author | Valerij Fredriksen <valerijf@yahooinc.com> | 2023-07-07 12:00:12 +0200 |
committer | Valerij Fredriksen <valerijf@yahooinc.com> | 2023-07-07 12:00:12 +0200 |
commit | 498fbe9b762c32cef084aaa66ccd233c05016613 (patch) | |
tree | 0a82566652475157c87d8a204f856fb8fa7e0e90 /node-admin | |
parent | 99013661328b21ce7135206d4b2f43fa7ad3df58 (diff) |
Set ZTS trust store for in registerIdentity() as well
Diffstat (limited to 'node-admin')
-rw-r--r-- | node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java | 31 |
1 files changed, 15 insertions, 16 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index f1972ccf000..b6ec0ebbd94 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -85,8 +85,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
     // Used as an optimization to ensure ZTS is not DDoS'ed on continuously failing refresh attempts
     private final Map<ContainerName, Instant> lastRefreshAttempt = new ConcurrentHashMap<>();
-    public AthenzCredentialsMaintainer(URI ztsEndpoint,
-                                       Path ztsTrustStorePath,
+    public AthenzCredentialsMaintainer(Path ztsTrustStorePath,
                                        ConfigServerInfo configServerInfo,
                                        String certificateDnsSuffix,
                                        ServiceIdentityProvider hostIdentityProvider,
@@ -228,14 +227,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
         var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
         var athenzRole = AthenzRole.fromResourceNameString(role);
-        var containerIdentitySslContext = new SslContextBuilder()
-                .withKeyStore(privateKeyFile, certificateFile)
-                .withTrustStore(ztsTrustStorePath)
-                .build();
-        try (ZtsClient ztsClient = new DefaultZtsClient.Builder(identityDocument.ztsUrl())
-                .withSslContext(containerIdentitySslContext)
-                .withHostnameVerifier(ztsHostNameVerifier)
-                .build()) {
+        try (ZtsClient ztsClient = ztsClient(identityDocument.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) {
             var csrGenerator = new CsrGenerator(certificateDnsSuffix, identityDocument.providerService().getFullName());
             var csr = csrGenerator.generateRoleCsr(
                     identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), keyPair);
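Review bot: The new `ztsClient(identityDocument.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)` line in the second hunk makes the identity document the only visible source of the ZTS URL on this path, since the constructor hunk drops the configured `URI ztsEndpoint`; `ztsHostNameVerifier` is declared above the hunk, so whether it is strict cannot be seen here. That is acceptable only if the document's signature is verified before this point, which the hunk does not show; otherwise a forged URL could steer the client to any host holding a certificate from the trusted CA, which is all the newly applied trust store bounds. I would add a comment on the try line making the assumption explicit: `// ZTS URL is taken from the signed identity document; server chain is validated against ztsTrustStorePath`. The enclosing method starts and ends outside the hunk.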
@@ -315,7 +307,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
             // Allow all zts hosts while removing SIS
             HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
-            try (ZtsClient ztsClient = new DefaultZtsClient.Builder(doc.ztsUrl()).withIdentityProvider(hostIdentityProvider).withHostnameVerifier(ztsHostNameVerifier).build()) {
+            try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), hostIdentityProvider.privateKeyPath(), hostIdentityProvider.certificatePath(), ztsHostNameVerifier)) {
                 InstanceIdentity instanceIdentity = ztsClient.registerInstance(
                         doc.providerService(),
@@ -335,14 +327,10 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
                 Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
                         identity, doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
-                SSLContext containerIdentitySslContext = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile)
-                        .withTrustStore(ztsTrustStorePath)
-                        .build();
-
                 try {
                     // Allow all zts hosts while removing SIS
                     HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
-                    try (ZtsClient ztsClient = new DefaultZtsClient.Builder(doc.ztsUrl()).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
+                    try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) {
                         InstanceIdentity instanceIdentity = ztsClient.refreshInstance(
                                 doc.providerService(),
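Review bot: The new `ztsClient(doc.ztsUrl(), hostIdentityProvider.privateKeyPath(), hostIdentityProvider.certificatePath(), ztsHostNameVerifier)` line in the first hunk still receives the accept-all `HostnameVerifier` declared two lines above it, so the trust store this commit adds only narrows ZTS impersonation to hosts holding a certificate from the trusted CA; hostname verification stays off at both call sites visible here. Replacing `withIdentityProvider(hostIdentityProvider)` with explicit key and certificate paths presumably means the SSL context is built from a snapshot of those files at construction rather than following the provider, which is harmless for a short-lived try-with-resources client but worth stating. I would sharpen the `// Allow all zts hosts while removing SIS` comment to record the residual risk and the exit condition, e.g. `// TODO: restore hostname verification once SIS is gone; chain is still validated against ztsTrustStorePath`. The enclosing method starts and ends outside the hunk.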
@@ -436,6 +424,17 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
         return SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION;
     }
+    private ZtsClient ztsClient(URI ztsEndpoint, Path privateKeyFile, Path certificateFile, HostnameVerifier hostnameVerifier) {
+        SSLContext sslContext = new SslContextBuilder()
+                .withKeyStore(privateKeyFile, certificateFile)
+                .withTrustStore(ztsTrustStorePath)
+                .build();
+        return new DefaultZtsClient.Builder(ztsEndpoint)
+                .withSslContext(sslContext)
+                .withHostnameVerifier(hostnameVerifier)
+                .build();
+    }
+
     private List<String> getRoleList(NodeAgentContext context) {
         try {
             return identityDocumentClient.getNodeRoles(context.hostname().value());
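Review bot: The new `ztsClient` helper has no Javadoc, and since it now builds every ZTS client in this class its security contract should be written down: it authenticates with the key and certificate at the given paths, validates the server chain against `ztsTrustStorePath`, and applies whatever `HostnameVerifier` the caller passes, so a permissive verifier from the caller disables hostname checks entirely. I would add a short Javadoc above the signature saying exactly that, with a `@param hostnameVerifier` line making clear the caller is responsible for its strictness and a `@return` noting the client must be closed by the caller. The helper also reads both files at call time, so the caller must supply a matching key/certificate pair; whether `SslContextBuilder` fails fast on a missing or half-written file is not visible here and is worth a sentence in the doc once confirmed.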