authorMorten Tokle <mortent@yahooinc.com>2023-10-09 15:26:50 +0200
committerGitHub <noreply@github.com>2023-10-09 15:26:50 +0200
commit7ecd4ee1dd4e510df359a0f3aff96a3406656907 (patch)
treeba1ab1ac9d8acd0bb61dda61e67c1c0a735db3fe
parentb09acf5a94ff3fe7b70381478fedcc242d965c32 (diff)
parent83137e5917d5dc1f0e7552165bed3e351a7a3ea2 (diff)
Merge pull request #28843 from vespa-engine/mortent/fix-node-cert-refresh
fix node cert refresh MERGEOK
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java18
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java6
2 files changed, 16 insertions, 8 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 830b7f4ed33..d11adbe696a 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -297,12 +297,15 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private void refreshIdentity(NodeAgentContext context, ContainerPath privateKeyFile, ContainerPath certificateFile,
ContainerPath identityDocumentFile, IdentityDocument doc, IdentityType identityType, AthenzIdentity identity) {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
- CsrGenerator csrGenerator = new CsrGenerator(certificateDnsSuffix, doc.providerService().getFullName());
- Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
- identity, doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
-
try {
+ // Do not rotate private key on every refresh.
+ // TODO: rotate key pair only on Vespa upgrade or similar
+ PrivateKey privateKey = readPrivateKeyFromFile(privateKeyFile);
+ KeyPair keyPair = KeyUtils.toKeyPair(privateKey);
+ CsrGenerator csrGenerator = new CsrGenerator(certificateDnsSuffix, doc.providerService().getFullName());
+ Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
+ identity, doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
+
// Allow all zts hosts while removing SIS
HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) {
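Review bot: Reusing the on-disk private key for every refresh means a leaked node key now stays valid for as long as refreshes keep succeeding, whereas the replaced code rotated it each time; the TODO on the preceding lines records the intent but nothing bounds the key's age. A minimal guard would be to persist the key's creation time alongside it and fall back to `KeyUtils.generateKeypair(KeyAlgorithm.RSA)` once it exceeds a configured maximum, which also covers the first-boot or corrupt-file case where `readPrivateKeyFromFile` would otherwise make the refresh fail with an IOException instead of recovering. If the fallback is deliberately out of scope, the comment should state what happens when the key file is missing or unparseable, e.g. `// Falls through to the catch below if the key file is absent or unparseable; no new key pair is generated here.` The body of refreshIdentity, including the catch that handles the IOException, continues outside the hunk.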
@@ -347,6 +350,11 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
return X509CertificateUtils.fromPem(pemEncodedCertificate);
}
+ private static PrivateKey readPrivateKeyFromFile(ContainerPath privateKeyFile) throws IOException {
+ String pemEncodedKey = new String(Files.readAllBytes(privateKeyFile));
+ return KeyUtils.fromPemEncodedPrivateKey(pemEncodedKey);
+ }
+
private static boolean isCertificateExpired(Instant expiry, Instant now) {
return now.isAfter(expiry.minus(EXPIRY_MARGIN));
}
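Review bot: `new String(Files.readAllBytes(privateKeyFile))` decodes the PEM with the platform default charset, which is only UTF-8 by default from Java 18 onward; PEM is ASCII so it usually works, but the intent should be explicit: `String pemEncodedKey = Files.readString(privateKeyFile, StandardCharsets.UTF_8);` (with the `java.nio.charset.StandardCharsets` import if the file lacks it). The decoded key material is also held in an immutable String that cannot be zeroed after `KeyUtils.fromPemEncodedPrivateKey` has consumed it; if that matters for this process, a `byte[]`/`char[]` path that is cleared afterwards would be preferable. A one-line Javadoc such as `/** Reads the node's PEM-encoded private key from {@code privateKeyFile}; throws IOException if the file cannot be read. */` would document the new failure mode for callers.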
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index e97409b40ef..fd297c291c2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -278,17 +278,17 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
identity, role, athenzUniqueInstanceId, null, keyPair);
try (ZtsClient client = createZtsClient()) {
X509Certificate roleCertificate = client.getRoleCertificate(role, csr);
- updateRoleKeyManager(role, roleCertificate);
+ updateRoleKeyManager(role, keyPair.getPrivate(), roleCertificate);
log.info(String.format("Requester role certificate for role %s, expires: %s", role.toResourceNameString(), roleCertificate.getNotAfter().toInstant().toString()));
return roleCertificate;
}
}
- private void updateRoleKeyManager(AthenzRole role, X509Certificate certificate) {
+ private void updateRoleKeyManager(AthenzRole role, PrivateKey privateKey, X509Certificate certificate) {
MutableX509KeyManager keyManager = roleKeyManagerCache.computeIfAbsent(role, r -> new MutableX509KeyManager());
keyManager.updateKeystore(
KeyStoreBuilder.withType(PKCS12)
- .withKeyEntry("default", autoReloadingX509KeyManager.getCurrentCertificateWithKey().privateKey(), certificate)
+ .withKeyEntry("default", privateKey, certificate)
.build(),
new char[0]);
}
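Review bot: Passing `keyPair.getPrivate()` into the key manager fixes the key/certificate mismatch, but nothing prevents the same class of bug from recurring; since the caller still holds `keyPair`, a cheap consistency check before the update would fail fast instead of installing an unusable identity: `if (!roleCertificate.getPublicKey().equals(keyPair.getPublic())) throw new IllegalStateException("Role certificate public key does not match the key pair used for its CSR");` (or compare `getEncoded()` via `Arrays.equals` if the provider's `PublicKey.equals` is not trusted). `updateRoleKeyManager` should also document the new precondition, e.g. `/** Installs {@code certificate} for {@code role}; {@code privateKey} must be the key whose public half is in the certificate. */`. The method that obtains the role certificate starts outside the hunk, and the hunk itself appears to end at the last visible line.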