authorjonmv <venstad@gmail.com>2023-12-15 17:04:22 +0100
committerjonmv <venstad@gmail.com>2023-12-15 17:04:22 +0100
commit9cf9e62f0d97a0530936c829062320859d3db06c (patch)
treeeb1fad9d94f1494eb065cd84985a277dd6d5c48c /zookeeper-client-common
parent28f8cf3e298d51ca703ceee36a992297d38637cc (diff)
Revert "Merge pull request #29674 from vespa-engine/revert-29671-jonmv/reapply-zk-3.9.1"
This reverts commit 28f8cf3e298d51ca703ceee36a992297d38637cc, reversing changes made to 3a9f89fe60e3420eed435daee435a4f8534c9512.
Diffstat (limited to 'zookeeper-client-common')
-rw-r--r--zookeeper-client-common/pom.xml13
-rw-r--r--zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java12
-rw-r--r--zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java12
-rw-r--r--zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java3
4 files changed, 23 insertions, 17 deletions
diff --git a/zookeeper-client-common/pom.xml b/zookeeper-client-common/pom.xml
index 12ff1517e53..ccfdbd9a429 100644
--- a/zookeeper-client-common/pom.xml
+++ b/zookeeper-client-common/pom.xml
@@ -21,12 +21,25 @@
<scope>provided</scope>
</dependency>
<dependency>
+ <groupId>com.yahoo.vespa</groupId>
+ <artifactId>defaults</artifactId>
+ <version>${project.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
<scope>provided</scope>
</dependency>
<!-- compile scope -->
+ <dependency>
+ <groupId>com.yahoo.vespa</groupId>
+ <artifactId>zookeeper-common</artifactId>
+ <version>${project.version}</version>
+ <scope>compile</scope>
+ </dependency>
+
<!-- test scope -->
<dependency>
<groupId>org.junit.jupiter</groupId>
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
index 9cc71eab96e..5772070d550 100644
--- a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
@@ -1,25 +1,23 @@
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper.client;
-import com.yahoo.security.tls.TransportSecurityUtils;
+import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
import javax.net.ssl.SSLContext;
import java.util.function.Supplier;
/**
- * Provider for Vespa {@link SSLContext} instance to Zookeeper + misc utility methods for providing Vespa TLS specific ZK configuration.
+ * Provider for Vespa {@link SSLContext} instance to Zookeeper.
*
* @author bjorncs
*/
public class VespaSslContextProvider implements Supplier<SSLContext> {
- private static final SSLContext sslContext = TransportSecurityUtils.getSystemTlsContext()
- .map(tc -> tc.sslContext().context()).orElse(null);
-
@Override
public SSLContext get() {
- if (sslContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
- return sslContext;
+ return VespaZookeeperTlsContextUtils.tlsContext()
+ .orElseThrow(() -> new IllegalStateException("Vespa TLS is not enabled"))
+ .sslContext().context();
}
}
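Review bot: `get()` now resolves the TLS context through `VespaZookeeperTlsContextUtils.tlsContext()` on every call instead of returning a value captured once at class load, and the class does not document this. `VespaZookeeperTlsContextUtils` is not part of this diff, so it is not visible here whether it caches its result. If it does not, repeated calls may rebuild the context, and its answer could in principle differ from the static `defaultTlsContext` snapshot taken in `ZkClientConfigBuilder`. I would state the contract on the method, for example `/** Returns the SSLContext of the current Vespa TLS context; throws IllegalStateException when Vespa TLS is not enabled for ZooKeeper clients. */`.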
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
index 5c969454d11..af49fab0d40 100644
--- a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
@@ -1,9 +1,8 @@
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper.client;
-import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
+import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.server.quorum.QuorumPeerConfig;
@@ -14,7 +13,6 @@ import java.nio.file.StandardCopyOption;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
-import java.util.Optional;
import java.util.stream.Collectors;
/**
@@ -31,7 +29,7 @@ public class ZkClientConfigBuilder {
public static final String SSL_CLIENTAUTH_PROPERTY = "zookeeper.ssl.clientAuth";
public static final String CLIENT_CONNECTION_SOCKET = "zookeeper.clientCnxnSocket";
- private static final TlsContext defaultTlsContext = getTlsContext().orElse(null);
+ private static final TlsContext defaultTlsContext = VespaZookeeperTlsContextUtils.tlsContext().orElse(null);
private final TlsContext tlsContext;
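Review bot: The mixed-mode rule that the removed `getTlsContext()` enforced in this class (no client TLS when `TransportSecurityUtils.getInsecureMixedMode()` is `PLAINTEXT_CLIENT_MIXED_SERVER`) is no longer visible here, and `defaultTlsContext` has no comment saying where that decision now lives. `VespaZookeeperTlsContextUtils.tlsContext()` is outside this diff, so it should be confirmed that it applies the same rule; otherwise clients in that mode would start offering TLS to servers that expect plaintext from them. A comment on the field would make the dependency explicit, such as `// null means plaintext client; the mixed-mode decision is made in VespaZookeeperTlsContextUtils.tlsContext()`.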
@@ -71,8 +69,8 @@ public class ZkClientConfigBuilder {
builder.put(CLIENT_SECURE_PROPERTY, Boolean.toString(tlsContext != null));
builder.put(CLIENT_CONNECTION_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
if (tlsContext != null) {
- builder.put(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY, VespaSslContextProvider.class.getName());
String protocolsConfigValue = Arrays.stream(tlsContext.parameters().getProtocols()).sorted().collect(Collectors.joining(","));
+ builder.put(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY, VespaSslContextProvider.class.getName());
builder.put(SSL_ENABLED_PROTOCOLS_PROPERTY, protocolsConfigValue);
String ciphersConfigValue = Arrays.stream(tlsContext.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
builder.put(SSL_ENABLED_CIPHERSUITES_PROPERTY, ciphersConfigValue);
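Review bot: The protocol and cipher-suite lists written here come from this builder's `tlsContext`, while the `SSLContext` itself is supplied by `VespaSslContextProvider`, which resolves the process-wide context and never sees the instance held by the builder. If a builder is created with a context other than the default one (the test appears to do so with `MockTlsContext`), the enabled protocols and ciphers could describe a different context than the one ZooKeeper ends up using. I would record the assumption next to the `SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY` line, for example `// VespaSslContextProvider always serves the system TLS context; tlsContext is expected to be that same context`. The enclosing method starts and ends outside this hunk.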
@@ -81,8 +79,4 @@ public class ZkClientConfigBuilder {
return Map.copyOf(builder);
}
- private static Optional<TlsContext> getTlsContext() {
- if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) return Optional.empty();
- return TransportSecurityUtils.getSystemTlsContext();
- }
}
diff --git a/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java b/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
index 56bfe8381c2..45ae68cb41d 100644
--- a/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
+++ b/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
@@ -31,6 +31,7 @@ public class ZkClientConfigBuilderTest {
assertEquals("org.apache.zookeeper.ClientCnxnSocketNetty", config.getProperty(CLIENT_CONNECTION_SOCKET));
assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
assertNull(config.getProperty(SSL_CLIENTAUTH_PROPERTY));
+ assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
}
@Test
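Review bot: The added `assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));` repeats the assertion two lines above it word for word, so it checks nothing new and can be dropped. It looks like a leftover from moving the matching `assertEquals` to the end of the TLS test. If the intent was to widen the plaintext case, the visible lines do not assert the protocol or cipher properties, so `assertNull(config.getProperty(SSL_ENABLED_PROTOCOLS_PROPERTY));` and the same for `SSL_ENABLED_CIPHERSUITES_PROPERTY` would be more useful. The test method starts outside the hunk.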
@@ -39,10 +40,10 @@ public class ZkClientConfigBuilderTest {
ZKClientConfig config = builder.toConfig();
assertEquals("true", config.getProperty(CLIENT_SECURE_PROPERTY));
assertEquals("org.apache.zookeeper.ClientCnxnSocketNetty", config.getProperty(CLIENT_CONNECTION_SOCKET));
- assertEquals(com.yahoo.vespa.zookeeper.client.VespaSslContextProvider.class.getName(), config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
assertEquals("TLSv1.3", config.getProperty(SSL_ENABLED_PROTOCOLS_PROPERTY));
assertEquals("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", config.getProperty(SSL_ENABLED_CIPHERSUITES_PROPERTY));
assertEquals("NEED", config.getProperty(SSL_CLIENTAUTH_PROPERTY));
+ assertEquals(VespaSslContextProvider.class.getName(), config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
}
private static class MockTlsContext implements TlsContext {