Diffstat (limited to 'config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java64
1 files changed, 30 insertions, 34 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 00feb0a1c76..c97ea6671e8 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -16,7 +16,6 @@ import com.yahoo.config.model.ConfigModelContext;
import com.yahoo.config.model.api.ApplicationClusterEndpoint;
import com.yahoo.config.model.api.ConfigServerSpec;
import com.yahoo.config.model.api.ContainerEndpoint;
-import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.config.model.api.TenantSecretStore;
import com.yahoo.config.model.application.provider.IncludeDirs;
import com.yahoo.config.model.builder.xml.ConfigModelBuilder;
@@ -95,6 +94,7 @@ import com.yahoo.vespa.model.container.http.Http;
import com.yahoo.vespa.model.container.http.HttpFilterChain;
import com.yahoo.vespa.model.container.http.JettyHttpServer;
import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory;
+import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory.SslClientAuth;
import com.yahoo.vespa.model.container.http.xml.HttpBuilder;
import com.yahoo.vespa.model.container.processing.ProcessingChains;
import com.yahoo.vespa.model.container.search.ContainerSearch;
@@ -109,7 +109,6 @@ import java.io.IOException;
import java.io.Reader;
import java.net.URI;
import java.security.cert.X509Certificate;
-import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
@@ -600,31 +599,36 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
.ifPresent(accessControl -> accessControl.configureDefaultHostedConnector(cluster.getHttp())); ;
}
- private void addAdditionalHostedConnector(DeployState deployState, ApplicationContainerCluster cluster) {
+ private void addAdditionalHostedConnector(DeployState state, ApplicationContainerCluster cluster) {
JettyHttpServer server = cluster.getHttp().getHttpServer().get();
String serverName = server.getComponentId().getName();
// If the deployment contains certificate/private key reference, setup TLS port
- HostedSslConnectorFactory connectorFactory;
- Collection<String> tlsCiphersOverride = deployState.getProperties().tlsCiphersOverride();
- boolean proxyProtocolMixedMode = deployState.getProperties().featureFlags().enableProxyProtocolMixedMode();
- Duration endpointConnectionTtl = deployState.getProperties().endpointConnectionTtl();
- var port = getDataplanePort(deployState);
- if (deployState.endpointCertificateSecrets().isPresent()) {
- boolean authorizeClient = deployState.zone().system().isPublic();
+ var builder = HostedSslConnectorFactory.builder(serverName, getDataplanePort(state))
+ .proxyProtocol(true, state.getProperties().featureFlags().enableProxyProtocolMixedMode())
+ .tlsCiphersOverride(state.getProperties().tlsCiphersOverride())
+ .endpointConnectionTtl(state.getProperties().endpointConnectionTtl());
+ var endpointCert = state.endpointCertificateSecrets().orElse(null);
+ if (endpointCert != null) {
+ builder.endpointCertificate(endpointCert);
+ boolean isPublic = state.zone().system().isPublic();
List<X509Certificate> clientCertificates = getClientCertificates(cluster);
- if (authorizeClient && clientCertificates.isEmpty()) {
- throw new IllegalArgumentException("Client certificate authority security/clients.pem is missing - " +
- "see: https://cloud.vespa.ai/en/security/guide#data-plane");
+ if (isPublic) {
+ if (clientCertificates.isEmpty())
+ throw new IllegalArgumentException("Client certificate authority security/clients.pem is missing - " +
+ "see: https://cloud.vespa.ai/en/security/guide#data-plane");
+ builder.tlsCaCertificatesPem(X509CertificateUtils.toPem(clientCertificates))
+ .clientAuth(SslClientAuth.WANT_WITH_ENFORCER);
+ } else {
+ builder.tlsCaCertificatesPath("/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem");
+ var needAuth = cluster.getHttp().getAccessControl()
+ .map(accessControl -> accessControl.clientAuthentication)
+ .map(clientAuth -> clientAuth == AccessControl.ClientAuthentication.need)
+ .orElse(false);
+ builder.clientAuth(needAuth ? SslClientAuth.NEED : SslClientAuth.WANT);
}
- EndpointCertificateSecrets endpointCertificateSecrets = deployState.endpointCertificateSecrets().get();
-
- boolean enforceHandshakeClientAuth = cluster.getHttp().getAccessControl()
- .map(accessControl -> accessControl.clientAuthentication)
- .map(clientAuth -> clientAuth == AccessControl.ClientAuthentication.need)
- .orElse(false);
- boolean enableTokenSupport = deployState.featureFlags().enableDataplaneProxy()
+ boolean enableTokenSupport = state.featureFlags().enableDataplaneProxy()
&& cluster.getClients().stream().anyMatch(c -> !c.tokens().isEmpty());
// Set up component to generate proxy cert if token support is enabled
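Review bot: The Athenz CA bundle path passed to `tlsCaCertificatesPath(...)` in the non-public branch is now an inline string literal in the model builder, and nothing at that call site says why non-public systems verify client certificates against that bundle rather than against `security/clients.pem` as the public branch does. I would hoist it to `private static final String ATHENZ_CA_BUNDLE_PATH = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem";` and precede the branch with `// Non-public systems: client certs are checked against the Athenz CA bundle, not clients.pem`. The `needAuth ? SslClientAuth.NEED : SslClientAuth.WANT` choice also deserves a line, since when no access control is configured the fallback is presumably "request but do not require" a client certificate; `// No access control configured -> WANT: client cert is requested but the handshake does not require it` would make that explicit. addAdditionalHostedConnector continues past this hunk and closes in the next one.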
@@ -633,24 +637,16 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
cluster.addSimpleComponent(DataplaneProxyService.class);
var dataplaneProxy = new DataplaneProxy(
- getDataplanePort(deployState),
- endpointCertificateSecrets.certificate(),
- endpointCertificateSecrets.key());
+ getDataplanePort(state),
+ endpointCert.certificate(),
+ endpointCert.key());
cluster.addComponent(dataplaneProxy);
+ builder.tokenEndpoint(true);
}
-
- connectorFactory = authorizeClient
- ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(
- serverName, endpointCertificateSecrets, X509CertificateUtils.toPem(clientCertificates),
- tlsCiphersOverride, proxyProtocolMixedMode, port, endpointConnectionTtl, enableTokenSupport)
- : HostedSslConnectorFactory.withProvidedCertificate(
- serverName, endpointCertificateSecrets, enforceHandshakeClientAuth, tlsCiphersOverride,
- proxyProtocolMixedMode, port, endpointConnectionTtl, enableTokenSupport);
} else {
- connectorFactory = HostedSslConnectorFactory.withDefaultCertificateAndTruststore(
- serverName, tlsCiphersOverride, proxyProtocolMixedMode, port,
- endpointConnectionTtl);
+ builder.clientAuth(SslClientAuth.WANT_WITH_ENFORCER);
}
+ var connectorFactory = builder.build();
cluster.getHttp().getAccessControl().ifPresent(accessControl -> accessControl.configureHostedConnector(connectorFactory));
server.addConnector(connectorFactory);
}
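Review bot: In the `else` branch for deployments without an endpoint certificate the builder now receives only `clientAuth(SslClientAuth.WANT_WITH_ENFORCER)`, whereas the removed code called `withDefaultCertificateAndTruststore(...)`; whether the builder still falls back to a default certificate and truststore when neither `endpointCertificate` nor a CA path/PEM is set is decided inside `HostedSslConnectorFactory`, which is not visible here. A comment on that branch, `// No endpoint certificate: rely on the builder's default certificate and truststore`, would record the dependency on that builder default so a later change to the builder does not silently leave this connector without a truststore. This hunk begins inside the `if (enableTokenSupport)` block whose opening line is outside the hunk.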