authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-08-26 15:15:53 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-08-26 15:15:53 +0200
commitaca45ba95c5fb0b7d9c1fe89ee3a866ff65c76ac (patch)
tree457edb12eda58d61feab5812fe4ebed72763b6e9 /vespa-athenz
parentf49fbf259ea28bf3025580f875885762f12dc651 (diff)
Include instance hostname in Athenz node certificates
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java6
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java5
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java4
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java4
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java5
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java2
7 files changed, 24 insertions, 4 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 7116bf72ec4..13150158dad 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -67,9 +67,10 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
public InstanceIdentity registerInstance(AthenzIdentity providerIdentity,
AthenzIdentity instanceIdentity,
String attestationData,
+ String hostname,
Pkcs10Csr csr) {
InstanceRegisterInformation payload =
- new InstanceRegisterInformation(providerIdentity, instanceIdentity, attestationData, csr);
+ new InstanceRegisterInformation(providerIdentity, instanceIdentity, attestationData, hostname, csr);
HttpUriRequest request = RequestBuilder.post()
.setUri(ztsUrl.resolve("instance/"))
.setEntity(toJsonStringEntity(payload))
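Review bot: The new `hostname` parameter is placed after `attestationData` here, whereas the `ZtsClient` interface in this same commit declares `registerInstance(providerIdentity, instanceIdentity, hostname, attestationData, csr)` with `hostname` first; both are `String`, so the override compiles, and any caller coded against the interface silently delivers its attestation data as the hostname and its hostname as the attestation data. One of the two orders has to change, and since the only visible caller follows the interface order, the implementation is the one to fix: move `String hostname,` above `String attestationData,` and keep the `InstanceRegisterInformation` call consistent with it. Two adjacent `String` parameters with different trust levels (the attestation data appears to be the signed identity document, the hostname a caller claim) are exactly where such swaps go unnoticed; a check that `attestationData` is non-null before the request is built would at least make the transposition fail loudly. `registerInstance` continues past the end of this hunk.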
@@ -81,8 +82,9 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
public InstanceIdentity refreshInstance(AthenzIdentity providerIdentity,
AthenzIdentity instanceIdentity,
String instanceId,
+ String hostname,
Pkcs10Csr csr) {
- InstanceRefreshInformation payload = new InstanceRefreshInformation(csr);
+ InstanceRefreshInformation payload = new InstanceRefreshInformation(csr, hostname);
URI uri = ztsUrl.resolve(
String.format("instance/%s/%s/%s/%s",
providerIdentity.getFullName(),
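Review bot: `instanceId` is embedded into the URL path by the `String.format` that continues past the end of this hunk, and a null value would become a literal `null` path segment rather than an error; the visible caller in `AthenzCredentialsService` passes `/*hostname*/null` in the `instanceId` position, so this is not hypothetical. Adding `Objects.requireNonNull(instanceId, "instanceId");` at the top of the method would fail in the client instead of as an opaque ZTS response. Minor: `new InstanceRefreshInformation(csr, hostname)` takes its arguments in the opposite order from `new InstanceRegisterInformation(..., hostname, csr)`; mirroring the order in the binding class keeps the two request builders symmetric and easier to check against the interface.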
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index c09ad8f48a0..4f44dba4864 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
@@ -29,6 +29,7 @@ public interface ZtsClient extends AutoCloseable {
*/
InstanceIdentity registerInstance(AthenzIdentity providerIdentity,
AthenzIdentity instanceIdentity,
+ String hostname,
String attestationData,
Pkcs10Csr csr);
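Review bot: The javadoc that closes just above this hunk gains no `@param hostname`, so the parameter's contract — an optional DNS name to be added as a SAN, null to omit — is only discoverable from the callers. Add `@param hostname hostname to include as a DNS SAN in the certificate, or null to omit it` (the javadoc body itself is outside this hunk). Note also that `hostname` is declared here before `attestationData`, while `DefaultZtsClient.registerInstance` in this commit takes `attestationData` before `hostname`; both are `String`, so neither the compiler nor the visible tests will notice when a caller and the implementation disagree.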
@@ -40,6 +41,7 @@ public interface ZtsClient extends AutoCloseable {
InstanceIdentity refreshInstance(AthenzIdentity providerIdentity,
AthenzIdentity instanceIdentity,
String instanceId,
+ String hostname,
Pkcs10Csr csr);
/**
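Review bot: `refreshInstance` gets the same undocumented `String hostname` as `registerInstance`; its javadoc (above this hunk) should state `@param hostname hostname to include as a DNS SAN in the refreshed certificate, or null to omit it`, since the visible caller passes null. With `instanceId` and `hostname` now adjacent `String`s, call sites can transpose them without a compile error, so it is worth a sentence that `instanceId` is the dotted provider-unique id used to build the refresh URL.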
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java
index f6c359c09a8..5d101ed31e6 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java
@@ -18,8 +18,11 @@ public class InstanceRefreshInformation {
@JsonProperty("csr")
@JsonSerialize(using = Pkcs10CsrSerializer.class)
private final Pkcs10Csr csr;
+ @JsonProperty("hostname")
+ private final String hostname;
- public InstanceRefreshInformation(Pkcs10Csr csr) {
+ public InstanceRefreshInformation(Pkcs10Csr csr, String hostname) {
this.csr = csr;
+ this.hostname = hostname;
}
}
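Review bot: The new `hostname` field carries `@JsonProperty("hostname")` but no null-exclusion, so for the tenant paths in `AthenzCredentialsService` that pass `/*hostname*/null` the refresh body will contain `"hostname": null` unless the mapper used by `ClientBase` skips nulls, which is not visible here. If ZTS treats the property's presence as a request to validate the hostname, that would turn an intended omission into a rejection; annotating the field with `@JsonInclude(JsonInclude.Include.NON_NULL)`, or confirming the mapper's default, keeps the wire format identical to the pre-change one when no hostname is given. The constructor also takes `(csr, hostname)` while `InstanceRegisterInformation` takes `(..., hostname, csr)`; aligning the order makes the two bindings easier to check.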
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java
index cd272ccf685..c5175f19b44 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java
@@ -25,17 +25,21 @@ public class InstanceRegisterInformation {
private final String service;
@JsonProperty("attestationData")
private final String attestationData;
+ @JsonProperty("hostname")
+ private final String hostname;
@JsonProperty("csr")
private final String csr;
public InstanceRegisterInformation(AthenzIdentity providerIdentity,
AthenzIdentity instanceIdentity,
String attestationData,
+ String hostname,
Pkcs10Csr csr) {
this.provider = providerIdentity.getFullName();
this.domain = instanceIdentity.getDomain().getName();
this.service = instanceIdentity.getName();
this.attestationData = attestationData;
this.csr = Pkcs10CsrUtils.toPem(csr);
+ this.hostname = hostname;
}
}
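Review bot: `attestationData` and the new `hostname` are adjacent `String` constructor parameters with very different trust levels — the former appears to be the signed identity document (`EntityBindingsMapper.toAttestationData(document)` at the call site), the latter a caller-supplied DNS name — and a swap at any call site is silent. If callers never legitimately register without attestation data, `this.attestationData = Objects.requireNonNull(attestationData, "attestationData");` (with `java.util.Objects` imported) would make a transposition fail in the client rather than as an opaque ZTS error. Minor: `this.hostname = hostname;` is assigned after `this.csr` although the field is declared before it; keeping declaration and assignment order the same helps the reader match them.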
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index eccf1088cce..8e0bdb9b19c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -75,6 +75,7 @@ class AthenzCredentialsService {
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
tenantIdentity,
document.providerUniqueId(),
+ /*hostname*/null, // no hostname in tenant certificates
document.ipAddresses(),
keyPair);
@@ -83,6 +84,7 @@ class AthenzCredentialsService {
ztsClient.registerInstance(
configserverIdentity,
tenantIdentity,
+ /*hostname*/null,
EntityBindingsMapper.toAttestationData(document),
csr);
X509Certificate certificate = instanceIdentity.certificate();
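Review bot: This call passes `/*hostname*/null` third and the attestation data fourth, matching the `ZtsClient` interface order, but `DefaultZtsClient.registerInstance` in this same commit takes `attestationData` third and `hostname` fourth; if `ztsClient` is the default implementation, the request will carry the serialized identity document as `hostname` and `null` as `attestationData`, and because both are `String` nothing catches it. Either this call or the implementation's parameter order has to change; whichever is chosen, a test that drives a register round-trip through the interface would stop the two from drifting again. The enclosing method starts before this hunk.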
@@ -96,6 +98,7 @@ class AthenzCredentialsService {
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
tenantIdentity,
document.providerUniqueId(),
+ /*hostname*/null, // no hostname in tenant certificates
document.ipAddresses(),
newKeyPair);
@@ -104,6 +107,7 @@ class AthenzCredentialsService {
ztsClient.refreshInstance(
configserverIdentity,
tenantIdentity,
+ /*hostname*/null,
document.providerUniqueId().asDottedString(),
csr);
X509Certificate certificate = instanceIdentity.certificate();
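Review bot: The arguments are transposed: `refreshInstance` is declared as `(providerIdentity, instanceIdentity, instanceId, hostname, csr)` in both `ZtsClient` and `DefaultZtsClient`, but this call passes `/*hostname*/null` in the `instanceId` position and `document.providerUniqueId().asDottedString()` as `hostname`. With the default client the refresh URL would contain a literal `null` segment and the instance id would be sent to ZTS as the hostname. Swap the two lines: `document.providerUniqueId().asDottedString(),` followed by `/*hostname*/null,`. The enclosing method starts before this hunk.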
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index f73a52b373b..dff753b9126 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -34,11 +34,13 @@ public class CsrGenerator {
public Pkcs10Csr generateInstanceCsr(AthenzIdentity instanceIdentity,
VespaUniqueInstanceId instanceId,
+ String hostname,
Set<String> ipAddresses,
KeyPair keyPair) {
X500Principal subject = new X500Principal(String.format("OU=%s, CN=%s", providerService, instanceIdentity.getFullName()));
// Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
// and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
+ // and SAN dnsname <hostname> (note: ZTS will verify that there is a DNS A record with hostname having the remote ip)
Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA)
.addSubjectAlternativeName(
DNS_NAME,
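Review bot: `generateInstanceCsr` has no javadoc in this view, and the new `hostname` parameter's nullability and meaning are stated only in a line comment; since the added SAN is a claim the client makes on the instance's behalf, document it on the method: `@param hostname DNS name added as a SAN, or null to omit; not validated here — ZTS is expected to check it against the requester's address`. The inline comment's statement that ZTS verifies an A record for the hostname against the remote IP describes the server, not this code, so phrase it as an expectation (`ZTS is expected to verify ...`) rather than a guarantee. The builder chain continues past the end of this hunk.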
@@ -48,6 +50,9 @@ public class CsrGenerator {
instanceIdentity.getDomainName().replace(".", "-"),
dnsSuffix))
.addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId));
+ if (hostname != null) {
+ pkcs10CsrBuilder.addSubjectAlternativeName(DNS_NAME, hostname);
+ }
ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
return pkcs10CsrBuilder.build();
}
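Review bot: `if (hostname != null)` admits the empty string, which would add an empty `dNSName` SAN to the CSR; whether ZTS rejects that or issues the certificate is not visible here. Since null already expresses "no hostname", an empty or whitespace-only value is a caller bug and should be rejected at CSR generation, e.g. `if (hostname != null) { if (hostname.trim().isEmpty()) throw new IllegalArgumentException("hostname must not be blank"); pkcs10CsrBuilder.addSubjectAlternativeName(DNS_NAME, hostname); }`, so the failure surfaces in the client rather than at the CA. The `ipAddresses` loop on the next line has the same shape and already trusts its input, so the hostname check is the natural place to start.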
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
index 8b6d2f06777..3b2129821a3 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
@@ -31,7 +31,7 @@ public class InstanceCsrGeneratorTest {
VespaUniqueInstanceId vespaUniqueInstanceId = VespaUniqueInstanceId.fromDottedString("0.default.default.foo-app.vespa.us-north-1.prod.node");
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
- Pkcs10Csr csr = csrGenerator.generateInstanceCsr(service, vespaUniqueInstanceId, Collections.emptySet(), keyPair);
+ Pkcs10Csr csr = csrGenerator.generateInstanceCsr(service, vespaUniqueInstanceId, "myhostname", Collections.emptySet(), keyPair);
assertEquals(new X500Principal(String.format("OU=%s, CN=%s", PROVIDER_SERVICE, ATHENZ_SERVICE)), csr.getSubject());
}
}
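Review bot: The test now passes `"myhostname"` but still asserts only the subject, so the new DNS SAN is never checked and a regression in the `hostname != null` branch of `CsrGenerator` would go unnoticed. Add an assertion that the CSR's subject alternative names contain a DNS entry for `myhostname` (via `Pkcs10Csr`'s SAN accessor, whose exact name is not visible here), and a second case passing `null` that asserts no such entry is present. The test method's signature is above this hunk.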