authorAndreas Eriksen <andreer@verizonmedia.com>2020-02-05 12:33:26 +0100
committerGitHub <noreply@github.com>2020-02-05 12:33:26 +0100
commitd05911599c0b9706d54ff7819349cbcadd30ed0a (patch)
tree95a7d5663d85b1e8518d04c7a07f16a1a5f735b1
parentfde5808fdecd1f08afbca417bcaccd65105f8e2f (diff)
parent0116cde0673ea2897df5e83c8620911c7331d342 (diff)
Merge pull request #12072 from vespa-engine/andreer/reduce-certificate-log-spam
reduce certificate log spam
-rw-r--r--container-disc/abi-spec.json11
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java12
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java12
3 files changed, 31 insertions, 4 deletions
diff --git a/container-disc/abi-spec.json b/container-disc/abi-spec.json
index 29ca56fa9bc..81de014c6ad 100644
--- a/container-disc/abi-spec.json
+++ b/container-disc/abi-spec.json
@@ -33,6 +33,17 @@
],
"fields": []
},
+ "com.yahoo.container.jdisc.secretstore.SecretNotFoundException": {
+ "superClass": "java.lang.RuntimeException",
+ "interfaces": [],
+ "attributes": [
+ "public"
+ ],
+ "methods": [
+ "public void <init>(java.lang.String)"
+ ],
+ "fields": []
+ },
"com.yahoo.container.jdisc.secretstore.SecretStore": {
"superClass": "java.lang.Object",
"interfaces": [],
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java b/container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java
new file mode 100644
index 00000000000..b9439432c06
--- /dev/null
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java
@@ -0,0 +1,12 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.container.jdisc.secretstore;
+
+/**
+ * @author mortent
+ */
+public class SecretNotFoundException extends RuntimeException {
+
+ public SecretNotFoundException(String message) {
+ super(message);
+ }
+}
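Review bot: The new exception offers only a message constructor, so an implementation that translates a backing-store failure into `SecretNotFoundException` has no way to keep the underlying exception as the cause, and the controller's catch at the call site will log a message with no root-cause detail; add `public SecretNotFoundException(String message, Throwable cause) { super(message, cause); }` next to the existing constructor (the generated `abi-spec.json` entry above lists only the `String` constructor and would need the matching `public void <init>(java.lang.String, java.lang.Throwable)` line). The class Javadoc carries only an `@author` tag; a one-sentence contract such as "Thrown by a `SecretStore` when the requested secret name or version does not exist, so callers can distinguish an absent secret from a store failure" would tell implementers when to throw it and callers why it is caught separately. The header year reads 2017 on a file created in this 2020 commit; presumably copied from a template, worth correcting if the project cares.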
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
index cf43e83d735..c90d5886777 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
@@ -5,6 +5,7 @@ import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.ClusterSpec;
import com.yahoo.config.provision.zone.ZoneApi;
import com.yahoo.config.provision.zone.ZoneId;
+import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
import com.yahoo.container.jdisc.secretstore.SecretStore;
import com.yahoo.log.LogLevel;
import com.yahoo.security.SubjectAlternativeName;
@@ -20,7 +21,6 @@ import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
import com.yahoo.vespa.hosted.controller.application.Endpoint;
import com.yahoo.vespa.hosted.controller.application.EndpointId;
import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
-import com.yahoo.vespa.hosted.controller.persistence.EndpointCertificateMetadataSerializer;
import java.security.cert.X509Certificate;
import java.time.Clock;
@@ -116,7 +116,8 @@ public class EndpointCertificateManager {
try {
var pemEncodedEndpointCertificate = secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version());
- if (pemEncodedEndpointCertificate == null) return logWarning(warningPrefix, "Certificate not found in secret store");
+ if (pemEncodedEndpointCertificate == null)
+ return logWarning(warningPrefix, "Secret store returned null for certificate");
List<X509Certificate> x509CertificateList = X509CertificateUtils.certificateListFromPem(pemEncodedEndpointCertificate);
@@ -139,10 +140,13 @@ public class EndpointCertificateManager {
.filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS_NAME))
.map(SubjectAlternativeName::getValue).collect(Collectors.toSet());
- if (!subjectAlternativeNames.equals(Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))))
- return logWarning(warningPrefix, "The list of SANs in the certificate does not match what we expect");
+ if(Sets.intersection(subjectAlternativeNames, Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))).isEmpty()) {
+ return logWarning(warningPrefix, "No overlap between SANs in certificate and expected SANs");
+ }
return true; // All good then, hopefully
+ } catch (SecretNotFoundException s) {
+ return logWarning(warningPrefix, "Certificate not found in secret store");
} catch (Exception e) {
log.log(LogLevel.WARNING, "Exception thrown when verifying endpoint certificate", e);
return false;
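Review bot: The replacement check on the `if(Sets.intersection(...)` line weakens the SAN validation from exact equality to any single shared name, so a certificate that covers only some of the expected DNS names now passes and the missing endpoints would fail TLS hostname verification at clients without any warning being logged. If the intent is to tolerate extra SANs in the certificate (the likely reason for the log spam), the right relaxation is a superset check: `var expected = Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)));`, `var missing = Sets.difference(expected, subjectAlternativeNames);`, `if (!missing.isEmpty()) return logWarning(warningPrefix, "Certificate is missing expected SANs: " + missing);` — which also makes the warning actionable by naming the absent entries, using the same `Sets` utility the hunk already relies on. Neither the old nor the new check considers wildcard SANs, so if the certificates can carry `*.` names that should be stated in a comment rather than left implicit. Minor style point: `if(` lacks the space used elsewhere in the file. The enclosing method begins before this hunk and its `catch` handlers close it after the last line shown.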