Revert "Skip hostname verifier while removing sis"

This reverts commit 7c7c1308bb1fbfc9f9cc9c3c50b4b604b8003760.
author: Morten Tokle <mortent@yahooinc.com> 2023-03-01 08:08:41 +0100
committer: Morten Tokle <mortent@yahooinc.com> 2023-03-01 08:08:41 +0100
commit: db79672ed6e23c031a5827c7f171ab6a66fbbefa (patch)
tree: 5e8704ff0831002fb01916369a1c5b7051016b06 /node-admin
parent: 495631b7cc9544843984ce73a0fda3cd897f486b (diff)
1 files changed, 8 insertions, 4 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 6bd7d98e207..9f3763cf25c 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -190,8 +190,10 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
         Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
                 context.identity(), doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
 
-        // Allow all zts hosts while removing SIS
-        HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
+        // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
+        HostnameVerifier ztsHostNameVerifier = useInternalZts
+                ? new AthenzIdentityVerifier(Set.of(configserverIdentity))
+                : null;
         try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withIdentityProvider(hostIdentityProvider).withHostnameVerifier(ztsHostNameVerifier).build()) {
             InstanceIdentity instanceIdentity =
                     ztsClient.registerInstance(
@@ -225,8 +227,10 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
                                                                         .build();
 
         try {
-            // Allow all zts hosts while removing SIS
-            HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
+            // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
+            HostnameVerifier ztsHostNameVerifier = useInternalZts
+                    ? new AthenzIdentityVerifier(Set.of(configserverIdentity))
+                    : null;
             try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
                 InstanceIdentity instanceIdentity =
                         ztsClient.refreshInstance(
author	Morten Tokle <mortent@yahooinc.com>	2023-03-01 08:08:41 +0100
committer	Morten Tokle <mortent@yahooinc.com>	2023-03-01 08:08:41 +0100
commit	db79672ed6e23c031a5827c7f171ab6a66fbbefa (patch)
tree	5e8704ff0831002fb01916369a1c5b7051016b06 /node-admin
parent	495631b7cc9544843984ce73a0fda3cd897f486b (diff)