From cd48b7a4def4e43c83670e142f0b88907aea52ae Mon Sep 17 00:00:00 2001
From: ydhawale
Date: Fri, 25 Feb 2022 13:28:45 +0530
Subject: [PATCH] [PLAT-3188] client certificates are not updated in $HOME/.yugabytedb dir due to which Health check fails.
Summary: Found that in function getCertificatePaths only one code path updates the certs and other one was not updating it. Also, returning empty string for Hashicorp cert type when key is requested. - PLAT-3216
Test Plan: Reproduced issue via provided steps and used same to verify.
# Tip: You can add a project as a subscriber or reviewer by writing
# "#projectname" in the appropriate field.
Reviewers: vpatibandla, kkg, hkandala
Reviewed By: hkandala
Subscribers: jenkins-bot, yugaware
Differential Revision: https://phabricator.dev.yugabyte.com/D15651
---
 .../com/yugabyte/yw/common/NodeManager.java | 26 ++++++++++++++-----
 .../yw/common/certmgmt/CertificateHelper.java | 5 ++--
 .../handlers/UpgradeUniverseHandler.java | 14 +++++++---
 3 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/managed/src/main/java/com/yugabyte/yw/common/NodeManager.java b/managed/src/main/java/com/yugabyte/yw/common/NodeManager.java
index 4784a0052473..3ba169375c84 100644
--- a/managed/src/main/java/com/yugabyte/yw/common/NodeManager.java
+++ b/managed/src/main/java/com/yugabyte/yw/common/NodeManager.java
@@ -414,15 +414,15 @@ private List getCertificatePaths(
 serverKeyPath = String.format("%s/%s", tempStorageDirectory, serverKeyFile);
 certsLocation = CERT_LOCATION_PLATFORM;
- if (taskParam.rootAndClientRootCASame && taskParam.enableClientToNodeEncrypt) {
- // These client certs are used for node to postgres communication
- // These are separate from clientRoot certs which are used for server to client
- // communication These are not required anymore as this is not mandatory now and
- // can be removed. The code is still here to maintain backward compatibility
+ if (taskParam.enableClientToNodeEncrypt) {
+
+ UUID cliRootCA = taskParam.clientRootCA;
+ if (taskParam.rootAndClientRootCASame) cliRootCA = taskParam.rootCA;
+
 subcommandStrings.add("--client_cert_path");
- subcommandStrings.add(CertificateHelper.getClientCertFile(taskParam.rootCA));
+ subcommandStrings.add(CertificateHelper.getClientCertFile(cliRootCA));
 subcommandStrings.add("--client_key_path");
- subcommandStrings.add(CertificateHelper.getClientKeyFile(taskParam.rootCA));
+ subcommandStrings.add(CertificateHelper.getClientKeyFile(cliRootCA));
 }
 } catch (IOException e) {
 LOG.error(e.getMessage(), e);
@@ -516,6 +516,18 @@ private List getCertificatePaths(
 serverCertPath = String.format("%s/%s", tempStorageDirectory, serverCertFile);
 serverKeyPath = String.format("%s/%s", tempStorageDirectory, serverKeyFile);
 certsLocation = CERT_LOCATION_PLATFORM;
+
+ if (taskParam.enableClientToNodeEncrypt) {
+
+ UUID cliRootCA = taskParam.clientRootCA;
+ if (taskParam.rootAndClientRootCASame) cliRootCA = taskParam.rootCA;
+
+ subcommandStrings.add("--client_cert_path");
+ subcommandStrings.add(CertificateHelper.getClientCertFile(cliRootCA));
+ subcommandStrings.add("--client_key_path");
+ subcommandStrings.add(CertificateHelper.getClientKeyFile(cliRootCA));
+ }
+
 } catch (IOException e) {
 LOG.error(e.getMessage(), e);
 throw new RuntimeException(e);
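Review bot: When `rootAndClientRootCASame` is false, both new blocks in getCertificatePaths pass `taskParam.clientRootCA` to `CertificateHelper.getClientCertFile`/`getClientKeyFile` without a null check, so a task with client-to-node encryption enabled but no clientRootCA set would hand `null` to those helpers (what they do with it is not visible here). The three-line CA selection is also now written out twice in this method and a third time in UpgradeUniverseHandler.rotateCerts; `UUID cliRootCA = taskParam.rootAndClientRootCASame ? taskParam.rootCA : taskParam.clientRootCA;` (or one small shared helper) keeps the three copies in step. The deleted comment was the only place saying what these two paths are for; keep a one-liner above the new `if`, such as `// Client cert/key the node presents as a client (node to postgres), taken from clientRootCA unless it is shared with rootCA.`. getCertificatePaths starts before the first hunk and continues past the second.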
diff --git a/managed/src/main/java/com/yugabyte/yw/common/certmgmt/CertificateHelper.java b/managed/src/main/java/com/yugabyte/yw/common/certmgmt/CertificateHelper.java
index c7b316980d7d..6a4e034de749 100644
--- a/managed/src/main/java/com/yugabyte/yw/common/certmgmt/CertificateHelper.java
+++ b/managed/src/main/java/com/yugabyte/yw/common/certmgmt/CertificateHelper.java
@@ -545,6 +545,7 @@ public static String getCertPEM(CertificateInfo cert) {
 }
 public static String getKeyPEM(CertificateInfo cert) {
+ if (cert.certType == CertConfigType.HashicorpVault) return "";
 String privateKeyPEM = FileUtils.readFileToString(new File(cert.privateKey));
 privateKeyPEM = Base64.getEncoder().encodeToString(privateKeyPEM.getBytes());
 return privateKeyPEM;
@@ -552,9 +553,7 @@ public static String getKeyPEM(CertificateInfo cert) {
 public static String getKeyPEM(UUID rootCA) {
 CertificateInfo cert = CertificateInfo.get(rootCA);
- String privateKeyPEM = FileUtils.readFileToString(new File(cert.privateKey));
- privateKeyPEM = Base64.getEncoder().encodeToString(privateKeyPEM.getBytes());
- return privateKeyPEM;
+ return getKeyPEM(cert);
 }
 public static String getClientCertFile(UUID rootCA) {
diff --git a/managed/src/main/java/com/yugabyte/yw/controllers/handlers/UpgradeUniverseHandler.java b/managed/src/main/java/com/yugabyte/yw/controllers/handlers/UpgradeUniverseHandler.java
index 9b2f3f2748ec..0a04e1807eff 100644
--- a/managed/src/main/java/com/yugabyte/yw/controllers/handlers/UpgradeUniverseHandler.java
+++ b/managed/src/main/java/com/yugabyte/yw/controllers/handlers/UpgradeUniverseHandler.java
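Review bot: The new early return in getKeyPEM(CertificateInfo) turns `""` into an undocumented sentinel meaning "no private key available", and the delegating getKeyPEM(UUID) now returns it as well, so a caller cannot tell that case from a genuinely empty key file or know it must not write the value out as a key. Put the reason on the new line, e.g. `// Vault-issued certs: the private key is presumably not held in cert.privateKey (PLAT-3216) - confirm; callers must treat "" as "no key".`, and state the empty-string contract in the Javadoc `@return` of both overloads. It is also worth checking whether getCertPEM, whose closing brace is the first context line of the hunk, needs the same branch for this cert type; nothing on the page shows either way.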
@@ -147,19 +147,27 @@ public UUID rotateCerts(CertsRotateParams requestParams, Customer customer, Univ
 requestParams.universeUUID = universe.universeUUID;
 requestParams.expectedUniverseVersion = universe.version;
 UserIntent userIntent = universe.getUniverseDetails().getPrimaryCluster().userIntent;
+
 // Generate client certs if rootAndClientRootCASame is true and rootCA is self-signed.
 // This is there only for legacy support, no need if rootCA and clientRootCA are different.
 if (userIntent.enableClientToNodeEncrypt && requestParams.rootAndClientRootCASame) {
- CertificateInfo rootCert = CertificateInfo.get(requestParams.rootCA);
+
+ UUID cliRootCA = requestParams.clientRootCA;
+ if (requestParams.rootAndClientRootCASame) cliRootCA = requestParams.rootCA;
+
+ CertificateInfo rootCert = CertificateInfo.get(cliRootCA);
+ log.debug(
+ "rotateCerts called with clientRootCA: {}",
+ (cliRootCA != null) ? cliRootCA.toString() : "NULL");
 if (rootCert.certType == CertConfigType.SelfSigned
 || rootCert.certType == CertConfigType.HashicorpVault) {
 CertificateHelper.createClientCertificate(
- requestParams.rootCA,
+ cliRootCA,
 String.format(
 CertificateHelper.CERT_PATH,
 runtimeConfigFactory.staticApplicationConf().getString("yb.storage.path"),
 customer.uuid.toString(),
- requestParams.rootCA.toString()),
+ cliRootCA.toString()),
 CertificateHelper.DEFAULT_CLIENT,
 null,
 null);
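Review bot: Inside the unchanged guard `if (userIntent.enableClientToNodeEncrypt && requestParams.rootAndClientRootCASame)` the new `if (requestParams.rootAndClientRootCASame) cliRootCA = requestParams.rootCA;` is always true, so `cliRootCA` is always `requestParams.rootCA` and the `requestParams.clientRootCA` assignment is dead. Either the outer condition should drop `requestParams.rootAndClientRootCASame` so that a separate clientRootCA gets a client certificate generated where NodeManager.getCertificatePaths now looks for it, or the two new lines should collapse to `UUID cliRootCA = requestParams.rootCA;` and the debug message should stop calling it clientRootCA. The log line guards `cliRootCA` against null, yet `CertificateInfo.get(cliRootCA)` just before it and `cliRootCA.toString()` in the `String.format` call dereference it unguarded; if null is reachable, fail fast with `Objects.requireNonNull(cliRootCA, "clientRootCA")` before the lookup, otherwise drop the ternary. The comment above the guard still says "if rootAndClientRootCASame is true" and should follow whichever condition is kept. rotateCerts continues past the hunk.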