diff options
Diffstat (limited to 'node-admin/src/main/java/com')
-rw-r--r-- | node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java | 53 |
1 files changed, 19 insertions, 34 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java index 1d3fcb5fbf8..b6ec0ebbd94 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java @@ -43,7 +43,6 @@ import java.io.UncheckedIOException; import java.net.URI; import java.nio.file.Files; import java.nio.file.Path; -import java.nio.file.StandardCopyOption; import java.security.KeyPair; import java.security.PrivateKey; import java.security.cert.X509Certificate; @@ -76,7 +75,6 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { private static final String CONTAINER_SIA_DIRECTORY = "/var/lib/sia"; private static final String LEGACY_SIA_DIRECTORY = "/opt/vespa/var/vespa/sia"; - private final URI ztsEndpoint; private final Path ztsTrustStorePath; private final Timer timer; private final String certificateDnsSuffix; @@ -87,14 +85,12 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { // Used as an optimization to ensure ZTS is not DDoS'ed on continuously failing refresh attempts private final Map<ContainerName, Instant> lastRefreshAttempt = new ConcurrentHashMap<>(); - public AthenzCredentialsMaintainer(URI ztsEndpoint, - Path ztsTrustStorePath, + public AthenzCredentialsMaintainer(Path ztsTrustStorePath, ConfigServerInfo configServerInfo, String certificateDnsSuffix, ServiceIdentityProvider hostIdentityProvider, FlagSource flagSource, Timer timer) { - this.ztsEndpoint = ztsEndpoint; this.ztsTrustStorePath = ztsTrustStorePath; this.certificateDnsSuffix = certificateDnsSuffix; this.hostIdentityProvider = hostIdentityProvider; @@ -231,14 +227,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA); var athenzRole = AthenzRole.fromResourceNameString(role); - var containerIdentitySslContext = new SslContextBuilder() - .withKeyStore(privateKeyFile, certificateFile) - .withTrustStore(ztsTrustStorePath) - .build(); - try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(identityDocument)) - .withSslContext(containerIdentitySslContext) - .withHostnameVerifier(ztsHostNameVerifier) - .build()) { + try (ZtsClient ztsClient = ztsClient(identityDocument.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) { var csrGenerator = new CsrGenerator(certificateDnsSuffix, identityDocument.providerService().getFullName()); var csr = csrGenerator.generateRoleCsr( identity, athenzRole, identityDocument.providerUniqueId(), identityDocument.clusterType(), keyPair); @@ -318,7 +307,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { // Allow all zts hosts while removing SIS HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true; - try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withIdentityProvider(hostIdentityProvider).withHostnameVerifier(ztsHostNameVerifier).build()) { + try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), hostIdentityProvider.privateKeyPath(), hostIdentityProvider.certificatePath(), ztsHostNameVerifier)) { InstanceIdentity instanceIdentity = ztsClient.registerInstance( doc.providerService(), @@ -331,15 +320,6 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { } } - /** - * Return zts url from identity document, fallback to ztsEndpoint - */ - private URI ztsEndpoint(IdentityDocument doc) { - return Optional.ofNullable(doc.ztsUrl()) - .filter(s -> !s.isBlank()) - .map(URI::create) - .orElse(ztsEndpoint); - } private void refreshIdentity(NodeAgentContext context, ContainerPath privateKeyFile, ContainerPath certificateFile, ContainerPath identityDocumentFile, IdentityDocument doc, IdentityType identityType, AthenzIdentity identity) { KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA); @@ -347,14 +327,10 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { Pkcs10Csr csr = csrGenerator.generateInstanceCsr( identity, doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair); - SSLContext containerIdentitySslContext = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile) - .withTrustStore(ztsTrustStorePath) - .build(); - try { // Allow all zts hosts while removing SIS HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true; - try (ZtsClient ztsClient = new DefaultZtsClient.Builder(ztsEndpoint(doc)).withSslContext(containerIdentitySslContext).withHostnameVerifier(ztsHostNameVerifier).build()) { + try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) { InstanceIdentity instanceIdentity = ztsClient.refreshInstance( doc.providerService(), @@ -439,17 +415,26 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { var certsDirectory = legacySiaDirectory.resolve("certs"); Files.createDirectories(keysDirectory); Files.createDirectories(certsDirectory); - writeFile(certsDirectory.resolve(certificateFile.getFileName()), new String(Files.readAllBytes(certificateFile))); - writeFile(keysDirectory.resolve(privateKeyFile.getFileName()), new String(Files.readAllBytes(privateKeyFile))); + writeFile(certsDirectory.resolve(certificateFile.getFileName()), Files.readString(certificateFile)); + writeFile(keysDirectory.resolve(privateKeyFile.getFileName()), Files.readString(privateKeyFile)); } - /* - Get the document version to ask for - */ + /** Get the document version to ask for */ private int documentVersion(NodeAgentContext context) { return SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION; } + private ZtsClient ztsClient(URI ztsEndpoint, Path privateKeyFile, Path certificateFile, HostnameVerifier hostnameVerifier) { + SSLContext sslContext = new SslContextBuilder() + .withKeyStore(privateKeyFile, certificateFile) + .withTrustStore(ztsTrustStorePath) + .build(); + return new DefaultZtsClient.Builder(ztsEndpoint) + .withSslContext(sslContext) + .withHostnameVerifier(hostnameVerifier) + .build(); + } + private List<String> getRoleList(NodeAgentContext context) { try { return identityDocumentClient.getNodeRoles(context.hostname().value()); @@ -463,7 +448,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer { NODE("vespa-node-identity-document.json"), TENANT("vespa-tenant-identity-document.json"); - private String identityDocument; + private final String identityDocument; IdentityType(String identityDocument) { this.identityDocument = identityDocument; } |