summaryrefslogtreecommitdiffstats
path: root/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
diff options
context:
space:
mode:
Diffstat (limited to 'node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java53
1 files changed, 19 insertions, 34 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 1d3fcb5fbf8..b6ec0ebbd94 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -43,7 +43,6 @@ import java.io.UncheckedIOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
-import java.nio.file.StandardCopyOption;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
@@ -76,7 +75,6 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
private static final String CONTAINER_SIA_DIRECTORY = "/var/lib/sia";
private static final String LEGACY_SIA_DIRECTORY = "/opt/vespa/var/vespa/sia";
- private final URI ztsEndpoint;
private final Path ztsTrustStorePath;
private final Timer timer;
private final String certificateDnsSuffix;
@@ -87,14 +85,12 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
// Used as an optimization to ensure ZTS is not DDoS'ed on continuously failing refresh attempts
private final Map<ContainerName, Instant> lastRefreshAttempt = new ConcurrentHashMap<>();
- public AthenzCredentialsMaintainer(URI ztsEndpoint,
- Path ztsTrustStorePath,
+ public AthenzCredentialsMaintainer(Path ztsTrustStorePath,
ConfigServerInfo configServerInfo,
String certificateDnsSuffix,
ServiceIdentityProvider hostIdentityProvider,
FlagSource flagSource,
Timer timer) {
- this.ztsEndpoint = ztsEndpoint;
this.ztsTrustStorePath = ztsTrustStorePath;
this.certificateDnsSuffix = certificateDnsSuffix;
this.hostIdentityProvider = hostIdentityProvider;
@@ -231,14 +227,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
var athenzRole = AthenzRole.fromResourceNameString(role);
- var containerIdentitySslContext = new SslContextBuilder()
- .withKeyStore(privateKeyFile, certificateFile)
- .withTrustStore(ztsTrustStorePath)
- .build();
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(identityDocument))
- .withSslContext(containerIdentitySslContext)
- .withHostnameVerifier(ztsHostNameVerifier)
- .build()) {
+ try (ZtsClient ztsClient = ztsClient(identityDocument.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) {
var csrGenerator = new CsrGenerator(certificateDnsSuffix, identityDocument.providerService().getFullName());
var csr = csrGenerator.generateRoleCsr(
identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), keyPair);
@@ -318,7 +307,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
// Allow all zts hosts while removing SIS
HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withIdentityProvider(hostIdentityProvider).withHostnameVerifier(ztsHostNameVerifier).build()) {
+ try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), hostIdentityProvider.privateKeyPath(), hostIdentityProvider.certificatePath(), ztsHostNameVerifier)) {
InstanceIdentity instanceIdentity =
ztsClient.registerInstance(
doc.providerService(),
@@ -331,15 +320,6 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
}
}
- /**
- * Return zts url from identity document, fallback to ztsEndpoint
- */
- private URI ztsEndpoint(IdentityDocument doc) {
- return Optional.ofNullable(doc.ztsUrl())
- .filter(s -> !s.isBlank())
- .map(URI::create)
- .orElse(ztsEndpoint);
- }
private void refreshIdentity(NodeAgentContext context, ContainerPath privateKeyFile, ContainerPath certificateFile,
ContainerPath identityDocumentFile, IdentityDocument doc, IdentityType identityType, AthenzIdentity identity) {
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
@@ -347,14 +327,10 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
identity, doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
- SSLContext containerIdentitySslContext = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile)
- .withTrustStore(ztsTrustStorePath)
- .build();
-
try {
// Allow all zts hosts while removing SIS
HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
- try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) {
+ try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) {
InstanceIdentity instanceIdentity =
ztsClient.refreshInstance(
doc.providerService(),
@@ -439,17 +415,26 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
var certsDirectory = legacySiaDirectory.resolve("certs");
Files.createDirectories(keysDirectory);
Files.createDirectories(certsDirectory);
- writeFile(certsDirectory.resolve(certificateFile.getFileName()), new String(Files.readAllBytes(certificateFile)));
- writeFile(keysDirectory.resolve(privateKeyFile.getFileName()), new String(Files.readAllBytes(privateKeyFile)));
+ writeFile(certsDirectory.resolve(certificateFile.getFileName()), Files.readString(certificateFile));
+ writeFile(keysDirectory.resolve(privateKeyFile.getFileName()), Files.readString(privateKeyFile));
}
- /*
- Get the document version to ask for
- */
+ /** Get the document version to ask for */
private int documentVersion(NodeAgentContext context) {
return SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION;
}
+ private ZtsClient ztsClient(URI ztsEndpoint, Path privateKeyFile, Path certificateFile, HostnameVerifier hostnameVerifier) {
+ SSLContext sslContext = new SslContextBuilder()
+ .withKeyStore(privateKeyFile, certificateFile)
+ .withTrustStore(ztsTrustStorePath)
+ .build();
+ return new DefaultZtsClient.Builder(ztsEndpoint)
+ .withSslContext(sslContext)
+ .withHostnameVerifier(hostnameVerifier)
+ .build();
+ }
+
private List<String> getRoleList(NodeAgentContext context) {
try {
return identityDocumentClient.getNodeRoles(context.hostname().value());
@@ -463,7 +448,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
NODE("vespa-node-identity-document.json"),
TENANT("vespa-tenant-identity-document.json");
- private String identityDocument;
+ private final String identityDocument;
IdentityType(String identityDocument) {
this.identityDocument = identityDocument;
}