From b267b3642c34720e8a6353d9afaf324f64ff2f71 Mon Sep 17 00:00:00 2001 From: Bjørn Christian Seime Date: Tue, 29 May 2018 16:35:01 +0200 Subject: Use mutual TLS auth when retrieving identity document --- .../vespa/model/container/IdentityProvider.java | 21 ++++++++++++++++++++- .../model/container/xml/ContainerModelBuilder.java | 2 +- 2 files changed, 21 insertions(+), 2 deletions(-) (limited to 'config-model/src/main/java/com/yahoo')
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java b/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java
index fbfff408cb7..874a7933fbe 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java
@@ -4,6 +4,8 @@ package com.yahoo.vespa.model.container;
 import com.yahoo.config.provision.AthenzDomain;
 import com.yahoo.config.provision.AthenzService;
 import com.yahoo.config.provision.HostName;
+import com.yahoo.config.provision.SystemName;
+import com.yahoo.config.provision.Zone;
 import com.yahoo.container.bundle.BundleInstantiationSpecification;
 import com.yahoo.container.core.identity.IdentityConfig;
 import com.yahoo.osgi.provider.model.ComponentModel;
@@ -23,14 +25,21 @@ public class IdentityProvider extends SimpleComponent implements IdentityConfig.
 private final HostName loadBalancerName;
 private final URI ztsUrl;
 private final String athenzDnsSuffix;
+ private final Zone zone;
- public IdentityProvider(AthenzDomain domain, AthenzService service, HostName loadBalancerName, URI ztsUrl, String athenzDnsSuffix) {
+ public IdentityProvider(AthenzDomain domain,
+ AthenzService service,
+ HostName loadBalancerName,
+ URI ztsUrl,
+ String athenzDnsSuffix,
+ Zone zone) {
 super(new ComponentModel(BundleInstantiationSpecification.getFromStrings(CLASS, CLASS, BUNDLE)));
 this.domain = domain;
 this.service = service;
 this.loadBalancerName = loadBalancerName;
 this.ztsUrl = ztsUrl;
 this.athenzDnsSuffix = athenzDnsSuffix;
+ this.zone = zone;
 }
 @Override
@@ -42,5 +51,15 @@ public class IdentityProvider extends SimpleComponent implements IdentityConfig.
 builder.loadBalancerAddress(loadBalancerName.value());
 builder.ztsUrl(ztsUrl != null ? ztsUrl.toString() : "");
 builder.athenzDnsSuffix(athenzDnsSuffix != null ? athenzDnsSuffix : "");
+ builder.nodeIdentityName("vespa.vespa.tenant"); // TODO Move to Oath configmodel amender
+ builder.configserverIdentityName(getConfigserverIdentityName());
+ }
+
+ // TODO Move to Oath configmodel amender
+ private String getConfigserverIdentityName() {
+ return String.format("%s.provider_%s_%s",
+ zone.system() == SystemName.main ? "vespa.vespa" : "vespa.vespa.cd",
+ zone.environment().value(),
+ zone.region().value());
 }
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 46d968554d8..1745dc9855e 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
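Review bot: The new `zone` parameter is stored in the constructor without a null check, while the other nullable inputs of this class (`ztsUrl`, `athenzDnsSuffix`) are explicitly tolerated in `getConfig`; a null zone would only surface later as a NullPointerException out of `getConfigserverIdentityName()`, with no hint which input was missing. Since the zone now decides which config server identity the tenant will trust, failing at construction is preferable: `this.zone = Objects.requireNonNull(zone, "zone");` (requires importing `java.util.Objects`). A one-line Javadoc on the constructor, `@param zone the zone whose config server identity this container must verify`, would also document why the parameter was added.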
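Review bot: `getConfigserverIdentityName()` maps every system other than `SystemName.main` to the `vespa.vespa.cd` prefix, so if `SystemName` has, or later gains, values beyond main and cd, those systems would silently expect the cd config server's identity. Given the commit title, this string is presumably the peer identity the tenant verifies when retrieving its identity document over mutual TLS, so an unmapped system should fail loudly rather than fall back to a plausible-looking value; replacing the ternary with a `switch` over `zone.system()` that names each supported system explicitly and whose `default` throws `new IllegalArgumentException("No config server identity for system " + zone.system())` would achieve that. The method also deserves a comment stating its contract, e.g. `// Athenz identity the config server in this zone must present for mutual TLS; must match the service the config servers actually run as`, so the hardcoded prefixes are not changed without checking the server side.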
@@ -759,7 +759,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder {
 spec.athenzDomain().ifPresent(domain -> {
 AthenzService service = spec.athenzService(zone.environment(), zone.region())
 .orElseThrow(() -> new RuntimeException("Missing Athenz service configuration"));
- IdentityProvider identityProvider = new IdentityProvider(domain, service, getLoadBalancerName(loadBalancerName, configServerSpecs), ztsUrl, athenzDnsSuffix);
+ IdentityProvider identityProvider = new IdentityProvider(domain, service, getLoadBalancerName(loadBalancerName, configServerSpecs), ztsUrl, athenzDnsSuffix, zone);
 cluster.addComponent(identityProvider);
 cluster.getContainers().forEach(container -> {
-- cgit v1.2.3