authorMorten Tokle <morten.tokle@gmail.com>2018-01-19 07:46:34 +0100
committerGitHub <noreply@github.com>2018-01-19 07:46:34 +0100
commitecf871bfa302fa42d3675eda8156cb4bae9790a9 (patch)
tree33c3b131de1c596c582a4fb8728ada40a6774bfc
parent6e04d1e721f4a184b4f07b29ee89ff4aa99a7db2 (diff)
parentdadbafef11b14f1bed87e19f01e9b23cb7e4ac0f (diff)
Merge pull request #4712 from vespa-engine/bjorncs/cache-sslcontext
Cache SSLContext in AthenzSslContextProviderImpl
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java35
1 files changed, 31 insertions, 4 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
index 1652cb2298e..afa630d8d9b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
@@ -9,6 +9,9 @@ import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
import javax.net.ssl.SSLContext;
import java.io.File;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.concurrent.atomic.AtomicReference;
/**
* @author bjorncs
@@ -17,6 +20,7 @@ public class AthenzSslContextProviderImpl implements AthenzSslContextProvider {
private final AthenzClientFactory clientFactory;
private final AthenzConfig config;
+ private final AtomicReference<CachedSslContext> cachedSslContext = new AtomicReference<>();
@Inject
public AthenzSslContextProviderImpl(AthenzClientFactory clientFactory, AthenzConfig config) {
@@ -26,9 +30,32 @@ public class AthenzSslContextProviderImpl implements AthenzSslContextProvider {
@Override
public SSLContext get() {
- return new AthenzSslContextBuilder()
- .withTrustStore(new File(config.athenzCaTrustStore()), "JKS")
- .withIdentityCertificate(clientFactory.createZtsClientWithServicePrincipal().getIdentityCertificate())
- .build();
+ CachedSslContext currentCachedSslContext = this.cachedSslContext.get();
+ if (currentCachedSslContext == null || currentCachedSslContext.isExpired()) {
+ SSLContext sslContext = new AthenzSslContextBuilder()
+ .withTrustStore(new File(config.athenzCaTrustStore()), "JKS")
+ .withIdentityCertificate(clientFactory.createZtsClientWithServicePrincipal().getIdentityCertificate())
+ .build();
+ this.cachedSslContext.set(new CachedSslContext(sslContext));
+ return sslContext;
+ }
+ return currentCachedSslContext.sslContext;
+ }
+
+ private static class CachedSslContext {
+ // Conservative expiration. Default expiration for Athenz certificates are 30 days.
+ static final Duration EXPIRATION = Duration.ofDays(1);
+
+ final SSLContext sslContext;
+ final Instant createdAt;
+
+ CachedSslContext(SSLContext sslContext) {
+ this.sslContext = sslContext;
+ this.createdAt = Instant.now();
+ }
+
+ boolean isExpired() {
+ return createdAt.plus(EXPIRATION).isAfter(Instant.now());
+ }
}
}
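Review bot: The expiry test in `isExpired()` is inverted: `createdAt.plus(EXPIRATION).isAfter(Instant.now())` is true for the first day after creation and false afterwards, so the cache is bypassed for 24 hours (every call still rebuilds the context and re-fetches the identity certificate from ZTS) and then the same SSLContext is served indefinitely, outliving the Athenz identity certificate it wraps, which the comment above says defaults to a 30-day validity. It should read `return Instant.now().isAfter(createdAt.plus(EXPIRATION));`. Separately, the check-then-set in `get()` is not atomic, so concurrent callers past expiry may each build a context and race on `set()`; that is benign since every result is usable, but it deserves a comment such as `// Benign race: concurrent refreshes each build a valid context, last writer wins`. Since the fixed one-day window is only a guess at the certificate's lifetime, consider taking the expiry from the fetched certificate's not-after instead, so a shorter-lived certificate is never served past its validity.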