authorMorten Tokle <mortent@yahooinc.com>2023-02-28 09:41:18 +0100
committerGitHub <noreply@github.com>2023-02-28 09:41:18 +0100
commitdba5142b302ae305b062dc497560da9f5684d970 (patch)
tree29d3b84d18af611a90bbb4a60faa2ced3bbf244b /node-admin/src
parenta75326292b6486d42a47a6a2bd6d3dffb314bacd (diff)
parent5bdfb4d946895d9b7a01cd575efbbb60ef27a26b (diff)
Merge pull request #26208 from vespa-engine/mortent/reapply-public-vespa-provider
reapply public vespa provider
Diffstat (limited to 'node-admin/src')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java26
1 files changed, 16 insertions, 10 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index fc49dcc744c..6bd7d98e207 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -41,6 +41,7 @@ import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
+import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
@@ -189,11 +190,9 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
context.identity(), doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
- // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
- HostnameVerifier ztsHostNameVerifier = useInternalZts
- ? new AthenzIdentityVerifier(Set.of(configserverIdentity))
- : null;
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint).withIdentityProvider(hostIdentityProvider).withHostnameVerifier(ztsHostNameVerifier).build()) {
+ // Allow all zts hosts while removing SIS
+ HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
+ try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withIdentityProvider(hostIdentityProvider).withHostnameVerifier(ztsHostNameVerifier).build()) {
InstanceIdentity instanceIdentity =
ztsClient.registerInstance(
configserverIdentity,
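Review bot: The replacement verifier `(hostname, sslSession) -> true` switches off TLS hostname verification for the ZTS client here and again in the refresh path (last hunk), and in the same line the endpoint is now taken from `doc.ztsUrl()` instead of the configured `ztsEndpoint`, so the client will talk to whatever host the identity document names and will not check that the presented certificate is for that host (chain validation through the SSL context or identity provider presumably still applies, but the hunk does not show it). The comment "Allow all zts hosts while removing SIS" presents this as temporary, yet nothing records what restores it; at minimum write it as `// TODO(<follow-up id>): restore hostname verification once the SIS migration is complete` and consider keeping `new AthenzIdentityVerifier(Set.of(configserverIdentity))` for the `useInternalZts` case rather than relaxing both deployments at once. After this change `useInternalZts` and the `Set` import may be unused in this file, which cannot be confirmed from the hunk. The enclosing method starts and ends outside the hunk.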
@@ -206,6 +205,15 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
}
}
+ /**
+ * Return zts url from identity document, fallback to ztsEndpoint
+ */
+ private URI ztsEndpoint(SignedIdentityDocument doc) {
+ return Optional.ofNullable(doc.ztsUrl())
+ .filter(s -> !s.isBlank())
+ .map(URI::create)
+ .orElse(ztsEndpoint);
+ }
private void refreshIdentity(NodeAgentContext context, ContainerPath privateKeyFile, ContainerPath certificateFile,
ContainerPath identityDocumentFile, SignedIdentityDocument doc) {
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
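Review bot: `URI::create` in the new `ztsEndpoint(SignedIdentityDocument)` throws `IllegalArgumentException` when `doc.ztsUrl()` is non-blank but not a valid URI, and because the document value now takes precedence over the configured endpoint, a malformed value would abort registration or refresh at the `DefaultZtsClient.Builder` call rather than falling back. Either make that contract explicit in the Javadoc, `@throws IllegalArgumentException if the document's zts url is present but not a valid URI`, or catch it, log the offending value at warning level and return `ztsEndpoint`, depending on whether a bad document value should be loud. The Javadoc summary could also name the blank case it handles: "Returns the ZTS URL from the identity document; an absent or blank value falls back to the configured {@code ztsEndpoint}."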
@@ -217,11 +225,9 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
.build();
try {
- // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
- HostnameVerifier ztsHostNameVerifier = useInternalZts
- ? new AthenzIdentityVerifier(Set.of(configserverIdentity))
- : null;
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
+ // Allow all zts hosts while removing SIS
+ HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
+ try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
InstanceIdentity instanceIdentity =
ztsClient.refreshInstance(
configserverIdentity,