Diffstat (limited to 'controller-server/src')
3 files changed, 14 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index e640fcd0ea7..a91604f937b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
@@ -18,7 +18,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.security.KeyService;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 import java.security.PrivateKey;
-import java.util.concurrent.TimeUnit;
+import java.time.Duration;
 import static com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils.USER_PRINCIPAL_DOMAIN;
@@ -75,8 +75,12 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
         // TODO bjorncs: Cache principal token
         SimpleServiceIdentityProvider identityProvider = new SimpleServiceIdentityProvider(
-                athenzPrincipalAuthority, config.domain(), service.name(),
-                getServicePrivateKey(), service.publicKeyId(), /*tokenTimeout*/TimeUnit.HOURS.toSeconds(1));
+                athenzPrincipalAuthority,
+                config.domain(),
+                service.name(),
+                getServicePrivateKey(),
+                service.publicKeyId(),
+                Duration.ofMinutes(service.credentialsExpiryMinutes()).getSeconds());
         return identityProvider.getIdentity(config.domain(), service.name());
     }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
index d518e1905e5..a29f2e81fba 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
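Review bot: The token timeout handed to SimpleServiceIdentityProvider in the second hunk now comes straight from `service.credentialsExpiryMinutes()` with no check that it is positive, and with the new default of 43200 minutes every principal token minted here is valid for 30 days rather than the one hour the removed line used — the TODO just above says the token is not cached yet, so one such token is issued per call. What the provider does with a zero or negative timeout is not visible here, so I would validate before the call: `long tokenTimeoutSeconds = Duration.ofMinutes(service.credentialsExpiryMinutes()).getSeconds();` followed by `if (tokenTimeoutSeconds <= 0) throw new IllegalArgumentException("credentialsExpiryMinutes must be positive");` and pass `tokenTimeoutSeconds` as the last argument with a `/*tokenTimeout*/` marker like the old line had. The enclosing method begins outside the hunk.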
@@ -32,18 +32,19 @@ import static java.util.stream.Collectors.toList;
 public class ZtsClientImpl implements ZtsClient {
     private static final Logger log = Logger.getLogger(ZtsClientImpl.class.getName());
-    private static final Duration CERTIFICATE_EXPIRY = Duration.ofHours(1);
     private final ZTSClient ztsClient;
     private final AthenzService service;
     private final PrivateKey privateKey;
     private final String certificateDnsDomain;
+    private final Duration certExpiry;
     public ZtsClientImpl(ZTSClient ztsClient, PrivateKey privateKey, AthenzConfig config) {
         this.ztsClient = ztsClient;
         this.service = new AthenzService(config.domain(), config.service().name());
         this.privateKey = privateKey;
         this.certificateDnsDomain = config.certDnsDomain();
+        this.certExpiry = Duration.ofMinutes(config.service().credentialsExpiryMinutes());
     }
     @Override
@@ -71,7 +72,7 @@ public class ZtsClientImpl implements ZtsClient {
                 service.getName(),
                 privateKey,
                 certificateDnsDomain,
-                (int) CERTIFICATE_EXPIRY.getSeconds());
+                (int) certExpiry.getSeconds());
         X509Certificate certificate = Crypto.loadX509Certificate(
                 ztsClient.postInstanceRefreshRequest(service.getDomain().id(), service.getName(), req) .getCertificate());
@@ -93,7 +94,7 @@ public class ZtsClientImpl implements ZtsClient {
                 roleName,
                 privateKey,
                 certificateDnsDomain,
-                (int)CERTIFICATE_EXPIRY.getSeconds());
+                (int)certExpiry.getSeconds());
         X509Certificate roleCertificate = Crypto.loadX509Certificate(
                 ztsClient.postRoleCertificateRequest(roleDomain.id(), roleName, req) .getToken());
diff --git a/controller-server/src/main/resources/configdefinitions/athenz.def b/controller-server/src/main/resources/configdefinitions/athenz.def
index 2ee15e183f2..1d95ebd7860 100644
--- a/controller-server/src/main/resources/configdefinitions/athenz.def
+++ b/controller-server/src/main/resources/configdefinitions/athenz.def
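Review bot: `(int) certExpiry.getSeconds()` in the second and third hunks was a safe narrowing while the expiry was the fixed one-hour constant, but now that the value is configuration-driven the cast silently wraps for any credentialsExpiryMinutes above 35,791,394 (2^31-1 seconds) and passes a zero or negative value through unchanged into the certificate request. `Math.toIntExact(certExpiry.getSeconds())` in both places fails loudly on overflow, and the constructor in the first hunk is the place to reject the rest once: `if (certExpiry.isNegative() || certExpiry.isZero()) throw new IllegalArgumentException("credentialsExpiryMinutes must be positive, got " + certExpiry);`. A one-line comment on the new field would also help, e.g. `// Lifetime requested for both service and role certificates; sourced from athenz.def credentialsExpiryMinutes`. Both request-building methods start and end outside their hunks.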
@@ -31,3 +31,6 @@ service.privateKeyVersion int
 # Name of Athenz service private key secret
 service.privateKeySecretName string
+
+# Expiry of service principal token and certificate
+service.credentialsExpiryMinutes int default=43200 # 30 days
|
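Review bot: The new credentialsExpiryMinutes definition has no lower bound and its comment does not say that one value now governs three lifetimes (the service principal token, the service certificate and the role certificate), nor that the default moves all of them from one hour to 30 days; an operator reading only this file cannot see that consequence. I would extend the comment to `# Lifetime, in minutes, of the service principal token and of the service and role certificates requested from ZTS; must be positive. Default is 30 days (the previous fixed value was 1 hour).` and, if the definition format supports a range constraint, constrain the value to be at least 1.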