author | Andreas Eriksen <andreer@verizonmedia.com> | 2020-02-05 12:33:26 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-05 12:33:26 +0100 |
commit | d05911599c0b9706d54ff7819349cbcadd30ed0a (patch) | |
tree | 95a7d5663d85b1e8518d04c7a07f16a1a5f735b1 | |
parent | fde5808fdecd1f08afbca417bcaccd65105f8e2f (diff) | |
parent | 0116cde0673ea2897df5e83c8620911c7331d342 (diff) |
Merge pull request #12072 from vespa-engine/andreer/reduce-certificate-log-spam
reduce certificate log spam
3 files changed, 31 insertions, 4 deletions
diff --git a/container-disc/abi-spec.json b/container-disc/abi-spec.json
index 29ca56fa9bc..81de014c6ad 100644
--- a/container-disc/abi-spec.json
+++ b/container-disc/abi-spec.json
@@ -33,6 +33,17 @@
 ],
 "fields": []
 },
+ "com.yahoo.container.jdisc.secretstore.SecretNotFoundException": {
+ "superClass": "java.lang.RuntimeException",
+ "interfaces": [],
+ "attributes": [
+ "public"
+ ],
+ "methods": [
+ "public void <init>(java.lang.String)"
+ ],
+ "fields": []
+ },
 "com.yahoo.container.jdisc.secretstore.SecretStore": {
 "superClass": "java.lang.Object",
 "interfaces": [],
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java b/container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java
new file mode 100644
index 00000000000..b9439432c06
--- /dev/null
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java
@@ -0,0 +1,12 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.container.jdisc.secretstore;
+
+/**
+ * @author mortent
+ */
+public class SecretNotFoundException extends RuntimeException {
+
+ public SecretNotFoundException(String message) {
+ super(message);
+ }
+}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
index cf43e83d735..c90d5886777 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
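Review bot: The class-level Javadoc of SecretNotFoundException carries only `@author`, although the type becomes part of the public ABI in this same commit (abi-spec.json) and controller-server code now catches it to conclude that a secret simply does not exist rather than that the store failed. State that contract, e.g. `/** Thrown by a {@link SecretStore} when the requested secret, or the requested version of it, does not exist. Store failures should not be mapped to this type. */`. A second constructor `public SecretNotFoundException(String message, Throwable cause)` would also let store implementations keep the backend exception as the cause instead of dropping it. Which SecretStore implementations actually throw this is not visible in this diff.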
@@ -5,6 +5,7 @@ import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.config.provision.zone.ZoneApi;
 import com.yahoo.config.provision.zone.ZoneId;
+import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
 import com.yahoo.container.jdisc.secretstore.SecretStore;
 import com.yahoo.log.LogLevel;
 import com.yahoo.security.SubjectAlternativeName;
@@ -20,7 +21,6 @@ import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
 import com.yahoo.vespa.hosted.controller.application.Endpoint;
 import com.yahoo.vespa.hosted.controller.application.EndpointId;
 import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
-import com.yahoo.vespa.hosted.controller.persistence.EndpointCertificateMetadataSerializer;
 
 import java.security.cert.X509Certificate;
 import java.time.Clock;
@@ -116,7 +116,8 @@ public class EndpointCertificateManager {
 try {
 var pemEncodedEndpointCertificate = secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version());
-if (pemEncodedEndpointCertificate == null) return logWarning(warningPrefix, "Certificate not found in secret store");
+if (pemEncodedEndpointCertificate == null)
+return logWarning(warningPrefix, "Secret store returned null for certificate");
 List<X509Certificate> x509CertificateList = X509CertificateUtils.certificateListFromPem(pemEncodedEndpointCertificate);
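Review bot: In the `-116,7` hunk the rewritten null check splits an unbraced `if` across two lines, `if (pemEncodedEndpointCertificate == null)` followed by `return logWarning(...)` on the next line, whereas the SAN check added later in this same file braces its multi-line `if`. Brace it for consistency and so that a statement inserted between the two lines can never silently fall outside the condition: `if (pemEncodedEndpointCertificate == null) { return logWarning(warningPrefix, "Secret store returned null for certificate"); }`. The enclosing try block and its method begin before this hunk and continue past it.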
@@ -139,10 +140,13 @@ public class EndpointCertificateManager {
 .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS_NAME))
 .map(SubjectAlternativeName::getValue).collect(Collectors.toSet());
-if (!subjectAlternativeNames.equals(Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))))
-return logWarning(warningPrefix, "The list of SANs in the certificate does not match what we expect");
+if(Sets.intersection(subjectAlternativeNames, Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))).isEmpty()) {
+return logWarning(warningPrefix, "No overlap between SANs in certificate and expected SANs");
+}
 return true; // All good then, hopefully
+} catch (SecretNotFoundException s) {
+return logWarning(warningPrefix, "Certificate not found in secret store");
 } catch (Exception e) {
 log.log(LogLevel.WARNING, "Exception thrown when verifying endpoint certificate", e);
 return false; |
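Review bot: Relaxing the SAN check from set equality to `Sets.intersection(...).isEmpty()` means a certificate that covers only one of the expected DNS names now passes verification, so an endpoint whose name is absent from the certificate is reported as fine here and only fails at the TLS handshake of clients that use that name. If the goal is to stop warning about extra names present in the certificate, check coverage in the other direction instead: `Set<String> expected = Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)));` then `if (!subjectAlternativeNames.containsAll(expected)) { return logWarning(warningPrefix, "Certificate is missing expected SANs: " + Sets.difference(expected, subjectAlternativeNames)); }`, which also makes the warning actionable by naming the missing SANs. If the log spam instead came from expected names the certificate legitimately need not carry, that belongs in dnsNamesOf rather than in a weaker check. `Sets` is presumably Guava's; its import is not part of this diff, so it is assumed to be already in scope. The enclosing try/catch and its method begin before this hunk and their closing braces lie past it.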