Diffstat (limited to 'node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java25
1 files changed, 24 insertions, 1 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index c9c76e1edd3..9e295b6a8e6 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.node.admin.maintenance.identity;
+import com.yahoo.component.Version;
+import com.yahoo.config.provision.ApplicationId;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.Pkcs10Csr;
@@ -107,6 +109,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
modified |= maintain(context, NODE);
if (shouldWriteTenantServiceIdentity(context))
modified |= maintain(context, TENANT);
+ else
+ modified |= deleteTenantCredentials(context);
return modified;
}
@@ -195,6 +199,21 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
return "node-certificate";
}
+ private boolean deleteTenantCredentials(NodeAgentContext context) {
+ var siaDirectory = context.paths().of(CONTAINER_SIA_DIRECTORY, context.users().vespa());
+ var identityDocumentFile = siaDirectory.resolve(TENANT.getIdentityDocument());
+ var athenzIdentity = getAthenzIdentity(context, TENANT, identityDocumentFile);
+ var privateKeyFile = (ContainerPath) SiaUtils.getPrivateKeyFile(siaDirectory, athenzIdentity);
+ var certificateFile = (ContainerPath) SiaUtils.getCertificateFile(siaDirectory, athenzIdentity);
+ try {
+ return Files.deleteIfExists(identityDocumentFile) ||
+ Files.deleteIfExists(privateKeyFile) ||
+ Files.deleteIfExists(certificateFile);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
private boolean shouldRefreshCredentials(Duration age) {
return age.compareTo(REFRESH_PERIOD) >= 0;
}
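Review bot: The `||` chain in deleteTenantCredentials short-circuits, so as soon as the identity document is deleted the private key and certificate are left on disk; since `Files.deleteIfExists` returns true on success, a node that holds all three files loses only one of them per maintenance run and the tenant private key outlives the decision to stop issuing it for at least one more cycle. Use non-short-circuit evaluation so every file is attempted each run: `return Files.deleteIfExists(privateKeyFile) | Files.deleteIfExists(certificateFile) | Files.deleteIfExists(identityDocumentFile);` — removing the key first also avoids a window where the key exists without its document. It is also worth confirming that `getAthenzIdentity(context, TENANT, identityDocumentFile)` tolerates a missing identity document, because this method now runs on every tick where the flag is off, including after the document has already been removed; if it reads the file, the maintainer would throw on the second tick.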
@@ -321,8 +340,12 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
}
private boolean shouldWriteTenantServiceIdentity(NodeAgentContext context) {
+ var version = context.node().currentVespaVersion()
+ .orElse(context.node().wantedVespaVersion().orElse(Version.emptyVersion));
+ var appId = context.node().owner().orElse(ApplicationId.defaultId());
return tenantServiceIdentityFlag
- .with(FetchVector.Dimension.HOSTNAME, context.hostname().value())
+ .with(FetchVector.Dimension.VESPA_VERSION, version.toFullString())
+ .with(FetchVector.Dimension.APPLICATION_ID, appId.serializedForm())
.value();
}
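Review bot: shouldWriteTenantServiceIdentity now substitutes `ApplicationId.defaultId()` when the node has no owner, so an unallocated node is evaluated against APPLICATION_ID flag rules as the default application, and a rule matching that id would make the node write a tenant service identity with no tenant behind it. If, as the Optional suggests, a node without an owner has no tenant application, it is safer to decide before consulting the flag: `if (context.node().owner().isEmpty()) return false;` — the new else branch in maintain then removes any stale tenant credentials. A short comment on the version lookup, e.g. `// Prefer the running version; fall back to the wanted version for nodes that have not reported one`, would make the intent of the nested orElse clear. Dropping the HOSTNAME dimension also means any existing flag rules keyed on hostname silently stop matching — presumably intended, but worth stating in the commit description.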