From b2a503d3eb688aa4ec63371b605bda6597b21c44 Mon Sep 17 00:00:00 2001
From: Valerij Fredriksen <valerijf@verizonmedia.com>
Date: Thu, 5 Sep 2019 18:28:53 +0200
Subject: Trust parent host

---
 .../main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java   | 2 ++
 .../vespa/hosted/provision/provisioning/AclProvisioningTest.java     | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

(limited to 'node-repository/src')

diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index db95915376b..1fbb83c7718 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -207,8 +207,10 @@ public class NodeRepository extends AbstractComponent {
         Set<String> trustedNetworks = new LinkedHashSet<>();
 
         // For all cases below, trust:
+        // - parent host (for health checks and metrics)
         // - nodes in same application
         // - load balancers allocated to application
+        candidates.parentOf(node).ifPresent(trustedNodes::add);
         node.allocation().ifPresent(allocation -> {
             trustedNodes.addAll(candidates.owner(allocation.owner()).asList());
             loadBalancers.owner(allocation.owner()).asList().stream()
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index dc0a001ca1d..24b12c4427f 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -51,10 +51,11 @@ public class AclProvisioningTest {
 
         // Get trusted nodes for the first active node
         Node node = activeNodes.get(0);
+        Node host = node.parentHostname().flatMap(tester.nodeRepository()::getNode).get();
         Supplier<List<NodeAcl>> nodeAcls = () -> tester.nodeRepository().getNodeAcls(node, false);
 
         // Trusted nodes are active nodes in same application, proxy nodes and config servers
-        assertAcls(List.of(activeNodes, proxyNodes, configServers),
+        assertAcls(List.of(activeNodes, proxyNodes, configServers, List.of(host)),
                    Set.of("10.2.3.0/24", "10.4.5.0/24"),
                    nodeAcls.get());
     }
@@ -142,7 +143,7 @@ public class AclProvisioningTest {
                     .findFirst()
                     .orElseThrow(() -> new RuntimeException("Expected to find ACL for node " + dockerNode.hostname()));
             assertEquals(dockerHostNodeUnderTest.hostname(), dockerNode.parentHostname().get());
-            assertAcls(List.of(configServers, dockerNodes), nodeAcl);
+            assertAcls(List.of(configServers, dockerNodes, List.of(dockerHostNodeUnderTest)), nodeAcl);
         }
     }
 
-- 
cgit v1.2.3