diff options
Diffstat (limited to 'config-model/src/main/java/com/yahoo/vespa/model/application/validation')
2 files changed, 49 insertions, 3 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java new file mode 100644 index 00000000000..737042a3695 --- /dev/null +++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.java @@ -0,0 +1,47 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + +package com.yahoo.vespa.model.application.validation; + +import com.yahoo.config.model.deploy.DeployState; +import com.yahoo.vespa.model.VespaModel; +import com.yahoo.vespa.model.container.Container; +import com.yahoo.vespa.model.container.http.JettyHttpServer; +import com.yahoo.vespa.model.container.http.ssl.ConfiguredDirectSslProvider; +import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider; +import com.yahoo.vespa.model.container.xml.ContainerModelBuilder; + +import java.util.List; + +/** + * Enforces that Cloud applications cannot + * 1) override connector specific TLS configuration + * 2) add additional HTTP connectors + * + * @author bjorncs + */ +public class CloudHttpConnectorValidator extends Validator { + @Override + public void validate(VespaModel model, DeployState state) { + if (!state.isHostedTenantApplication(model.getAdmin().getApplicationType())) return; + + model.getContainerClusters().forEach((__, cluster) -> { + var http = cluster.getHttp(); + if (http == null) return; + var connectors = http.getHttpServer().map(JettyHttpServer::getConnectorFactories).orElse(List.of()); + for (var connector : connectors) { + int port = connector.getListenPort(); + if (!List.of(ContainerModelBuilder.HOSTED_VESPA_DATAPLANE_PORT, Container.BASEPORT).contains(port)) { + throw new IllegalArgumentException( + "Adding additional HTTP connectors is not allowed for Vespa Cloud applications. " + + "See https://cloud.vespa.ai/en/security/whitepaper."); + } + var sslProvider = connector.sslProvider(); + if (!(sslProvider instanceof ConfiguredDirectSslProvider || sslProvider instanceof DefaultSslProvider)) { + throw new IllegalArgumentException( + "Overriding connector specific TLS configuration is not allowed in Vespa Cloud. " + + "See https://cloud.vespa.ai/en/security/guide#data-plane."); + } + } + }); + } +} diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java index 4f2f8e7932c..efa02781f7e 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/Validation.java @@ -1,7 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.model.application.validation; -import com.yahoo.config.application.api.DeployLogger; import com.yahoo.config.application.api.ValidationId; import com.yahoo.config.application.api.ValidationOverrides; import com.yahoo.config.model.api.ConfigChangeAction; @@ -13,7 +12,6 @@ import com.yahoo.vespa.model.VespaModel; import com.yahoo.vespa.model.application.validation.change.CertificateRemovalChangeValidator; import com.yahoo.vespa.model.application.validation.change.ChangeValidator; import com.yahoo.vespa.model.application.validation.change.CloudAccountChangeValidator; -import com.yahoo.vespa.model.application.validation.change.ResourcesReductionValidator; import com.yahoo.vespa.model.application.validation.change.ConfigValueChangeValidator; import com.yahoo.vespa.model.application.validation.change.ContainerRestartValidator; import com.yahoo.vespa.model.application.validation.change.ContentClusterRemovalValidator; @@ -23,11 +21,11 @@ import com.yahoo.vespa.model.application.validation.change.IndexedSearchClusterC import com.yahoo.vespa.model.application.validation.change.IndexingModeChangeValidator; import com.yahoo.vespa.model.application.validation.change.NodeResourceChangeValidator; import com.yahoo.vespa.model.application.validation.change.RedundancyIncreaseValidator; +import com.yahoo.vespa.model.application.validation.change.ResourcesReductionValidator; import com.yahoo.vespa.model.application.validation.change.StartupCommandChangeValidator; import com.yahoo.vespa.model.application.validation.change.StreamingSearchClusterChangeValidator; import com.yahoo.vespa.model.application.validation.first.RedundancyValidator; -import java.time.Instant; import java.util.Arrays; import java.util.Collection; import java.util.Collections; @@ -88,6 +86,7 @@ public class Validation { new CloudDataPlaneFilterValidator().validate(model, deployState); new AccessControlFilterExcludeValidator().validate(model, deployState); new CloudUserFilterValidator().validate(model, deployState); + new CloudHttpConnectorValidator().validate(model, deployState); additionalValidators.forEach(v -> v.validate(model, deployState)); |