Merge pull request #26880 from vespa-engine/mortent/revert-new-athenz-provider

revert new athenz provider MERGEOK
author: Morten Tokle <mortent@yahooinc.com> 2023-04-27 09:23:06 +0200
committer: GitHub <noreply@github.com> 2023-04-27 09:23:06 +0200
commit: 139646116e78288ee7c53f92a17802e7e329e6c0 (patch)
tree: 35a9365cbbef0414999f72626b052a36d9403f4e /node-admin/src
parent: 58daaccf83103d8b082c8ca724dc5c78f5d84392 (diff)
parent: c07f807a15db8e65f2f474f3bbf07bd3f8fab023 (diff)
1 files changed, 8 insertions, 41 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 3ab1fdf211b..c9c76e1edd3 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -1,8 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.node.admin.maintenance.identity;
 
-import com.yahoo.component.Version;
-import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.Pkcs10Csr;
@@ -107,14 +105,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
     public boolean converge(NodeAgentContext context) {
         var modified = false;
         modified |= maintain(context, NODE);
-
-        if (context.zone().getSystemName().isPublic())
-            return modified;
-
         if (shouldWriteTenantServiceIdentity(context))
             modified |= maintain(context, TENANT);
-        else
-            modified |= deleteTenantCredentials(context);
         return modified;
     }
 
@@ -125,10 +117,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
             context.log(logger, Level.FINE, "Checking certificate");
             ContainerPath siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
             ContainerPath identityDocumentFile = siaDirectory.resolve(identityType.getIdentityDocument());
-            Optional<AthenzIdentity> optionalAthenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
-            if (optionalAthenzIdentity.isEmpty())
-                return false;
-            AthenzIdentity athenzIdentity = optionalAthenzIdentity.get();
+            AthenzIdentity athenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
             ContainerPath privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
             ContainerPath certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
             if (!Files.exists(privateKeyFile) || !Files.exists(certificateFile) || !Files.exists(identityDocumentFile)) {
@@ -206,23 +195,6 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
         return "node-certificate";
     }
 
-    private boolean deleteTenantCredentials(NodeAgentContext context) {
-        var siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
-        var identityDocumentFile = siaDirectory.resolve(TENANT.getIdentityDocument());
-        if (!Files.exists(identityDocumentFile)) return false;
-        return getAthenzIdentity(context, TENANT, identityDocumentFile).map(athenzIdentity -> {
-            var privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
-            var certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
-            try {
-                return Files.deleteIfExists(identityDocumentFile) ||
-                        Files.deleteIfExists(privateKeyFile) ||
-                        Files.deleteIfExists(certificateFile);
-            } catch (IOException e) {
-                throw new UncheckedIOException(e);
-            }
-        }).orElse(false);
-    }
-
     private boolean shouldRefreshCredentials(Duration age) {
         return age.compareTo(REFRESH_PERIOD) >= 0;
     }
@@ -329,33 +301,28 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
     private SignedIdentityDocument signedIdentityDocument(NodeAgentContext context, IdentityType identityType) {
         return switch (identityType) {
             case NODE -> identityDocumentClient.getNodeIdentityDocument(context.hostname().value(), documentVersion(context));
-            case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).get();
+            case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context));
         };
     }
 
-    private Optional<AthenzIdentity> getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
+    private AthenzIdentity getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
         return switch (identityType) {
-            case NODE -> Optional.of(context.identity());
+            case NODE -> context.identity();
             case TENANT -> getTenantIdentity(context, identityDocumentFile);
         };
     }
 
-    private Optional<AthenzIdentity> getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
+    private AthenzIdentity getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
         if (Files.exists(identityDocumentFile)) {
-            return Optional.of(EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity());
+            return EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity();
         } else {
-            return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context))
-                    .map(doc -> doc.identityDocument().serviceIdentity());
+            return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).identityDocument().serviceIdentity();
         }
     }
 
     private boolean shouldWriteTenantServiceIdentity(NodeAgentContext context) {
-        var version = context.node().currentVespaVersion()
-                .orElse(context.node().wantedVespaVersion().orElse(Version.emptyVersion));
-        var appId = context.node().owner().orElse(ApplicationId.defaultId());
         return tenantServiceIdentityFlag
-                .with(FetchVector.Dimension.VESPA_VERSION, version.toFullString())
-                .with(FetchVector.Dimension.APPLICATION_ID, appId.serializedForm())
+                .with(FetchVector.Dimension.HOSTNAME, context.hostname().value())
                 .value();
     }
author	Morten Tokle <mortent@yahooinc.com>	2023-04-27 09:23:06 +0200
committer	GitHub <noreply@github.com>	2023-04-27 09:23:06 +0200
commit	139646116e78288ee7c53f92a17802e7e329e6c0 (patch)
tree	35a9365cbbef0414999f72626b052a36d9403f4e /node-admin/src
parent	58daaccf83103d8b082c8ca724dc5c78f5d84392 (diff)
parent	c07f807a15db8e65f2f474f3bbf07bd3f8fab023 (diff)