authorMorten Tokle <mortent@yahooinc.com>2023-11-23 08:35:46 +0100
committerMorten Tokle <mortent@yahooinc.com>2023-11-24 08:11:28 +0100
commit761c86dc78215a8cc7a407953cbb87aba9c6ecda (patch)
treed4246b98e84b9701dc14eb988e24dab9696c2ac5 /vespa-athenz
parent63fa2455fd0dc5c622f51278ad446e75711e70a0 (diff)
Add spiffe uri to role and service certs
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java6
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java3
2 files changed, 6 insertions, 3 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 6d79e96a635..06a7c59b959 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -50,7 +50,8 @@ public class CsrGenerator {
instanceIdentity.getName(),
instanceIdentity.getDomainName().replace(".", "-"),
dnsSuffix))
- .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
+ .addSubjectAlternativeName(URI, instanceIdentity.spiffeUri().toString());
if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
return pkcs10CsrBuilder.build();
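Review bot: The new URI SAN on line 27 is added unconditionally via `instanceIdentity.spiffeUri().toString()`, whereas the cluster-type URI SAN on the very next line is null-guarded; nothing in the hunk shows whether `spiffeUri()` can be absent, so confirm that, or a CSR for such an identity will fail here with a bare NullPointerException rather than a clear message. A short comment above line 27 such as `// SPIFFE ID as URI SAN; a CSR only requests it, the signing CA (Athenz) must verify it matches the attested instance` would document why the SAN is included and where the trust decision actually lives, since consumers of the URI SAN should not assume this client-side line is what validates it. The enclosing method starts outside the hunk.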
@@ -64,7 +65,8 @@ public class CsrGenerator {
X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
var b = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
.addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
- .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix));
+ .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+ .addSubjectAlternativeName(URI, "spiffe://%s/ra/%s".formatted(role.domain().getName(), role.roleName()));
if (clusterType != null) b.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
return b.build();
}
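Review bot: Line 37 hand-builds the role SPIFFE URI with `"spiffe://%s/ra/%s".formatted(role.domain().getName(), role.roleName())`, while the service-cert hunk above obtains its URI from `instanceIdentity.spiffeUri()`, so the scheme and path convention now lives in two places; moving the role form into a method on the role type (or the helper that backs `spiffeUri()`) would keep both certificates derived from one definition. The domain and role names are interpolated without validation, so a name containing `/`, `?`, `#` or whitespace would yield a malformed or differently-parsed URI SAN; checking that both components contain only SPIFFE-legal characters before formatting, or constructing the value through `java.net.URI` and rejecting anything that does not round-trip unchanged, would surface that at CSR time instead of at the verifier. The enclosing method starts outside the hunk.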
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
index cb2aac372ff..1f9ad2ced64 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
@@ -42,7 +42,8 @@ public class InstanceCsrGeneratorTest {
var expectedSans = Set.of(
new SubjectAlternativeName(DNS, "bar.foo.prod-us-north-1.vespa.yahoo.cloud"),
new SubjectAlternativeName(DNS, "0.default.default.foo-app.vespa.us-north-1.prod.node.instanceid.athenz.prod-us-north-1.vespa.yahoo.cloud"),
- new SubjectAlternativeName(URI, "vespa://cluster-type/container"));
+ new SubjectAlternativeName(URI, "vespa://cluster-type/container"),
+ new SubjectAlternativeName(URI, "spiffe://foo/sa/bar"));
assertEquals(expectedSans, actualSans);
}
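Review bot: The updated expectation on line 51 pins only the service-cert SPIFFE SAN (`spiffe://foo/sa/bar`); the role-cert SAN of the form `spiffe://<domain>/ra/<role>` added in CsrGenerator in the same commit gets no assertion here, so a regression in that format would go unnoticed. A parallel expected entry in a role-cert test, e.g. `new SubjectAlternativeName(URI, "spiffe://foo/ra/<role-name-from-fixture>")`, would cover it. The test method's signature is outside the hunk.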
}