forked from yugabyte/yugabyte-db
[BACKPORT 2.18][PLAT-10529][PLAT-10530][PLAT-11176] Adds support for CA having cert chain in YBA trust's store

Summary:
Currently YBA assumes that the CA certs added to YBA trust store will be a single root cert. With this diff we enable the support for cert chain as well. This was observed in fidelity environment where our migration V274 failed for the same reason.

Some other minor improvements/fixes -
- Fix the deletion of CA certs from YBA's trust store. In case the deletion fails in the first attempt, the `certContent` that stores the filePath starts storing `certContent`, which causes the subsequent deletion attempt to fail - This diff fixes it.

[PLAT-11176][PLAT-11170] Pass Java PKCS TrustStore for play.ws.ssl connections

This diff fixes two issues -
- **PLAT-11176**: Previously, we were only passing YBA's PEM trust store from the custom CA trust store for `play.ws.ssl` TLS handshakes. Consequently, when we attempted to upload multiple CA certificates to YBA's trust store, it resulted in SSL handshake failures for the previously uploaded certificates. With this update, we have included YBA's Java trust store as well.
- **PLAT-11170**: There was an issue with deletion of CA cert from YBA's trust store. Specifically, when we had uploaded one certificate chain and another certificate that only contained the root of the previously uploaded certificate chain, the deletion of the latter was failing. This issue has been resolved in this diff.

Depends on - D29985, D29143
Original Commit - yugabyte@863ae72 yugabyte@4c8978b

Test Plan:

**Case1**
- Ran the migration with the fidelity postgres dump.
- Ensured that the certs are correctly imported in both YBA's PKCS12/PEM trust store.

**Case2**
- Deployed a keycloak server (OIDC server) - [[ https://10.23.16.17:8443 | https://10.23.16.17/ ]] that supports custom certs.
- Created a cert chain of certificates (root -> intermediate -> client).
- Deployed the above server with client certificate.
- Added the root/intermediate certs in YBA's trust store.
- Ensured authentication is successful.
- Deleted the certs from YBA trust store.
- Now ensured SSO login is broken.
- Uploaded partial, i.e., root only cert to YBA trust store.
- Ensured that SSO login is broken.

**Case3**
- Verified crud for the custom CA trust store.

**Case4**
- Added a cert chain with root (r1) & intermediate (i1) -> (cert1)
- Added another cert chain with root (r1) & intermediate (i2) -> (cert2)
- Ensured our PEM store contains 3 entries now.
- Removed cert1 from the trust store.
- Verified that r1 & i2 are present in the YBA's PEM store.
- Added back cert1 in trust store.
- Replaced cert1 with some other cert chain -> (cert3) [root (r2) & intermediate i3]
- Verified that PEM trust store now contains 4 certs -> [r1, i2, r2, i3].
- For PKCS12 store, we add/remove/delete based on the alias (cert name). So we don't need any special handling for that.

**Case5**
- Ensured that the migration V274 is idempotent, i.e., the directories created are cleared in case the migration fails, so that we remain in the same state from YBA's perspective.

iTest pipeline, UTs, CA trust store related iTests

**PLAT-11170**
- Uploaded the root cert to YBA's trust store.
- Created a certificate chain using the root certificate mentioned above and also uploaded it.
- Verified that deletion of cert uploaded in #1 was successful.

**PLAT-11176**
- Created HA setup with two standup portals.
- Each portal is using its own custom CA certs.
- Uploaded both the cert chains to YBA's trust store.
- Verified that the backup is successful on both the standby setups configured.

Reviewers: #yba-api-review, nbhatia, cwang, amalyshev

Reviewed By: amalyshev

Subscribers: yugaware

Tags: #jenkins-ready

Differential Revision: https://phorge.dev.yugabyte.com/D30055
Showing 8 changed files with 645 additions and 61 deletions.
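The behaviour the Case4 and PLAT-11170 steps exercise (a root shared by two uploads must stay in the PEM store until the last upload that needs it is removed, while the PKCS12 side is keyed purely by alias) as an added Python model; this is not YBA's code, and `TrustStoreModel`, `fake_cert` and the labelled placeholder certificate blocks are assumptions of this example.

```python
import base64
import re
from collections import Counter

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem_chain(bundle):
    """Whitespace-stripped base64 body of every certificate block in a PEM bundle."""
    return [re.sub(r"\s+", "", m.group(1)) for m in PEM_BLOCK.finditer(bundle)]

def fake_cert(name):  # constructed placeholder PEM block; the body encodes a label, not a real cert
    body = base64.b64encode(f"constructed-cert:{name}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

class TrustStoreModel:
    """PEM store deduplicated by certificate content and reference-counted across uploads;
    the uploads dict stands in for the PKCS12 store, which is keyed purely by alias."""
    def __init__(self):
        self.uploads = {}          # alias -> certificate bodies in that upload
        self.pem_refs = Counter()  # body -> number of uploads that contain it

    def add(self, alias, bundle):
        certs = split_pem_chain(bundle)
        if not certs:
            raise ValueError(f"upload {alias!r} contains no certificate")
        if alias in self.uploads:  # re-uploading an existing alias replaces it
            self.remove(alias)
        self.uploads[alias] = certs
        self.pem_refs.update(set(certs))  # a body repeated within one bundle counts once

    def remove(self, alias):
        for cert in set(self.uploads.pop(alias)):
            self.pem_refs[cert] -= 1
            if self.pem_refs[cert] == 0:  # no other upload still needs this certificate
                del self.pem_refs[cert]

    def pem_names(self):  # labels of the certificates now in the PEM store
        return {base64.b64decode(c).decode().split(":", 1)[1] for c in self.pem_refs}

def case4():  # replays Case4 from the commit message; returns the PEM store after each step
    store, seen = TrustStoreModel(), []
    steps = [("cert1", fake_cert("r1") + fake_cert("i1")),  # add cert1
             ("cert2", fake_cert("r1") + fake_cert("i2")),  # add cert2, which shares r1
             ("cert1", None),                                # remove cert1
             ("cert1", fake_cert("r1") + fake_cert("i1")),  # add cert1 back
             ("cert1", fake_cert("r2") + fake_cert("i3"))]  # replace cert1 with cert3
    for alias, bundle in steps:
        store.add(alias, bundle) if bundle else store.remove(alias)
        seen.append(store.pem_names())
    return seen
```

Deleting the root-only upload from the PLAT-11170 steps succeeds in this model too, and the root stays in the PEM store because the chain upload still references it.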