Consider notAfter of role cert

author: Ola Aunronning <olaa@yahooinc.com> 2023-05-11 15:27:28 +0200
committer: Ola Aunronning <olaa@yahooinc.com> 2023-05-11 15:27:28 +0200
commit: 3df1628d8a081f9d10d974117bfd71a1ad7e29d4 (patch)
tree: ac0f607cc10a4018efd83838f5321f7c8925c1db /node-admin
parent: 1691b1256f38c26d6d70f47d79ca61535ba2f275 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index e295241b066..c684487b4f8 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -215,7 +215,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
     private boolean shouldRefreshCertificate(NodeAgentContext context, ContainerPath certificatePath) throws IOException {
         var certificate = readCertificateFromFile(certificatePath);
         var now = timer.currentTime();
-        var shouldRefresh = now.isAfter(certificate.getNotBefore().toInstant().plus(REFRESH_PERIOD));
+        var shouldRefresh = now.isAfter(certificate.getNotAfter().toInstant()) ||
+                now.isAfter(certificate.getNotBefore().toInstant().plus(REFRESH_PERIOD));
         return !shouldThrottleRefreshAttempts(context.containerName(), now) &&
                 shouldRefresh;
     }
author	Ola Aunronning <olaa@yahooinc.com>	2023-05-11 15:27:28 +0200
committer	Ola Aunronning <olaa@yahooinc.com>	2023-05-11 15:27:28 +0200
commit	3df1628d8a081f9d10d974117bfd71a1ad7e29d4 (patch)
tree	ac0f607cc10a4018efd83838f5321f7c8925c1db /node-admin
parent	1691b1256f38c26d6d70f47d79ca61535ba2f275 (diff)