va: Make the primary VA aware of the Perspective and RIR of each remo…

…te (#7839) - Make the primary VA aware of the expected Perspective and RIR of each remote VA. - All Perspectives should be unique, have the primary VA check for duplicate Perspectives at startup. - Update test setup functions to ensure that each remote VA client and corresponding inmem impl have a matching perspective and RIR. Part of #7819
letsencrypt · Nov 25, 2024 · c394831 · c394831
1 parent 7791262
commit c394831
Show file tree

Hide file tree

Showing 8 changed files with 420 additions and 318 deletions.
diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
@@ -15,10 +15,44 @@ import (
 	vapb "github.com/letsencrypt/boulder/va/proto"
 )
 
+// RemoteVAGRPCClientConfig  contains the information necessary to setup a gRPC
+// client connection. The following GRPC client configuration field combinations
+// are allowed:
+//
+// ServerIPAddresses, [Timeout]
+// ServerAddress, DNSAuthority, [Timeout], [HostOverride]
+// SRVLookup, DNSAuthority, [Timeout], [HostOverride], [SRVResolver]
+// SRVLookups, DNSAuthority, [Timeout], [HostOverride], [SRVResolver]
+type RemoteVAGRPCClientConfig struct {
+	cmd.GRPCClientConfig
+	// Perspective uniquely identifies the Network Perspective used to
+	// perform the validation, as specified in BRs Section 5.4.1,
+	// Requirement 2.7 ("Multi-Perspective Issuance Corroboration attempts
+	// from each Network Perspective"). It should uniquely identify a group
+	// of RVAs deployed in the same datacenter.
+	//
+	// TODO(#7615): Make mandatory.
+	Perspective string `validate:"omitempty"`
+
+	// RIR indicates the Regional Internet Registry where this RVA is
+	// located. This field is used to identify the RIR region from which a
+	// given validation was performed, as specified in the "Phased
+	// Implementation Timeline" in BRs Section 3.2.2.9. It must be one of
+	// the following values:
+	//   - ARIN
+	//   - RIPE
+	//   - APNIC
+	//   - LACNIC
+	//   - AfriNIC
+	//
+	// TODO(#7615): Make mandatory.
+	RIR string `validate:"omitempty,oneof=ARIN RIPE APNIC LACNIC AfriNIC"`
+}
+
 type Config struct {
 	VA struct {
 		vaConfig.Common
-		RemoteVAs []cmd.GRPCClientConfig `validate:"omitempty,dive"`
+		RemoteVAs []RemoteVAGRPCClientConfig `validate:"omitempty,dive"`
 		// Deprecated and ignored
 		MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"`
 		Features                    features.Config
@@ -92,7 +126,7 @@ func main() {
 	if len(c.VA.RemoteVAs) > 0 {
 		for _, rva := range c.VA.RemoteVAs {
 			rva := rva
-			vaConn, err := bgrpc.ClientSetup(&rva, tlsConfig, scope, clk)
+			vaConn, err := bgrpc.ClientSetup(&rva.GRPCClientConfig, tlsConfig, scope, clk)
 			cmd.FailOnError(err, "Unable to create remote VA client")
 			remotes = append(
 				remotes,
@@ -101,7 +135,9 @@ func main() {
 						VAClient:  vapb.NewVAClient(vaConn),
 						CAAClient: vapb.NewCAAClient(vaConn),
 					},
-					Address: rva.ServerAddress,
+					Address:     rva.ServerAddress,
+					Perspective: rva.Perspective,
+					RIR:         rva.RIR,
 				},
 			)
 		}

diff --git a/test/config-next/remoteva-a.json b/test/config-next/remoteva-a.json
@@ -37,7 +37,7 @@
 			"http://boulder.service.consul:4000/acme/reg/",
 			"http://boulder.service.consul:4001/acme/acct/"
 		],
-		"perspective": "development",
+		"perspective": "dadaist",
 		"rir": "ARIN"
 	},
 	"syslog": {

diff --git a/test/config-next/remoteva-b.json b/test/config-next/remoteva-b.json
@@ -37,7 +37,7 @@
 			"http://boulder.service.consul:4000/acme/reg/",
 			"http://boulder.service.consul:4001/acme/acct/"
 		],
-		"perspective": "development",
+		"perspective": "surrealist",
 		"rir": "RIPE"
 	},
 	"syslog": {

diff --git a/test/config-next/remoteva-c.json b/test/config-next/remoteva-c.json
@@ -37,7 +37,7 @@
 			"http://boulder.service.consul:4000/acme/reg/",
 			"http://boulder.service.consul:4001/acme/acct/"
 		],
-		"perspective": "development",
+		"perspective": "cubist",
 		"rir": "ARIN"
 	},
 	"syslog": {

diff --git a/test/config-next/va.json b/test/config-next/va.json
@@ -46,17 +46,23 @@
 			{
 				"serverAddress": "rva1.service.consul:9397",
 				"timeout": "15s",
-				"hostOverride": "rva1.boulder"
+				"hostOverride": "rva1.boulder",
+				"perspective": "dadaist",
+				"rir": "ARIN"
 			},
 			{
 				"serverAddress": "rva1.service.consul:9498",
 				"timeout": "15s",
-				"hostOverride": "rva1.boulder"
+				"hostOverride": "rva1.boulder",
+				"perspective": "surrealist",
+				"rir": "RIPE"
 			},
 			{
 				"serverAddress": "rva1.service.consul:9499",
 				"timeout": "15s",
-				"hostOverride": "rva1.boulder"
+				"hostOverride": "rva1.boulder",
+				"perspective": "cubist",
+				"rir": "ARIN"
 			}
 		],
 		"accountURIPrefixes": [