authorMorten Tokle <mortent@yahooinc.com>2023-02-23 12:45:22 +0100
committerMorten Tokle <mortent@yahooinc.com>2023-02-27 14:23:11 +0100
commit7c7c1308bb1fbfc9f9cc9c3c50b4b604b8003760 (patch)
tree350037cbbf951e5b60adf1c14d552f4aeecbc6e9 /node-admin/src
parent45c17559d689c6654a00fda220cf52ce7431fbdf (diff)
Skip hostname verifier while removing sis
Diffstat (limited to 'node-admin/src')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java12
1 files changed, 4 insertions, 8 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 9f3763cf25c..6bd7d98e207 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -190,10 +190,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
context.identity(), doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
- // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
- HostnameVerifier ztsHostNameVerifier = useInternalZts
- ? new AthenzIdentityVerifier(Set.of(configserverIdentity))
- : null;
+ // Allow all zts hosts while removing SIS
+ HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withIdentityProvider(hostIdentityProvider).withHostnameVerifier(ztsHostNameVerifier).build()) {
InstanceIdentity instanceIdentity =
ztsClient.registerInstance(
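Review bot: The new `(hostname, sslSession) -> true` verifier accepts any peer name on the ZTS connection used for `registerInstance`, and the second hunk does the same for `refreshInstance`. It also replaces the former `null` branch, so the non-internal ZTS path presumably loses whatever default hostname verification `DefaultZtsClient.Builder` applies when no verifier is set (the builder is not visible here, so please confirm). With peer-name checks off, any server holding a certificate that chains to the trust store would be accepted as ZTS on the path that issues and refreshes node identity credentials. If the relaxation is only needed for the internal endpoint during the SIS removal, keep the scope narrow in both hunks: `HostnameVerifier ztsHostNameVerifier = useInternalZts ? (hostname, sslSession) -> true : null;`. Extend the comment to say it is temporary and what restores it, e.g. `// TODO(<tracking-id>): temporary while SIS is removed; restore AthenzIdentityVerifier(Set.of(configserverIdentity))`. Both enclosing methods start and end outside the hunks.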
@@ -227,10 +225,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
.build();
try {
- // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
- HostnameVerifier ztsHostNameVerifier = useInternalZts
- ? new AthenzIdentityVerifier(Set.of(configserverIdentity))
- : null;
+ // Allow all zts hosts while removing SIS
+ HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
InstanceIdentity instanceIdentity =
ztsClient.refreshInstance(