authorOla Aunrønning <olaa@yahooinc.com>2023-05-02 15:51:36 +0200
committerGitHub <noreply@github.com>2023-05-02 15:51:36 +0200
commit924b8368f9fc7034825db0db66559ba268f33020 (patch)
treebee47008e863d041f9eaecfa97fdf61ba977f4d0 /node-admin
parent1249adea9bd64216863550f0904e8f1c9b75227c (diff)
parent6ef1d3d860c628ce7c1e09725ad04d5f303f5c86 (diff)
Merge pull request #26941 from vespa-engine/olaa/generate-role-private-key
Generate and write separate private key for role creds
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java23
1 files changed, 15 insertions, 8 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index f959d1a0ec4..6119c77242c 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -192,11 +192,13 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
try {
var roleCertificatePath = siaDirectory.resolve("certs")
.resolve(String.format("%s.cert.pem", role));
+ var roleKeyPath = siaDirectory.resolve("keys")
+ .resolve(String.format("%s.key.pem", role));
if (!Files.exists(roleCertificatePath)) {
- writeRoleCertificate(context, privateKeyFile, certificateFile, roleCertificatePath, identity, identityDocument, role);
+ writeRoleCredentials(context, privateKeyFile, certificateFile, roleCertificatePath, roleKeyPath, identity, identityDocument, role);
modified = true;
} else if (shouldRefreshCertificate(context, roleCertificatePath)) {
- writeRoleCertificate(context, privateKeyFile, certificateFile, roleCertificatePath, identity, identityDocument, role);
+ writeRoleCredentials(context, privateKeyFile, certificateFile, roleCertificatePath, roleKeyPath, identity, identityDocument, role);
modified = true;
}
} catch (IOException e) {
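Review bot: The roleKeyPath resolved at the top of the hunk is never consulted by the existence check that follows it, which still keys only on roleCertificatePath, so a certificate already on disk is left as-is until its refresh time even when no key file sits beside it; for a node that presumably already holds a role certificate from before this change, or one where the key file alone was removed, the `keys/<role>.key.pem` callers now expect would be absent until the next refresh. A missing key should be treated like a missing certificate: `if (!Files.exists(roleCertificatePath) || !Files.exists(roleKeyPath)) {`. Both branches now make the identical writeRoleCredentials call and set modified, so they could be folded into one `if (... || shouldRefreshCertificate(context, roleCertificatePath))` and the duplicated argument list dropped. The enclosing method begins before the hunk and its catch block continues past it.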
@@ -215,26 +217,31 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
shouldRefresh;
}
- private void writeRoleCertificate(NodeAgentContext context,
+ private void writeRoleCredentials(NodeAgentContext context,
ContainerPath privateKeyFile,
ContainerPath certificateFile,
ContainerPath roleCertificatePath,
+ ContainerPath roleKeyPath,
AthenzIdentity identity,
IdentityDocument identityDocument,
String role) throws IOException {
HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
+ var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
var athenzRole = AthenzRole.fromResourceNameString(role);
- var privateKey = KeyUtils.fromPemEncodedPrivateKey(new String(Files.readAllBytes(privateKeyFile)));
- var containerIdentitySslContext = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile)
+ var containerIdentitySslContext = new SslContextBuilder()
+ .withKeyStore(privateKeyFile, certificateFile)
.withTrustStore(ztsTrustStorePath)
.build();
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(identityDocument)).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
+ try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(identityDocument))
+ .withSslContext(containerIdentitySslContext)
+ .withHostnameVerifier(ztsHostNameVerifier)
+ .build()) {
var csrGenerator = new CsrGenerator(certificateDnsSuffix, identityDocument.providerService().getFullName());
var csr = csrGenerator.generateRoleCsr(
- identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), KeyUtils.toKeyPair(privateKey));
+ identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), keyPair);
var roleCertificate = ztsClient.getRoleCertificate(athenzRole, csr);
- writeFile(roleCertificatePath, X509CertificateUtils.toPem(roleCertificate));
+ writePrivateKeyAndCertificate(roleKeyPath, keyPair.getPrivate(), roleCertificatePath, roleCertificate);
context.log(logger, "Role certificate successfully retrieved written to file " + roleCertificatePath.pathInContainer());
}
}