authorBjørn Christian Seime <bjorncs@oath.com>2018-08-06 17:03:55 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-08-16 12:16:18 +0200
commit5040f6e9d25580688b718dc452c6b1b64c5053e3 (patch)
tree7072fc9bd31a390bd1791c07b341344aacccaf75 /athenz-identity-provider-service
parent75201698983e22570805d1e4e697575ebcd7fb99 (diff)
Remove self-signed certificate from configserver truststore
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java52
1 files changed, 6 insertions, 46 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
index 3091321c47a..a440f96cc49 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
@@ -2,47 +2,37 @@
package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
import com.google.inject.Inject;
-import com.yahoo.cloud.config.ConfigserverConfig;
import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator;
import com.yahoo.jdisc.http.ssl.SslTrustStoreContext;
-import com.yahoo.log.LogLevel;
import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
import com.yahoo.vespa.athenz.tls.KeyStoreType;
-import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
-import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import javax.security.auth.x500.X500Principal;
import java.io.File;
-import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
-import java.time.Duration;
import java.time.Instant;
-import java.util.logging.Logger;
/**
+ * Programmatic configuration of configserver's truststore
+ *
* @author bjorncs
*/
public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurator {
- private static final Logger log = Logger.getLogger(AthenzSslTrustStoreConfigurator.class.getName());
private static final String CERTIFICATE_ALIAS = "cfgselfsigned";
private final KeyStore trustStore;
@Inject
- public AthenzSslTrustStoreConfigurator(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
- this.trustStore = createTrustStore(keyProvider, configserverConfig, athenzProviderServiceConfig);
+ public AthenzSslTrustStoreConfigurator(AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ this.trustStore = createTrustStore(athenzProviderServiceConfig);
}
@Override
public void configure(SslTrustStoreContext sslTrustStoreContext) {
sslTrustStoreContext.updateTrustStore(trustStore);
- log.log(LogLevel.INFO, "Configured JDisc trust store with self-signed certificate");
}
Instant getTrustStoreExpiry() throws KeyStoreException {
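Review bot: `CERTIFICATE_ALIAS = "cfgselfsigned"` survives this hunk even though, after the change, nothing stores an entry under that alias any more — the `withCertificateEntry(CERTIFICATE_ALIAS, ...)` call is removed in the next hunk and the truststore now holds only what `athenzCaTrustStore` contains. `getTrustStoreExpiry()` is declared on the last line of this hunk and its body sits between the two hunks, so I cannot see it; if it still does `trustStore.getCertificate(CERTIFICATE_ALIAS)`, that lookup now returns null and the `getNotAfter()` call in the second hunk will throw a NullPointerException instead of reporting an expiry. Either delete the constant and the getter together with the self-signed certificate, or have the getter iterate `trustStore.aliases()` and return the earliest `getNotAfter()` across the CA entries, which is the value a truststore-expiry check actually wants. A one-line comment on the constant saying what it is still for would otherwise be the minimum.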
@@ -50,44 +40,14 @@ public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurato
return certificate.getNotAfter().toInstant();
}
- private static KeyStore createTrustStore(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ private static KeyStore createTrustStore(AthenzProviderServiceConfig athenzProviderServiceConfig) {
try {
- KeyPair keyPair = getKeyPair(keyProvider, configserverConfig, athenzProviderServiceConfig);
- X509Certificate selfSignedCertificate = createSelfSignedCertificate(keyPair, configserverConfig);
- log.log(LogLevel.FINE, "Generated self-signed certificate: " + selfSignedCertificate);
return KeyStoreBuilder.withType(KeyStoreType.JKS)
- .fromFile(new File(athenzProviderServiceConfig.athenzCaTrustStore()), "changeit".toCharArray())
- .withCertificateEntry(CERTIFICATE_ALIAS, selfSignedCertificate)
+ .fromFile(new File(athenzProviderServiceConfig.athenzCaTrustStore()))
.build();
} catch (Exception e) {
throw new RuntimeException(e);
}
}
- private static KeyPair getKeyPair(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
- String key = configserverConfig.environment() + "." + configserverConfig.region();
- AthenzProviderServiceConfig.Zones zoneConfig = athenzProviderServiceConfig.zones(key);
- return keyProvider.getKeyPair(zoneConfig.secretVersion());
- }
-
- private static X509Certificate createSelfSignedCertificate(KeyPair keyPair, ConfigserverConfig config) {
- X500Principal subject = new X500Principal("CN="+ config.loadBalancerAddress());
- Instant now = Instant.now();
- X509CertificateBuilder builder = X509CertificateBuilder
- .fromKeypair(
- keyPair,
- subject,
- now,
- now.plus(Duration.ofDays(30)),
- SignatureAlgorithm.SHA256_WITH_RSA,
- now.toEpochMilli())
- .setBasicConstraints(true, true);
- config.zookeeperserver().forEach(server -> builder.addSubjectAlternativeName(server.hostname()));
- return builder.build();
- }
-
}
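Review bot: Dropping the password argument in `createTrustStore` (`.fromFile(new File(athenzProviderServiceConfig.athenzCaTrustStore()))`) changes more than the removed self-signed entry: if the single-argument `fromFile` loads the JKS with a null password, `KeyStore.load` skips the keystore integrity check (the keyed MAC over the file), so a truncated, corrupted or tampered `athenzCaTrustStore` file is accepted silently at startup. The old `"changeit"` value gave no secrecy, but it did give that integrity verification, and a CA truststore is exactly the file where silently accepting a modified set of roots is bad. I would keep passing the password (the JDK default or a configured one) unless `KeyStoreBuilder.fromFile(File)` is known to do so itself, and say so in a comment at the call site. Separately, `throw new RuntimeException(e)` loses the one piece of context an operator needs; `throw new RuntimeException("Failed to load Athenz CA truststore from " + athenzProviderServiceConfig.athenzCaTrustStore(), e);` names the file without leaking anything sensitive.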