authorJon Marius Venstad <jonmv@users.noreply.github.com>2023-07-07 13:35:20 +0200
committerGitHub <noreply@github.com>2023-07-07 13:35:20 +0200
commita5d2b34d3ebeee52ed4cc432113bba6826d5961f (patch)
tree01b2f9967428628548c81b7c0664f81960ae9204
parentbc17718b916547d1088d9380c397b665d567452b (diff)
parent498fbe9b762c32cef084aaa66ccd233c05016613 (diff)
Merge pull request #27694 from vespa-engine/freva/fix-zts-trust-store
Set ZTS trust store in registerIdentity() as well
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java31
1 files changed, 15 insertions, 16 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index f1972ccf000..b6ec0ebbd94 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -85,8 +85,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
// Used as an optimization to ensure ZTS is not DDoS'ed on continuously failing refresh attempts
private final Map<ContainerName, Instant> lastRefreshAttempt = new ConcurrentHashMap<>();
- public AthenzCredentialsMaintainer(URI ztsEndpoint,
- Path ztsTrustStorePath,
+ public AthenzCredentialsMaintainer(Path ztsTrustStorePath,
ConfigServerInfo configServerInfo,
String certificateDnsSuffix,
ServiceIdentityProvider hostIdentityProvider,
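Review bot: The constructor loses its `URI ztsEndpoint` parameter, yet the diffstat lists only this one file as changed; any caller or test that still passes the endpoint would no longer compile, so the remaining call sites are presumably updated elsewhere in the merged branch — worth confirming. The endpoint is now taken per call from the identity document (`identityDocument.ztsUrl()` / `doc.ztsUrl()`) rather than fixed at construction, which is a behavioural shift that the commit message does not mention. The constructor's parameter list continues outside the hunk.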
@@ -228,14 +227,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
var athenzRole = AthenzRole.fromResourceNameString(role);
- var containerIdentitySslContext = new SslContextBuilder()
- .withKeyStore(privateKeyFile, certificateFile)
- .withTrustStore(ztsTrustStorePath)
- .build();
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(identityDocument.ztsUrl())
- .withSslContext(containerIdentitySslContext)
- .withHostnameVerifier(ztsHostNameVerifier)
- .build()) {
+ try (ZtsClient ztsClient = ztsClient(identityDocument.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) {
var csrGenerator = new CsrGenerator(certificateDnsSuffix, identityDocument.providerService().getFullName());
var csr = csrGenerator.generateRoleCsr(
identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), keyPair);
@@ -315,7 +307,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
// Allow all zts hosts while removing SIS
HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(doc.ztsUrl()).withIdentityProvider(hostIdentityProvider).withHostnameVerifier(ztsHostNameVerifier).build()) {
+ try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), hostIdentityProvider.privateKeyPath(), hostIdentityProvider.certificatePath(), ztsHostNameVerifier)) {
InstanceIdentity instanceIdentity =
ztsClient.registerInstance(
doc.providerService(),
@@ -335,14 +327,10 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
identity, doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
- SSLContext containerIdentitySslContext = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile)
- .withTrustStore(ztsTrustStorePath)
- .build();
-
try {
// Allow all zts hosts while removing SIS
HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(doc.ztsUrl()).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
+ try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) {
InstanceIdentity instanceIdentity =
ztsClient.refreshInstance(
doc.providerService(),
@@ -436,6 +424,17 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
return SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION;
}
+ private ZtsClient ztsClient(URI ztsEndpoint, Path privateKeyFile, Path certificateFile, HostnameVerifier hostnameVerifier) {
+ SSLContext sslContext = new SslContextBuilder()
+ .withKeyStore(privateKeyFile, certificateFile)
+ .withTrustStore(ztsTrustStorePath)
+ .build();
+ return new DefaultZtsClient.Builder(ztsEndpoint)
+ .withSslContext(sslContext)
+ .withHostnameVerifier(hostnameVerifier)
+ .build();
+ }
+
private List<String> getRoleList(NodeAgentContext context) {
try {
return identityDocumentClient.getNodeRoles(context.hostname().value());
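Review bot: The new `ztsClient` helper has no Javadoc although it now centralises the TLS configuration for every ZTS call made by this maintainer; it should state that `ztsTrustStorePath` is the only trust anchor and that hostname verification is left entirely to the caller. All three call sites in this diff pass the accept-all `(hostname, sslSession) -> true` verifier, so chain validation against the trust store is the sole check on the peer, and that fact is easy to miss once the builder chain is hidden inside the helper. A suggested header: `/** Builds a short-lived ZTS client authenticating with the given key/cert and trusting only {@code ztsTrustStorePath}; hostname verification is delegated to {@code hostnameVerifier}. */`. The key and certificate files are read from disk on every call, so the returned client reflects whatever is on disk at build time, which suits the try-with-resources usage in the callers but is not documented.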