diff options
author | Valerij Fredriksen <valerijf@oath.com> | 2018-10-15 14:54:47 +0200 |
---|---|---|
committer | Valerij Fredriksen <valerijf@oath.com> | 2018-10-15 14:54:47 +0200 |
commit | 4c7270b6176c5371055f6eb669186fce6b7e3ab9 (patch) | |
tree | 6b3644b21cfb7c856e41621615847e1ee28430bb /node-admin | |
parent | 841a023378da6a6f0cecbb5ad0c4ccdb69d95a4c (diff) |
Use NodeAgentContext for logging
Diffstat (limited to 'node-admin')
3 files changed, 48 insertions, 41 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/ConfigServerInfo.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/ConfigServerInfo.java index 9e94f6ed7e4..7b484dfc481 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/ConfigServerInfo.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/ConfigServerInfo.java @@ -24,14 +24,18 @@ public class ConfigServerInfo { private final Map<String, URI> configServerURIs; private final AthenzService configServerIdentity; + // TODO: Remove public ConfigServerInfo(ConfigServerConfig config) { - this.configServerHostNames = config.hosts(); - this.configServerURIs = createConfigServerUris( - config.scheme(), - config.hosts(), - config.port()); - this.loadBalancerEndpoint = createLoadBalancerEndpoint(config.loadBalancerHost(), config.scheme(), config.port()); - this.configServerIdentity = (AthenzService) AthenzIdentities.from(config.configserverAthenzIdentity()); + this(config.loadBalancerHost(), config.hosts(), config.scheme(), config.port(), + (AthenzService) AthenzIdentities.from(config.configserverAthenzIdentity())); + } + + public ConfigServerInfo(String loadBalancerHostName, List<String> configServerHostNames, + String scheme, int port, AthenzService configServerAthenzIdentity) { + this.configServerHostNames = configServerHostNames; + this.configServerURIs = createConfigServerUris(scheme, configServerHostNames, port); + this.loadBalancerEndpoint = createLoadBalancerEndpoint(loadBalancerHostName, scheme, port); + this.configServerIdentity = configServerAthenzIdentity; } private static URI createLoadBalancerEndpoint(String loadBalancerHost, String scheme, int port) { diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java index 22957124da1..216878b92f4 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java @@ -1,6 +1,7 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.maintenance.identity; +import com.yahoo.log.LogLevel; import com.yahoo.security.KeyAlgorithm; import com.yahoo.security.KeyStoreType; import com.yahoo.security.KeyUtils; @@ -21,6 +22,7 @@ import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier; import com.yahoo.vespa.athenz.utils.SiaUtils; import com.yahoo.vespa.hosted.dockerapi.ContainerName; import com.yahoo.vespa.hosted.node.admin.component.Environment; +import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext; import com.yahoo.vespa.hosted.node.admin.util.PrefixLogger; import javax.net.ssl.SSLContext; @@ -37,6 +39,7 @@ import java.security.cert.X509Certificate; import java.time.Clock; import java.time.Duration; import java.time.Instant; +import java.util.logging.Logger; import static java.util.Collections.singleton; @@ -47,6 +50,8 @@ import static java.util.Collections.singleton; */ public class AthenzCredentialsMaintainer { + private static final Logger logger = Logger.getLogger(AthenzCredentialsMaintainer.class.getName()); + private static final Duration EXPIRY_MARGIN = Duration.ofDays(1); private static final Duration REFRESH_PERIOD = Duration.ofDays(1); private static final Duration REFRESH_BACKOFF = Duration.ofHours(1); // Backoff when refresh fails to ensure ZTS is not DDoS'ed. @@ -95,43 +100,42 @@ public class AthenzCredentialsMaintainer { this.clock = Clock.systemUTC(); } - public void converge() { + public void converge(NodeAgentContext context) { try { - if (!enabled) { - log.debug("Feature disabled on this host - not fetching certificate"); - return; - } - log.debug("Checking certificate"); - Instant now = clock.instant(); + context.log(logger, LogLevel.DEBUG, "Checking certificate"); if (!Files.exists(privateKeyFile) || !Files.exists(certificateFile) || !Files.exists(identityDocumentFile)) { - log.info("Certificate/private key/identity document file does not exist"); + context.log(logger, "Certificate/private key/identity document file does not exist"); Files.createDirectories(privateKeyFile.getParent()); Files.createDirectories(certificateFile.getParent()); Files.createDirectories(identityDocumentFile.getParent()); - registerIdentity(); + registerIdentity(context); return; } - X509Certificate certificate = readCertificateFromFile(); + + X509Certificate certificate = readCertificateFromFile(certificateFile); + Instant now = clock.instant(); Instant expiry = certificate.getNotAfter().toInstant(); if (isCertificateExpired(expiry, now)) { - log.info(String.format("Certificate has expired (expiry=%s)", expiry.toString())); - registerIdentity(); + context.log(logger, "Certificate has expired (expiry=%s)", expiry.toString()); + registerIdentity(context); return; } + Duration age = Duration.between(certificate.getNotBefore().toInstant(), now); if (shouldRefreshCredentials(age)) { - log.info(String.format("Certificate is ready to be refreshed (age=%s)", age.toString())); + context.log(logger, "Certificate is ready to be refreshed (age=%s)", age.toString()); if (shouldThrottleRefreshAttempts(now)) { - log.warning(String.format("Skipping refresh attempt as last refresh was on %s (less than %s ago)", - lastRefreshAttempt.toString(), REFRESH_BACKOFF.toString())); + context.log(logger, LogLevel.WARNING, String.format( + "Skipping refresh attempt as last refresh was on %s (less than %s ago)", + lastRefreshAttempt.toString(), REFRESH_BACKOFF.toString())); return; } else { lastRefreshAttempt = now; - refreshIdentity(); + refreshIdentity(context); return; } } - log.debug("Certificate is still valid"); + context.log(logger, LogLevel.DEBUG, "Certificate is still valid"); } catch (IOException e) { throw new UncheckedIOException(e); } @@ -159,17 +163,8 @@ public class AthenzCredentialsMaintainer { return REFRESH_BACKOFF.compareTo(Duration.between(lastRefreshAttempt, now)) > 0; } - private X509Certificate readCertificateFromFile() throws IOException { - String pemEncodedCertificate = new String(Files.readAllBytes(certificateFile)); - return X509CertificateUtils.fromPem(pemEncodedCertificate); - } - - private boolean isCertificateExpired(Instant expiry, Instant now) { - return now.isAfter(expiry.minus(EXPIRY_MARGIN)); - } - @SuppressWarnings("deprecation") - private void registerIdentity() { + private void registerIdentity(NodeAgentContext context) { KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA); SignedIdentityDocument signedIdentityDocument = identityDocumentClient.getNodeIdentityDocument(hostname); com.yahoo.vespa.athenz.tls.Pkcs10Csr csr = csrGenerator.generateInstanceCsr( @@ -185,14 +180,14 @@ public class AthenzCredentialsMaintainer { csr); EntityBindingsMapper.writeSignedIdentityDocumentToFile(identityDocumentFile, signedIdentityDocument); writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate()); - log.info("Instance successfully registered and credentials written to file"); + context.log(logger, "Instance successfully registered and credentials written to file"); } catch (IOException e) { throw new UncheckedIOException(e); } } @SuppressWarnings("deprecation") - private void refreshIdentity() { + private void refreshIdentity(NodeAgentContext context) { SignedIdentityDocument identityDocument = EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile); KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA); com.yahoo.vespa.athenz.tls.Pkcs10Csr csr = csrGenerator.generateInstanceCsr(containerIdentity, identityDocument.providerUniqueId(), identityDocument.ipAddresses(), keyPair); @@ -211,17 +206,17 @@ public class AthenzCredentialsMaintainer { false, csr); writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate()); - log.info("Instance successfully refreshed and credentials written to file"); + context.log(logger, "Instance successfully refreshed and credentials written to file"); } catch (ZtsClientException e) { if (e.getErrorCode() == 403 && e.getDescription().startsWith("Certificate revoked")) { - log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e); - registerIdentity(); + context.log(logger, LogLevel.ERROR, "Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e); + registerIdentity(context); } else { throw e; } } } catch (Exception e) { - log.error("Certificate refresh failed: " + e.getMessage(), e); + context.log(logger, LogLevel.ERROR, "Certificate refresh failed: " + e.getMessage(), e); } } @@ -239,4 +234,12 @@ public class AthenzCredentialsMaintainer { return Paths.get(file.toAbsolutePath().toString() + ".tmp"); } + private static X509Certificate readCertificateFromFile(Path certificateFile) throws IOException { + String pemEncodedCertificate = new String(Files.readAllBytes(certificateFile)); + return X509CertificateUtils.fromPem(pemEncodedCertificate); + } + + private static boolean isCertificateExpired(Instant expiry, Instant now) { + return now.isAfter(expiry.minus(EXPIRY_MARGIN)); + } } diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java index 350ca2263ef..a7ed5392e14 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java @@ -516,7 +516,7 @@ public class NodeAgentImpl implements NodeAgent { startServicesIfNeeded(); resumeNodeIfNeeded(node); - athenzCredentialsMaintainer.converge(); + athenzCredentialsMaintainer.converge(context); doBeforeConverge(node); |