-rw-r--r--flags/src/main/java/com/yahoo/vespa/flags/Flags.java6
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java20
2 files changed, 6 insertions, 20 deletions
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index cd5debe147e..8cd7ebd0697 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
@@ -55,12 +55,6 @@ public class Flags {
"On first tick of the main chain after (re)start of host admin.",
ZONE_ID, NODE_TYPE, HOSTNAME);
- public static final UnboundBooleanFlag PEM_TRUST_STORE = defineFeatureFlag(
- "pem-trust-store", true,
- List.of("hakonhall"), "2022-09-15", "2022-10-14",
- "Whether to use the host admin server's trust store in the request when refreshing node identity.",
- "On start of host admin.");
-
public static final UnboundDoubleFlag DEFAULT_TERM_WISE_LIMIT = defineDoubleFlag(
"default-term-wise-limit", 1.0,
List.of("baldersheim"), "2020-12-02", "2023-01-01",
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 70b9cc9cc16..b903712254b 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -2,7 +2,6 @@
package com.yahoo.vespa.hosted.node.admin.maintenance.identity;
import com.yahoo.security.KeyAlgorithm;
-import com.yahoo.security.KeyStoreType;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.Pkcs10Csr;
import com.yahoo.security.SslContextBuilder;
@@ -63,8 +62,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private static final String CONTAINER_SIA_DIRECTORY = "/var/lib/sia";
private final URI ztsEndpoint;
- private final Path ztsTrustStoreJksPath;
- private final Path ztsTrustStorePemPath;
+ private final Path ztsTrustStorePath;
private final AthenzIdentity configserverIdentity;
private final Clock clock;
private final ServiceIdentityProvider hostIdentityProvider;
@@ -76,16 +74,14 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private final Map<ContainerName, Instant> lastRefreshAttempt = new ConcurrentHashMap<>();
public AthenzCredentialsMaintainer(URI ztsEndpoint,
- Path ztsTrustStoreJksPath,
- Path ztsTrustStorePemPath,
+ Path ztsTrustStorePath,
ConfigServerInfo configServerInfo,
String certificateDnsSuffix,
ServiceIdentityProvider hostIdentityProvider,
boolean useInternalZts,
Clock clock) {
this.ztsEndpoint = ztsEndpoint;
- this.ztsTrustStoreJksPath = ztsTrustStoreJksPath;
- this.ztsTrustStorePemPath = ztsTrustStorePemPath;
+ this.ztsTrustStorePath = ztsTrustStorePath;
this.configserverIdentity = configServerInfo.getConfigServerIdentity();
this.csrGenerator = new CsrGenerator(certificateDnsSuffix, configserverIdentity.getFullName());
this.hostIdentityProvider = hostIdentityProvider;
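Review bot: The new ztsTrustStorePath parameter is stored unchecked at `this.ztsTrustStorePath = ztsTrustStorePath;`, whereas the removed code tolerated a null PEM path by falling back to the JKS store; with that fallback gone, a null path would only surface later, when the refresh code calls `withTrustStore(ztsTrustStorePath)` during maintenance rather than at construction. Since this path is what anchors trust in the ZTS endpoint when container identities are refreshed, I would fail fast with `this.ztsTrustStorePath = Objects.requireNonNull(ztsTrustStorePath, "ztsTrustStorePath");` (java.util.Objects) so a misconfigured host admin is caught at startup with a clear message. A short comment on the field in the previous hunk would also help, e.g. `// Trust store used for the ZTS endpoint (presumably PEM, as the single-argument withTrustStore overload was previously reserved for the PEM path); the JKS fallback was removed together with the pem-trust-store flag`. The constructor body continues past the end of the hunk.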
@@ -211,13 +207,9 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
context.identity(), identityDocument.providerUniqueId(), identityDocument.ipAddresses(), keyPair);
- var sslContextBuilder = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile);
- if (ztsTrustStorePemPath != null) {
- sslContextBuilder.withTrustStore(ztsTrustStorePemPath);
- } else {
- sslContextBuilder.withTrustStore(ztsTrustStoreJksPath, KeyStoreType.JKS);
- }
- SSLContext containerIdentitySslContext = sslContextBuilder.build();
+ SSLContext containerIdentitySslContext = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile)
+ .withTrustStore(ztsTrustStorePath)
+ .build();
try {
// Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis