From 0b0860e49eca445b7977e43575e3c72fe1263d8b Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Tue, 12 Jan 2021 09:50:57 +0100
Subject: Reduce role cert ttl, log expiry
---
 .../athenz/identityprovider/client/AthenzIdentityProviderImpl.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'vespa-athenz/src')
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index ef38ca8c6ad..7b13332052f 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -67,7 +67,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 // TODO These should match the requested expiration
 static final Duration UPDATE_PERIOD = Duration.ofDays(1);
 static final Duration AWAIT_TERMINTATION_TIMEOUT = Duration.ofSeconds(90);
- private final static Duration ROLE_SSL_CONTEXT_EXPIRY = Duration.ofHours(24);
+ private final static Duration ROLE_SSL_CONTEXT_EXPIRY = Duration.ofHours(2);
 private final static Duration ROLE_TOKEN_EXPIRY = Duration.ofMinutes(30);
 // TODO Make path to trust store paths config
@@ -280,6 +280,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 try (ZtsClient client = createZtsClient()) {
 X509Certificate roleCertificate = client.getRoleCertificate(role, csr);
 updateRoleKeyManager(role, roleCertificate);
+ log.info(String.format("Requester role certificate for role %s, expires: %s", role.toResourceNameString(), roleCertificate.getNotAfter().toInstant().toString()));
 return roleCertificate;
 }
 }
--
cgit v1.2.3
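Review bot: The `ROLE_SSL_CONTEXT_EXPIRY` declaration in the first hunk has no comment saying which lifetime the new 2-hour value governs, while it sits under `UPDATE_PERIOD = Duration.ofDays(1)` and the existing `// TODO These should match the requested expiration`. The uses of the constant are outside this hunk, so it is not visible here whether it is sent to ZTS as the requested certificate lifetime or only bounds how long a role SSL context is kept locally; in the second case the certificate's `notAfter` is still decided by the server. A one-line comment on the declaration would make the relationship explicit, for example `// Lifetime of a cached role SSL context; must stay below the validity of the role certificate ZTS issues`, adjusted to whatever the constant actually controls.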
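Review bot: The message in the added `log.info` call in the second hunk reads "Requester role certificate", which looks like a typo for "Requested"; this is the line an operator would search for when auditing role certificate expiry, so the wording is worth getting right before it ships. The trailing `.toString()` is also redundant under `%s`. Suggested line: `log.info(String.format("Requested role certificate for role %s, expires: %s", role.toResourceNameString(), roleCertificate.getNotAfter().toInstant()));`. The enclosing method begins above the hunk, so how often this path runs, and therefore how much this info-level line adds to the log, cannot be judged from here.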