Merge pull request #28843 from vespa-engine/mortent/fix-node-cert-ref…

…resh

fix node cert refresh MERGEOK

node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java

@@ -297,12 +297,15 @@ private void registerIdentity(NodeAgentContext context, ContainerPath privateKey
 
     private void refreshIdentity(NodeAgentContext context, ContainerPath privateKeyFile, ContainerPath certificateFile,
                                  ContainerPath identityDocumentFile, IdentityDocument doc, IdentityType identityType, AthenzIdentity identity) {
-        KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
-        CsrGenerator csrGenerator = new CsrGenerator(certificateDnsSuffix, doc.providerService().getFullName());
-        Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
-                identity, doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
-
         try {
+            // Do not rotate private key on every refresh.
+            // TODO: rotate key pair only on Vespa upgrade or similar
+            PrivateKey privateKey = readPrivateKeyFromFile(privateKeyFile);
+            KeyPair keyPair = KeyUtils.toKeyPair(privateKey);
+            CsrGenerator csrGenerator = new CsrGenerator(certificateDnsSuffix, doc.providerService().getFullName());
+            Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
+                    identity, doc.providerUniqueId(), doc.ipAddresses(), doc.clusterType(), keyPair);
+
             // Allow all zts hosts while removing SIS
             HostnameVerifier ztsHostNameVerifier = (hostname, sslSession) -> true;
             try (ZtsClient ztsClient = ztsClient(doc.ztsUrl(), privateKeyFile, certificateFile, ztsHostNameVerifier)) {
@@ -347,6 +350,11 @@ private static X509Certificate readCertificateFromFile(ContainerPath certificate
         return X509CertificateUtils.fromPem(pemEncodedCertificate);
     }
 
+    private static PrivateKey readPrivateKeyFromFile(ContainerPath privateKeyFile) throws IOException {
+        String pemEncodedKey = new String(Files.readAllBytes(privateKeyFile));
+        return KeyUtils.fromPemEncodedPrivateKey(pemEncodedKey);
+    }
+
     private static boolean isCertificateExpired(Instant expiry, Instant now) {
         return now.isAfter(expiry.minus(EXPIRY_MARGIN));
     }

vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java

@@ -278,17 +278,17 @@ private X509Certificate requestRoleCertificate(AthenzRole role) {
                 identity, role, athenzUniqueInstanceId, null, keyPair);
         try (ZtsClient client = createZtsClient()) {
             X509Certificate roleCertificate = client.getRoleCertificate(role, csr);
-            updateRoleKeyManager(role, roleCertificate);
+            updateRoleKeyManager(role, keyPair.getPrivate(), roleCertificate);
             log.info(String.format("Requester role certificate for role %s, expires: %s", role.toResourceNameString(), roleCertificate.getNotAfter().toInstant().toString()));
             return roleCertificate;
         }
     }
 
-    private void updateRoleKeyManager(AthenzRole role, X509Certificate certificate) {
+    private void updateRoleKeyManager(AthenzRole role, PrivateKey privateKey, X509Certificate certificate) {
         MutableX509KeyManager keyManager = roleKeyManagerCache.computeIfAbsent(role, r -> new MutableX509KeyManager());
         keyManager.updateKeystore(
                 KeyStoreBuilder.withType(PKCS12)
-                        .withKeyEntry("default", autoReloadingX509KeyManager.getCurrentCertificateWithKey().privateKey(), certificate)
+                        .withKeyEntry("default", privateKey, certificate)
                         .build(),
                 new char[0]);
     }