-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java13
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java9
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java3
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java13
4 files changed, 26 insertions, 12 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 865bcc61837..058317ffd25 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -27,6 +27,7 @@ import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext;
import com.yahoo.vespa.hosted.node.admin.task.util.file.FileFinder;
import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixPath;
+import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import java.io.IOException;
import java.io.UncheckedIOException;
@@ -68,6 +69,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private final ServiceIdentityProvider hostIdentityProvider;
private final IdentityDocumentClient identityDocumentClient;
private final CsrGenerator csrGenerator;
+ private final boolean useInternalZts;
// Used as an optimization to ensure ZTS is not DDoS'ed on continuously failing refresh attempts
private final Map<ContainerName, Instant> lastRefreshAttempt = new ConcurrentHashMap<>();
@@ -76,7 +78,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
Path trustStorePath,
ConfigServerInfo configServerInfo,
String certificateDnsSuffix,
- ServiceIdentityProvider hostIdentityProvider) {
+ ServiceIdentityProvider hostIdentityProvider,
+ boolean useInternalZts) {
this.ztsEndpoint = ztsEndpoint;
this.trustStorePath = trustStorePath;
this.configserverIdentity = configServerInfo.getConfigServerIdentity();
@@ -87,6 +90,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
hostIdentityProvider,
new AthenzIdentityVerifier(singleton(configserverIdentity)));
this.clock = Clock.systemUTC();
+ this.useInternalZts = useInternalZts;
}
public boolean converge(NodeAgentContext context) {
@@ -157,7 +161,12 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
SignedIdentityDocument signedIdentityDocument = identityDocumentClient.getNodeIdentityDocument(context.hostname().value());
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
context.identity(), signedIdentityDocument.providerUniqueId(), signedIdentityDocument.ipAddresses(), keyPair);
- try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, hostIdentityProvider)) {
+
+ // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
+ HostnameVerifier ztsHostNameVerifier = useInternalZts
+ ? new AthenzIdentityVerifier(singleton(configserverIdentity))
+ : null;
+ try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, hostIdentityProvider, ztsHostNameVerifier)) {
InstanceIdentity instanceIdentity =
ztsClient.registerInstance(
configserverIdentity,
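Review bot: The comment introduced above the new verifier setup says "Set up a hostname verified for zts" where "verifier" is meant, and it does not say what the `null` branch means for the connection; suggest `// Use the config server's identity verifier for ZTS when talking to the internal (config-server-hosted) ZTS; null leaves hostname verification to the HTTP client's default`. The local is named `ztsHostNameVerifier` while every other new identifier in this patch spells it `hostnameVerifier`; `ztsHostnameVerifier` would keep the naming consistent. Whether `null` really yields the client's default verification rather than none depends on how `ClientBase` hands it to the socket factory, which is outside this hunk, so that claim should be checked before the comment is committed. The enclosing method continues outside the hunk.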
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
index bda7e41c19b..4cc92828b0e 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
@@ -36,9 +36,10 @@ public abstract class ClientBase implements AutoCloseable {
protected ClientBase(String userAgent,
Supplier<SSLContext> sslContextSupplier,
- ClientExceptionFactory exceptionFactory) {
+ ClientExceptionFactory exceptionFactory,
+ HostnameVerifier hostnameVerifier) {
this.exceptionFactory = exceptionFactory;
- this.client = createHttpClient(userAgent, sslContextSupplier);
+ this.client = createHttpClient(userAgent, sslContextSupplier, hostnameVerifier);
}
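Review bot: The new `hostnameVerifier` constructor parameter accepts `null` (DefaultZmsClient passes it explicitly in this same commit), but nothing documents that, so a subclass author cannot tell whether `null` disables hostname verification or falls back to a default. Suggest a Javadoc on the constructor: `@param hostnameVerifier verifier applied to the server certificate's hostname, or {@code null} to use the HTTP client's default verification`. That wording assumes `SSLConnectionSocketFactory` substitutes its default verifier for `null` (as the second hunk of this file relies on); if that is not the case for the HttpClient version in use, `null` means no hostname check at all and the Javadoc and the ZMS caller should say so instead.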
protected <T> T execute(HttpUriRequest request, ResponseHandler<T> responseHandler) {
@@ -74,11 +75,11 @@ public abstract class ClientBase implements AutoCloseable {
return statusCode>=200 && statusCode<300;
}
- private static CloseableHttpClient createHttpClient(String userAgent, Supplier<SSLContext> sslContextSupplier) {
+ private static CloseableHttpClient createHttpClient(String userAgent, Supplier<SSLContext> sslContextSupplier, HostnameVerifier hostnameVerifier) {
return HttpClientBuilder.create()
.setRetryHandler(new DefaultHttpRequestRetryHandler(3, /*requestSentRetryEnabled*/true))
.setUserAgent(userAgent)
- .setSSLSocketFactory(new SSLConnectionSocketFactory(new ServiceIdentitySslSocketFactory(sslContextSupplier), (HostnameVerifier)null))
+ .setSSLSocketFactory(new SSLConnectionSocketFactory(new ServiceIdentitySslSocketFactory(sslContextSupplier), hostnameVerifier))
.setDefaultRequestConfig(RequestConfig.custom()
.setConnectTimeout((int) Duration.ofSeconds(10).toMillis())
.setConnectionRequestTimeout((int)Duration.ofSeconds(10).toMillis())
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index da3bd18440b..7b5427216a1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -5,7 +5,6 @@ import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
-import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.OktaAccessToken;
import com.yahoo.vespa.athenz.client.common.ClientBase;
import com.yahoo.vespa.athenz.client.zms.bindings.AccessResponseEntity;
@@ -45,7 +44,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
}
private DefaultZmsClient(URI zmsUrl, AthenzIdentity identity, Supplier<SSLContext> sslContextSupplier) {
- super("vespa-zms-client", sslContextSupplier, ZmsClientException::new);
+ super("vespa-zms-client", sslContextSupplier, ZmsClientException::new, null);
this.zmsUrl = addTrailingSlash(zmsUrl);
this.identity = identity;
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 8bd0d0b50d4..6c0348d7aa9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -26,6 +26,7 @@ import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
+import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import java.io.IOException;
import java.net.URI;
@@ -49,15 +50,19 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
private final URI ztsUrl;
public DefaultZtsClient(URI ztsUrl, SSLContext sslContext) {
- this(ztsUrl, () -> sslContext);
+ this(ztsUrl, () -> sslContext, null);
}
public DefaultZtsClient(URI ztsUrl, ServiceIdentityProvider identityProvider) {
- this(ztsUrl, identityProvider::getIdentitySslContext);
+ this(ztsUrl, identityProvider::getIdentitySslContext, null);
}
- private DefaultZtsClient(URI ztsUrl, Supplier<SSLContext> sslContextSupplier) {
- super("vespa-zts-client", sslContextSupplier, ZtsClientException::new);
+ public DefaultZtsClient(URI ztsUrl, ServiceIdentityProvider identityProvider, HostnameVerifier hostnameVerifier) {
+ this(ztsUrl, identityProvider::getIdentitySslContext, null);
+ }
+
+ private DefaultZtsClient(URI ztsUrl, Supplier<SSLContext> sslContextSupplier, HostnameVerifier hostnameVerifier) {
+ super("vespa-zts-client", sslContextSupplier, ZtsClientException::new, hostnameVerifier);
this.ztsUrl = addTrailingSlash(ztsUrl);
}
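Review bot: The new public constructor `DefaultZtsClient(URI, ServiceIdentityProvider, HostnameVerifier)` never forwards its `hostnameVerifier` argument — the delegating call passes `null`, so the `AthenzIdentityVerifier` that AthenzCredentialsMaintainer now constructs for the internal ZTS is silently discarded and the connection keeps whatever verification `null` yields. The fix is the one line `this(ztsUrl, identityProvider::getIdentitySslContext, hostnameVerifier);`. A unit test that constructs the client with a verifier that always rejects and asserts the request fails would have caught this and would keep it from regressing.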