From dbff386a08a50e3e3aeb61cf5a013f52d4f773f1 Mon Sep 17 00:00:00 2001
From: Arpit Nabaria
Date: Thu, 19 Dec 2024 06:43:31 +0000
Subject: [PATCH] [PLAT-16176]Fix TLS toggle for expired certs
Summary: If NodeToNode certs have expired, we don't need to perform round1GflagUpgrade since the cluster is already down. We can simply edit the universeDetails and set appropriate gflags in conf files for master/tserver/ybc and restart these services (handled by round2GflagUpgrade)
Test Plan: tested locally
1. Created a universe with both nton and cton certs -> certs expired -> TLS toggle Off
2. Created a universe with only nton certs -> certs expired -> TLS toggle OFF
3. Created a universe with only cton certs -> certs expired -> TLS toggle OFF
Reviewers: svarshney, nsingh, nbhatia
Reviewed By: svarshney
Subscribers: yugaware
Differential Revision: https://phorge.dev.yugabyte.com/D40799
---
 .../yw/commissioner/tasks/upgrade/TlsToggle.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/TlsToggle.java b/managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/TlsToggle.java
index 7efc04e2aeec..842c7028cf3e 100644
--- a/managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/TlsToggle.java
+++ b/managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/TlsToggle.java
@@ -101,6 +101,10 @@ public void run() {
 private void createRound1GFlagUpdateTasks(MastersAndTservers nodes) {
 if (getNodeToNodeChange() < 0) {
+ // Skip running round1 if Node2Node certs have expired
+ if (CertificateHelper.checkNode2NodeCertsExpiry(getUniverse())) {
+ return;
+ }
 // Setting allow_insecure to true can be done in non-restart way
 createNonRestartUpgradeTaskFlow(
 (List nodeList, Set processTypes) -> {
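Review bot: The new early return in createRound1GFlagUpdateTasks skips the allow_insecure round silently when CertificateHelper.checkNode2NodeCertsExpiry(getUniverse()) is true, so the task log gives an operator no indication of why the non-restart flow was omitted on a universe whose TLS is being turned off. Add a log line before the `return;`, e.g. `log.info("Node-to-node certs for universe {} have expired; skipping round1 gflag update", getUniverse().getUniverseUUID());` (using whichever logger and universe accessor the class already has). The skip is also decided from the helper's notion of expiry rather than from the observed cluster state; if the helper reads the certificate record stored for the universe instead of what is deployed on the nodes, a stale record could bypass round1 while the cluster is still serving, which is worth confirming against CertificateHelper. The remainder of createRound1GFlagUpdateTasks continues outside the hunk.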
@@ -313,6 +317,12 @@ private AnsibleConfigureServers getAnsibleConfigureServerTaskForYbcToggleTls(Nod
 return task;
 }
+ /*
+ * Returns:
+ * 1: If task is to enable node-to-node encryption
+ * -1: If task is to disable node-to-node encryption
+ * 0: If there is no change in node-to-node encryption
+ */
 private int getNodeToNodeChange() {
 return getUserIntent().enableNodeToNodeEncrypt != taskParams().enableNodeToNodeEncrypt ? (taskParams().enableNodeToNodeEncrypt ? 1 : -1)
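Review bot: The comment added above getNodeToNodeChange is a plain `/* … */` block rather than Javadoc, so the three return values it documents will not appear in IDE hover text or generated docs for the method, even though callers such as createRound1GFlagUpdateTasks depend on the sign of the result. Open it with `/**` and fold the three cases into one `@return` tag, for example `@return 1 to enable node-to-node encryption, -1 to disable it, 0 when there is no change`, keeping the existing wording. The body of getNodeToNodeChange continues past the end of the hunk.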