author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-15 10:43:51 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-15 10:43:51 +0100 |
commit | 80c87fb7f98bfe4371341f89894dc120b9b7a16a (patch) | |
tree | efc2e12ce4db61808784405f02d5d686ea94a861 /node-admin | |
parent | c5fe5b6be07e57115cd72738a5afd928b0df60ef (diff) |
Re-register if identity document is outdated
Diffstat (limited to 'node-admin')
-rw-r--r-- | node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 2e5d269b720..fc49dcc744c 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -14,6 +14,7 @@ import com.yahoo.vespa.athenz.client.zts.ZtsClientException;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
+import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.client.CsrGenerator;
 import com.yahoo.vespa.athenz.identityprovider.client.DefaultIdentityDocumentClient;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
@@ -113,7 +114,12 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 X509Certificate certificate = readCertificateFromFile(certificateFile);
 Instant now = clock.instant();
 Instant expiry = certificate.getNotAfter().toInstant();
- if (isCertificateExpired(expiry, now)) {
+ var doc = EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile);
+ if (doc.outdated()) {
+ context.log(logger, "Identity document is outdated (version=%d)", doc.documentVersion());
+ registerIdentity(context, privateKeyFile, certificateFile, identityDocumentFile);
+ return true;
+ } else if (isCertificateExpired(expiry, now)) {
 context.log(logger, "Certificate has expired (expiry=%s)", expiry.toString());
 registerIdentity(context, privateKeyFile, certificateFile, identityDocumentFile);
 return true;
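Review bot: The added `var doc = EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile);` now runs before the certificate-expiry check on every pass, so a missing or unparseable identity document would abort the method before the existing expired-certificate branch can reach `registerIdentity`, which did not depend on the document before this change. The enclosing method starts above the hunk, so it may already guarantee the file is present and readable; if it does not, consider catching the read failure on that line and handling it like the outdated case (log, then `registerIdentity`), since that path presumably re-issues the document. The new branch also deserves a why-comment, e.g. `// Re-register rather than refresh when the document itself is outdated: the refresh path below relies on this document's fields.`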
@@ -129,7 +135,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 return false;
 } else {
 lastRefreshAttempt.put(context.containerName(), now);
- refreshIdentity(context, privateKeyFile, certificateFile, identityDocumentFile);
+ refreshIdentity(context, privateKeyFile, certificateFile, identityDocumentFile, doc);
 return true;
 }
 }
@@ -200,8 +206,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 }
 }
 
- private void refreshIdentity(NodeAgentContext context, ContainerPath privateKeyFile, ContainerPath certificateFile, ContainerPath identityDocumentFile) {
- var doc = EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile);
+ private void refreshIdentity(NodeAgentContext context, ContainerPath privateKeyFile, ContainerPath certificateFile,
+ ContainerPath identityDocumentFile, SignedIdentityDocument doc) {
 KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
 Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
 context.identity(), doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
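Review bot: The two new signature lines of `refreshIdentity` now take both `identityDocumentFile` and the already-parsed `doc`, but nothing states that `doc` must be the document read from that very file; the only caller in this diff (the hunk at -129) satisfies that, and a future caller could pass a mismatched pair. Document the precondition on the method, e.g. `/** Refreshes the certificate using {@code doc}, which must be the identity document parsed from {@code identityDocumentFile}. */`, or drop the path parameter if the rest of the body (which continues below the hunk) no longer reads it. A `java.util.Objects.requireNonNull(doc, "doc");` as the first statement would also make the new contract fail fast instead of with an NPE at `doc.providerUniqueId()`.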