authorMorten Tokle <mortent@verizonmedia.com>2019-10-23 12:28:27 +0200
committerMorten Tokle <mortent@verizonmedia.com>2019-10-23 12:44:54 +0200
commit6e0c0f582cfb2d18d47a2b83589ee12a4ce3c77a (patch)
treef8bc934338c49de4df0b1c0c7e4d50063c251e7d /node-admin
parente87cd4be6d717807246d20204954739118160126 (diff)
Add method for collecting certificate expiry
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java32
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/CredentialsMaintainer.java5
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java4
3 files changed, 40 insertions, 1 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 59b4a671c55..17dc61978cf 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -32,6 +32,8 @@ import javax.net.ssl.SSLContext;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
+import java.nio.file.FileSystem;
+import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
@@ -67,6 +69,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private final AthenzIdentity configserverIdentity;
private final Clock clock;
private final ServiceIdentityProvider hostIdentityProvider;
+ private final FileSystem fileSystem;
private final IdentityDocumentClient identityDocumentClient;
private final CsrGenerator csrGenerator;
private final boolean useInternalZts;
@@ -80,16 +83,28 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
String certificateDnsSuffix,
ServiceIdentityProvider hostIdentityProvider,
boolean useInternalZts) {
+ this(ztsEndpoint, trustStorePath, configServerInfo, certificateDnsSuffix, hostIdentityProvider, useInternalZts, Clock.systemUTC(), FileSystems.getDefault());
+ }
+
+ public AthenzCredentialsMaintainer(URI ztsEndpoint,
+ Path trustStorePath,
+ ConfigServerInfo configServerInfo,
+ String certificateDnsSuffix,
+ ServiceIdentityProvider hostIdentityProvider,
+ boolean useInternalZts,
+ Clock clock,
+ FileSystem fileSystem) {
this.ztsEndpoint = ztsEndpoint;
this.trustStorePath = trustStorePath;
this.configserverIdentity = configServerInfo.getConfigServerIdentity();
this.csrGenerator = new CsrGenerator(certificateDnsSuffix, configserverIdentity.getFullName());
this.hostIdentityProvider = hostIdentityProvider;
+ this.fileSystem = fileSystem;
this.identityDocumentClient = new DefaultIdentityDocumentClient(
configServerInfo.getLoadBalancerEndpoint(),
hostIdentityProvider,
new AthenzIdentityVerifier(singleton(configserverIdentity)));
- this.clock = Clock.systemUTC();
+ this.clock = clock;
this.useInternalZts = useInternalZts;
}
@@ -145,6 +160,21 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
lastRefreshAttempt.remove(context.containerName());
}
+ @Override
+ public Duration certificateLifetime(NodeAgentContext context) {
+ Path containerSiaDirectory = fileSystem.getPath(context.pathOnHostFromPathInNode(CONTAINER_SIA_DIRECTORY).toString());
+ Path certificateFile = SiaUtils.getCertificateFile(containerSiaDirectory, context.identity());
+ try {
+ X509Certificate certificate = readCertificateFromFile(certificateFile);
+ Instant now = clock.instant();
+ Instant expiry = certificate.getNotAfter().toInstant();
+ return Duration.between(now, expiry);
+ } catch (IOException e) {
+ context.log(logger, LogLevel.ERROR, "Unable to read certificate at " + certificateFile, e);
+ return Duration.ZERO;
+ }
+ }
+
private boolean shouldRefreshCredentials(Duration age) {
return age.compareTo(REFRESH_PERIOD) >= 0;
}
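Review bot: A missing or unreadable certificate is reported as `Duration.ZERO` in the catch block of `certificateLifetime`, which is indistinguishable from a certificate that expires right now, so a metric built on this value cannot tell an expiry event from a read failure, and the Javadoc added on `CredentialsMaintainer.certificateLifetime` in this same commit says only "Get time until the certificate expires", leaving callers without a contract for the failure case. Consider returning `Optional<Duration>` from the interface method and `Optional.empty()` here, or at least stating the convention in the interface Javadoc, e.g. `/** Get time until the certificate expires, or Duration.ZERO if the certificate cannot be read. Invoked each time metrics are collected. */`. The catch covers only `IOException`; whether `readCertificateFromFile` (defined outside this hunk) can fail on malformed content with a different exception type is not visible here, and such a failure would propagate into the metrics collector. Since this runs on every metrics collection, an ERROR log per collection while credentials have not yet been provisioned is likely to be noisy; a lower level for the file-does-not-exist case may be appropriate.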
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/CredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/CredentialsMaintainer.java
index 58c3585a48f..ca734d73925 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/CredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/CredentialsMaintainer.java
@@ -3,6 +3,8 @@ package com.yahoo.vespa.hosted.node.admin.maintenance.identity;
import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext;
+import java.time.Duration;
+
/**
* A maintainer that is responsible for providing and refreshing credentials for a container.
*
@@ -18,4 +20,7 @@ public interface CredentialsMaintainer {
/** Remove any existing credentials. This method is called just before container data is archived. */
void clearCredentials(NodeAgentContext context);
+
+ /** Get time until the certificate expires. Invoked each time metrics are collected. */
+ Duration certificateLifetime(NodeAgentContext context);
}
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java
index 480105f9076..eee0c2cb002 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java
@@ -547,4 +547,8 @@ public class NodeAgentImpl implements NodeAgent {
}
};
}
+
+ protected Optional<CredentialsMaintainer> credentialsMaintainer() {
+ return credentialsMaintainer;
+ }
}
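Review bot: The new protected accessor `credentialsMaintainer()` has no Javadoc and nothing else in this commit calls it, so its intended audience (a subclass or a test override) is not stated; a one-line comment such as `/** The credentials maintainer for this node, if any; exposed for subclasses and tests. */` would document the extension point. Returning the `Optional` field directly is fine since `Optional` is immutable, but if the backing field is not `final` (its declaration is outside this hunk) the comment should say the accessor reflects the current value. The declaration of `NodeAgentImpl` starts outside the hunk.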