authorMorten Tokle <mortent@yahooinc.com>2022-08-30 10:13:41 +0200
committerGitHub <noreply@github.com>2022-08-30 10:13:41 +0200
commitf68ac5ef5774dfb878e2df010f5257a66b4d6669 (patch)
tree6b5e4decc99863b64a0383570cc9c9bdeb09a8f6 /zookeeper-server
parent880e62e89020c90f0987c624e6b524906f312182 (diff)
parent70f97248a925720bea816f64f237349679c792b7 (diff)
Merge pull request #23842 from vespa-engine/bjorncs/zk-tls-config
Bjorncs/zk tls config
Diffstat (limited to 'zookeeper-server')
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java20
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java14
2 files changed, 29 insertions, 5 deletions
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
index 8f8058c6c0b..6508c154978 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
@@ -2,6 +2,7 @@
package com.yahoo.vespa.zookeeper;
import com.yahoo.cloud.config.ZookeeperServerConfig;
+import com.yahoo.security.tls.ConfigFileBasedTlsContext;
import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.TransportSecurityUtils;
@@ -47,7 +48,16 @@ public class Configurator {
System.setProperty("zookeeper.snapshot.compression.method", zookeeperServerConfig.snapshotMethod());
}
- void writeConfigToDisk() { writeConfigToDisk(VespaTlsConfig.fromSystem()); }
+ void writeConfigToDisk() {
+ VespaTlsConfig config;
+ String cfgFile = zookeeperServerConfig.vespaTlsConfigFile();
+ if (cfgFile.isBlank()) {
+ config = VespaTlsConfig.fromSystem();
+ } else {
+ config = VespaTlsConfig.fromConfig(Paths.get(cfgFile));
+ }
+ writeConfigToDisk(config);
+ }
// override of Vespa TLS config for unit testing
void writeConfigToDisk(VespaTlsConfig vespaTlsConfig) {
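Review bot: The blank-path fallback in the new `writeConfigToDisk()` is a security-relevant decision that is left undocumented: an empty `vespaTlsConfigFile()` silently switches ZooKeeper's TLS setup to whatever the process-wide Vespa TLS configuration is, while a non-blank value is handed to `VespaTlsConfig.fromConfig` without any check that the file exists. A comment on the `if` would make the contract explicit, e.g. `// Blank path: use the process-wide (system) Vespa TLS config; otherwise read TLS material from the given file`. Whether `ConfigFileBasedTlsContext` rejects a missing or unreadable file is not visible here; if it does not, a `Files.isReadable(path)` check with a descriptive exception before `fromConfig` would fail earlier and more clearly than a late error during ZooKeeper start-up. Note also that `isBlank()` tolerates surrounding whitespace that `Paths.get(cfgFile)` will keep, so `cfgFile.strip()` may be wanted.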
@@ -158,6 +168,7 @@ public class Configurator {
default void appendSharedTlsConfig(StringBuilder builder, VespaTlsConfig vespaTlsConfig) {
vespaTlsConfig.context().ifPresent(ctx -> {
+ VespaSslContextProvider.set(ctx);
builder.append(configFieldPrefix()).append(".context.supplier.class=").append(VespaSslContextProvider.class.getName()).append("\n");
String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
builder.append(configFieldPrefix()).append(".ciphersuites=").append(enabledCiphers).append("\n");
@@ -224,6 +235,13 @@ public class Configurator {
TransportSecurityUtils.getInsecureMixedMode());
}
+ static VespaTlsConfig fromConfig(Path file) {
+ return new VespaTlsConfig(
+ new ConfigFileBasedTlsContext(file, TransportSecurityUtils.getInsecureAuthorizationMode()),
+ TransportSecurityUtils.getInsecureMixedMode());
+ }
+
+
static VespaTlsConfig tlsDisabled() { return new VespaTlsConfig(null, MixedMode.defaultValue()); }
boolean tlsEnabled() { return context != null; }
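Review bot: `fromConfig` takes the TLS material from the given file but still derives the authorization mode and mixed mode from `TransportSecurityUtils.getInsecureAuthorizationMode()` / `getInsecureMixedMode()`, i.e. from the process environment, so the "file-based" configuration is only partly file-based and the effective peer-authorization and cleartext policy can differ from what the file's author expects. If that is intended, say so in a comment on the method, e.g. `// Key/cert/CA material comes from 'file'; authorization and mixed mode are still taken from the process environment, as in fromSystem()`; otherwise accept the two modes as parameters so the config-file path can pin them explicitly. The two consecutive blank lines added after the method are also one more than the surrounding code uses.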
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
index 89a0fa8a924..5434804cd62 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
@@ -2,7 +2,6 @@
package com.yahoo.vespa.zookeeper;
import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
import javax.net.ssl.SSLContext;
import java.util.function.Supplier;
@@ -14,12 +13,19 @@ import java.util.function.Supplier;
*/
public class VespaSslContextProvider implements Supplier<SSLContext> {
- private static final SSLContext sslContext = TransportSecurityUtils.getSystemTlsContext().map(TlsContext::context).orElse(null);
+ private static TlsContext tlsContext;
@Override
public SSLContext get() {
- if (sslContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
- return sslContext;
+ synchronized (VespaSslContextProvider.class) {
+ if (tlsContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
+ return tlsContext.context();
+ }
+ }
+
+ static synchronized void set(TlsContext ctx) {
+ if (tlsContext != null) tlsContext.close();
+ tlsContext = ctx;
}
}
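Review bot: `set(ctx)` closes the currently installed context before checking whether it is the very instance being installed, so if `appendSharedTlsConfig` runs more than once with the same `VespaTlsConfig` (the `configFieldPrefix()` indirection in Configurator suggests one call per config section), the second call closes `ctx` and then keeps it, and `get()` goes on serving SSLContexts from a closed `TlsContext`. Guard the close with an identity check: `if (tlsContext != null && tlsContext != ctx) tlsContext.close();`. The field also deserves a comment stating that it is a process-global mutable hook written by `Configurator` during config generation, and that replacing it closes the previous context; whether that close invalidates `SSLContext`s already handed out by `get()` is not visible here and should be confirmed before relying on hot replacement.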