[PLAT-12732] toggle tls and cert rotation v2 apis
Summary:
 implement toggling of node to node and client to node encryption, along
 with rotating certs for both encryptions.

Test Plan: new unit test

Reviewers: sneelakantan, #yba-api-review

Reviewed By: sneelakantan, #yba-api-review

Subscribers: yugaware

Differential Revision: https://phorge.dev.yugabyte.com/D36486
shubin-yb committed Jul 15, 2024
1 parent 1773ae2 commit 39c6228
Showing 14 changed files with 627 additions and 0 deletions.
Expand Up @@ -5,8 +5,10 @@
import api.v2.handlers.UniverseUpgradesManagementHandler;
import api.v2.models.ClusterAddSpec;
import api.v2.models.Universe;
import api.v2.models.UniverseCertRotateSpec;
import api.v2.models.UniverseCreateSpec;
import api.v2.models.UniverseDeleteSpec;
import api.v2.models.UniverseEditEncryptionInTransit;
import api.v2.models.UniverseEditGFlags;
import api.v2.models.UniverseEditSpec;
import api.v2.models.UniverseRestart;
Expand Down Expand Up @@ -125,4 +127,17 @@ public YBATask systemdEnable(
throws Exception {
return universeUpgradeHandler.systemdEnable(request, cUUID, uniUUID, systemd);
}

@Override
public YBATask encryptionInTransitToggle(
Request request, UUID cUUID, UUID uniUUID, UniverseEditEncryptionInTransit spec)
throws Exception {
return universeUpgradeHandler.tlsToggle(request, cUUID, uniUUID, spec);
}

@Override
public YBATask encryptionInTransitCertRotate(
Request request, UUID cUUID, UUID uniUUID, UniverseCertRotateSpec spec) throws Exception {
return universeUpgradeHandler.certRotate(request, cUUID, uniUUID, spec);
}
}
Expand Up @@ -3,6 +3,7 @@

import static play.mvc.Http.Status.BAD_REQUEST;

import api.v2.mappers.UniverseCertsRotateParamsMapper;
import api.v2.mappers.UniverseDefinitionTaskParamsMapper;
import api.v2.mappers.UniverseEditGFlagsMapper;
import api.v2.mappers.UniverseRestartParamsMapper;
Expand All @@ -13,6 +14,9 @@
import api.v2.mappers.UniverseSoftwareUpgradeStartMapper;
import api.v2.mappers.UniverseSystemdUpgradeMapper;
import api.v2.mappers.UniverseThirdPartySoftwareUpgradeMapper;
import api.v2.mappers.UniverseTlsToggleParamsMapper;
import api.v2.models.UniverseCertRotateSpec;
import api.v2.models.UniverseEditEncryptionInTransit;
import api.v2.models.UniverseEditGFlags;
import api.v2.models.UniverseRestart;
import api.v2.models.UniverseRollbackUpgradeReq;
Expand All @@ -35,13 +39,15 @@
import com.yugabyte.yw.common.config.GlobalConfKeys;
import com.yugabyte.yw.common.config.RuntimeConfGetter;
import com.yugabyte.yw.controllers.handlers.UpgradeUniverseHandler;
import com.yugabyte.yw.forms.CertsRotateParams;
import com.yugabyte.yw.forms.FinalizeUpgradeParams;
import com.yugabyte.yw.forms.GFlagsUpgradeParams;
import com.yugabyte.yw.forms.RestartTaskParams;
import com.yugabyte.yw.forms.RollbackUpgradeParams;
import com.yugabyte.yw.forms.SoftwareUpgradeParams;
import com.yugabyte.yw.forms.SystemdUpgradeParams;
import com.yugabyte.yw.forms.ThirdpartySoftwareUpgradeParams;
import com.yugabyte.yw.forms.TlsToggleParams;
import com.yugabyte.yw.forms.UpgradeTaskParams;
import com.yugabyte.yw.models.Customer;
import com.yugabyte.yw.models.Release;
Expand Down Expand Up @@ -264,4 +270,40 @@ public YBATask systemdEnable(
log.info("Started systemd enable task {}", mapper.writeValueAsString(ybaTask));
return ybaTask;
}

public YBATask tlsToggle(
Http.Request request, UUID cUUID, UUID uniUUID, UniverseEditEncryptionInTransit spec)
throws JsonProcessingException {

Customer customer = Customer.getOrBadRequest(cUUID);
Universe universe = Universe.getOrBadRequest(uniUUID, customer);

TlsToggleParams v1Params =
UniverseDefinitionTaskParamsMapper.INSTANCE.toTlsToggleParams(
universe.getUniverseDetails());
UniverseTlsToggleParamsMapper.INSTANCE.copyToV1TlsToggleParams(spec, v1Params);

UUID taskUUID = v1Handler.toggleTls(v1Params, customer, universe);
YBATask ybaTask = new YBATask().taskUuid(taskUUID).resourceUuid(uniUUID);
log.info("Started tls toggle task {}", mapper.writeValueAsString(ybaTask));
return ybaTask;
}

public YBATask certRotate(
Http.Request request, UUID cUUID, UUID uniUUID, UniverseCertRotateSpec spec)
throws JsonProcessingException {

Customer customer = Customer.getOrBadRequest(cUUID);
Universe universe = Universe.getOrBadRequest(uniUUID, customer);

CertsRotateParams v1Params =
UniverseDefinitionTaskParamsMapper.INSTANCE.toCertsRotateParams(
universe.getUniverseDetails());
v1Params = UniverseCertsRotateParamsMapper.INSTANCE.copyToV1CertsRotateParams(spec, v1Params);

UUID taskUUID = v1Handler.rotateCerts(v1Params, customer, universe);
YBATask ybaTask = new YBATask().taskUuid(taskUUID).resourceUuid(uniUUID);
log.info("Started cert rotate task {}", mapper.writeValueAsString(ybaTask));
return ybaTask;
}
}
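Review bot: `tlsToggle` discards the value returned by `copyToV1TlsToggleParams` while `certRotate` reassigns `v1Params` from `copyToV1CertsRotateParams`; with MapStruct's `@MappingTarget` both calls mutate the passed target and return it, so the two new methods should use one form — dropping the `v1Params =` prefix on `v1Params = UniverseCertsRotateParamsMapper.INSTANCE.copyToV1CertsRotateParams(spec, v1Params);` makes them match. Neither method reads `request`, so a short comment saying it is kept for signature symmetry with `systemdEnable` would stop the next reader from hunting for a use. The `rootCa`/`clientRootCa` UUIDs from the request reach `v1Params` with no check on this page that the referenced certificate configs exist, belong to `customer`, or are present when the matching toggle is enabled (the OpenAPI schema marks them required in that case); presumably `v1Handler.toggleTls` and `v1Handler.rotateCerts` enforce this, and the new unit test should cover that rejection path rather than only the happy path.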
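--- /dev/null
+++ b/api/v2/mappers/UniverseCertsRotateParamsMapper.java
@@ -0,0 +1,36 @@
+package api.v2.mappers;
+
+import api.v2.models.UniverseCertRotateSpec;
+import com.yugabyte.yw.forms.CertsRotateParams;
+import com.yugabyte.yw.forms.SoftwareUpgradeParams;
+import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
+import org.mapstruct.MappingTarget;
+import org.mapstruct.factory.Mappers;
+
+@Mapper(config = CentralConfig.class)
+public interface UniverseCertsRotateParamsMapper {
+UniverseCertsRotateParamsMapper INSTANCE =
+Mappers.getMapper(UniverseCertsRotateParamsMapper.class);
+
+@Mapping(target = "upgradeOption", source = "source")
+@Mapping(target = "rootAndClientRootCASame", source = "source")
+@Mapping(target = "sleepAfterTServerRestartMillis", source = "sleepAfterTserverRestartMillis")
+@Mapping(target = "rootCA", source = "rootCa")
+@Mapping(target = "clientRootCA", source = "clientRootCa")
+CertsRotateParams copyToV1CertsRotateParams(
+UniverseCertRotateSpec source, @MappingTarget CertsRotateParams target);
+
+default SoftwareUpgradeParams.UpgradeOption mapUpgradeOption(UniverseCertRotateSpec source) {
+return source.getRollingUpgrade()
+? SoftwareUpgradeParams.UpgradeOption.ROLLING_UPGRADE
+: SoftwareUpgradeParams.UpgradeOption.NON_ROLLING_UPGRADE;
+}
+
+default boolean mapRootAndClientRootCASame(UniverseCertRotateSpec spec) {
+if (spec.getRootCa() == null) {
+return false;
+}
+return spec.getRootCa().equals(spec.getClientRootCa());
+}
+}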
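Review bot: `mapUpgradeOption` unboxes `source.getRollingUpgrade()` directly in the ternary, so if the generated getter returns a boxed `Boolean` with no default, a request that omits `rolling_upgrade` fails with a NullPointerException inside the mapper (a 500) rather than a 400; `return Boolean.TRUE.equals(source.getRollingUpgrade()) ? ... : ...;` or an explicit null check gives a defined default. `mapRootAndClientRootCASame` derives `rootAndClientRootCASame` from the request alone and returns `false` whenever `root_ca` is omitted, which overwrites whatever `toCertsRotateParams` copied into the target from the universe details (assuming that field is part of `UniverseDefinitionTaskParams`) even for a rotation that names no new CA — when both UUIDs are absent it should leave the target's existing value untouched, which needs the target passed in or the mapping switched to a `@MappingTarget`-aware default method. Both patterns are repeated verbatim in `UniverseTlsToggleParamsMapper` in this commit; the two interfaces also have no Javadoc saying which v1 fields are deliberately left as copied from the universe.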
Expand Up @@ -14,6 +14,7 @@
import api.v2.models.YCQLSpec;
import api.v2.models.YSQLSpec;
import com.yugabyte.yw.cloud.PublicCloudConstants.Architecture;
import com.yugabyte.yw.forms.CertsRotateParams;
import com.yugabyte.yw.forms.EncryptionAtRestConfig;
import com.yugabyte.yw.forms.FinalizeUpgradeParams;
import com.yugabyte.yw.forms.GFlagsUpgradeParams;
Expand All @@ -23,6 +24,7 @@
import com.yugabyte.yw.forms.SoftwareUpgradeParams;
import com.yugabyte.yw.forms.SystemdUpgradeParams;
import com.yugabyte.yw.forms.ThirdpartySoftwareUpgradeParams;
import com.yugabyte.yw.forms.TlsToggleParams;
import com.yugabyte.yw.forms.UniverseConfigureTaskParams;
import com.yugabyte.yw.forms.UniverseDefinitionTaskParams;
import com.yugabyte.yw.forms.UniverseDefinitionTaskParams.UserIntent;
Expand Down Expand Up @@ -136,6 +138,22 @@ public ThirdpartySoftwareUpgradeParams toThirdpartySoftwareUpgradeParams(
@Mapping(target = "nonPrimaryClusters", ignore = true)
public SystemdUpgradeParams toSystemdUpgradeParams(UniverseDefinitionTaskParams source);

@Mapping(target = "existingLBs", ignore = true)
@Mapping(target = "primaryCluster", ignore = true)
@Mapping(target = "TServers", ignore = true)
@Mapping(target = "readOnlyClusters", ignore = true)
@Mapping(target = "addOnClusters", ignore = true)
@Mapping(target = "nonPrimaryClusters", ignore = true)
public TlsToggleParams toTlsToggleParams(UniverseDefinitionTaskParams source);

@Mapping(target = "existingLBs", ignore = true)
@Mapping(target = "primaryCluster", ignore = true)
@Mapping(target = "TServers", ignore = true)
@Mapping(target = "readOnlyClusters", ignore = true)
@Mapping(target = "addOnClusters", ignore = true)
@Mapping(target = "nonPrimaryClusters", ignore = true)
public CertsRotateParams toCertsRotateParams(UniverseDefinitionTaskParams source);

@Mapping(target = "spec", source = ".")
UniverseCreateSpec toV2UniverseCreateSpec(UniverseDefinitionTaskParams v1UniverseTaskParams);

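--- /dev/null
+++ b/api/v2/mappers/UniverseTlsToggleParamsMapper.java
@@ -0,0 +1,38 @@
+package api.v2.mappers;
+
+import api.v2.models.UniverseEditEncryptionInTransit;
+import com.yugabyte.yw.forms.SoftwareUpgradeParams;
+import com.yugabyte.yw.forms.TlsToggleParams;
+import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
+import org.mapstruct.MappingTarget;
+import org.mapstruct.factory.Mappers;
+
+@Mapper(config = CentralConfig.class)
+public interface UniverseTlsToggleParamsMapper {
+UniverseTlsToggleParamsMapper INSTANCE = Mappers.getMapper(UniverseTlsToggleParamsMapper.class);
+
+@Mapping(target = "upgradeOption", source = "source")
+@Mapping(target = "rootAndClientRootCASame", source = "source")
+@Mapping(target = "enableNodeToNodeEncrypt", source = "nodeToNode")
+@Mapping(target = "enableClientToNodeEncrypt", source = "clientToNode")
+@Mapping(target = "sleepAfterTServerRestartMillis", source = "sleepAfterTserverRestartMillis")
+@Mapping(target = "rootCA", source = "rootCa")
+@Mapping(target = "clientRootCA", source = "clientRootCa")
+TlsToggleParams copyToV1TlsToggleParams(
+UniverseEditEncryptionInTransit source, @MappingTarget TlsToggleParams target);
+
+default SoftwareUpgradeParams.UpgradeOption mapUpgradeOption(
+UniverseEditEncryptionInTransit source) {
+return source.getRollingUpgrade()
+? SoftwareUpgradeParams.UpgradeOption.ROLLING_UPGRADE
+: SoftwareUpgradeParams.UpgradeOption.NON_ROLLING_UPGRADE;
+}
+
+default boolean mapRootAndClientRootCASame(UniverseEditEncryptionInTransit spec) {
+if (spec.getRootCa() == null) {
+return false;
+}
+return spec.getRootCa().equals(spec.getClientRootCa());
+}
+}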
@@ -0,0 +1,5 @@
required: true
content:
application/json:
schema:
$ref: "../schemas/UniverseCertRotateSpec.yaml"
@@ -0,0 +1,5 @@
required: true
content:
application/json:
schema:
$ref: "../schemas/UniverseEditEncryptionInTransit.yaml"
@@ -0,0 +1,22 @@
title: UniverseCertRotateSpec
description: |
UniverseCertRotateSpec
Request payload to rotate the certs used for encryption
in transit. Part of UniverseCertRotateReq.
type: object
allOf:
- $ref: "./SleepAfterRestartSchema.yaml"
- $ref: "./UniverseUpgradeOptionRolling.yaml"
- type: object
properties:
self_signed_server_cert_rotate:
type: boolean
self_signed_client_cert_rotate:
type: boolean
root_ca:
type: string
format: uuid
client_root_ca:
type: string
format: uuid
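Review bot: `self_signed_server_cert_rotate`, `self_signed_client_cert_rotate`, `root_ca` and `client_root_ca` carry no `description`, unlike every property of the sibling `UniverseEditEncryptionInTransit` schema in this commit, so the generated API reference will not say what each flag rotates or that the two `format: uuid` fields identify certificate configs rather than carry the certificates themselves. Add a `description:` under each, for example `description: UUID of the root CA certificate config to rotate to for node to node encryption` for `root_ca` and the client-side equivalent for `client_root_ca`; the wording for the two booleans should be taken from what `CertsRotateParams` does with them, which is not visible here.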
@@ -0,0 +1,27 @@
title: UniverseEditEncryptionInTransit
description: |
UniverseEditEncryptionInTransit
Request Payload to enable or disable encryption in transit. Encryption in transit can be
toggled for either node to node traffic or node to client traffic. Part of
UniverseEncryptionInTransitReq
type: object
allOf:
- $ref: "./SleepAfterRestartSchema.yaml"
- $ref: "./UniverseUpgradeOptionRolling.yaml"
- type: object
properties:
node_to_node:
description: Control encryption in transit between YugabyteDB nodes
type: boolean
client_to_node:
description: Control encryption in transit between YugabyteDB nodes and clients
type: boolean
root_ca:
description: Root CA cert for node to node encryption. Required if node_to_node is true
type: string
format: uuid
client_root_ca:
description: Root CA used for node to client encryption. Required if client_to_node is true
type: string
format: uuid
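Review bot: The `root_ca` description `Root CA cert for node to node encryption` describes the field as a certificate, but its `format: uuid` means it is an identifier of a certificate config; `description: UUID of the root CA certificate config used for node to node encryption. Required if node_to_node is true` says what a caller must actually send, and `client_root_ca` wants the same treatment. The "Required if ... is true" clause is documentation only — nothing in this schema enforces it, so it is worth stating in the note that the server rejects the request when the UUID is missing, once that behaviour is confirmed in the handler.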
106 changes: 106 additions & 0 deletions managed/src/main/resources/openapi/paths/_index.yaml
Expand Up @@ -715,3 +715,109 @@
checkOnlyPermission: false
x-yba-api-since: 2024.2.0.0
x-yba-api-visibility: preview
'/customers/{cUUID}/universes/{uniUUID}/encryption/in-transit':
parameters:
- name: cUUID
in: path
description: Customer UUID
schema:
type: string
format: uuid
explode: false
style: simple
required: true
- name: uniUUID
in: path
description: Universe UUID
schema:
type: string
format: uuid
explode: false
style: simple
required: true
post:
operationId: encryptionInTransitToggle
summary: Enable or disable encryption in transit
description: |
Enable or disable encryption in transit. Encryption in transit can be both node to node or
node to client.
tags:
- Universe
requestBody:
$ref: "../components/requestBodies/UniverseEncryptionInTransitReq.yaml"
responses:
'202':
$ref: "../components/responses/YBATaskResp.yaml"
'400':
description: Invalid input
'500':
description: Server error
security:
- apiKeyAuth: []
x-yba-api-audit:
auditTargetType: Universe
auditTargetId: uniUUID.toString()
auditActionType: UpgradeTLS
taskUuid: obj.getTaskUuid()
x-yba-api-authz:
- requiredPermission:
resourceType: universe
action: UPDATE
resourceLocation:
path: universes
sourceType: endpoint
checkOnlyPermission: false
x-yba-api-since: 2024.2.0.0
x-yba-api-visibility: preview
'/customers/{cUUID}/universes/{uniUUID}/encryption/in-transit/rotate':
parameters:
- name: cUUID
in: path
description: Customer UUID
schema:
type: string
format: uuid
explode: false
style: simple
required: true
- name: uniUUID
in: path
description: Universe UUID
schema:
type: string
format: uuid
explode: false
style: simple
required: true
post:
operationId: encryptionInTransitCertRotate
summary: Rotate TLS Certs
description: Rotate the certs used for encryption in transit.
tags:
- Universe
requestBody:
$ref: "../components/requestBodies/UniverseCertRotateReq.yaml"
responses:
'202':
$ref: "../components/responses/YBATaskResp.yaml"
'400':
description: Invalid input
'500':
description: Server error
security:
- apiKeyAuth: []
x-yba-api-audit:
auditTargetType: Universe
auditTargetId: uniUUID.toString()
auditActionType: UpgradeCerts
taskUuid: obj.getTaskUuid()
x-yba-api-authz:
- requiredPermission:
resourceType: universe
action: UPDATE
resourceLocation:
path: universes
sourceType: endpoint
checkOnlyPermission: false
x-yba-api-since: 2024.2.0.0
x-yba-api-visibility: preview
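Review bot: The toggle operation's description `Encryption in transit can be both node to node or node to client.` reads as if one of the two must be chosen, while the request schema exposes `node_to_node` and `client_to_node` as independent booleans; `Node to node and client to node encryption can each be enabled or disabled independently. root_ca and client_root_ca must be supplied when enabling the corresponding side.` states the contract the schema actually has. The rotate operation's single-line description could likewise mention that the restart is rolling or non-rolling per the request's upgrade option, which is the only behaviour the spec's `UniverseUpgradeOptionRolling` reference controls. The `x-yba-api-audit` and `x-yba-api-authz` blocks match the existing entry above the hunk, so no change is needed there.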