[PLAT-16616][PLAT-16340] Improved how yba installer handles self sign…

…ed certs Summary: Allow regenerating self signed certs via yba-ctl reconfigure. If the config file has empty values for the pem files, it will regenerate the self signed certs. In addition, added a preflight check to validate cert values are set before allowing an upgrade. Test Plan: validated cert regen and preflight Reviewers: muthu, sanketh Reviewed By: muthu Subscribers: yugaware Differential Revision: https://phorge.dev.yugabyte.com/D41533
yugabyte · Jan 30, 2025 · 79a005a · 79a005a
1 parent 16f2042
commit 79a005a
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 5 deletions.
diff --git a/managed/yba-installer/cmd/reconfigure.go b/managed/yba-installer/cmd/reconfigure.go
@@ -38,11 +38,18 @@ var reconfigureCmd = &cobra.Command{
 			log.Fatal("invalid reconfigure: " + err.Error())
 		}
 
-		isSelfSigned := state.Config.SelfSignedCert ||
-			(viper.GetString("server_cert_path") == "" && viper.GetString("server_key_path") == "")
-		if state.Config.Hostname != viper.GetString("host") && isSelfSigned {
-			log.Info("Detected hostname change for self signed certs, regenerating the certs")
-			serverCertPath, serverKeyPath := common.RegenerateSelfSignedCerts()
+		// Regenerate self signed certs if hostname has changed or if certs are missing from the config.
+		var serverCertPath, serverKeyPath string = "", ""
+		if viper.GetString("server_cert_path") == "" || viper.GetString("server_key_path") == "" {
+			log.Info("Generating new self-signed server certificates")
+			serverCertPath, serverKeyPath = common.GenerateSelfSignedCerts()
+		} else if state.Config.Hostname != viper.GetString("host") && state.Config.SelfSignedCert {
+			log.Info("Regenerating self signed certs for hostname change")
+			serverCertPath, serverKeyPath = common.RegenerateSelfSignedCerts()
+		}
+		if serverCertPath != "" || serverKeyPath != "" {
+			log.Debug("Populating new self signed certs in yba-ctl.yml: " +
+				serverCertPath + ", " + serverKeyPath)
 			common.SetYamlValue(common.InputFile(), "server_cert_path", serverCertPath)
 			common.SetYamlValue(common.InputFile(), "server_key_path", serverKeyPath)
 			common.InitViper()

diff --git a/managed/yba-installer/pkg/preflight/checks/upgrade_config.go b/managed/yba-installer/pkg/preflight/checks/upgrade_config.go
@@ -0,0 +1,40 @@
+package checks
+
+import (
+	"fmt"
+
+	"github.com/spf13/viper"
+)
+
+var UpgradeConfigCheck = upgradeConfigCheck{
+	"upgrade-config",
+	true,
+}
+
+type upgradeConfigCheck struct {
+	name        string
+	skipAllowed bool
+}
+
+func (u upgradeConfigCheck) Name() string {
+	return u.name
+}
+
+func (u upgradeConfigCheck) SkipAllowed() bool {
+	return u.skipAllowed
+}
+
+func (u upgradeConfigCheck) Execute() Result {
+	res := Result{
+		Check:  u.name,
+		Status: StatusPassed,
+	}
+
+	// Check that certs are specified
+	if viper.GetString("server_cert_path") == "" || viper.GetString("server_key_path") == "" {
+		res.Status = StatusCritical
+		res.Error = fmt.Errorf("server_cert_path and server_key_path must be set")
+	}
+
+	return res
+}
diff --git a/managed/yba-installer/pkg/preflight/predefined_lists.go b/managed/yba-installer/pkg/preflight/predefined_lists.go
@@ -36,6 +36,7 @@ var UpgradeChecks = []Check{
 	checks.Prometheus,
 	checks.NonRootUpgradeCheck,
 	checks.ServicesRunningCheck,
+	checks.UpgradeConfigCheck,
 }
 
 var ReplicatedMigrateChecks = []Check{