-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidator.java18
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidatorTest.java4
2 files changed, 21 insertions, 1 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidator.java
index 1df33ab8517..5e5d5e3437c 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidator.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidator.java
@@ -1,3 +1,4 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.model.application.validation.change;
import com.yahoo.config.application.api.ValidationId;
@@ -10,8 +11,19 @@ import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Collection;
import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Collectors;
+/**
+ * Check that data plane certificates are not removed from a cluster.
+ *
+ * @author mortent
+ */
public class CertificateRemovalChangeValidator implements ChangeValidator {
+
+ private static final Logger logger = Logger.getLogger(CertificateRemovalChangeValidator.class.getName());
+
@Override
public List<ConfigChangeAction> validate(VespaModel current, VespaModel next, ValidationOverrides overrides, Instant now) {
@@ -25,7 +37,6 @@ public class CertificateRemovalChangeValidator implements ChangeValidator {
}
void validateClients(String clusterId, List<Client> current, List<Client> next, ValidationOverrides overrides, Instant now) {
-
List<X509Certificate> currentCertificates = current.stream()
.map(Client::certificates)
.flatMap(Collection::stream)
@@ -35,6 +46,11 @@ public class CertificateRemovalChangeValidator implements ChangeValidator {
.flatMap(Collection::stream)
.toList();
+ logger.log(Level.FINE, "Certificates for cluster %s: Current: [%s], Next: [%s]"
+ .formatted(clusterId,
+ currentCertificates.stream().map(cert -> cert.getSubjectX500Principal().getName()).collect(Collectors.joining(", ")),
+ nextCertificates.stream().map(cert -> cert.getSubjectX500Principal().getName()).collect(Collectors.joining(", "))));
+
List<X509Certificate> missingCerts = currentCertificates.stream().filter(cert -> !nextCertificates.contains(cert)).toList();
if (!missingCerts.isEmpty()) {
overrides.invalid(ValidationId.certificateRemoval,
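Review bot: The added `logger.log(Level.FINE, ...)` call formats its message eagerly, so both certificate lists are streamed and joined on every validation even when FINE is disabled; the Supplier overload avoids that: `logger.log(Level.FINE, () -> "Certificates for cluster %s: Current: [%s], Next: [%s]".formatted(...))`. The message also identifies certificates only by subject DN, while the removal check on the following line uses `nextCertificates.contains(cert)`, which compares whole certificates. A re-issued certificate with the same subject would therefore print identically under Current and Next and still be reported as removed. Logging `cert.getSerialNumber()` or a fingerprint of `cert.getEncoded()` next to the subject would make the line usable for diagnosing that case. `validateClients` starts and ends outside this hunk.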
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidatorTest.java
index f89c75362da..b6815db8b99 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidatorTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/change/CertificateRemovalChangeValidatorTest.java
@@ -1,3 +1,4 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.model.application.validation.change;
import com.yahoo.config.application.api.ValidationOverrides;
@@ -15,6 +16,9 @@ import java.util.List;
import static org.junit.jupiter.api.Assertions.assertThrows;
+/**
+ * @author mortent
+ */
public class CertificateRemovalChangeValidatorTest {
private static final String validationOverrides =