author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-08-09 13:18:29 +0200 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-08-09 13:49:42 +0200 |
commit | a053d280fc5750b0919a19b176e0eb7471117cd4 (patch) | |
tree | 834f3a581c64962b168e4844ae872c35eb3d5d25 /node-admin | |
parent | b609be23cfdaa7eb6f71b77aa6d480a6ccba97bb (diff) |
Don't fail node-agent when certificate refresh fails
Diffstat (limited to 'node-admin')
-rw-r--r-- | node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java | 37 |
1 files changed, 20 insertions, 17 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 9ee2ff58166..c63b1eb02e5 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -189,24 +189,27 @@ public class AthenzCredentialsMaintainer {
 .withKeyStore(privateKeyFile.toFile(), certificateFile.toFile())
 .withTrustStore(trustStorePath.toFile(), KeyStoreType.JKS)
 .build();
- try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, containerIdentity, containerIdentitySslContext)) {
- InstanceIdentity instanceIdentity =
- ztsClient.refreshInstance(
- configserverIdentity,
- containerIdentity,
- identityDocument.providerUniqueId().asDottedString(),
- false,
- csr);
- writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate());
- log.info("Instance successfully refreshed and credentials written to file");
- } catch (ZtsClientException e) {
- // TODO Find out why certificate was revoked and hopefully remove this workaround
- if (e.getErrorCode() == 403 && e.getDescription().startsWith("Certificate revoked")) {
- log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
- registerIdentity();
+ try {
+ try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, containerIdentity, containerIdentitySslContext)) {
+ InstanceIdentity instanceIdentity =
+ ztsClient.refreshInstance(
+ configserverIdentity,
+ containerIdentity,
+ identityDocument.providerUniqueId().asDottedString(),
+ false,
+ csr);
+ writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate());
+ log.info("Instance successfully refreshed and credentials written to file");
+ } catch (ZtsClientException e) {
+ if (e.getErrorCode() == 403 && e.getDescription().startsWith("Certificate revoked")) {
+ log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
+ registerIdentity();
+ } else {
+ throw e;
+ }
 }
- } catch (IOException e) {
- throw new UncheckedIOException(e);
+ } catch (Exception e) {
+ log.error("Certificate refresh failed: " + e.getMessage(), e);
 }
 }
|
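Review bot: The outer `catch (Exception e)` turns every refresh failure — including a `registerIdentity()` that itself fails after the `Certificate revoked` response, and the `IOException` path that previously propagated as `UncheckedIOException` — into a single log line, so a node whose identity can no longer be refreshed or re-registered keeps running on its current certificate until it expires, with nothing separating a transient ZTS error from a permanent loss of identity. If best-effort is the intent, the condition should be observable beyond the log: record the time of the last successful refresh or a consecutive-failure count and expose it as a metric/alert, or fail the agent once the certificate nears expiry; that needs class state outside this hunk. Since `e` is already passed to the logger, `e.getMessage()` in the message is redundant: `log.error("Certificate refresh failed", e);`. The removed `// TODO Find out why certificate was revoked and hopefully remove this workaround` comment still applies to the re-registration workaround the new code keeps, so consider restoring it above the `if (e.getErrorCode() == 403 ...)` check. The enclosing method begins outside the hunk.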