3 files changed, 37 insertions, 14 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificate.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificate.java
index dbcb44d1711..e079458ba78 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificate.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/ApplicationCertificate.java
@@ -14,9 +14,10 @@ public class ApplicationCertificate {
     private final String secretsKeyNamePrefix;
 
     public ApplicationCertificate(String secretsKeyNamePrefix) {
-        this.secretsKeyNamePrefix = secretsKeyNamePrefix;
+        this.secretsKeyNamePrefix = Objects.requireNonNull(secretsKeyNamePrefix, "secretsKeyNamePrefix must be non-null");
     }
 
+    /** The prefix of keys identifying this certificate and its private key in a key store */
     public String secretsKeyNamePrefix() {
         return secretsKeyNamePrefix;
     }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 677e9e960e8..54518cad511 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -300,7 +300,7 @@ public class ApplicationController {
         ApplicationPackage applicationPackage;
         Set<String> legacyRotations = new LinkedHashSet<>();
         Set<ContainerEndpoint> endpoints = new LinkedHashSet<>();
-        ApplicationCertificate applicationCertificate;
+        Optional<ApplicationCertificate> applicationCertificate;
 
         try (Lock lock = lock(applicationId)) {
             LockedApplication application = new LockedApplication(require(applicationId), lock);
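Review bot: The constructor now rejects null but still accepts an empty prefix, which the new Javadoc describes as the key that identifies this certificate and its private key in a key store; if an empty prefix can never be a valid key name, the check should cover it as well, e.g. `if (secretsKeyNamePrefix.isEmpty()) throw new IllegalArgumentException("secretsKeyNamePrefix must be non-empty");` right after the requireNonNull. The hunk adds a use of `Objects` without showing an import, so presumably `java.util.Objects` is already imported elsewhere in this file. The Javadoc would also help a reader if it said explicitly that the prefix is a locator into the key store and not the key material itself, since nothing else in this class is documented here.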
@@ -369,8 +369,7 @@ public class ApplicationController {
 
 
             // Get application certificate (provisions a new certificate if missing)
-            application = withApplicationCertificate(application);
-            applicationCertificate = application.get().applicationCertificate().orElse(null);
+            applicationCertificate = getApplicationCertificate(applicationId);
 
             // Update application with information from application package
             if ( ! preferOldestVersion
@@ -382,11 +381,13 @@ public class ApplicationController {
 
         // Carry out deployment without holding the application lock.
         options = withVersion(platformVersion, options);
-        ActivateResult result = deploy(applicationId, applicationPackage, zone, options, legacyRotations, endpoints, applicationCertificate);
+        ActivateResult result = deploy(applicationId, applicationPackage, zone, options, legacyRotations, endpoints,
+                                       applicationCertificate.orElse(null));
 
         lockOrThrow(applicationId, application ->
                 store(application.withNewDeployment(zone, applicationVersion, platformVersion, clock.instant(),
-                                                    warningsFrom(result))));
+                                                    warningsFrom(result))
+                                  .withApplicationCertificate(applicationCertificate)));
         return result;
     }
 }
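Review bot: The comment kept at the top of this hunk still says a certificate is provisioned only "if missing", but the new `applicationCertificate = getApplicationCertificate(applicationId);` requests a CA-signed certificate from the provider on every deployment while the flag is on, and unlike the removed line it never consults `application.get().applicationCertificate()`. Unless the provider is known to hand back the existing certificate for an application that already has one, either reuse the stored value, e.g. `applicationCertificate = application.get().applicationCertificate().isPresent() ? application.get().applicationCertificate() : getApplicationCertificate(applicationId);`, or change the comment to say a certificate is requested on each deployment. The same mismatch applies to `getApplicationCertificate` in the hunk at line 537, whose name suggests a lookup rather than a request. The enclosing deploy method starts before this hunk.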
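Review bot: `.withApplicationCertificate(applicationCertificate)` on the new side stores whatever `getApplicationCertificate` returned, and that method returns `Optional.empty()` whenever the provisioning flag is off, so a deployment made after the flag is disabled for an application replaces its previously stored certificate reference with empty. If that is not intended, only overwrite when a new certificate was obtained, e.g. `.withApplicationCertificate(applicationCertificate.isPresent() ? applicationCertificate : application.get().applicationCertificate())` inside the lambda. Separately, `applicationCertificate.orElse(null)` reintroduces a nullable argument to the private `deploy` overload immediately after the local was made an Optional; passing the Optional through would keep that contract explicit, though the overload's signature is outside this hunk.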
@@ -536,16 +537,13 @@ public class ApplicationController {
         });
     }
 
-    private LockedApplication withApplicationCertificate(LockedApplication application) {
-        ApplicationId applicationId = application.get().id();
-
+    private Optional<ApplicationCertificate> getApplicationCertificate(ApplicationId application) {
         // TODO(tokle): Verify that the application is deploying to a zone where certificate provisioning is enabled
-        boolean provisionCertificate = provisionApplicationCertificate.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm()).value();
-        if (provisionCertificate) {
-            application = application.withApplicationCertificate(
-                    Optional.of(applicationCertificateProvider.requestCaSignedCertificate(applicationId)));
+        boolean provisionCertificate = provisionApplicationCertificate.with(FetchVector.Dimension.APPLICATION_ID, application.serializedForm()).value();
+        if (!provisionCertificate) {
+            return Optional.empty();
         }
-        return application;
+        return Optional.of(applicationCertificateProvider.requestCaSignedCertificate(application));
     }
 
     private ActivateResult unexpectedDeployment(ApplicationId application, ZoneId zone) {
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
index 17ba19d8f7d..7fe099ff276 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
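Review bot: The new `getApplicationCertificate` names its `ApplicationId` parameter `application`, which reads as an Application object and clashes with the `application` locals this file uses for LockedApplication (the removed body and the lambda in the hunk at line 381 both do); `private Optional<ApplicationCertificate> getApplicationCertificate(ApplicationId applicationId)` would match its call site `getApplicationCertificate(applicationId)`. The method also issues the CA request from inside the `try (Lock lock = lock(applicationId))` block of deploy, as the code it replaces did, so a slow or failing provider holds the application lock for the duration and fails the deployment; that is worth recording next to the existing TODO, e.g. `// TODO: called while holding the application lock; consider requesting the certificate outside the locked section`.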
@@ -695,6 +695,30 @@ public class ControllerTest {
                        .metrics().warnings().get(DeploymentMetrics.Warning.all).intValue());
     }
 
+    @Test
+    public void testDeployProvisionsCertificate() {
+        ((InMemoryFlagSource) tester.controller().flagSource()).withBooleanFlag(Flags.PROVISION_APPLICATION_CERTIFICATE.id(), true);
+
+        // Create app1
+        Application app1 = tester.createApplication("app1", "tenant1", 1, 2L);
+        ApplicationPackage applicationPackage = new ApplicationPackageBuilder().environment(Environment.prod)
+                .region("us-west-1")
+                .build();
+        // Deploy app1 in production
+        tester.deployCompletely(app1, applicationPackage);
+        assertTrue("Provisions certificate in " + Environment.prod, tester.application(app1.id()).applicationCertificate().isPresent());
+
+        // Create app2
+        Application app2 = tester.createApplication("app2", "tenant2", 3, 4L);
+        ZoneId zone = ZoneId.from("dev", "us-east-1");
+
+        // Deploy app2 in dev
+        tester.controller().applications().deploy(app2.id(), zone, Optional.of(applicationPackage), DeployOptions.none());
+        assertTrue("Application deployed and activated",
+                tester.controllerTester().configServer().application(app2.id()).get().activated());
+        assertTrue("Provisions certificate in " + Environment.dev, tester.application(app2.id()).applicationCertificate().isPresent());
+    }
+
     private void runUpgrade(DeploymentTester tester, ApplicationId application, ApplicationVersion version) {
         Version next = Version.fromString("6.2");
         tester.upgradeSystem(next);
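Review bot: `testDeployProvisionsCertificate` covers only the flag-on path; nothing asserts that with the flag off no certificate is requested, nor that a certificate already stored on an application survives a later deployment, which is exactly what the new `.withApplicationCertificate(applicationCertificate)` call in ApplicationController now decides. A third step that redeploys app1 after `withBooleanFlag(Flags.PROVISION_APPLICATION_CERTIFICATE.id(), false)` and asserts on `tester.application(app1.id()).applicationCertificate()` would pin whichever behaviour is intended. Both existing assertions also stop at `isPresent()`; asserting that the two applications' `secretsKeyNamePrefix()` values differ would catch a provider that issues the same key-store prefix to every application.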