
SWATCH-2007: Enable Spring actuator custom certificate information provider #2860

Merged
merged 2 commits into from Dec 12, 2023

Conversation


@awood awood commented Dec 5, 2023

Jira issue: SWATCH-2007

Description

This issue is additional work associated with the annual X509 certificate renewal we do. Before revoking the old certificates, I need to ensure the new ones are in use. Last February, I wrote a Spring Actuator endpoint to display the certificate information, but the endpoint was configured incorrectly. Specifically, the endpoint worked fine over JMX but was misconfigured for HTTP. Since JMX is no longer available, this PR fixes the misconfiguration. Additionally, this PR moves the certificate information underneath the info actuator (which is already enabled) since there isn't much point in having a custom actuator for an informational thing like this.

Testing

Steps

  1. Start the application with the correct environment settings
    RHSMSUBSCRIPTIONS_SUBSCRIPTION_TRUSTSTORE=file:${PWD}/swatch-core/src/test/resources/client.jks \
    RHSMSUBSCRIPTIONS_SUBSCRIPTION_TRUSTSTOREPASSWORD=password \
    RHSMSUBSCRIPTIONS_SUBSCRIPTION_KEYSTORE=file:${PWD}/swatch-core/src/test/resources/test-ca.jks \
    RHSMSUBSCRIPTIONS_SUBSCRIPTION_KEYSTOREPASSWORD=password \
    ./gradlew :bootRun
    
  2. Check the actuator endpoint
    http :9000/info
    
  3. The result shows the certificate information for subscriptionServiceProperties (both .keystore and .truststore). The other TlsProperties beans are either completely empty or have error messages indicating that the certificate path can't be read (e.g. ${clowder.endpoints.rbac-service.trust-store-path} not readable).
  4. The environment variables are handled differently in conduit, so change the command to
    RHSM_TRUSTSTORE=${PWD}/swatch-core/src/test/resources/client.jks \
    RHSM_TRUSTSTORE_PASSWORD=password \
    RHSM_KEYSTORE=${PWD}/swatch-core/src/test/resources/test-ca.jks \
    RHSM_KEYSTORE_PASSWORD=password \
    ./gradlew :swatch-system-conduit:bootRun
    
  5. Check the actuator endpoint with
    http :9000/info
    
  6. The result shows the certificate details for rhsmApiProperties.*.

@lindseyburnett lindseyburnett added the QE Unneeded Pull request does not need QE approval label Dec 6, 2023
@lindseyburnett lindseyburnett changed the title Enable Spring actuator custom certificate information provider SWATCH-2007: Enable Spring actuator custom certificate information provider Dec 6, 2023

Sgitario commented Dec 7, 2023

Note that I've also tried to provide the certificates using the following clowder config:

{
    "endpoints": [
        {
            "app": "swatch-contracts",
            "hostname": "swatch-contracts.hostname",
            "name": "service",
            "port": 8000,
            "tlsPort": 8001
        }
    ],
    "metricsPath": "/metrics",
    "metricsPort": 9000,
    "privatePort": 8080,
    "publicPort": 8000,
    "webPort": 8000,
    "tlsCAPath": "/home/jcarvaja/sources/RedHatInsights/rhsm-subscriptions/swatch-core/src/test/resources/ca-test.pem"
}

And running the app as:

ACG_CONFIG=/home/jcarvaja/sources/RedHatInsights/rhsm-subscriptions/swatch-core/src/test/resources/test-clowder-config-with-ssl.json SPRING_PROFILES_ACTIVE=worker,api,kafka-queue ./gradlew :bootRun

And the cert for the contracts endpoint is correctly displayed:

{
    "build": {
        "artifact": "rhsm-subscriptions",
        "name": "rhsm-subscriptions",
        "time": "2023-12-07T07:18:37.510Z",
        "version": "0.1.0-snapshot.202312070718.uncommitted+awood.cert.endpoint.987107c",
        "group": "com.redhat.swatch"
    },
    "umbProperties.keystore": {},
    "umbProperties.truststore": {},
    "contractsClientProperties.keystore": {},
    "contractsClientProperties.truststore": {
        "cert-0": {
            "Distinguished Name": "CN=localhost, O=unknown, L=unknown, ST=unknown, C=XX",
            "Serial Number": "17232293264883780949",
            "SHA-1 Fingerprint": "960f13f186301c2418265ab937b0af589576c248",
            "Not After": "2023-04-05T18:57:04Z",
            "Issuer Distinguished Name": "CN=localhost, O=unknown, L=unknown, ST=unknown, C=XX"
        }
    },
    "capacityHttpClientProperties.keystore": {},
    "capacityHttpClientProperties.truststore": {},
    "rbacServiceProperties.keystore": {},
    "rbacServiceProperties.truststore": {
        "${clowder.endpoints.rbac-service.trust-store-path} not readable": {}
    },
    "productServiceProperties.keystore": {
        " not readable": {}
    },
    "productServiceProperties.truststore": {},
    "subscriptionServiceProperties.keystore": {
        " not readable": {}
    },
    "subscriptionServiceProperties.truststore": {}
}

@Sgitario Sgitario left a comment


When hitting the /info endpoint, I see some awkward values like:

"productServiceProperties.keystore": {
" not readable": {}
},

This is happening when the certificate path is empty (not provided), so a more descriptive message would be either:

"productServiceProperties.keystore": {},

Or being more descriptive like:

"productServiceProperties.keystore": {
"certificate not configured / not set / or something like this": {}
},

I prefer the first option which is less verbose.
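Added example, not the PR's CertInfoContributor and not code from rhsm-subscriptions: a Spring Boot InfoContributor that emits the same per-store structure shown in the /info output above (cert-N entries with DN, serial, SHA-1 fingerprint, Not After and issuer), reports an empty map for a store with no configured path as suggested in this review, and reports an "… not readable" key for a path that resolves but cannot be opened. The class name, the StoreEntry record, and the way the list of stores is wired from the application's TlsProperties beans are assumptions.

```java
// Added example: illustrative InfoContributor, not the project's own code.
// Assumptions: StoreEntry is supplied by application config; labels such as
// "subscriptionServiceProperties.keystore" are chosen by the caller.
package example.actuator;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import org.springframework.boot.actuate.info.Info;
import org.springframework.boot.actuate.info.InfoContributor;
import org.springframework.core.io.Resource;
import org.springframework.stereotype.Component;

@Component
public class CertInfoContributorExample implements InfoContributor {

  /** One store to report on: the key shown under /info, the resource (may be null), its password. */
  public record StoreEntry(String label, Resource location, String password) {}

  private final List<StoreEntry> stores;

  // Assumption: the application builds this list from its TlsProperties beans.
  public CertInfoContributorExample(List<StoreEntry> stores) {
    this.stores = stores;
  }

  @Override
  public void contribute(Info.Builder builder) {
    for (StoreEntry entry : stores) {
      builder.withDetail(entry.label(), describeStore(entry));
    }
  }

  /** Empty map when no path is configured; an error key when the path exists but is unreadable. */
  static Map<String, Object> describeStore(StoreEntry entry) {
    Map<String, Object> details = new LinkedHashMap<>();
    Resource location = entry.location();
    if (location == null) {
      return details; // not configured: report {} instead of " not readable"
    }
    if (!location.isReadable()) {
      // An unresolved ${...} placeholder ends up here, as in the output above.
      details.put(location.getDescription() + " not readable", Map.of());
      return details;
    }
    try (InputStream in = location.getInputStream()) {
      KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
      char[] pw = entry.password() == null ? null : entry.password().toCharArray();
      store.load(in, pw);
      int index = 0;
      for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements(); ) {
        // getCertificate returns the trusted cert, or the leaf of a key entry's chain.
        Certificate cert = store.getCertificate(aliases.nextElement());
        if (cert instanceof X509Certificate x509) {
          details.put("cert-" + index++, describeCertificate(x509));
        }
      }
    } catch (IOException | GeneralSecurityException e) {
      details.put(location.getDescription() + " could not be loaded: " + e.getMessage(), Map.of());
    }
    return details;
  }

  /** The fields an operator needs to confirm which certificate is actually deployed. */
  static Map<String, String> describeCertificate(X509Certificate cert)
      throws GeneralSecurityException {
    Map<String, String> fields = new LinkedHashMap<>();
    // RFC1779 formatting gives the "CN=..., O=..." spacing seen in the /info output.
    fields.put("Distinguished Name", cert.getSubjectX500Principal().getName(X500Principal.RFC1779));
    fields.put("Serial Number", cert.getSerialNumber().toString());
    byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
    fields.put("SHA-1 Fingerprint", HexFormat.of().formatHex(digest));
    fields.put("Not After", cert.getNotAfter().toInstant().toString());
    fields.put("Issuer Distinguished Name",
        cert.getIssuerX500Principal().getName(X500Principal.RFC1779));
    return fields;
  }
}
```

The SHA-1 fingerprint is only used here as an identifier to compare against the renewed certificate's fingerprint, which is exactly what the renewal check in the PR description needs; the password is never echoed into the info payload, and the whole contributor is only as exposed as the info actuator itself, so keep /info on the management port.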

@Sgitario Sgitario left a comment


lgtm now!
I think these changes are quite useful. Is there a JIRA ticket to implement this /info endpoint for the Quarkus-based services? @kahowell @lindseyburnett


kahowell commented Dec 8, 2023

I think these changes are quite useful. Is there a JIRA ticket to implement this /info endpoint for the Quarkus-based services? @kahowell @lindseyburnett

@Sgitario no, we don't currently have a Jira issue for this, feel free to create one and get it groomed, etc.


kahowell commented Dec 8, 2023

/retest

This move allows the CertInfoContributor to be used by the main
application as well as swatch-system-conduit.
@awood awood merged commit cad9a73 into main Dec 12, 2023
5 checks passed
@awood awood deleted the awood/cert-endpoint branch December 12, 2023 14:09