4 files changed, 27 insertions, 25 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 42ac73a61d9..5eb7fb6e03d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -131,7 +131,6 @@ public class ApplicationController {
     private final ApplicationPackageValidator applicationPackageValidator;
     private final EndpointCertificateManager endpointCertificateManager;
     private final StringFlag dockerImageRepoFlag;
-    private final BooleanFlag provisionApplicationRoles;
     private final BillingController billingController;
     ApplicationController(Controller controller, CuratorDb curator, AccessControl accessControl, Clock clock,
@@ -145,7 +144,6 @@ public class ApplicationController {
         this.artifactRepository = controller.serviceRegistry().artifactRepository();
         this.applicationStore = controller.serviceRegistry().applicationStore();
         this.dockerImageRepoFlag = PermanentFlags.DOCKER_IMAGE_REPO.bindTo(flagSource);
-        this.provisionApplicationRoles = Flags.PROVISION_APPLICATION_ROLES.bindTo(flagSource);
         this.billingController = billingController;
         deploymentTrigger = new DeploymentTrigger(controller, clock);
@@ -403,15 +401,6 @@ public class ApplicationController {
             endpoints = controller.routing().registerEndpointsInDns(application.get(), job.application().instance(), zone);
-            // Provision application roles if enabled for the zone
-            if (provisionApplicationRoles.with(FetchVector.Dimension.ZONE_ID, zone.value()).value()) {
-                try {
-                    applicationRoles = controller.serviceRegistry().roleService().createApplicationRoles(instance.id());
-                } catch (Exception e) {
-                    log.log(Level.SEVERE, "Exception creating application roles for application: " + instance.id(), e);
-                    throw new RuntimeException("Unable to provision iam roles for application");
-                }
-            }
         }
         // Release application lock while doing the deployment, which is a lengthy task.
         // Carry out deployment without holding the application lock.
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java
index aa5f0ae0fdc..ffe80866086 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java
@@ -111,7 +111,7 @@ public class Controller extends AbstractComponent {
         nameServiceForwarder = new NameServiceForwarder(curator);
         jobController = new JobController(this);
         applicationController = new ApplicationController(this, curator, accessControl, clock, secretStore, flagSource, serviceRegistry.billingController());
-        tenantController = new TenantController(this, curator, accessControl);
+        tenantController = new TenantController(this, curator, accessControl, flagSource);
         routingController = new RoutingController(this, Objects.requireNonNull(rotationsConfig, "RotationsConfig cannot be null"));
         auditLogger = new AuditLogger(curator, clock);
         jobControl = new JobControl(new JobControlFlags(curator, flagSource));
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index 24b9efc3c77..d3992290f20 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -3,6 +3,10 @@ package com.yahoo.vespa.hosted.controller;
 import com.yahoo.config.provision.TenantName;
 import com.yahoo.vespa.curator.Lock;
+import com.yahoo.vespa.flags.BooleanFlag;
+import com.yahoo.vespa.flags.FetchVector;
+import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.hosted.controller.api.identifiers.TenantId;
 import com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade;
 import com.yahoo.vespa.hosted.controller.concurrent.Once;
@@ -37,11 +41,15 @@ public class TenantController {
     private final Controller controller;
     private final CuratorDb curator;
     private final AccessControl accessControl;
+    private final BooleanFlag provisionTenantRoles;
-    public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl) {
+
+    public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl, FlagSource flagSource) {
         this.controller = Objects.requireNonNull(controller, "controller must be non-null");
         this.curator = Objects.requireNonNull(curator, "curator must be non-null");
         this.accessControl = accessControl;
+        this.provisionTenantRoles = Flags.PROVISION_TENANT_ROLES.bindTo(flagSource);
+
         // Update serialization format of all tenants
         Once.after(Duration.ofMinutes(1), () -> {
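Review bot: The new `flagSource` parameter is handed straight to `Flags.PROVISION_TENANT_ROLES.bindTo(flagSource)` without the null check the same constructor applies to `controller` and `curator`, so a missing source would presumably surface inside the flags library rather than at the constructor boundary with a clear message. Keep the constructor's existing convention with `this.provisionTenantRoles = Flags.PROVISION_TENANT_ROLES.bindTo(Objects.requireNonNull(flagSource, "flagSource must be non-null"));`. The constructor body continues past the end of the hunk.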
@@ -101,7 +109,16 @@ public class TenantController {
             requireNonExistent(tenantSpec.tenant());
             TenantId.validate(tenantSpec.tenant().value());
             curator.writeTenant(accessControl.createTenant(tenantSpec, controller.clock().instant(), credentials, asList()));
-            controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
+
+            // Provision tenant role if enabled
+            if (provisionTenantRoles.with(FetchVector.Dimension.TENANT_ID, tenantSpec.tenant().value()).value()) {
+                try {
+                    controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
+                } catch (Exception e) {
+                    throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant());
+                }
+            }
+
         }
     }
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index e216fc131eb..3a67ca3c374 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
@@ -12,11 +12,7 @@ import java.util.List;
 import java.util.Optional;
 import java.util.TreeMap;
-import static com.yahoo.vespa.flags.FetchVector.Dimension.APPLICATION_ID;
-import static com.yahoo.vespa.flags.FetchVector.Dimension.HOSTNAME;
-import static com.yahoo.vespa.flags.FetchVector.Dimension.NODE_TYPE;
-import static com.yahoo.vespa.flags.FetchVector.Dimension.VESPA_VERSION;
-import static com.yahoo.vespa.flags.FetchVector.Dimension.ZONE_ID;
+import static com.yahoo.vespa.flags.FetchVector.Dimension.*;
 /**
  * Definitions of feature flags.
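Review bot: The new catch block in the TenantController hunk discards the original failure: `throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant());` passes no cause, so the exception type, message and stack trace from `roleService().createTenantRole` are lost to whoever logs or handles it, whereas the code removed from ApplicationController in this commit at least logged `e` before rethrowing. Pass the cause through with `throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant(), e);`. Note also that `curator.writeTenant(...)` has already executed when the role call throws, so a failed role provisioning presumably leaves a stored tenant with no role; that ordering predates the commit, but the new `if` block is the right place for a comment such as `// The tenant record is already written above; a failure here leaves it without a role`. The enclosing method starts outside the hunk.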
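Review bot: The Flags.java import hunk collapses five explicit static imports into `import static com.yahoo.vespa.flags.FetchVector.Dimension.*;`, which the rest of the import block does not do and which hides which dimensions the flag definitions actually reference. If the motivation is the new `TENANT_ID` use in the flag definitions below, keep the five existing lines and add `import static com.yahoo.vespa.flags.FetchVector.Dimension.TENANT_ID;` in alphabetical order between `NODE_TYPE` and `VESPA_VERSION`.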
@@ -178,19 +174,19 @@ public class Flags {
             "Whether to provision and use endpoint certs for apps in shared routing zones",
             "Takes effect on next deployment of the application",
             APPLICATION_ID);
-    public static final UnboundBooleanFlag PROVISION_APPLICATION_ROLES = defineFeatureFlag(
+    public static final UnboundBooleanFlag PROVISION_TENANT_ROLES = defineFeatureFlag(
             "provision-application-roles", false,
-            List.of("tokle"), "2020-12-02", "2021-02-01",
+            List.of("tokle"), "2020-12-02", "2021-08-01",
             "Whether application roles should be provisioned",
             "Takes effect on next deployment (controller)",
-            ZONE_ID);
+            TENANT_ID);
-    public static final UnboundBooleanFlag APPLICATION_IAM_ROLE = defineFeatureFlag(
+    public static final UnboundBooleanFlag TENANT_IAM_ROLE = defineFeatureFlag(
             "application-iam-roles", false,
-            List.of("tokle"), "2020-12-02", "2021-02-01",
+            List.of("tokle"), "2020-12-02", "2021-08-01",
             "Allow separate iam roles when provisioning/assigning hosts",
             "Takes effect immediately on new hosts, on next redeploy for applications",
-            APPLICATION_ID);
+            TENANT_ID);
     public static final UnboundIntFlag MAX_TRIAL_TENANTS = defineIntFlag(
             "max-trial-tenants", -1,
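Review bot: The renamed `PROVISION_TENANT_ROLES` keeps a description written for the old behaviour: `"Whether application roles should be provisioned"` and `"Takes effect on next deployment (controller)"` no longer match a flag keyed on `TENANT_ID` whose only remaining use in this commit runs at tenant creation in TenantController. Update the two strings, e.g. `"Whether tenant roles should be provisioned"` and `"Takes effect on next tenant creation (controller)"`. The flag ids `provision-application-roles` and `application-iam-roles` are kept, which presumably preserves stored values, but values previously scoped by the old `ZONE_ID` and `APPLICATION_ID` dimensions will presumably not match a `TENANT_ID` fetch vector; this is worth confirming against the flag store before relying on the extended `2021-08-01` expiry.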