author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2023-11-24 09:37:56 +0100 |
committer | GitHub <noreply@github.com> | 2023-11-24 09:37:56 +0100 |
commit | 7e1fc00d718e3c80f837d50da4e48cadf146987c (patch) | |
tree | 4b5b187881e138fcde1da1f75c76a4e9f55bb838 | |
parent | e7a5527f8c24d6f58f2b166e64a30aa73462de76 (diff) | |
parent | 761c86dc78215a8cc7a407953cbb87aba9c6ecda (diff) |
Merge pull request #29451 from vespa-engine/mortent/spiffe-uri
Add spiffe uri to role and service certs
2 files changed, 6 insertions, 3 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 6d79e96a635..06a7c59b959 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -50,7 +50,8 @@ public class CsrGenerator {
 instanceIdentity.getName(),
 instanceIdentity.getDomainName().replace(".", "-"),
 dnsSuffix))
-.addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
+.addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
+.addSubjectAlternativeName(URI, instanceIdentity.spiffeUri().toString());
 if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
 ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
 return pkcs10CsrBuilder.build();
@@ -64,7 +65,8 @@ public class CsrGenerator {
 X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
 var b = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
 .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
-.addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix));
+.addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+.addSubjectAlternativeName(URI, "spiffe://%s/ra/%s".formatted(role.domain().getName(), role.roleName()));
 if (clusterType != null) b.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
 return b.build();
 }
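Review bot: The role SPIFFE SAN added in the second hunk is built by plain string interpolation, `"spiffe://%s/ra/%s".formatted(role.domain().getName(), role.roleName())`, so any `/`, `?`, `#` or whitespace in a domain or role name would land unescaped inside a certificate SAN, whereas the instance hunk delegates to `instanceIdentity.spiffeUri()`. I would give the role identity the same accessor and write `.addSubjectAlternativeName(URI, role.spiffeUri().toString())`, or at least route both through one private helper in CsrGenerator that validates the two components before formatting, so the SPIFFE ID layout is defined in a single place. Whether Athenz already restricts domain and role names to a URI-safe character set is not visible here; if it does, a comment on the added line such as `// domain and role names are validated by Athenz, so no URI escaping is needed` would settle the question for the next reader. Both hunks sit inside methods whose signatures lie outside the diff, and the accompanying test change only covers the instance form (`spiffe://foo/sa/bar`), leaving the `/ra/` role form unasserted.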
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
index cb2aac372ff..1f9ad2ced64 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
@@ -42,7 +42,8 @@ public class InstanceCsrGeneratorTest {
 var expectedSans = Set.of(
 new SubjectAlternativeName(DNS, "bar.foo.prod-us-north-1.vespa.yahoo.cloud"),
 new SubjectAlternativeName(DNS, "0.default.default.foo-app.vespa.us-north-1.prod.node.instanceid.athenz.prod-us-north-1.vespa.yahoo.cloud"),
-new SubjectAlternativeName(URI, "vespa://cluster-type/container"));
+new SubjectAlternativeName(URI, "vespa://cluster-type/container"),
+new SubjectAlternativeName(URI, "spiffe://foo/sa/bar"));
 assertEquals(expectedSans, actualSans);
 }
 }