[PLAT-16176] Fix TLS toggle for expired certs
Summary:
If NodeToNode certs have expired, we don't need to perform round1GflagUpgrade since the cluster is already down.
We can simply edit the universeDetails and set appropriate gflags in conf files for master/tserver/ybc and restart these services (handled by round2GflagUpgrade).

Test Plan:
tested locally

1. Created a universe with both nton and cton certs -> certs expired -> TLS toggle Off
2. Created a universe with only nton certs -> certs expired -> TLS toggle OFF
3. Created a universe with only cton certs -> certs expired -> TLS toggle OFF

Reviewers: svarshney, nsingh, nbhatia

Reviewed By: svarshney

Subscribers: yugaware

Differential Revision: https://phorge.dev.yugabyte.com/D40799
Arpit-yb committed Dec 20, 2024
1 parent 9778f9f commit dbff386
Showing 1 changed file with 10 additions and 0 deletions.
Expand Up @@ -101,6 +101,10 @@ public void run() {

private void createRound1GFlagUpdateTasks(MastersAndTservers nodes) {
if (getNodeToNodeChange() < 0) {
// Skip running round1 if Node2Node certs have expired
if (CertificateHelper.checkNode2NodeCertsExpiry(getUniverse())) {
return;
}
// Setting allow_insecure to true can be done in non-restart way
createNonRestartUpgradeTaskFlow(
(List<NodeDetails> nodeList, Set<ServerType> processTypes) -> {
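Review bot: The early `return` after `CertificateHelper.checkNode2NodeCertsExpiry(getUniverse())` skips round 1 silently, so nothing in the task output records that the non-restart `allow_insecure` step was bypassed or why. Suggest logging at info level just before the return, stating that node-to-node certs are expired and round 1 is being skipped. The helper's name also does not say which outcome `true` stands for; the comment implies "expired", so a name along the lines of `isNode2NodeCertExpired`, or a Javadoc on the helper, would make the condition self-explanatory. The helper body is not part of this diff, so please confirm how it behaves when only some nodes' certs have expired, since round 1 is then skipped for the whole universe. The change also ships without an automated test (one file changed, test plan is manual); a unit test covering the expired-cert disable path would guard this branch.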
Expand Down Expand Up @@ -313,6 +317,12 @@ private AnsibleConfigureServers getAnsibleConfigureServerTaskForYbcToggleTls(Nod
return task;
}

/*
* Returns:
* 1: If task is to enable node-to-node encryption
* -1: If task is to disable node-to-node encryption
* 0: If there is no change in node-to-node encryption
*/
private int getNodeToNodeChange() {
return getUserIntent().enableNodeToNodeEncrypt != taskParams().enableNodeToNodeEncrypt
? (taskParams().enableNodeToNodeEncrypt ? 1 : -1)
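Review bot: The new comment on `getNodeToNodeChange()` documents a three-valued int, but callers still have to remember the encoding, as in `if (getNodeToNodeChange() < 0)` in `createRound1GFlagUpdateTasks`. Consider returning a small enum (enable, disable, no change) or named constants so the call sites read without consulting the comment. If the int stays, make this a Javadoc block (`/**` with an `@return` tag) rather than a plain `/*` comment so the contract shows up in IDE hovers and generated docs.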