepo;
import com.yahoo.text.Utf8;
-import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.transaction.NestedTransaction;
+import com.yahoo.transaction.Transaction;
import com.yahoo.vespa.config.server.UserConfigDefinitionRepo;
import com.yahoo.vespa.config.server.deploy.ZooKeeperClient;
import com.yahoo.vespa.config.server.deploy.ZooKeeperDeployer;
+import com.yahoo.vespa.config.server.zookeeper.ConfigCurator;
import com.yahoo.vespa.config.server.zookeeper.ZKApplicationPackage;
import com.yahoo.vespa.curator.Curator;
import com.yahoo.vespa.curator.transaction.CuratorOperations;
import com.yahoo.vespa.curator.transaction.CuratorTransaction;
-import com.yahoo.vespa.config.server.zookeeper.ConfigCurator;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
@@ -42,6 +43,7 @@ public class SessionZooKeeperClient {
private static final String VERSION_PATH = "version";
private static final String CREATE_TIME_PATH = "createTime";
private static final String DOCKER_IMAGE_REPOSITORY_PATH = "dockerImageRepository";
+ private static final String ATHENZ_DOMAIN = "athenzDomain";
private final Curator curator;
private final ConfigCurator configCurator;
private final Path sessionPath;
@@ -170,6 +172,10 @@ public class SessionZooKeeperClient {
return sessionPath.append(DOCKER_IMAGE_REPOSITORY_PATH).getAbsolute();
}
+ private String athenzDomainPath() {
+ return sessionPath.append(ATHENZ_DOMAIN).getAbsolute();
+ }
+
public void writeVespaVersion(Version version) {
configCurator.putData(versionPath(), version.toString());
}
@@ -221,6 +227,17 @@ public class SessionZooKeeperClient {
return transaction;
}
+ public void writeAthenzDomain(Optional<AthenzDomain> athenzDomain) {
+ athenzDomain.ifPresent(domain -> configCurator.putData(athenzDomainPath(), domain.toString()));
+ }
+
+ public Optional<AthenzDomain> readAthenzDomain() {
+ if ( ! configCurator.exists(athenzDomainPath())) return Optional.empty();
+ return Optional.ofNullable(configCurator.getData(athenzDomainPath()))
+ .filter(domain -> ! domain.isBlank())
+ .map(AthenzDomain::from);
+ }
+
/**
* Create necessary paths atomically for a new session.
*
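Review bot: `readAthenzDomain()` calls `configCurator.exists(athenzDomainPath())` and then `configCurator.getData(athenzDomainPath())` as two separate ZooKeeper operations, so the node could be removed between them. How `getData` behaves on a missing node is not visible in this hunk. If it returns null, the `Optional.ofNullable(...)` already covers that case and the `exists` check is a redundant round trip; if it throws, the check does not fully protect the read. Both new public methods would also benefit from a one-line Javadoc noting that an absent or blank node reads as `Optional.empty()` and that an empty value is never written. As a naming point, the constant added in the earlier hunk of this file would match its neighbours as `ATHENZ_DOMAIN_PATH`.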
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java
index 339c676000b..c3124fd3ed6 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/ModelContextImplTest.java
@@ -59,7 +59,8 @@ public class ModelContextImplTest {
false,
false,
flagSource,
- null),
+ null,
+ Optional.empty()),
Optional.empty(),
Optional.empty(),
new Version(7),
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
index ee2e292ade9..0afe9347341 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/application/v4/model/DeploymentData.java
@@ -4,6 +4,7 @@ import com.yahoo.component.Version;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.DockerImage;
import com.yahoo.config.provision.zone.ZoneId;
+import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateMetadata;
import com.yahoo.vespa.hosted.controller.api.integration.configserver.ContainerEndpoint;
@@ -26,11 +27,13 @@ public class DeploymentData {
private final Set<ContainerEndpoint> containerEndpoints;
private final Optional<EndpointCertificateMetadata> endpointCertificateMetadata;
private final Optional<DockerImage> dockerImageRepo;
+ private final Optional<AthenzDomain> athenzDomain;
public DeploymentData(ApplicationId instance, ZoneId zone, byte[] applicationPackage, Version platform,
Set<ContainerEndpoint> containerEndpoints,
Optional<EndpointCertificateMetadata> endpointCertificateMetadata,
- Optional<DockerImage> dockerImageRepo) {
+ Optional<DockerImage> dockerImageRepo,
+ Optional<AthenzDomain> athenzDomain) {
this.instance = requireNonNull(instance);
this.zone = requireNonNull(zone);
this.applicationPackage = requireNonNull(applicationPackage);
@@ -38,6 +41,7 @@ public class DeploymentData {
this.containerEndpoints = requireNonNull(containerEndpoints);
this.endpointCertificateMetadata = requireNonNull(endpointCertificateMetadata);
this.dockerImageRepo = requireNonNull(dockerImageRepo);
+ this.athenzDomain = athenzDomain;
}
public ApplicationId instance() {
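Review bot: The new assignment `this.athenzDomain = athenzDomain;` is the only field in this constructor stored without `requireNonNull`, while the neighbouring `endpointCertificateMetadata` and `dockerImageRepo` are both checked. A caller passing `null` instead of `Optional.empty()` would only fail later, wherever `athenzDomain()` is dereferenced, which is harder to trace for a value that carries tenant identity. I would write `this.athenzDomain = requireNonNull(athenzDomain);` to match the other fields. The constructor starts in the previous hunk of this file.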
@@ -67,4 +71,8 @@ public class DeploymentData {
public Optional<DockerImage> dockerImageRepo() {
return dockerImageRepo;
}
+
+ public Optional<AthenzDomain> athenzDomain() {
+ return athenzDomain;
+ }
}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index cb6d02b4b77..e5e92117849 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -498,9 +498,14 @@ public class ApplicationController {
.value())
.filter(s -> !s.isBlank())
.map(DockerImage::fromString);
+
+ Optional<AthenzDomain> domain = controller.tenants().get(application.tenant())
+ .filter(tenant-> tenant instanceof AthenzTenant)
+ .map(tenant -> ((AthenzTenant)tenant).domain());
+
ConfigServer.PreparedApplication preparedApplication =
configServer.deploy(new DeploymentData(application, zone, applicationPackage.zippedContent(), platform,
- endpoints, endpointCertificateMetadata, dockerImageRepo));
+ endpoints, endpointCertificateMetadata, dockerImageRepo, domain));
return new ActivateResult(new RevisionId(applicationPackage.hash()), preparedApplication.prepareResponse(),
applicationPackage.zippedContent().length);
} finally {
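Review bot: The tenant-to-domain lookup uses an `instanceof` lambda followed by an unchecked-looking cast lambda, and the first lambda is missing the space in `tenant->`. The same chain reads more clearly with method references, which keep the type test and the cast visibly paired: `.filter(AthenzTenant.class::isInstance).map(AthenzTenant.class::cast).map(AthenzTenant::domain);`. A brief comment that non-Athenz tenants intentionally deploy with an empty domain would make the fallthrough explicit. The enclosing method starts and ends outside this hunk.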