From 761c86dc78215a8cc7a407953cbb87aba9c6ecda Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Thu, 23 Nov 2023 08:35:46 +0100
Subject: Add spiffe uri to role and service certs

---
 .../yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java | 6 ++++--
 .../athenz/identityprovider/client/InstanceCsrGeneratorTest.java | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 6d79e96a635..06a7c59b959 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -50,7 +50,8 @@ public class CsrGenerator {
                         instanceIdentity.getName(),
                         instanceIdentity.getDomainName().replace(".", "-"),
                         dnsSuffix))
-                .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
+                .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
+                .addSubjectAlternativeName(URI, instanceIdentity.spiffeUri().toString());
         if (clusterType != null) pkcs10CsrBuilder.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
         ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
         return pkcs10CsrBuilder.build();
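Review bot: The new URI SAN on the service-certificate builder chain carries no comment, and the method now emits three kinds of SAN (the Athenz DNS names, the instance's SPIFFE ID, and the conditional cluster-type URI) with nothing stating what each one identifies. A one-line comment above the added line, e.g. `// SPIFFE ID of the instance identity, as a URI SAN alongside the Athenz DNS SANs`, would make the certificate profile readable from this method alone. If `spiffeUri()` can return null for any identity, the `.toString()` here would throw an NPE while building the CSR; that is worth confirming against the accessor's contract. The enclosing method's signature and Javadoc lie outside the hunk.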
@@ -64,7 +65,8 @@ public class CsrGenerator {
         X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
         var b = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
                 .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
-                .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix));
+                .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+                .addSubjectAlternativeName(URI, "spiffe://%s/ra/%s".formatted(role.domain().getName(), role.roleName()));
         if (clusterType != null) b.addSubjectAlternativeName(URI, clusterType.asCertificateSanUri().toString());
         return b.build();
     }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
index cb2aac372ff..1f9ad2ced64 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
@@ -42,7 +42,8 @@ public class InstanceCsrGeneratorTest {
         var expectedSans = Set.of(
                 new SubjectAlternativeName(DNS, "bar.foo.prod-us-north-1.vespa.yahoo.cloud"),
                 new SubjectAlternativeName(DNS, "0.default.default.foo-app.vespa.us-north-1.prod.node.instanceid.athenz.prod-us-north-1.vespa.yahoo.cloud"),
-                new SubjectAlternativeName(URI, "vespa://cluster-type/container"));
+                new SubjectAlternativeName(URI, "vespa://cluster-type/container"),
+                new SubjectAlternativeName(URI, "spiffe://foo/sa/bar"));
         assertEquals(expectedSans, actualSans);
     }
 }
-- 
cgit v1.2.3
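Review bot: The role certificate's SPIFFE ID is hand-formatted as `"spiffe://%s/ra/%s".formatted(role.domain().getName(), role.roleName())`, whereas the service certificate in the previous hunk takes it from `instanceIdentity.spiffeUri()`, so the trust-domain and path layout of the SPIFFE ID is now defined in two places and only one of them is an accessor the rest of the code can share. Prefer exposing the role's SPIFFE ID the same way (an accessor on the role identity, or a shared helper next to `spiffeUri()`) so the `sa`/`ra` path convention and any validation of the domain and role name as SPIFFE path segments live in one spot. The diffstat lists only InstanceCsrGeneratorTest, and that hunk asserts `spiffe://foo/sa/bar` for the service certificate, so the role-certificate SAN added here has no test; asserting the expected `spiffe://<domain>/ra/<role>` URI in the role CSR test would pin it. The enclosing method starts before the hunk.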