authorMorten Tokle <mortent@yahooinc.com>2023-04-27 08:50:52 +0200
committerMorten Tokle <mortent@yahooinc.com>2023-04-27 08:50:52 +0200
commit4fba60cd48d4befbc38d54487e7bba471ec93a89 (patch)
treee307fd7d2886ae17191765965e3376e4cc169b60
parent58daaccf83103d8b082c8ca724dc5c78f5d84392 (diff)
Revert "Optional identity document. Skip in public"
This reverts commit 6d58df3ac8ab8e94eb3b7f71d9a3792f97d63e56.
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java43
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java3
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java11
4 files changed, 23 insertions, 36 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 3ab1fdf211b..13c0c5d0bb5 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -107,10 +107,6 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
public boolean converge(NodeAgentContext context) {
var modified = false;
modified |= maintain(context, NODE);
-
- if (context.zone().getSystemName().isPublic())
- return modified;
-
if (shouldWriteTenantServiceIdentity(context))
modified |= maintain(context, TENANT);
else
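Review bot: With the public-zone early return gone, `shouldWriteTenantServiceIdentity(context)` is the only gate left on `maintain(context, TENANT)`, and nothing in the method records why tenant credentials are now maintained in every zone. Since this is a revert, a short comment above that `if` would stop the skip from being reintroduced for the same reason, e.g. `// Tenant identity is maintained in all zones, including public; see revert of 6d58df3a`. `converge` continues past the end of this hunk.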
@@ -125,10 +121,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
context.log(logger, Level.FINE, "Checking certificate");
ContainerPath siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
ContainerPath identityDocumentFile = siaDirectory.resolve(identityType.getIdentityDocument());
- Optional<AthenzIdentity> optionalAthenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
- if (optionalAthenzIdentity.isEmpty())
- return false;
- AthenzIdentity athenzIdentity = optionalAthenzIdentity.get();
+ AthenzIdentity athenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
ContainerPath privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
ContainerPath certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
if (!Files.exists(privateKeyFile) || !Files.exists(certificateFile) || !Files.exists(identityDocumentFile)) {
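Review bot: `getAthenzIdentity(context, identityType, identityDocumentFile)` on the new side no longer returns an `Optional`, so for `TENANT` with no local document the lookup goes to `identityDocumentClient`, whose new-side `getIdentityDocument` (later in this commit) throws a `RuntimeException` for every non-2xx status, 404 included. Where the removed lines returned `false` from `maintain`, a missing tenant document now propagates as an exception out of `maintain` and `converge`. If that is intended, a comment on the assignment such as `// Throws if the tenant document is neither on disk nor served by the configserver` would make it explicit; otherwise the call needs a try/catch that returns false. The enclosing `maintain` method begins and ends outside this hunk.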
@@ -210,17 +203,16 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
var siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
var identityDocumentFile = siaDirectory.resolve(TENANT.getIdentityDocument());
if (!Files.exists(identityDocumentFile)) return false;
- return getAthenzIdentity(context, TENANT, identityDocumentFile).map(athenzIdentity -> {
- var privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
- var certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
- try {
- return Files.deleteIfExists(identityDocumentFile) ||
- Files.deleteIfExists(privateKeyFile) ||
- Files.deleteIfExists(certificateFile);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }).orElse(false);
+ var athenzIdentity = getAthenzIdentity(context, TENANT, identityDocumentFile);
+ var privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
+ var certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
+ try {
+ return Files.deleteIfExists(identityDocumentFile) ||
+ Files.deleteIfExists(privateKeyFile) ||
+ Files.deleteIfExists(certificateFile);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
}
private boolean shouldRefreshCredentials(Duration age) {
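Review bot: The `||` chain on the restored lines `return Files.deleteIfExists(identityDocumentFile) || Files.deleteIfExists(privateKeyFile) || Files.deleteIfExists(certificateFile);` short-circuits after the first deletion that returns true, and the guard `if (!Files.exists(identityDocumentFile)) return false;` two lines earlier guarantees the identity document exists, so the private key and certificate deletions are never reached. On the next call the same guard returns false before anything else runs, which leaves the tenant private key and certificate on disk after their identity document is gone. Each deletion should be evaluated unconditionally and the results combined, as below. The enclosing method starts outside this hunk.

```java
        try {
            // Evaluate every deletion; a '||' chain stops at the first file actually removed.
            var deleted = Files.deleteIfExists(identityDocumentFile);
            deleted |= Files.deleteIfExists(privateKeyFile);
            deleted |= Files.deleteIfExists(certificateFile);
            return deleted;
        } catch (IOException e) {
            // … unchanged: rethrow as UncheckedIOException …
        }
```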
@@ -329,23 +321,22 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private SignedIdentityDocument signedIdentityDocument(NodeAgentContext context, IdentityType identityType) {
return switch (identityType) {
case NODE -> identityDocumentClient.getNodeIdentityDocument(context.hostname().value(), documentVersion(context));
- case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).get();
+ case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context));
};
}
- private Optional<AthenzIdentity> getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
+ private AthenzIdentity getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
return switch (identityType) {
- case NODE -> Optional.of(context.identity());
+ case NODE -> context.identity();
case TENANT -> getTenantIdentity(context, identityDocumentFile);
};
}
- private Optional<AthenzIdentity> getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
+ private AthenzIdentity getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
if (Files.exists(identityDocumentFile)) {
- return Optional.of(EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity());
+ return EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity();
} else {
- return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context))
- .map(doc -> doc.identityDocument().serviceIdentity());
+ return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).identityDocument().serviceIdentity();
}
}
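Review bot: The `else` branch of `getTenantIdentity` repeats the call `identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context))` that `signedIdentityDocument(context, TENANT)` a few lines above already wraps, so the two places can drift apart (for example if the document version logic changes). Routing it through the existing helper, `return signedIdentityDocument(context, TENANT).identityDocument().serviceIdentity();`, keeps a single call site for the remote fetch. A brief comment on the `if` that the on-disk document is preferred over a configserver round-trip would also help a reader who meets the two branches for the first time.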
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
index a3c2f0264d3..0e13cba8de9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
@@ -1,7 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.identityprovider.api;
-import java.util.Optional;
import java.util.OptionalInt;
/**
@@ -11,5 +10,5 @@ import java.util.OptionalInt;
*/
public interface IdentityDocumentClient {
SignedIdentityDocument getNodeIdentityDocument(String host, int documentVersion);
- Optional<SignedIdentityDocument> getTenantIdentityDocument(String host, int documentVersion);
+ SignedIdentityDocument getTenantIdentityDocument(String host, int documentVersion);
}
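Review bot: `getTenantIdentityDocument` on the new side can no longer signal absence through its return type, yet the interface says nothing about what a caller gets when the configserver has no tenant document for `host`; the `DefaultIdentityDocumentClient` change in this same commit throws a `RuntimeException` for every non-2xx status. Javadoc on both methods stating that the returned document is never null and naming the failure behaviour, e.g. `@throws RuntimeException if the document cannot be retrieved from the configserver`, would let callers such as `AthenzCredentialsService` and `AthenzCredentialsMaintainer` decide whether to catch it.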
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index d26386702d5..1858653c9b4 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -76,7 +76,7 @@ class AthenzCredentialsService {
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
IdentityDocumentClient identityDocumentClient = createIdentityDocumentClient();
// Use legacy version for now.
- SignedIdentityDocument signedDocument = identityDocumentClient.getTenantIdentityDocument(hostname, SignedIdentityDocument.LEGACY_DEFAULT_DOCUMENT_VERSION).orElseThrow();
+ SignedIdentityDocument signedDocument = identityDocumentClient.getTenantIdentityDocument(hostname, SignedIdentityDocument.LEGACY_DEFAULT_DOCUMENT_VERSION);
IdentityDocument document = signedDocument.identityDocument();
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
tenantIdentity,
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
index f95a3335c24..48fc021dced 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
@@ -23,7 +23,6 @@ import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.time.Duration;
-import java.util.Optional;
import java.util.function.Supplier;
/**
@@ -58,15 +57,15 @@ public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
@Override
public SignedIdentityDocument getNodeIdentityDocument(String host, int documentVersion) {
- return getIdentityDocument(host, "node", documentVersion).orElseThrow();
+ return getIdentityDocument(host, "node", documentVersion);
}
@Override
- public Optional<SignedIdentityDocument> getTenantIdentityDocument(String host, int documentVersion) {
+ public SignedIdentityDocument getTenantIdentityDocument(String host, int documentVersion) {
return getIdentityDocument(host, "tenant", documentVersion);
}
- private Optional<SignedIdentityDocument> getIdentityDocument(String host, String type, int documentVersion) {
+ private SignedIdentityDocument getIdentityDocument(String host, String type, int documentVersion) {
try (CloseableHttpClient client = createHttpClient(sslContextSupplier.get(), hostnameVerifier)) {
URI uri = configserverUri
@@ -84,9 +83,7 @@ public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
int statusCode = response.getStatusLine().getStatusCode();
if (statusCode >= 200 && statusCode <= 299) {
SignedIdentityDocumentEntity entity = objectMapper.readValue(responseContent, SignedIdentityDocumentEntity.class);
- return Optional.of(EntityBindingsMapper.toSignedIdentityDocument(entity));
- } else if (statusCode == 404) {
- return Optional.empty();
+ return EntityBindingsMapper.toSignedIdentityDocument(entity);
} else {
throw new RuntimeException(
String.format(
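Review bot: The new side sends a 404 down the same `else` path as every other non-2xx status, so the `throw new RuntimeException(` that follows no longer lets callers distinguish "no identity document for this host" from a configserver failure, and with the `Optional` removed from `IdentityDocumentClient` in this commit that distinction is otherwise unavailable. A dedicated unchecked exception type exposing `statusCode`, plus a comment on the `else` such as `// 404 is treated as an error: a tenant document is expected for every host`, would preserve the information without restoring the `Optional`. The `String.format(` arguments and the rest of `getIdentityDocument` lie outside this hunk.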