From d55929be2d6d498c0df66691c99d6202651f8c85 Mon Sep 17 00:00:00 2001
From: andreer
Date: Wed, 5 Feb 2020 11:31:48 +0100
Subject: reduce certificate log spam
---
 .../container/jdisc/secretstore/SecretNotFoundException.java | 12 ++++++++++++
 .../endpointcertificates/EndpointCertificateManager.java | 12 ++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)
 create mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java b/container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java
new file mode 100644
index 00000000000..b9439432c06
--- /dev/null
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/secretstore/SecretNotFoundException.java
@@ -0,0 +1,12 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.container.jdisc.secretstore;
+
+/**
+ * @author mortent
+ */
+public class SecretNotFoundException extends RuntimeException {
+
+ public SecretNotFoundException(String message) {
+ super(message);
+ }
+}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
index cf43e83d735..c90d5886777 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
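Review bot: SecretNotFoundException offers only a message constructor, so a SecretStore implementation that maps a backend "secret missing" error onto it has no way to attach the original exception as the cause, and the class Javadoc carries only an author tag and says nothing about when the exception is thrown. I'd add `public SecretNotFoundException(String message, Throwable cause) { super(message, cause); }` next to the existing constructor and replace the author-only Javadoc with a sentence such as "Thrown by a SecretStore when the requested secret name or version does not exist." As far as this diff shows, the commit introduces the type but no SecretStore implementation throws it yet, so the new catch clause in EndpointCertificateManager only takes effect once an implementation does.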
@@ -5,6 +5,7 @@ import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.config.provision.zone.ZoneApi;
 import com.yahoo.config.provision.zone.ZoneId;
+import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
 import com.yahoo.container.jdisc.secretstore.SecretStore;
 import com.yahoo.log.LogLevel;
 import com.yahoo.security.SubjectAlternativeName;
@@ -20,7 +21,6 @@ import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
 import com.yahoo.vespa.hosted.controller.application.Endpoint;
 import com.yahoo.vespa.hosted.controller.application.EndpointId;
 import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
-import com.yahoo.vespa.hosted.controller.persistence.EndpointCertificateMetadataSerializer;
 import java.security.cert.X509Certificate;
 import java.time.Clock;
@@ -116,7 +116,8 @@ public class EndpointCertificateManager {
 try {
 var pemEncodedEndpointCertificate = secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version());
- if (pemEncodedEndpointCertificate == null) return logWarning(warningPrefix, "Certificate not found in secret store");
+ if (pemEncodedEndpointCertificate == null)
+ return logWarning(warningPrefix, "Secret store returned null for certificate");
 List x509CertificateList = X509CertificateUtils.certificateListFromPem(pemEncodedEndpointCertificate);
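Review bot: The reworded null check is now an unbraced `if` whose body sits on the following line, whereas the SAN check later in this diff uses a braced block for the same shape; the old one-line form was at least self-contained. I'd brace it: `if (pemEncodedEndpointCertificate == null) {` / `return logWarning(warningPrefix, "Secret store returned null for certificate");` / `}`, which keeps the try block uniform now that a second early-return block is being added to it. The enclosing method begins before this hunk and continues past it.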
@@ -139,10 +140,13 @@ public class EndpointCertificateManager {
 .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS_NAME))
 .map(SubjectAlternativeName::getValue).collect(Collectors.toSet());
- if (!subjectAlternativeNames.equals(Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))))
- return logWarning(warningPrefix, "The list of SANs in the certificate does not match what we expect");
+ if(Sets.intersection(subjectAlternativeNames, Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))).isEmpty()) {
+ return logWarning(warningPrefix, "No overlap between SANs in certificate and expected SANs");
+ }
 return true; // All good then, hopefully
+ } catch (SecretNotFoundException s) {
+ return logWarning(warningPrefix, "Certificate not found in secret store");
 } catch (Exception e) {
 log.log(LogLevel.WARNING, "Exception thrown when verifying endpoint certificate", e);
 return false;
-- cgit v1.2.3
From 0116cde0673ea2897df5e83c8620911c7331d342 Mon Sep 17 00:00:00 2001
From: andreer
Date: Wed, 5 Feb 2020 11:39:08 +0100
Subject: update abi spec
---
 container-disc/abi-spec.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/container-disc/abi-spec.json b/container-disc/abi-spec.json
index 29ca56fa9bc..81de014c6ad 100644
--- a/container-disc/abi-spec.json
+++ b/container-disc/abi-spec.json
@@ -33,6 +33,17 @@
 ],
 "fields": []
 },
+ "com.yahoo.container.jdisc.secretstore.SecretNotFoundException": {
+ "superClass": "java.lang.RuntimeException",
+ "interfaces": [],
+ "attributes": [
+ "public"
+ ],
+ "methods": [
+ "public void (java.lang.String)"
+ ],
+ "fields": []
+ },
 "com.yahoo.container.jdisc.secretstore.SecretStore": {
 "superClass": "java.lang.Object",
 "interfaces": [],
-- cgit v1.2.3
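Review bot: The replaced SAN check weakens certificate verification: set equality becomes `Sets.intersection(...).isEmpty()`, so a certificate that covers just one of the DNS names returned by dnsNamesOf(...) now passes verification and the missing names are no longer reported. If the aim (per the commit title) is to stop warning about certificates that merely carry extra SANs, the check that still catches an under-provisioned certificate is a subset test, `if (!subjectAlternativeNames.containsAll(Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))))` with the warning reworded to "Certificate is missing expected SANs"; that also needs no Sets helper (the import hunks above add none, so Sets is presumably already in scope from elsewhere in the file). Two smaller things in the same hunk: the catch variable `s` is never used and could be named `ignored` to make the deliberate suppression explicit, and `if(` should be `if (` as in the surrounding code. The enclosing method starts before this hunk and its closing lines are outside it.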