2 files changed, 21 insertions, 1 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
index 5d0ee7b74c5..12beaa635ac 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificates.java
@@ -115,8 +115,9 @@ public class EndpointCertificates {
         // certificate because application endpoints can span instances
         Optional<InstanceName> instanceName = zone.environment().isManuallyDeployed() ? Optional.of(instance.name()) : Optional.empty();
         TenantAndApplicationId application = TenantAndApplicationId.from(instance.id());
+        // Re-use existing certificate if it contains a randomized ID
         Optional<AssignedCertificate> assignedCertificate = curator.readAssignedCertificate(application, instanceName);
-        if (assignedCertificate.isPresent()) {
+        if (assignedCertificate.isPresent() && assignedCertificate.get().certificate().randomizedId().isPresent()) {
             AssignedCertificate updated = assignedCertificate.get().with(assignedCertificate.get().certificate().withLastRequested(clock.instant().getEpochSecond()));
             curator.writeAssignedCertificate(updated);
             return updated.certificate();
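Review bot: The tightened `if` silently stops re-using an already-assigned certificate that has no randomized ID, and the hunk does not show what happens on the fall-through: the old certificate is no longer refreshed via `withLastRequested` and presumably gets replaced further down, while the previous assignment lingers until something else removes it (the test comment in this commit says the maintainer "eventually" cleans it up). The TODO added later in this same class says that moving an existing deployment onto a pre-provisioned certificate invalidates its non-generated endpoints, so unless the pool path is gated to non-production (the test only flips `Flags.RANDOMIZED_ENDPOINT_NAMES`), this condition can rotate a live deployment's certificate without the traffic migration the TODO describes — worth a guard or at least an explicit comment. I would replace the added comment with `// Re-use existing certificate only if it has a randomized ID; a legacy certificate without one is deliberately not refreshed here and is replaced below, which changes the certificate served for existing endpoints`. The `Optional.get()` chain also reads more safely as `Optional<AssignedCertificate> assignedCertificate = curator.readAssignedCertificate(application, instanceName).filter(c -> c.certificate().randomizedId().isPresent());` followed by the original `if (assignedCertificate.isPresent()) {`. The enclosing method begins before and continues past this hunk.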
@@ -193,6 +194,16 @@ public class EndpointCertificates {
                         instanceSpec.get().deploysTo(zone.environment(), zone.region())))
                 .forEach(requiredZones::add);
         }
+        /* TODO(andreer/mpolden): To allow a seamless transition of existing deployments to using generated endpoints,
+                                 we need to something like this:
+                                 1) All current certificates must be re-provisioned to contain the same wildcard names
+                                    as CertificatePoolMaintainer, and a randomized ID
+                                 2) Generated endpoints must be exposed *before* switching deployment to a
+                                    pre-provisioned certificate
+                                 3) Tenants must shift their traffic to generated endpoints
+                                 4) We can switch to the pre-provisioned certificate. This will invalidate
+                                    non-generated endpoints
+         */
         Set<String> requiredNames = requiredZones.stream()
                                                  .flatMap(zone -> controller.routing().certificateDnsNames(new DeploymentId(deployment.applicationId(), zone), deploymentSpec)
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
index 9c84ab48229..f151b90d760 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/certificate/EndpointCertificatesTest.java
@@ -45,6 +45,7 @@ import java.util.Set;
 import java.util.stream.Stream;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
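Review bot: The TODO block added after the closing brace drops a word — `we need to something like this:` should read `we need to do something like this:`. It would also help a future reader if step 4 said why the switch invalidates endpoints; from steps 1 and 4 it appears to be because the pre-provisioned certificate carries only the wildcard names and no longer covers the non-generated endpoint names, but that is inferred here and should be confirmed before it is written down. Since this is the plan the new `randomizedId()` check in `get` relies on, a one-line pointer from that check back to this TODO would tie the two together. The method this comment sits in starts before and ends after the hunk.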
@@ -290,6 +291,12 @@ public class EndpointCertificatesTest {
 
     @Test
     public void assign_certificate_from_pool() {
+        // Initial certificate is requested directly from provider
+        Optional<EndpointCertificate> certFromProvider = endpointCertificates.get(instance, prodZone, DeploymentSpec.empty);
+        assertTrue(certFromProvider.isPresent());
+        assertFalse(certFromProvider.get().randomizedId().isPresent());
+
+        // Pooled certificates become available
         tester.flagSource().withBooleanFlag(Flags.RANDOMIZED_ENDPOINT_NAMES.id(), true);
         try {
             addCertificateToPool("pool-cert-1", UnassignedCertificate.State.requested);
@@ -297,6 +304,8 @@ public class EndpointCertificatesTest {
             fail("Expected exception as certificate is not ready");
         } catch (IllegalArgumentException ignored) {}
 
+        // Certificate is assigned from pool instead. The previously assigned certificate will eventually be cleaned up
+        // by EndpointCertificateMaintainer
         { // prod
             String certId = "pool-cert-1";
             addCertificateToPool(certId, UnassignedCertificate.State.ready);
|
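Review bot: The new assertions at the top of `assign_certificate_from_pool` only establish that the provider-issued certificate lacks a randomized ID; nothing visible in this hunk pins the behaviour the production change actually introduces, namely that the pool certificate replaces `certFromProvider` and is then re-used on subsequent calls instead of another pool certificate being taken. If the rest of the test (outside this hunk) does not already do so, add after the pool assignment `assertNotEquals(certFromProvider.get(), poolCert);` and `assertTrue(poolCert.randomizedId().isPresent());`, then call `endpointCertificates.get(instance, prodZone, DeploymentSpec.empty)` once more and assert it equals `poolCert`. `certFromProvider.get()` right after `assertTrue(certFromProvider.isPresent())` is acceptable in a test, but `certFromProvider.orElseThrow()` expresses the same intent without the unchecked-get pattern. The test method continues past the end of the hunk.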
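Review bot: The added comment before `{ // prod` states that the previously assigned certificate "will eventually be cleaned up by EndpointCertificateMaintainer", but this hunk asserts nothing about the abandoned certificate, so a regression that leaves provider-issued certificates (and their key material) orphaned forever would not be caught here. Either an assertion that the old certificate is still present in the store at this point, paired with a maintainer test that removes it, or a softer wording such as `// The previously assigned certificate is left behind here; EndpointCertificateMaintainer is expected to clean it up (not verified by this test)` would keep the comment honest. The block this comment introduces continues beyond the hunk.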