authorBjørn Christian Seime <bjorn.christian@seime.no>2023-11-24 09:37:56 +0100
committerGitHub <noreply@github.com>2023-11-24 09:37:56 +0100
commit7e1fc00d718e3c80f837d50da4e48cadf146987c (patch)
tree4b5b187881e138fcde1da1f75c76a4e9f55bb838
parente7a5527f8c24d6f58f2b166e64a30aa73462de76 (diff)
parent761c86dc78215a8cc7a407953cbb87aba9c6ecda (diff)
Merge pull request #29451 from vespa-engine/mortent/spiffe-uri
Add SPIFFE URI to role and service certs
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java6
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java3
2 files changed, 6 insertions, 3 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 6d79e96a635..06a7c59b959 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -50,7 +50,8 @@ public class CsrGenerator {
instanceIdentity.getName(),
instanceIdentity.getDomainName().replace(".", "-"),
dnsSuffix))
- .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
+ .addSubjectAlternativeName(URI, instanceIdentity.spiffeUri().toString());
if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
return pkcs10CsrBuilder.build();
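Review bot: The service certificate's SPIFFE SAN is now taken from `instanceIdentity.spiffeUri()`, while the role certificate in the next hunk hand-formats `"spiffe://%s/ra/%s"`; the same identity scheme is therefore encoded in two different places that can drift independently. Giving the role type an equivalent accessor (or routing both through one helper in this class) would leave a single source of truth for the URI layout that the tests can also pin. If `spiffeUri()` can be absent for some identity kinds, the `.toString()` on the new line would fail with a NullPointerException before the CSR is built; if it is always present, a one-line comment such as `// spiffeUri() is non-null for every instance identity` on the new line would make that guarantee explicit. The enclosing method starts outside the hunk.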
@@ -64,7 +65,8 @@ public class CsrGenerator {
X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
var b = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
.addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
- .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix));
+ .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+ .addSubjectAlternativeName(URI, "spiffe://%s/ra/%s".formatted(role.domain().getName(), role.roleName()));
if (clusterType != null) b.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
return b.build();
}
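Review bot: `role.domain().getName()` and `role.roleName()` are interpolated into the SPIFFE URI path on the new line without escaping or validation; if either value may contain `/`, `?`, `#` or whitespace, the resulting SAN no longer denotes the intended trust domain and path, and a relying party matching on a `spiffe://<domain>/ra/` prefix could be handed a misleading identity. If the Athenz domain and role-name types already enforce a restricted character set upstream, a short comment saying so here would save the next reader the same question; otherwise reject components containing path-significant characters before formatting, so an unexpected name fails loudly instead of silently producing a different identifier. This hunk also has no accompanying test for the `/ra/` layout (the test file in this commit only asserts the `/sa/` service-certificate SAN). The enclosing method starts outside the hunk.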
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
index cb2aac372ff..1f9ad2ced64 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
@@ -42,7 +42,8 @@ public class InstanceCsrGeneratorTest {
var expectedSans = Set.of(
new SubjectAlternativeName(DNS, "bar.foo.prod-us-north-1.vespa.yahoo.cloud"),
new SubjectAlternativeName(DNS, "0.default.default.foo-app.vespa.us-north-1.prod.node.instanceid.athenz.prod-us-north-1.vespa.yahoo.cloud"),
- new SubjectAlternativeName(URI, "vespa://cluster-type/container"));
+ new SubjectAlternativeName(URI, "vespa://cluster-type/container"),
+ new SubjectAlternativeName(URI, "spiffe://foo/sa/bar"));
assertEquals(expectedSans, actualSans);
}
}
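Review bot: The new expectation `spiffe://foo/sa/bar` covers only the service-certificate SAN; the role-certificate change in CsrGenerator (the `spiffe://%s/ra/%s` SAN) is not asserted anywhere in this commit, and the diffstat shows no other test file touched. A parallel assertion in whichever test exercises the role CSR, expecting `new SubjectAlternativeName(URI, "spiffe://<domain>/ra/<role>")` with the fixture's actual domain and role values, would pin the `/ra/` layout the same way this test pins `/sa/`. Without it, a later change to the format string in the role path would go unnoticed.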