authorHarald Musum <musum@verizonmedia.com>2019-06-10 21:13:05 +0200
committerHarald Musum <musum@verizonmedia.com>2019-06-10 21:13:05 +0200
commit7b1671726ec97d387f6acbe0b0774756d7cfac2d (patch)
tree2683c0811f94e39af592eccadd5309120deeaaac
parent79cd883d5df45dc236e5cebf2c21b5487c791df6 (diff)
Change schema for athenz-provider-service so that it will be generated per zone
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java18
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java9
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/CkmsKeyProvider.java4
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/Utils.java7
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java6
-rw-r--r--configdefinitions/src/vespa/athenz-provider-service.def12
6 files changed, 21 insertions, 35 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
index bb3216ba3ba..2bda2eb3627 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
@@ -37,8 +37,6 @@ import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.logging.Logger;
-import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils.getZoneConfig;
-
/**
* Configures the JDisc https connector with the configserver's Athenz provider certificate and private key.
*
@@ -56,7 +54,7 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
Executors.newSingleThreadScheduledExecutor(runnable -> new Thread(runnable, "configserver-ssl-context-factory-provider"));
private final ZtsClient ztsClient;
private final KeyProvider keyProvider;
- private final AthenzProviderServiceConfig.Zones zoneConfig;
+ private final AthenzProviderServiceConfig athenzProviderServiceConfig;
private final AthenzService configserverIdentity;
@Inject
@@ -64,14 +62,14 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
KeyProvider keyProvider,
AthenzProviderServiceConfig config,
Zone zone) {
- this.zoneConfig = getZoneConfig(config, zone);
- this.ztsClient = new DefaultZtsClient(URI.create(zoneConfig.ztsUrl()), bootstrapIdentity);
+ this.athenzProviderServiceConfig = config;
+ this.ztsClient = new DefaultZtsClient(URI.create(athenzProviderServiceConfig.ztsUrl()), bootstrapIdentity);
this.keyProvider = keyProvider;
- this.configserverIdentity = new AthenzService(zoneConfig.domain(), zoneConfig.serviceName());
+ this.configserverIdentity = new AthenzService(athenzProviderServiceConfig.domain(), athenzProviderServiceConfig.serviceName());
Duration updatePeriod = Duration.ofDays(config.updatePeriodDays());
Path trustStoreFile = Paths.get(config.athenzCaTrustStore());
- this.sslContextFactory = initializeSslContextFactory(keyProvider, trustStoreFile, updatePeriod, configserverIdentity, ztsClient, zoneConfig);
+ this.sslContextFactory = initializeSslContextFactory(keyProvider, trustStoreFile, updatePeriod, configserverIdentity, ztsClient, athenzProviderServiceConfig);
scheduler.scheduleAtFixedRate(new KeystoreUpdater(sslContextFactory),
updatePeriod.toDays()/*initial delay*/,
updatePeriod.toDays(),
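Review bot: The `Zone zone` constructor parameter on line 42 is no longer read once `getZoneConfig(config, zone)` is gone, so it is now dead input that every injection site still has to supply; either drop it from the signature or leave a comment stating why it is kept. The body also mixes `config.updatePeriodDays()` / `config.athenzCaTrustStore()` with `athenzProviderServiceConfig.ztsUrl()` for the same object; reading everything through one name, e.g. `Duration updatePeriod = Duration.ofDays(athenzProviderServiceConfig.updatePeriodDays());`, makes it obvious there is a single config. Worth noting that the old per-zone map lookup presumably failed on a config built for another zone, whereas the flat config cannot be cross-checked against `zone` here, so correctness now rests entirely on the config being generated for the right zone. The constructor continues past the hunk.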
@@ -108,7 +106,7 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
Duration updatePeriod,
AthenzService configserverIdentity,
ZtsClient ztsClient,
- AthenzProviderServiceConfig.Zones zoneConfig) {
+ AthenzProviderServiceConfig zoneConfig) {
// TODO Use DefaultTlsContext to configure SslContextFactory (ensure that cipher/protocol configuration is same across all TLS endpoints)
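Review bot: The parameter on line 62 keeps the name `zoneConfig` although its type is now the whole `AthenzProviderServiceConfig`, which no longer has a per-zone part, so the name misleads the reader; the same applies to `updateKeystore` on line 69. Renaming both to `config` (`AthenzProviderServiceConfig config) {` and `PrivateKey privateKey = keyProvider.getPrivateKey(config.secretVersion());`) keeps them consistent with the constructor's `config` parameter. Both method signatures start before their hunks.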
@@ -150,7 +148,7 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
char[] keystorePwd,
KeyProvider keyProvider,
ZtsClient ztsClient,
- AthenzProviderServiceConfig.Zones zoneConfig) {
+ AthenzProviderServiceConfig zoneConfig) {
PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion());
PublicKey publicKey = KeyUtils.extractPublicKey(privateKey);
Identity serviceIdentity = ztsClient.getServiceIdentity(configserverIdentity,
@@ -184,7 +182,7 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
try {
log.log(LogLevel.INFO, "Updating configserver provider certificate from ZTS");
char[] keystorePwd = generateKeystorePassword();
- KeyStore keyStore = updateKeystore(configserverIdentity, keystorePwd, keyProvider, ztsClient, zoneConfig);
+ KeyStore keyStore = updateKeystore(configserverIdentity, keystorePwd, keyProvider, ztsClient, athenzProviderServiceConfig);
sslContextFactory.reload(scf -> {
scf.setKeyStore(keyStore);
scf.setKeyStorePassword(new String(keystorePwd));
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 8d3e37e1ebd..c328b8b6c21 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -11,7 +11,6 @@ import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
import com.yahoo.vespa.athenz.identityprovider.client.IdentityDocumentSigner;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.KeyProvider;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import com.yahoo.vespa.hosted.provision.node.Allocation;
@@ -33,14 +32,14 @@ public class IdentityDocumentGenerator {
private final NodeRepository nodeRepository;
private final Zone zone;
private final KeyProvider keyProvider;
- private final AthenzProviderServiceConfig.Zones zoneConfig;
+ private final AthenzProviderServiceConfig athenzProviderServiceConfig;
@Inject
public IdentityDocumentGenerator(AthenzProviderServiceConfig config,
NodeRepository nodeRepository,
Zone zone,
KeyProvider keyProvider) {
- this.zoneConfig = Utils.getZoneConfig(config, zone);
+ this.athenzProviderServiceConfig = config;
this.nodeRepository = nodeRepository;
this.zone = zone;
this.keyProvider = keyProvider;
@@ -62,8 +61,8 @@ public class IdentityDocumentGenerator {
Set<String> ips = new HashSet<>(node.ipAddresses());
- PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion());
- AthenzService providerService = new AthenzService(zoneConfig.domain(), zoneConfig.serviceName());
+ PrivateKey privateKey = keyProvider.getPrivateKey(athenzProviderServiceConfig.secretVersion());
+ AthenzService providerService = new AthenzService(athenzProviderServiceConfig.domain(), athenzProviderServiceConfig.serviceName());
String configServerHostname = HostName.getLocalhost();
Instant createdAt = Instant.now();
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/CkmsKeyProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/CkmsKeyProvider.java
index 40003d4ccf3..bc044f12b15 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/CkmsKeyProvider.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/CkmsKeyProvider.java
@@ -14,8 +14,6 @@ import java.security.PublicKey;
import java.util.HashMap;
import java.util.Map;
-import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils.getZoneConfig;
-
/**
* @author mortent
* @author bjorncs
@@ -32,7 +30,7 @@ public class CkmsKeyProvider implements KeyProvider {
Zone zone,
AthenzProviderServiceConfig config) {
this.secretStore = secretStore;
- this.secretName = getZoneConfig(config, zone).secretName();
+ this.secretName = config.secretName();
this.secrets = new HashMap<>();
}
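Review bot: `Zone zone` on line 131 is now an unused constructor parameter, since its only consumer was `getZoneConfig(config, zone)`; drop it from the signature (and the matching injection call sites, which are outside this diff) or add a comment explaining why it must stay. The constructor's signature starts before the hunk.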
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/Utils.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/Utils.java
index ad54aa341bf..f52493375f1 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/Utils.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/Utils.java
@@ -3,8 +3,6 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
-import com.yahoo.config.provision.Zone;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
/**
* @author bjorncs
@@ -23,9 +21,4 @@ public class Utils {
return mapper;
}
- public static AthenzProviderServiceConfig.Zones getZoneConfig(AthenzProviderServiceConfig config, Zone zone) {
- String key = zone.environment().value() + "." + zone.region().value();
- return config.zones(key);
- }
-
}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
index 9271fa74363..de623b7bcf8 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
@@ -1,7 +1,6 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
-import com.google.common.collect.ImmutableMap;
import com.yahoo.config.provision.Zone;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
@@ -14,8 +13,8 @@ public class TestUtils {
String service,
String dnsSuffix,
Zone zone) {
- AthenzProviderServiceConfig.Zones.Builder zoneConfig =
- new AthenzProviderServiceConfig.Zones.Builder()
+ AthenzProviderServiceConfig.Builder zoneConfig =
+ new AthenzProviderServiceConfig.Builder()
.serviceName(service)
.secretVersion(0)
.domain(domain)
@@ -24,7 +23,6 @@ public class TestUtils {
.secretName("s3cr3t");
return new AthenzProviderServiceConfig(
new AthenzProviderServiceConfig.Builder()
- .zones(ImmutableMap.of(zone.environment().value() + "." + zone.region().value(), zoneConfig))
.athenzCaTrustStore("/dummy/path/to/athenz-ca.jks"));
}
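Review bot: The `zoneConfig` builder populated in the previous hunk (service name, secret version, domain, secret name) is never used: lines 181-184 still construct the returned config from a fresh `new AthenzProviderServiceConfig.Builder()` that only sets `athenzCaTrustStore`, so tests will presumably receive a config without the domain, service and secret values they pass in. The return should build from the populated builder, `return new AthenzProviderServiceConfig(zoneConfig.athenzCaTrustStore("/dummy/path/to/athenz-ca.jks"));`. With the `zones(...)` call removed, `zone` on line 171 is also an unused parameter of this helper. The helper's signature starts before the previous hunk.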
diff --git a/configdefinitions/src/vespa/athenz-provider-service.def b/configdefinitions/src/vespa/athenz-provider-service.def
index 281db6fb43d..7a06b13d435 100644
--- a/configdefinitions/src/vespa/athenz-provider-service.def
+++ b/configdefinitions/src/vespa/athenz-provider-service.def
@@ -2,22 +2,22 @@
namespace=vespa.hosted.athenz.instanceproviderservice.config
# Athenz domain
-zones{}.domain string
+domain string
# Athenz service name
-zones{}.serviceName string
+serviceName string
# Secret name of private Key
-zones{}.secretName string
+secretName string
# Secret version
-zones{}.secretVersion int
+secretVersion int
# Certificate DNS suffix
-zones{}.certDnsSuffix string
+certDnsSuffix string
# Athenz ZTS server url
-zones{}.ztsUrl string
+ztsUrl string
# Path to Athenz CA JKS trust store
athenzCaTrustStore string
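Review bot: After dropping the `zones{}` map nothing in the definition records that each config instance is now zone-specific, which is the intent stated in the commit title; a top-of-file comment such as `# Generated per zone; all values below apply to the zone this config server serves` would make that visible to anyone editing the schema or the generator that fills it. The definition may continue past the hunk.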