diff options
author | Morten Tokle <mortent@verizonmedia.com> | 2019-10-03 14:04:24 +0200 |
---|---|---|
committer | Morten Tokle <mortent@verizonmedia.com> | 2019-10-03 14:04:24 +0200 |
commit | 149dac45cedc22a5a7e0dfdcc402cd1780c141ae (patch) | |
tree | 02c9cb95b11aec099ee5b02c27e76a52becaa81d /node-admin | |
parent | adf22d3886ccd6de163278434a1a6d502584d0f9 (diff) |
Support internal zts
Diffstat (limited to 'node-admin')
-rw-r--r-- | node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java index 865bcc61837..058317ffd25 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java @@ -27,6 +27,7 @@ import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext; import com.yahoo.vespa.hosted.node.admin.task.util.file.FileFinder; import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixPath; +import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import java.io.IOException; import java.io.UncheckedIOException; @@ -68,6 +69,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { private final ServiceIdentityProvider hostIdentityProvider; private final IdentityDocumentClient identityDocumentClient; private final CsrGenerator csrGenerator; + private final boolean useInternalZts; // Used as an optimization to ensure ZTS is not DDoS'ed on continuously failing refresh attempts private final Map<ContainerName, Instant> lastRefreshAttempt = new ConcurrentHashMap<>(); @@ -76,7 +78,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { Path trustStorePath, ConfigServerInfo configServerInfo, String certificateDnsSuffix, - ServiceIdentityProvider hostIdentityProvider) { + ServiceIdentityProvider hostIdentityProvider, + boolean useInternalZts) { this.ztsEndpoint = ztsEndpoint; this.trustStorePath = trustStorePath; this.configserverIdentity = configServerInfo.getConfigServerIdentity(); @@ -87,6 +90,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { hostIdentityProvider, new AthenzIdentityVerifier(singleton(configserverIdentity))); this.clock = Clock.systemUTC(); + this.useInternalZts = useInternalZts; } public boolean converge(NodeAgentContext context) { @@ -157,7 +161,12 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { SignedIdentityDocument signedIdentityDocument = identityDocumentClient.getNodeIdentityDocument(context.hostname().value()); Pkcs10Csr csr = csrGenerator.generateInstanceCsr( context.identity(), signedIdentityDocument.providerUniqueId(), signedIdentityDocument.ipAddresses(), keyPair); - try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, hostIdentityProvider)) { + + // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis + HostnameVerifier ztsHostNameVerifier = useInternalZts + ? new AthenzIdentityVerifier(singleton(configserverIdentity)) + : null; + try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, hostIdentityProvider, ztsHostNameVerifier)) { InstanceIdentity instanceIdentity = ztsClient.registerInstance( configserverIdentity, |