From dc1fe2964619e827517237a1ed3db960b680459d Mon Sep 17 00:00:00 2001
From: HÃ¥kon Hallingstad
Date: Thu, 29 Sep 2022 11:30:35 +0200
Subject: Remove pem-trust-store flag
---
 .../identity/AthenzCredentialsMaintainer.java | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)
(limited to 'node-admin')
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 70b9cc9cc16..b903712254b 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -2,7 +2,6 @@ package com.yahoo.vespa.hosted.node.admin.maintenance.identity;
 import com.yahoo.security.KeyAlgorithm;
-import com.yahoo.security.KeyStoreType;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.Pkcs10Csr;
 import com.yahoo.security.SslContextBuilder;
@@ -63,8 +62,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 private static final String CONTAINER_SIA_DIRECTORY = "/var/lib/sia";
 private final URI ztsEndpoint;
- private final Path ztsTrustStoreJksPath;
- private final Path ztsTrustStorePemPath;
+ private final Path ztsTrustStorePath;
 private final AthenzIdentity configserverIdentity;
 private final Clock clock;
 private final ServiceIdentityProvider hostIdentityProvider;
@@ -76,16 +74,14 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 private final Map lastRefreshAttempt = new ConcurrentHashMap<>();
 public AthenzCredentialsMaintainer(URI ztsEndpoint,
- Path ztsTrustStoreJksPath,
- Path ztsTrustStorePemPath,
+ Path ztsTrustStorePath,
 ConfigServerInfo configServerInfo,
 String certificateDnsSuffix,
 ServiceIdentityProvider hostIdentityProvider,
 boolean useInternalZts,
 Clock clock) {
 this.ztsEndpoint = ztsEndpoint;
- this.ztsTrustStoreJksPath = ztsTrustStoreJksPath;
- this.ztsTrustStorePemPath = ztsTrustStorePemPath;
+ this.ztsTrustStorePath = ztsTrustStorePath;
 this.configserverIdentity = configServerInfo.getConfigServerIdentity();
 this.csrGenerator = new CsrGenerator(certificateDnsSuffix, configserverIdentity.getFullName());
 this.hostIdentityProvider = hostIdentityProvider;
@@ -211,13 +207,9 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
 context.identity(), identityDocument.providerUniqueId(), identityDocument.ipAddresses(), keyPair);
- var sslContextBuilder = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile);
- if (ztsTrustStorePemPath != null) {
- sslContextBuilder.withTrustStore(ztsTrustStorePemPath);
- } else {
- sslContextBuilder.withTrustStore(ztsTrustStoreJksPath, KeyStoreType.JKS);
- }
- SSLContext containerIdentitySslContext = sslContextBuilder.build();
+ SSLContext containerIdentitySslContext = new SslContextBuilder().withKeyStore(privateKeyFile, certificateFile)
+ .withTrustStore(ztsTrustStorePath)
+ .build();
 try {
 // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
--
cgit v1.2.3
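Review bot: The constructor stores `ztsTrustStorePath` without a null check, and the removed `if (ztsTrustStorePemPath != null)` fallback was the only thing that previously tolerated a missing trust-store path; a null now surfaces only when `withTrustStore` runs during a credential refresh rather than when the maintainer is built. Since this path decides which ZTS server certificate the node trusts, a misconfigured node should fail fast and loudly: `this.ztsTrustStorePath = Objects.requireNonNull(ztsTrustStorePath, "ztsTrustStorePath");`. The `java.util.Objects` import is not visible in the import hunk above and may need adding.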
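Review bot: The new chain uses the single-argument `withTrustStore(ztsTrustStorePath)`, the overload the removed code reserved for the PEM path, while the JKS path was passed explicitly as `withTrustStore(ztsTrustStoreJksPath, KeyStoreType.JKS)`; if that overload assumes PEM, any deployment still pointing this at a JKS file would fail to build the SSLContext at first refresh instead of at startup. Worth confirming that every caller now supplies a PEM file, and making the assumption visible with a comment above the chain such as `// ZTS trust store is expected in PEM format; the JKS fallback was removed` or by naming the field `ztsTrustStorePemPath`. The enclosing method starts and ends outside this hunk.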