authorHarald Musum <musum@verizonmedia.com>2022-09-20 10:23:27 +0200
committerGitHub <noreply@github.com>2022-09-20 10:23:27 +0200
commit8464330e786c1f24d75fd789cd765d0762180e8f (patch)
tree2a77edcb69ef955643afffbe1e83f65fc57c9fff /node-admin
parent724af959b75915756818bcb03e85e25a8d21f616 (diff)
parent3c0e2f07b385f65f868f97b1a397bed5de481167 (diff)
Merge pull request #24130 from vespa-engine/hakonhall/refresh-identity-from-pem-trust-store
Refresh identity from PEM trust store
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java32
1 files changed, 15 insertions, 17 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 71e278ab23b..9279442a345 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -63,7 +63,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private static final String CONTAINER_SIA_DIRECTORY = "/var/lib/sia";
private final URI ztsEndpoint;
- private final Path trustStorePath;
+ private final Path jksTrustStorePath;
+ private final Path pemTrustStorePath;
private final AthenzIdentity configserverIdentity;
private final Clock clock;
private final ServiceIdentityProvider hostIdentityProvider;
@@ -75,23 +76,16 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private final Map<ContainerName, Instant> lastRefreshAttempt = new ConcurrentHashMap<>();
public AthenzCredentialsMaintainer(URI ztsEndpoint,
- Path trustStorePath,
- ConfigServerInfo configServerInfo,
- String certificateDnsSuffix,
- ServiceIdentityProvider hostIdentityProvider,
- boolean useInternalZts) {
- this(ztsEndpoint, trustStorePath, configServerInfo, certificateDnsSuffix, hostIdentityProvider, useInternalZts, Clock.systemUTC());
- }
-
- public AthenzCredentialsMaintainer(URI ztsEndpoint,
- Path trustStorePath,
+ Path jksTrustStorePath,
+ Path pemTrustStorePath,
ConfigServerInfo configServerInfo,
String certificateDnsSuffix,
ServiceIdentityProvider hostIdentityProvider,
boolean useInternalZts,
Clock clock) {
this.ztsEndpoint = ztsEndpoint;
- this.trustStorePath = trustStorePath;
+ this.jksTrustStorePath = jksTrustStorePath;
+ this.pemTrustStorePath = pemTrustStorePath;
this.configserverIdentity = configServerInfo.getConfigServerIdentity();
this.csrGenerator = new CsrGenerator(certificateDnsSuffix, configserverIdentity.getFullName());
this.hostIdentityProvider = hostIdentityProvider;
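Review bot: The constructor now accepts two trust store paths but never checks that at least one of them is set, so a caller passing null for both only fails later, inside the SSL context build in the refresh path of the third hunk, with an error that does not name the misconfiguration. A guard at the top of the constructor body would make the contract explicit and fail fast: `if (jksTrustStorePath == null && pemTrustStorePath == null) throw new IllegalArgumentException("Either jksTrustStorePath or pemTrustStorePath must be non-null");`. It would also be worth a Javadoc line on the constructor stating that `pemTrustStorePath` takes precedence when both are given, since that is what the selection logic does. The constructor body continues past the end of this hunk.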
@@ -216,11 +210,15 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
context.identity(), identityDocument.providerUniqueId(), identityDocument.ipAddresses(), keyPair);
- SSLContext containerIdentitySslContext =
- new SslContextBuilder()
- .withKeyStore(privateKeyFile, certificateFile)
- .withTrustStore(trustStorePath, KeyStoreType.JKS)
- .build();
+
+ var sslContextBuilder = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile);
+ if (pemTrustStorePath != null) {
+ sslContextBuilder.withTrustStore(pemTrustStorePath);
+ } else {
+ sslContextBuilder.withTrustStore(jksTrustStorePath, KeyStoreType.JKS);
+ }
+ SSLContext containerIdentitySslContext = sslContextBuilder.build();
+
try {
// Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
HostnameVerifier ztsHostNameVerifier = useInternalZts
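Review bot: The branch that picks the trust store is not documented, and the precedence it implements (PEM wins whenever it is configured, JKS is only a fallback) is exactly the kind of thing a later reader will want stated next to the code rather than inferred from the if/else. I would add, above the `if (pemTrustStorePath != null)` line, `// Prefer the PEM trust store when one is configured; fall back to the JKS store otherwise.`. Note that neither branch guards against the chosen path being null, so the builder will receive a null path if the constructor was given neither store; the constructor in the previous hunk is the natural place to reject that. The enclosing method starts before and ends after this hunk.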