authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-08-26 15:15:53 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-08-26 15:15:53 +0200
commitaca45ba95c5fb0b7d9c1fe89ee3a866ff65c76ac (patch)
tree457edb12eda58d61feab5812fe4ebed72763b6e9 /node-admin
parentf49fbf259ea28bf3025580f875885762f12dc651 (diff)
Include instance hostname in Athenz node certificates
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java20
1 files changed, 16 insertions, 4 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index b952ae096b0..f994530bef4 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -155,13 +155,19 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private void registerIdentity(NodeAgentContext context, Path privateKeyFile, Path certificateFile, Path identityDocumentFile) {
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
SignedIdentityDocument signedIdentityDocument = identityDocumentClient.getNodeIdentityDocument(context.hostname().value());
- Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
- context.identity(), signedIdentityDocument.providerUniqueId(), signedIdentityDocument.ipAddresses(), keyPair);
+ Pkcs10Csr csr =
+ csrGenerator.generateInstanceCsr(
+ context.identity(),
+ signedIdentityDocument.providerUniqueId(),
+ signedIdentityDocument.instanceHostname(),
+ signedIdentityDocument.ipAddresses(),
+ keyPair);
try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, hostIdentityProvider)) {
InstanceIdentity instanceIdentity =
ztsClient.registerInstance(
configserverIdentity,
context.identity(),
+ signedIdentityDocument.instanceHostname(),
EntityBindingsMapper.toAttestationData(signedIdentityDocument),
csr);
EntityBindingsMapper.writeSignedIdentityDocumentToFile(identityDocumentFile, signedIdentityDocument);
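Review bot: The hostname that goes into the CSR and the `registerInstance` call is taken from the fetched document (`signedIdentityDocument.instanceHostname()`) rather than from `context.hostname().value()`, which is what the document was requested for two lines earlier, and nothing in the hunk checks that the two agree. If they can ever diverge, the node would request a certificate for a hostname that is not its own; making the assumption explicit before building the CSR, e.g. `if (!context.hostname().value().equals(signedIdentityDocument.instanceHostname())) throw new IllegalStateException("Identity document hostname does not match node hostname");` (adjusting for the actual return type of `instanceHostname()`), would turn a silent mismatch into a loud failure. The same call is wrapped differently here (`Pkcs10Csr csr =` then `csrGenerator.generateInstanceCsr(`) and in the `refreshIdentity` hunk (`csrGenerator` then `.generateInstanceCsr(`); one form should be used for both. The body of `registerIdentity` continues past the end of this hunk.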
@@ -174,8 +180,13 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private void refreshIdentity(NodeAgentContext context, Path privateKeyFile, Path certificateFile, Path identityDocumentFile) {
SignedIdentityDocument identityDocument = EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile);
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
- Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
- context.identity(), identityDocument.providerUniqueId(), identityDocument.ipAddresses(), keyPair);
+ Pkcs10Csr csr = csrGenerator
+ .generateInstanceCsr(
+ context.identity(),
+ identityDocument.providerUniqueId(),
+ identityDocument.instanceHostname(),
+ identityDocument.ipAddresses(),
+ keyPair);
SSLContext containerIdentitySslContext =
new SslContextBuilder()
.withKeyStore(privateKeyFile, certificateFile)
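Review bot: `identityDocument.instanceHostname()` is read from a document deserialized from `identityDocumentFile` and passed straight into the CSR here and into the refresh call in the following hunk, but files persisted by a version of this class that predates the new field may come back with no hostname. Whether that yields `null` or a deserialization error depends on `EntityBindingsMapper`, which is outside this diff; if it is `null`, the CSR would be built with an empty hostname. A guard such as `Objects.requireNonNull(identityDocument.instanceHostname(), "instanceHostname missing from persisted identity document at " + identityDocumentFile);` right after the read, or a fallback that re-registers the identity when the field is absent, would make the upgrade path explicit. `refreshIdentity` continues beyond the end of this hunk.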
@@ -188,6 +199,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
configserverIdentity,
context.identity(),
identityDocument.providerUniqueId().asDottedString(),
+ identityDocument.instanceHostname(),
csr);
writePrivateKeyAndCertificate(context.vespaUserOnHost(), privateKeyFile, keyPair.getPrivate(),
certificateFile, instanceIdentity.certificate());