Revert "revert new athenz provider MERGEOK"

author: Ola Aunrønning <ola.aunroe@gmail.com> 2023-04-27 09:56:10 +0200
committer: GitHub <noreply@github.com> 2023-04-27 09:56:10 +0200
commit: a0621e8ce686f9a08ac7d619b93ac56c88d45d68 (patch)
tree: 986907d81805f65220354f06c9e39a8bdcc29a7f /node-admin
parent: 139646116e78288ee7c53f92a17802e7e329e6c0 (diff)
1 files changed, 41 insertions, 8 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index c9c76e1edd3..3ab1fdf211b 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -1,6 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.node.admin.maintenance.identity;
 
+import com.yahoo.component.Version;
+import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.Pkcs10Csr;
@@ -105,8 +107,14 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
     public boolean converge(NodeAgentContext context) {
         var modified = false;
         modified |= maintain(context, NODE);
+
+        if (context.zone().getSystemName().isPublic())
+            return modified;
+
         if (shouldWriteTenantServiceIdentity(context))
             modified |= maintain(context, TENANT);
+        else
+            modified |= deleteTenantCredentials(context);
         return modified;
     }
 
@@ -117,7 +125,10 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
             context.log(logger, Level.FINE, "Checking certificate");
             ContainerPath siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
             ContainerPath identityDocumentFile = siaDirectory.resolve(identityType.getIdentityDocument());
-            AthenzIdentity athenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
+            Optional<AthenzIdentity> optionalAthenzIdentity = getAthenzIdentity(context, identityType, identityDocumentFile);
+            if (optionalAthenzIdentity.isEmpty())
+                return false;
+            AthenzIdentity athenzIdentity = optionalAthenzIdentity.get();
             ContainerPath privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
             ContainerPath certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
             if (!Files.exists(privateKeyFile) || !Files.exists(certificateFile) || !Files.exists(identityDocumentFile)) {
@@ -195,6 +206,23 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
         return "node-certificate";
     }
 
+    private boolean deleteTenantCredentials(NodeAgentContext context) {
+        var siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
+        var identityDocumentFile = siaDirectory.resolve(TENANT.getIdentityDocument());
+        if (!Files.exists(identityDocumentFile)) return false;
+        return getAthenzIdentity(context, TENANT, identityDocumentFile).map(athenzIdentity -> {
+            var privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
+            var certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
+            try {
+                return Files.deleteIfExists(identityDocumentFile) ||
+                        Files.deleteIfExists(privateKeyFile) ||
+                        Files.deleteIfExists(certificateFile);
+            } catch (IOException e) {
+                throw new UncheckedIOException(e);
+            }
+        }).orElse(false);
+    }
+
     private boolean shouldRefreshCredentials(Duration age) {
         return age.compareTo(REFRESH_PERIOD) >= 0;
     }
@@ -301,28 +329,33 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
     private SignedIdentityDocument signedIdentityDocument(NodeAgentContext context, IdentityType identityType) {
         return switch (identityType) {
             case NODE -> identityDocumentClient.getNodeIdentityDocument(context.hostname().value(), documentVersion(context));
-            case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context));
+            case TENANT -> identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).get();
         };
     }
 
-    private AthenzIdentity getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
+    private Optional<AthenzIdentity> getAthenzIdentity(NodeAgentContext context, IdentityType identityType, ContainerPath identityDocumentFile) {
         return switch (identityType) {
-            case NODE -> context.identity();
+            case NODE -> Optional.of(context.identity());
             case TENANT -> getTenantIdentity(context, identityDocumentFile);
         };
     }
 
-    private AthenzIdentity getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
+    private Optional<AthenzIdentity> getTenantIdentity(NodeAgentContext context, ContainerPath identityDocumentFile) {
         if (Files.exists(identityDocumentFile)) {
-            return EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity();
+            return Optional.of(EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile).identityDocument().serviceIdentity());
         } else {
-            return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context)).identityDocument().serviceIdentity();
+            return identityDocumentClient.getTenantIdentityDocument(context.hostname().value(), documentVersion(context))
+                    .map(doc -> doc.identityDocument().serviceIdentity());
         }
     }
 
     private boolean shouldWriteTenantServiceIdentity(NodeAgentContext context) {
+        var version = context.node().currentVespaVersion()
+                .orElse(context.node().wantedVespaVersion().orElse(Version.emptyVersion));
+        var appId = context.node().owner().orElse(ApplicationId.defaultId());
         return tenantServiceIdentityFlag
-                .with(FetchVector.Dimension.HOSTNAME, context.hostname().value())
+                .with(FetchVector.Dimension.VESPA_VERSION, version.toFullString())
+                .with(FetchVector.Dimension.APPLICATION_ID, appId.serializedForm())
                 .value();
     }
author	Ola Aunrønning <ola.aunroe@gmail.com>	2023-04-27 09:56:10 +0200
committer	GitHub <noreply@github.com>	2023-04-27 09:56:10 +0200
commit	a0621e8ce686f9a08ac7d619b93ac56c88d45d68 (patch)
tree	986907d81805f65220354f06c9e39a8bdcc29a7f /node-admin
parent	139646116e78288ee7c53f92a17802e7e329e6c0 (diff)