author | Ola Aunrønning <olaa@yahooinc.com> | 2023-05-02 15:51:36 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-02 15:51:36 +0200 |
commit | 924b8368f9fc7034825db0db66559ba268f33020 (patch) | |
tree | bee47008e863d041f9eaecfa97fdf61ba977f4d0 /node-admin | |
parent | 1249adea9bd64216863550f0904e8f1c9b75227c (diff) | |
parent | 6ef1d3d860c628ce7c1e09725ad04d5f303f5c86 (diff) |
Merge pull request #26941 from vespa-engine/olaa/generate-role-private-key
Generate and write separate private key for role creds
Diffstat (limited to 'node-admin')
-rw-r--r-- | node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index f959d1a0ec4..6119c77242c 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -192,11 +192,13 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 try {
 var roleCertificatePath = siaDirectory.resolve("certs")
 .resolve(String.format("%s.cert.pem", role));
+ var roleKeyPath = siaDirectory.resolve("keys")
+ .resolve(String.format("%s.key.pem", role));
 if (!Files.exists(roleCertificatePath)) {
- writeRoleCertificate(context, privateKeyFile, certificateFile, roleCertificatePath, identity, identityDocument, role);
+ writeRoleCredentials(context, privateKeyFile, certificateFile, roleCertificatePath, roleKeyPath, identity, identityDocument, role);
 modified = true;
 } else if (shouldRefreshCertificate(context, roleCertificatePath)) {
- writeRoleCertificate(context, privateKeyFile, certificateFile, roleCertificatePath, identity, identityDocument, role);
+ writeRoleCredentials(context, privateKeyFile, certificateFile, roleCertificatePath, roleKeyPath, identity, identityDocument, role);
 modified = true;
 }
 } catch (IOException e) {
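Review bot: The refresh condition still keys only on the certificate file: when `certs/<role>.cert.pem` already exists but `keys/<role>.key.pem` does not — which is the state a node is in right after upgrading from the previous code, where the role CSR was signed with the identity key and no separate role key was written — neither branch runs, so the new key file is never produced and the existing certificate corresponds to no key at `roleKeyPath`. Extend the first guard to `if (!Files.exists(roleCertificatePath) || !Files.exists(roleKeyPath)) {` so a missing key forces the pair to be regenerated together. Whether a migration elsewhere already handles old role certificates is not visible here; if it does, a comment on the guard saying so would spare the next reader the same question. The enclosing method starts and ends outside the hunk.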
@@ -215,26 +217,31 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 shouldRefresh;
 }
 
- private void writeRoleCertificate(NodeAgentContext context,
+ private void writeRoleCredentials(NodeAgentContext context,
 ContainerPath privateKeyFile,
 ContainerPath certificateFile,
 ContainerPath roleCertificatePath,
+ ContainerPath roleKeyPath,
 AthenzIdentity identity,
 IdentityDocument identityDocument,
 String role) throws IOException {
 HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
+ var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
 var athenzRole = AthenzRole.fromResourceNameString(role);
- var privateKey = KeyUtils.fromPemEncodedPrivateKey(new String(Files.readAllBytes(privateKeyFile)));
- var containerIdentitySslContext = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile)
+ var containerIdentitySslContext = new SslContextBuilder()
+ .withKeyStore(privateKeyFile, certificateFile)
 .withTrustStore(ztsTrustStorePath)
 .build();
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(identityDocument)).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
+ try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(identityDocument))
+ .withSslContext(containerIdentitySslContext)
+ .withHostnameVerifier(ztsHostNameVerifier)
+ .build()) {
 var csrGenerator = new CsrGenerator(certificateDnsSuffix, identityDocument.providerService().getFullName());
 var csr = csrGenerator.generateRoleCsr(
- identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), KeyUtils.toKeyPair(privateKey));
+ identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), keyPair);
 var roleCertificate = ztsClient.getRoleCertificate(athenzRole, csr);
- writeFile(roleCertificatePath, X509CertificateUtils.toPem(roleCertificate));
+ writePrivateKeyAndCertificate(roleKeyPath, keyPair.getPrivate(), 
roleCertificatePath, roleCertificate);
 context.log(logger, "Role certificate successfully retrieved written to file " + roleCertificatePath.pathInContainer());
 }
 } |
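Review bot: `writePrivateKeyAndCertificate` now persists a freshly generated private key to `roleKeyPath`, and its body is outside the hunk, so nothing here shows how that file is created; confirm it writes the key with owner-only permissions and that key and certificate are each written atomically (temporary file plus rename), key first, so a concurrent reader of the SIA directory never pairs the new certificate with the old key. `KeyUtils.generateKeypair(KeyAlgorithm.RSA)` leaves the key size to the helper's default, which is worth stating at the call site, e.g. `// key size is KeyUtils' RSA default; a fresh key is generated on every refresh`. The retained `ztsHostNameVerifier` that accepts every hostname predates this change, but it still guards the connection the new key's CSR is sent over, so a one-line comment on why the ZTS endpoint is trusted without hostname verification (presumably the pinned `ztsTrustStorePath`) belongs next to it. `writeRoleCredentials` ends at the hunk's last line; its caller is in the preceding hunk.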