authorBjørn Christian Seime <bjorncs@oath.com>2018-08-09 13:18:29 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-08-09 13:49:42 +0200
commita053d280fc5750b0919a19b176e0eb7471117cd4 (patch)
tree834f3a581c64962b168e4844ae872c35eb3d5d25 /node-admin
parentb609be23cfdaa7eb6f71b77aa6d480a6ccba97bb (diff)
Don't fail node-agent when certificate refresh fails
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java37
1 files changed, 20 insertions, 17 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 9ee2ff58166..c63b1eb02e5 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -189,24 +189,27 @@ public class AthenzCredentialsMaintainer {
.withKeyStore(privateKeyFile.toFile(), certificateFile.toFile())
.withTrustStore(trustStorePath.toFile(), KeyStoreType.JKS)
.build();
- try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, containerIdentity, containerIdentitySslContext)) {
- InstanceIdentity instanceIdentity =
- ztsClient.refreshInstance(
- configserverIdentity,
- containerIdentity,
- identityDocument.providerUniqueId().asDottedString(),
- false,
- csr);
- writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate());
- log.info("Instance successfully refreshed and credentials written to file");
- } catch (ZtsClientException e) {
- // TODO Find out why certificate was revoked and hopefully remove this workaround
- if (e.getErrorCode() == 403 && e.getDescription().startsWith("Certificate revoked")) {
- log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
- registerIdentity();
+ try {
+ try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, containerIdentity, containerIdentitySslContext)) {
+ InstanceIdentity instanceIdentity =
+ ztsClient.refreshInstance(
+ configserverIdentity,
+ containerIdentity,
+ identityDocument.providerUniqueId().asDottedString(),
+ false,
+ csr);
+ writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate());
+ log.info("Instance successfully refreshed and credentials written to file");
+ } catch (ZtsClientException e) {
+ if (e.getErrorCode() == 403 && e.getDescription().startsWith("Certificate revoked")) {
+ log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
+ registerIdentity();
+ } else {
+ throw e;
+ }
}
- } catch (IOException e) {
- throw new UncheckedIOException(e);
+ } catch (Exception e) {
+ log.error("Certificate refresh failed: " + e.getMessage(), e);
}
}
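Review bot: The outer `catch (Exception e)` at the end of the hunk logs and continues for every failure, not only a failed ZTS call: an error from `registerIdentity()` in the revoked-certificate branch or from `writePrivateKeyAndCertificate(...)` is swallowed too, so a refresh that keeps failing shows up only in the log while the existing certificate runs towards expiry. Consider narrowing it to the failures that are meant to be tolerated, for example `} catch (ZtsClientException | IOException e) {`, or, if the catch-all is intended, say so in a comment such as `// Best effort: keep the node-agent running on the current certificate`. The method starts above the hunk, so whether anything else counts consecutive failures or checks the remaining certificate lifetime cannot be seen from here. The revoked-certificate workaround is kept, but its `// TODO Find out why certificate was revoked and hopefully remove this workaround` comment was dropped and is worth restoring. The `+ e.getMessage()` in the log line is redundant, because the exception is already passed as the second argument.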