Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/Environment.java10
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/SslConfigServerApiImpl.java15
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresher.java14
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/containerdata/PromptContainerData.java2
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java10
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/KeyStoreOptions.java39
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresherTest.java2
7 files changed, 35 insertions, 57 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/Environment.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/Environment.java
index 4fb3049c39d..5fb619ee6e2 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/Environment.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/component/Environment.java
@@ -117,13 +117,11 @@ public class Environment {
this.keyStoreOptions = createKeyStoreOptions(
configServerConfig.keyStoreConfig().path(),
configServerConfig.keyStoreConfig().password().toCharArray(),
- configServerConfig.keyStoreConfig().type().name(),
- "BC");
+ configServerConfig.keyStoreConfig().type().name());
this.trustStoreOptions = createKeyStoreOptions(
configServerConfig.trustStoreConfig().path(),
configServerConfig.trustStoreConfig().password().toCharArray(),
- configServerConfig.trustStoreConfig().type().name(),
- null);
+ configServerConfig.trustStoreConfig().type().name());
this.athenzIdentity = createAthenzIdentity(
configServerConfig.athenzDomain(),
configServerConfig.serviceName());
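Review bot: Removing the explicit `"BC"` provider argument means the key store is no longer instantiated through BouncyCastle but through whatever `KeyStoreBuilder.withType(...)` selects, which is not visible in this commit. If existing keystore files on nodes were written by the BC PKCS12 implementation, confirm the default provider reads and rewrites them without loss (the refresher test in this commit covers a fresh store, not a pre-existing one). The trust store already used the default provider (`null`), so after this change both stores follow the same path, which is simpler to reason about. The enclosing constructor continues outside the hunk.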
@@ -184,10 +182,10 @@ public class Environment {
return Arrays.asList(logstashNodes.split("[,\\s]+"));
}
- private static Optional<KeyStoreOptions> createKeyStoreOptions(String pathToKeyStore, char[] password, String type, String provider) {
+ private static Optional<KeyStoreOptions> createKeyStoreOptions(String pathToKeyStore, char[] password, String type) {
return Optional.ofNullable(pathToKeyStore)
.filter(path -> !Strings.isNullOrEmpty(path))
- .map(path -> new KeyStoreOptions(Paths.get(path), password, type, provider));
+ .map(path -> new KeyStoreOptions(Paths.get(path), password, type));
}
private static Optional<AthenzIdentity> createAthenzIdentity(String athenzDomain, String serviceName) {
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/SslConfigServerApiImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/SslConfigServerApiImpl.java
index 04b222875c3..110dbe9c9b3 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/SslConfigServerApiImpl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/SslConfigServerApiImpl.java
@@ -3,7 +3,6 @@ package com.yahoo.vespa.hosted.node.admin.configserver;
import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
import com.yahoo.vespa.athenz.tls.AthenzSslContextBuilder;
-import com.yahoo.vespa.athenz.tls.KeyStoreType;
import com.yahoo.vespa.hosted.node.admin.component.Environment;
import com.yahoo.vespa.hosted.node.admin.configserver.certificate.ConfigServerKeyStoreRefresher;
import com.yahoo.vespa.hosted.node.admin.util.KeyStoreOptions;
@@ -18,7 +17,7 @@ import java.util.Optional;
/**
* ConfigServerApi with proper keystore, truststore and hostname verifier to communicate with the
- * configserver(s). The keystore is refreshed automatically.
+ * config server(s). The keystore is refreshed automatically.
*
* @author freva
*/
@@ -99,16 +98,8 @@ public class SslConfigServerApiImpl implements ConfigServerApi {
private SSLContext makeSslContext(Optional<KeyStoreOptions> keyStoreOptions) {
AthenzSslContextBuilder sslContextBuilder = new AthenzSslContextBuilder();
- environment.getTrustStoreOptions().ifPresent(
- options -> sslContextBuilder.withTrustStore(options.path.toFile(), KeyStoreType.valueOf(options.type)));
-
- keyStoreOptions.ifPresent(options -> {
- try {
- sslContextBuilder.withKeyStore(options.path.toFile(), options.password, KeyStoreType.valueOf(options.type));
- } catch (Exception e) {
- throw new RuntimeException("Failed to read key store", e);
- }
- });
+ environment.getTrustStoreOptions().map(KeyStoreOptions::loadKeyStore).ifPresent(sslContextBuilder::withTrustStore);
+ keyStoreOptions.ifPresent(options -> sslContextBuilder.withKeyStore(options.loadKeyStore(), options.password));
return sslContextBuilder.build();
}
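Review bot: The trust store is now opened with its configured password, because `KeyStoreOptions::loadKeyStore` calls `fromFile(path.toFile(), password)`, whereas the removed `withTrustStore(options.path.toFile(), KeyStoreType.valueOf(options.type))` passed no password at all. A stale or wrong `trustStoreConfig().password()` that was previously harmless will now make the trust-store load fail (and with it every config-server connection), so check that value on the deployed configs before this ships. The removed try/catch also gave key-store failures a message saying what failed; with whatever `KeyStoreBuilder` throws now propagating bare, consider keeping a wrapper that includes `options.path` so a bad path or password is diagnosable from the log, e.g. `catch (RuntimeException e) { throw new RuntimeException("Failed to read key store " + options.path, e); }`.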
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresher.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresher.java
index ae725769bdb..a9db96c2a77 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresher.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresher.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.node.admin.configserver.certificate;
import com.yahoo.log.LogLevel;
import com.yahoo.net.HostName;
+import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
import com.yahoo.vespa.hosted.node.admin.configserver.ConfigServerApi;
import com.yahoo.vespa.hosted.node.admin.util.KeyStoreOptions;
import org.bouncycastle.asn1.x500.X500Name;
@@ -12,7 +13,6 @@ import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
-import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
@@ -159,14 +159,12 @@ public class ConfigServerKeyStoreRefresher {
private void storeCertificate(KeyPair keyPair, X509Certificate certificate)
throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, NoSuchProviderException {
keyStoreOptions.path.getParent().toFile().mkdirs();
- X509Certificate[] certificateChain = {certificate};
- try (FileOutputStream fos = new FileOutputStream(keyStoreOptions.path.toFile())) {
- KeyStore keyStore = keyStoreOptions.getKeyStoreInstance();
- keyStore.load(null, null);
- keyStore.setKeyEntry(KEY_STORE_ALIAS, keyPair.getPrivate(), keyStoreOptions.password, certificateChain);
- keyStore.store(fos, keyStoreOptions.password);
- }
+ KeyStore keyStore = KeyStoreBuilder.withType(keyStoreOptions.keyStoreType)
+ .withKeyEntry(KEY_STORE_ALIAS, keyPair.getPrivate(), keyStoreOptions.password, certificate)
+ .build();
+
+ keyStoreOptions.storeKeyStore(keyStore);
}
private X509Certificate sendCsr(PKCS10CertificationRequest csr) {
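Review bot: `storeCertificate` still declares `throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, NoSuchProviderException`, but the rewritten body only calls `KeyStoreBuilder` and `keyStoreOptions.storeKeyStore`, neither of which declares a checked exception in the KeyStoreOptions hunk of this commit, so the clause looks stale and should be trimmed (callers catching these will need the same trimming). The removed code wrote the store with a plain `FileOutputStream`; how `KeyStoreUtils.writeKeyStoreToFile` creates the file is not visible here, so confirm it is written with owner-only permissions, since this store holds the node's private key. A short Javadoc on the method, `/** Builds a key store holding the node's private key and certificate and writes it to keyStoreOptions.path, creating parent directories. */`, would also help now that the body no longer shows the file handling.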
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/containerdata/PromptContainerData.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/containerdata/PromptContainerData.java
index ea9b2312b77..8b6be32f649 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/containerdata/PromptContainerData.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/containerdata/PromptContainerData.java
@@ -24,7 +24,7 @@ public class PromptContainerData {
"color_off='\\[\\e[0m\\]' # Text Reset\n" +
"color_bold='\\[\\e[1m\\]' # Bold text\n" +
"\n" +
- "env_colour=#if($zone.getSystem() == \"main\")#if($zone.getEnvironment() == \"prod\")'\\e[0;91m'#else'\\e[0;33m'#end#else$green#end\n" +
+ "env_colour=#if($zone.getSystem() == \"main\")#if($zone.getEnvironment() == \"prod\")'\\[\\e[0;91m\\]'#else'\\[\\e[0;33m\\]'#end#else'\\[\\e[0;32m\\]'#end\n" +
"\n" +
"\n" +
"PS1=\"${env_colour}$zone.getRegion().toUpperCase()${color_off} [\\u@${color_bold}\\h${color_off}:\\w]\\$ \"\n" +
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java
index 336e947d7b4..f08c91ec9c0 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java
@@ -29,6 +29,7 @@ import com.yahoo.vespa.hosted.node.admin.component.Environment;
import com.yahoo.vespa.hosted.node.admin.util.PrefixLogger;
import com.yahoo.vespa.hosted.provision.Node;
+import java.io.UncheckedIOException;
import java.text.SimpleDateFormat;
import java.time.Clock;
import java.time.Duration;
@@ -688,18 +689,21 @@ public class NodeAgentImpl implements NodeAgent {
ContainerName.fromHostname(nodeSpec.hostname));
// ContainerData only works when root, which is the case only for HostAdmin so far -- config nodes are only used under HostAdmin.
+ // If this fails, however, we should fail the start-up, as the config server won't work without it. Thus, no catch here.
if (nodeSpec.nodeType.equals(NodeType.config.name())) {
logger.info("Creating files needed by config server");
new ConfigServerContainerData(environment, nodeSpec.hostname).writeTo(containerData);
}
- // ContainerData only works when root, which is the case only for HostAdmin so far -- only AWS uses HostAdmin now.
- if (environment.getRegion().startsWith("aws-")) {
+ // ContainerData only works when root, which is the case only for HostAdmin so far. Allow this to fail, since it's not critical.
+ try {
logger.info("Creating files for message of the day and the bash prompt");
new MotdContainerData(nodeSpec, environment).writeTo(containerData);
new PromptContainerData(environment).writeTo(containerData);
}
-
+ catch (UncheckedIOException e) {
+ logger.info("Failed creating files for message of the day and the bash prompt", e);
+ }
}
}
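Review bot: The new catch only covers `UncheckedIOException`, while the comment above it says this step is allowed to fail because it is not critical; any other runtime failure from `MotdContainerData`/`PromptContainerData` (template rendering, for instance) still propagates and aborts the start-up that the preceding comment says must only fail for config-server data. Either widen the catch to the failures you consider non-critical or narrow the comment to "Allow I/O failures here, since it's not critical". A tolerated failure is also easier to notice if logged at a warning level rather than `info`. The enclosing method starts outside the hunk.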
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/KeyStoreOptions.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/KeyStoreOptions.java
index 1115f6dca91..03aff7f22d8 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/KeyStoreOptions.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/KeyStoreOptions.java
@@ -1,45 +1,32 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.node.admin.util;
-import java.io.FileInputStream;
-import java.io.IOException;
+import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
+import com.yahoo.vespa.athenz.tls.KeyStoreType;
+import com.yahoo.vespa.athenz.tls.KeyStoreUtils;
+
import java.nio.file.Path;
import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.cert.CertificateException;
-import java.util.Optional;
public class KeyStoreOptions {
public final Path path;
public final char[] password;
- public final String type;
- private final Optional<String> provider;
+ public final KeyStoreType keyStoreType;
public KeyStoreOptions(Path path, char[] password, String type) {
- this(path, password, type, null);
- }
-
- public KeyStoreOptions(Path path, char[] password, String type, String provider) {
this.path = path;
this.password = password;
- this.type = type;
- this.provider = Optional.ofNullable(provider);
+ this.keyStoreType = KeyStoreType.valueOf(type);
}
- public KeyStore loadKeyStore()
- throws IOException, NoSuchProviderException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
- try (FileInputStream in = new FileInputStream(path.toFile())) {
- KeyStore keyStore = getKeyStoreInstance();
- keyStore.load(in, password);
- return keyStore;
- }
+ public KeyStore loadKeyStore() {
+ return KeyStoreBuilder
+ .withType(keyStoreType)
+ .fromFile(path.toFile(), password)
+ .build();
}
- public KeyStore getKeyStoreInstance() throws NoSuchProviderException, KeyStoreException {
- return provider.isPresent() ?
- KeyStore.getInstance(type, provider.get()) :
- KeyStore.getInstance(type);
+ public void storeKeyStore(KeyStore keyStore) {
+ KeyStoreUtils.writeKeyStoreToFile(keyStore, path.toFile(), password);
}
}
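Review bot: `KeyStoreType.valueOf(type)` in the constructor now rejects an unknown type string at construction with a bare "No enum constant" `IllegalArgumentException`, which is a good fail-fast but is undocumented; add a class Javadoc such as `/** Path, password and type of a key or trust store; construction fails with IllegalArgumentException if {@code type} is not a {@link KeyStoreType} name. */`. The `password` array is kept by reference (`this.password = password`) and exposed as a public field, so a caller that zeroes its array after construction silently breaks `loadKeyStore`/`storeKeyStore`; either `this.password = password.clone();` or state the sharing in a comment on the field. `loadKeyStore` and `storeKeyStore` no longer declare the checked exceptions the old methods did, so a one-line Javadoc on each saying that failures surface as whatever the Athenz builder throws would help callers that used to catch `IOException` here.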
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresherTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresherTest.java
index f9f8b230154..85684ea3bd4 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresherTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresherTest.java
@@ -54,7 +54,7 @@ public class ConfigServerKeyStoreRefresherTest {
@Before
public void setup() {
keyStoreOptions = new KeyStoreOptions(
- tempFolder.getRoot().toPath().resolve("some/path/keystore.p12"), new char[0], "PKCS12", null);
+ tempFolder.getRoot().toPath().resolve("some/path/keystore.p12"), new char[0], "PKCS12");
}
@Test