author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-18 16:20:03 +0100 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-18 16:20:03 +0100 |
commit | dadbafef11b14f1bed87e19f01e9b23cb7e4ac0f (patch) | |
tree | 23a6e71aee31bd35457d9813b524d975456aa8fd /controller-server | |
parent | 5b92c182703c4796e053eaa5a8dc353d29fd2065 (diff) |
Cache SSLContext in AthenzSslContextProviderImpl
Caching the SSLContext stops the controller from fetching a new certificate on
each invocation of get(), which in the worst case is once per HTTP request.
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java | 35 |
1 files changed, 31 insertions, 4 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
index 1652cb2298e..afa630d8d9b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
@@ -9,6 +9,9 @@ import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 import javax.net.ssl.SSLContext;
 import java.io.File;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.concurrent.atomic.AtomicReference;
 /**
  * @author bjorncs
@@ -17,6 +20,7 @@ public class AthenzSslContextProviderImpl implements AthenzSslContextProvider {
     private final AthenzClientFactory clientFactory;
     private final AthenzConfig config;
+    private final AtomicReference<CachedSslContext> cachedSslContext = new AtomicReference<>();
     @Inject
     public AthenzSslContextProviderImpl(AthenzClientFactory clientFactory, AthenzConfig config) {
@@ -26,9 +30,32 @@ public class AthenzSslContextProviderImpl implements AthenzSslContextProvider {
     @Override
     public SSLContext get() {
-        return new AthenzSslContextBuilder()
-                .withTrustStore(new File(config.athenzCaTrustStore()), "JKS")
-                .withIdentityCertificate(clientFactory.createZtsClientWithServicePrincipal().getIdentityCertificate())
-                .build();
+        CachedSslContext currentCachedSslContext = this.cachedSslContext.get();
+        if (currentCachedSslContext == null || currentCachedSslContext.isExpired()) {
+            SSLContext sslContext = new AthenzSslContextBuilder()
+                    .withTrustStore(new File(config.athenzCaTrustStore()), "JKS")
+                    .withIdentityCertificate(clientFactory.createZtsClientWithServicePrincipal().getIdentityCertificate())
+                    .build();
+            this.cachedSslContext.set(new CachedSslContext(sslContext));
+            return sslContext;
+        }
+        return currentCachedSslContext.sslContext;
+    }
+
+    private static class CachedSslContext {
+        // Conservative expiration. Default expiration for Athenz certificates are 30 days.
+        static final Duration EXPIRATION = Duration.ofDays(1);
+
+        final SSLContext sslContext;
+        final Instant createdAt;
+
+        CachedSslContext(SSLContext sslContext) {
+            this.sslContext = sslContext;
+            this.createdAt = Instant.now();
+        }
+
+        boolean isExpired() {
+            return createdAt.plus(EXPIRATION).isAfter(Instant.now());
+        }
     }
 }
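Review bot: The expiry test in CachedSslContext.isExpired() is inverted: `createdAt.plus(EXPIRATION).isAfter(Instant.now())` is true while the entry is still fresh, so for the first day every call to get() rebuilds the context (the cache never takes effect), and once the day has passed the entry is reported as not expired and is served indefinitely, which is exactly the stale-certificate situation the one-day bound was meant to prevent. The line should read `return Instant.now().isAfter(createdAt.plus(EXPIRATION));`, and a unit test that constructs a CachedSslContext with an old createdAt would pin this. A secondary, benign point: two threads that observe an expired entry both call createZtsClientWithServicePrincipal() and race on set(); if that matters, compareAndSet against the observed entry avoids the duplicate fetch. Also worth a comment on EXPIRATION that the value must stay well below the identity certificate's validity, since nothing here checks the certificate's actual notAfter.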