author | andreer <andreer@verizonmedia.com> | 2020-02-05 11:31:48 +0100 |
committer | andreer <andreer@verizonmedia.com> | 2020-02-05 11:31:48 +0100 |
commit | d55929be2d6d498c0df66691c99d6202651f8c85 (patch) | |
tree | f43eed4cbb750d25698c50040aca0fd7b94a0456 /controller-server | |
parent | 2a7f13ab9f019586fc38275735ead7ad02afbd54 (diff) |
reduce certificate log spam
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
index cf43e83d735..c90d5886777 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
@@ -5,6 +5,7 @@ import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.config.provision.zone.ZoneApi;
 import com.yahoo.config.provision.zone.ZoneId;
+import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
 import com.yahoo.container.jdisc.secretstore.SecretStore;
 import com.yahoo.log.LogLevel;
 import com.yahoo.security.SubjectAlternativeName;
@@ -20,7 +21,6 @@ import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
 import com.yahoo.vespa.hosted.controller.application.Endpoint;
 import com.yahoo.vespa.hosted.controller.application.EndpointId;
 import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
-import com.yahoo.vespa.hosted.controller.persistence.EndpointCertificateMetadataSerializer;
 import java.security.cert.X509Certificate;
 import java.time.Clock;
@@ -116,7 +116,8 @@ public class EndpointCertificateManager {
 try {
 var pemEncodedEndpointCertificate = secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version());
- if (pemEncodedEndpointCertificate == null) return logWarning(warningPrefix, "Certificate not found in secret store");
+ if (pemEncodedEndpointCertificate == null)
+ return logWarning(warningPrefix, "Secret store returned null for certificate");
 List<X509Certificate> x509CertificateList = X509CertificateUtils.certificateListFromPem(pemEncodedEndpointCertificate);
@@ -139,10 +140,13 @@ public class EndpointCertificateManager {
 .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS_NAME))
 .map(SubjectAlternativeName::getValue).collect(Collectors.toSet());
- if (!subjectAlternativeNames.equals(Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))))
- return logWarning(warningPrefix, "The list of SANs in the certificate does not match what we expect");
+ if(Sets.intersection(subjectAlternativeNames, Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))).isEmpty()) {
+ return logWarning(warningPrefix, "No overlap between SANs in certificate and expected SANs");
+ }
 return true; // All good then, hopefully
+ } catch (SecretNotFoundException s) {
+ return logWarning(warningPrefix, "Certificate not found in secret store");
 } catch (Exception e) {
 log.log(LogLevel.WARNING, "Exception thrown when verifying endpoint certificate", e);
 return false; |
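Review bot: Replacing the exact SAN comparison with a non-empty `Sets.intersection(...)` weakens the verification more than the log-spam goal needs: a certificate that covers only one of the expected DNS names now passes, so an endpoint whose name is absent from the certificate would no longer be flagged, and a certificate carrying unrelated extra names passes as well. If the intent is to tolerate extra SANs, the check should still require every expected name to be present, e.g. `var expectedSans = Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)));` / `if (!subjectAlternativeNames.containsAll(expectedSans))` / `return logWarning(warningPrefix, "Certificate is missing expected SANs: " + Sets.difference(expectedSans, subjectAlternativeNames));`, which keeps the warning actionable by naming what is missing. The new `catch (SecretNotFoundException s)` discards the exception; passing it to the logger alongside the warning would preserve the cause without adding a stack trace per run. The enclosing method starts before this hunk, and `Sets` is not added by the visible import hunks, so it is presumably already imported above line 5. Minor style: `if(` should be `if (` to match the surrounding code.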