From 2ee6905f0c6535fe95cc0516e4634f3ac37414b2 Mon Sep 17 00:00:00 2001
From: Andreas Eriksen
Date: Mon, 16 Jan 2023 15:48:29 +0100
Subject: open wireguard port for config servers (#25586)

---
 .../main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'node-repository/src/main/java/com/yahoo')

diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index e61f9b79d75..1baa8086772 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -26,9 +26,11 @@ import java.util.stream.StreamSupport;
 public record NodeAcl(Node node,
                       Set trustedNodes,
                       Set trustedNetworks,
-                      Set trustedPorts) {
+                      Set trustedPorts,
+                      Set trustedUdpPorts) {
 
     private static final Set RPC_PORTS = Set.of(19070);
+    private static final int WIREGUARD_PORT = 51820;
 
     public NodeAcl {
         Objects.requireNonNull(node, "node must be non-null");
@@ -40,6 +42,7 @@ public record NodeAcl(Node node,
     public static NodeAcl from(Node node, NodeList allNodes, LoadBalancers loadBalancers) {
         Set trustedNodes = new TreeSet<>(Comparator.comparing(TrustedNode::hostname));
         Set trustedPorts = new LinkedHashSet<>();
+        Set trustedUdpPorts = new LinkedHashSet<>();
         Set trustedNetworks = new LinkedHashSet<>();
 
         // For all cases below, trust:
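Review bot: The compact constructor in the `@@ -26` hunk validates `node` with `Objects.requireNonNull`, but the new `trustedUdpPorts` component has no matching check in the visible lines. If the lines after the hunk validate the other components the same way, add `Objects.requireNonNull(trustedUdpPorts, "trustedUdpPorts must be non-null");` next to them so a null set cannot reach whatever renders the ACL into firewall rules. The compact constructor body continues past the hunk, so this may already be handled there. With two port sets now on the record, a one-line comment on the components would also help, e.g. `// trustedPorts: TCP; trustedUdpPorts: UDP` (assuming the existing ports are TCP, which the hunk does not state).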
@@ -86,10 +89,12 @@ public record NodeAcl(Node node,
                 // - port 19070 (RPC) from all tenant nodes (and their hosts, in case traffic is NAT-ed via parent)
                 // - port 19070 (RPC) from all proxy nodes (and their hosts, in case traffic is NAT-ed via parent)
                 // - port 4443 from the world
+                // - udp port 51820 from the world
                 trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.host, NodeType.tenant, NodeType.proxyhost, NodeType.proxy), RPC_PORTS));
                 trustedPorts.add(4443);
+                trustedUdpPorts.add(WIREGUARD_PORT);
             }
             case proxy -> {
                 // Proxy nodes trust:
@@ -109,7 +114,7 @@ public record NodeAcl(Node node,
             default -> throw new IllegalArgumentException("Don't know how to create ACL for " + node + " of type " + node.type());
         }
-        return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts);
+        return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts, trustedUdpPorts);
     }
 
     public record TrustedNode(String hostname, NodeType type, Set ipAddresses, Set ports) {
-- 
cgit v1.2.3
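Review bot: `trustedUdpPorts.add(WIREGUARD_PORT)` in the config case records UDP 51820 as trusted from any source, yet nothing in this diff shows the code that turns a NodeAcl into firewall rules reading the new component; unless that consumer changes elsewhere (the listing is limited to one directory, so it may), the port is stored but never actually opened and the new comment overstates what happens. The added `// - udp port 51820 from the world` also hard-codes the number the code takes from `WIREGUARD_PORT`; `// - WireGuard (udp port 51820) from the world, acceptable only because WireGuard authenticates peers by key` states the rationale a reviewer will otherwise ask for, since a world-reachable UDP port is not self-evidently safe. The enclosing `from` method starts before this hunk.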