authorOla Aunronning <olaa@yahooinc.com>2023-05-02 15:14:03 +0200
committerOla Aunronning <olaa@yahooinc.com>2023-05-02 15:14:03 +0200
commit6ef1d3d860c628ce7c1e09725ad04d5f303f5c86 (patch)
tree0f333537890d82bb5e83c5b23e8881937164f56f /node-admin
parente23486dfb4adaf88242053c9ce27acdc2beeb6ff (diff)
Generate and write separate private key for role creds
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java23
1 files changed, 15 insertions, 8 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 503e69c8f66..b13161eac75 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -192,11 +192,13 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
try {
var roleCertificatePath = siaDirectory.resolve("certs")
.resolve(String.format("%s.cert.pem", role));
+ var roleKeyPath = siaDirectory.resolve("keys")
+ .resolve(String.format("%s.key.pem", role));
if (!Files.exists(roleCertificatePath)) {
- writeRoleCertificate(context, privateKeyFile, certificateFile, roleCertificatePath, identity, identityDocument, role);
+ writeRoleCredentials(context, privateKeyFile, certificateFile, roleCertificatePath, roleKeyPath, identity, identityDocument, role);
modified = true;
} else if (shouldRefreshCertificate(context, roleCertificatePath)) {
- writeRoleCertificate(context, privateKeyFile, certificateFile, roleCertificatePath, identity, identityDocument, role);
+ writeRoleCredentials(context, privateKeyFile, certificateFile, roleCertificatePath, roleKeyPath, identity, identityDocument, role);
modified = true;
}
} catch (IOException e) {
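Review bot: The guard on the new side still keys only on `roleCertificatePath`, so a node whose role certificate predates this change (issued against the container identity key, with no `<role>.key.pem` on disk) keeps serving that certificate and has no key file until `shouldRefreshCertificate` eventually fires. Widening the check to `if (!Files.exists(roleCertificatePath) || !Files.exists(roleKeyPath))` makes a missing or deleted key file trigger regeneration, and also protects against the two files drifting apart if one write fails. Whatever consumes these credentials must start reading the new key file at the same time this rolls out, since after the first refresh the role certificate no longer matches the identity private key; that contract is not visible here and should be confirmed with the readers. The enclosing method and its `try` begin before this hunk and the `catch` body continues past it.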
@@ -215,26 +217,31 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
shouldRefresh;
}
- private void writeRoleCertificate(NodeAgentContext context,
+ private void writeRoleCredentials(NodeAgentContext context,
ContainerPath privateKeyFile,
ContainerPath certificateFile,
ContainerPath roleCertificatePath,
+ ContainerPath roleKeyPath,
AthenzIdentity identity,
IdentityDocument identityDocument,
String role) throws IOException {
HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
+ var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
var athenzRole = AthenzRole.fromResourceNameString(role);
- var privateKey = KeyUtils.fromPemEncodedPrivateKey(new String(Files.readAllBytes(privateKeyFile)));
- var containerIdentitySslContext = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile)
+ var containerIdentitySslContext = new SslContextBuilder()
+ .withKeyStore(privateKeyFile, certificateFile)
.withTrustStore(ztsTrustStorePath)
.build();
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(identityDocument)).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
+ try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(identityDocument))
+ .withSslContext(containerIdentitySslContext)
+ .withHostnameVerifier(ztsHostNameVerifier)
+ .build()) {
var csrGenerator = new CsrGenerator(certificateDnsSuffix, identityDocument.providerService().getFullName());
var csr = csrGenerator.generateRoleCsr(
- identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), KeyUtils.toKeyPair(privateKey));
+ identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), keyPair);
var roleCertificate = ztsClient.getRoleCertificate(athenzRole, csr);
- writeFile(roleCertificatePath, X509CertificateUtils.toPem(roleCertificate));
+ writePrivateKeyAndCertificate(roleKeyPath, keyPair.getPrivate(), roleCertificatePath, roleCertificate);
context.log(logger, "Role certificate successfully retrieved written to file " + roleCertificatePath.pathInContainer());
}
}
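Review bot: `KeyUtils.generateKeypair(KeyAlgorithm.RSA)` on the new side leaves the modulus size to the helper's default, which is not visible in this hunk; pass an explicit size if the helper offers one, or add a comment such as `// RSA key size follows KeyUtils default; pin explicitly if policy requires` so the role key strength does not silently follow a library change. The private key is now persisted through `writePrivateKeyAndCertificate`, whose permission handling and write ordering are outside this hunk; confirm the key file is created owner-read-only, that the `keys` directory exists before the write (only `certs` was required before this change), and that a failed certificate write does not leave a fresh key beside a stale certificate. Generating a new key pair on every refresh is good hygiene but means the prior key is unusable the moment the new certificate lands, so the two files must always be read as a pair. The log message on the last context line still reports only the certificate; `"Role credentials successfully retrieved and written to " + roleCertificatePath.pathInContainer() + " and " + roleKeyPath.pathInContainer()` would describe the new behaviour and fix the "retrieved written" wording.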