From f5942840a46d6e402265d0c4cabb0772c53e688e Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Mon, 20 Dec 2021 14:29:35 +0100
Subject: Add feature flag for OCSP Stapling on application container clusters
---
 .../vespa/model/container/ApplicationContainer.java | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
(limited to 'config-model/src/main/java/com/yahoo')
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java
index 9ad257fad04..8b6e7163b6b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/ApplicationContainer.java
@@ -23,6 +23,7 @@ public final class ApplicationContainer extends Container implements
 private static final String defaultHostedJVMArgs = "-XX:+SuppressFatalErrorMessage";
 private final boolean isHostedVespa;
+ private final boolean enableServerOcspStapling;
 public ApplicationContainer(AbstractConfigProducer parent, String name, int index, DeployState deployState) {
 this(parent, name, false, index, deployState);
@@ -31,6 +32,7 @@ public final class ApplicationContainer extends Container implements
 public ApplicationContainer(AbstractConfigProducer parent, String name, boolean retired, int index, DeployState deployState) {
 super(parent, name, retired, index, deployState);
 this.isHostedVespa = deployState.isHosted();
+ this.enableServerOcspStapling = deployState.featureFlags().enableServerOcspStapling();
 addComponent(new SimpleComponent("com.yahoo.container.jdisc.messagebus.NetworkMultiplexerHolder"));
 addComponent(new SimpleComponent("com.yahoo.container.jdisc.messagebus.NetworkMultiplexerProvider"));
@@ -64,10 +66,23 @@ public final class ApplicationContainer extends Container implements
 /** Returns the jvm arguments this should start with */
 @Override
 public String getJvmOptions() {
+ StringBuilder b = new StringBuilder();
+ if (isHostedVespa) {
+ if (hasDocproc()) {
+ b.append(ApplicationContainer.defaultHostedJVMArgs).append(' ');
+ }
+ if (enableServerOcspStapling) {
+ b.append("-Djdk.tls.server.enableStatusRequestExtension=true ")
+ .append("-Djdk.tls.stapling.responseTimeout=2000 ")
+ .append("-Djdk.tls.stapling.cacheSize=256 ")
+ .append("-Djdk.tls.stapling.cacheLifetime=3600 ");
+ }
+ }
 String jvmArgs = super.getJvmOptions();
- return isHostedVespa && hasDocproc()
- ? ("".equals(jvmArgs) ? defaultHostedJVMArgs : defaultHostedJVMArgs + " " + jvmArgs)
- : jvmArgs;
+ if (!jvmArgs.isBlank()) {
+ b.append(jvmArgs.trim()).append(' ');
+ }
+ return b.toString().trim();
 }
 private boolean hasDocproc() {
-- 
cgit v1.2.3
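Review bot: The four stapling properties in the `enableServerOcspStapling` branch of `getJvmOptions()` are bare literals with no units or rationale, and they are emitted ahead of the `super.getJvmOptions()` output, so a later `-D` for the same property in the inherited options would presumably take precedence over them. I would add a comment above the branch along the lines of `// OCSP stapling: responseTimeout is in ms, cacheSize in entries, cacheLifetime in seconds; inherited JVM options are appended after these and can override them` and confirm that this override order is intended. With stapling on, the container itself fetches OCSP responses from the responder named in its certificate, so the required outbound access and the behaviour on timeout (as far as I know the JDK continues the handshake without a stapled response) belong in the flag's description. The branch also sits inside `if (isHostedVespa)`, so the flag is silently ignored on self-hosted deployments; if that is deliberate, the same comment should say so. Separately, `jvmArgs.isBlank()` throws if `super.getJvmOptions()` ever returns null, which the old `"".equals(jvmArgs)` tolerated; `if (jvmArgs != null && !jvmArgs.isBlank()) {` keeps that tolerance.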