[PLAT-13798] Remove runtime config for CA trust store

Summary: Custom CA trust store runtime config has been enabled since 2.18 Doing the cleanup to remove the same & enabling the feature by default Test Plan: Manually verified Reviewers: amalyshev, rmadhavan, kkannan Reviewed By: amalyshev, rmadhavan Subscribers: yugaware Differential Revision: https://phorge.dev.yugabyte.com/D34765
yugabyte · May 10, 2024 · 03c07bd · 03c07bd
1 parent bc46258
commit 03c07bd
Show file tree

Hide file tree

Showing 10 changed files with 5 additions and 237 deletions.
diff --git a/managed/RUNTIME-FLAGS.md b/managed/RUNTIME-FLAGS.md
@@ -71,7 +71,6 @@
 | "Bootstrap producer timeout" | "yb.xcluster.bootstrap_producer_timeout_ms" | "GLOBAL" | "Bootstrap producer timeout in milliseconds" | "Integer" |
 | "YBC socket read timeout" | "ybc.timeout.socket_read_timeout_ms" | "GLOBAL" | "YBC client socket read timeout in milliseconds" | "Integer" |
 | "YBC operation timeout" | "ybc.timeout.operation_timeout_ms" | "GLOBAL" | "YBC client timeout in milliseconds for operations" | "Integer" |
-| "Enable YBA's custom CA trust-store" | "yb.customCATrustStore.enabled" | "GLOBAL" | "Enable YBA's custom CA trust-store" | "Boolean" |
 | "Server certificate verification for S3 backup/restore" | "yb.certVerifyBackupRestore.is_enforced" | "GLOBAL" | "Enforce server certificate verification during S3 backup/restore" | "Boolean" |
 | "Javax Net SSL TrustStore" | "yb.wellKnownCA.trustStore.path" | "GLOBAL" | "Java property javax.net.ssl.trustStore" | "String" |
 | "Javax Net SSL TrustStore Type" | "yb.wellKnownCA.trustStore.type" | "GLOBAL" | "Java property javax.net.ssl.trustStoreType" | "String" |

diff --git a/managed/src/main/java/com/yugabyte/yw/common/certmgmt/castore/CustomCAStoreManager.java b/managed/src/main/java/com/yugabyte/yw/common/certmgmt/castore/CustomCAStoreManager.java
@@ -39,7 +39,6 @@
 @Singleton
 @Slf4j
 public class CustomCAStoreManager {
-  private final String CUSTOM_CA_STORE_ENABLED = "yb.customCATrustStore.enabled";
   private final List<TrustStoreManager> trustStoreManagers = new ArrayList<>();
 
   // Reference to the listeners who want to get notified about updates in this custom trust-store.
@@ -458,7 +457,7 @@ private char[] getTruststorePassword() {
   }
 
   public boolean isEnabled() {
-    return runtimeConfigFactory.globalRuntimeConf().getBoolean(CUSTOM_CA_STORE_ENABLED);
+    return true;
   }
 
   // ---------------- methods for CA store observers ---------------

diff --git a/managed/src/main/java/com/yugabyte/yw/common/config/GlobalConfKeys.java b/managed/src/main/java/com/yugabyte/yw/common/config/GlobalConfKeys.java
@@ -369,14 +369,6 @@ public class GlobalConfKeys extends RuntimeConfigKeysModule {
           "YBC client timeout in milliseconds for operations",
           ConfDataType.IntegerType,
           ImmutableList.of(ConfKeyTags.PUBLIC));
-  public static final ConfKeyInfo<Boolean> customCAStoreEnabled =
-      new ConfKeyInfo<>(
-          "yb.customCATrustStore.enabled",
-          ScopeType.GLOBAL,
-          "Enable YBA's custom CA trust-store",
-          "Enable YBA's custom CA trust-store",
-          ConfDataType.BooleanType,
-          ImmutableList.of(ConfKeyTags.PUBLIC));
   public static final ConfKeyInfo<Boolean> enforceCertVerificationBackupRestore =
       new ConfKeyInfo<>(
           "yb.certVerifyBackupRestore.is_enforced",

diff --git a/managed/src/main/resources/reference.conf b/managed/src/main/resources/reference.conf
@@ -149,9 +149,6 @@ yb {
       javaHomePaths = [${java.home}"/lib/security/jssecacerts",  ${java.home}"/lib/security/cacerts"]
     }
   }
-  customCATrustStore {
-    enabled = true
-  }
   certVerifyBackupRestore{
     is_enforced = true
   }

diff --git a/managed/ui/src/components/administration/Administration.tsx b/managed/ui/src/components/administration/Administration.tsx
@@ -16,7 +16,6 @@ import { HAInstancesContainer } from '../ha/instances/HAInstanceContainer';
 
 import ListCACerts from '../customCACerts/ListCACerts';
 import { RBACContainer } from '../../redesign/features/rbac/RBACContainer';
-import { isCertCAEnabledInRuntimeConfig } from '../customCACerts';
 import { RbacValidator } from '../../redesign/features/rbac/common/RbacApiPermValidator';
 import { ApiPermissionMap } from '../../redesign/features/rbac/ApiAndUserPermMapping';
 import { isRbacEnabled } from '../../redesign/features/rbac/common/RbacUtils';
@@ -104,7 +103,6 @@ export const Administration: FC<RouteComponentProps<{}, RouteParams>> = ({ param
     ? AdministrationTabs.HA
     : AdministrationTabs.AC;
 
-  const isCustomCaCertsEnabled = isCertCAEnabledInRuntimeConfig(globalRuntimeConfigs?.data);
 
   useEffect(() => {
     showOrRedirect(currentCustomer.data.features, 'menu.administration');
@@ -225,7 +223,7 @@ export const Administration: FC<RouteComponentProps<{}, RouteParams>> = ({ param
         {getHighAvailabilityTab()}
         {getAlertTab()}
         {!isRbacEnabled() && getUserManagementTab()}
-        {isCustomCaCertsEnabled && getCustomCACertsTab()}
+        {getCustomCACertsTab()}
         {isCongifUIEnabled && getAdvancedTab()}
         {isRbacEnabled() && getRbacTab()}
       </YBTabsWithLinksPanel>

diff --git a/managed/ui/src/components/customCACerts/CertUtils.tsx b/managed/ui/src/components/customCACerts/CertUtils.tsx
@@ -14,12 +14,6 @@ const CACertErrorPatterns = [
   'ERR_04120_TLS_HANDSHAKE_ERROR'
 ];
 
-export const CA_CERT_RUNTIME_CONFIG_KEY = 'yb.customCATrustStore.enabled';
-
-export function isCertCAEnabledInRuntimeConfig (runtimeConfig: RunTimeConfig) {
-  return runtimeConfig?.configEntries?.find((c: any) => c.key === CA_CERT_RUNTIME_CONFIG_KEY)?.value === 'true' ?? false;
-};
-
 export const LDAP_CA_CERT_ERR_MSG = (
   <span>
     Cannot connect to LDAP server. Please ask the Admin to add valid CA cert&nbsp;

diff --git a/managed/ui/src/components/ha/modals/AddStandbyInstanceModal.tsx b/managed/ui/src/components/ha/modals/AddStandbyInstanceModal.tsx
@@ -9,14 +9,11 @@ import { api, QUERY_KEY } from '../../../redesign/helpers/api';
 import { getPromiseState } from '../../../utils/PromiseUtils';
 import {
   EMPTY_YB_HA_WEBSERVICE,
-  getPeerCertIdentifier,
   getPeerCerts,
   YbHAWebService,
   YB_HA_WS_RUNTIME_CONFIG_KEY
 } from '../replication/HAReplicationView';
 import { ManagePeerCertsModal } from './ManagePeerCertsModal';
-import { isCertCAEnabledInRuntimeConfig } from '../../customCACerts';
-
 import styles from './AddStandbyInstanceModal.module.scss';
 
 interface AddStandbyInstanceModalProps {
@@ -80,10 +77,6 @@ export const AddStandbyInstanceModal: FC<AddStandbyInstanceModalProps> = ({
   };
 
   // fetch only specific key
-  const showAddPeerCertModal = () => {
-    fetchRuntimeConfigs();
-    setAddPeerCertsModalVisible(true);
-  };
   const hideAddPeerCertModal = () => {
     fetchRuntimeConfigs();
     setAddPeerCertsModalVisible(false);
@@ -99,7 +92,6 @@ export const AddStandbyInstanceModal: FC<AddStandbyInstanceModalProps> = ({
             .value
         )
       : EMPTY_YB_HA_WEBSERVICE;
-  const isCACertStoreEnabled = isCertCAEnabledInRuntimeConfig(runtimeConfigs?.data);
   const peerCerts = getPeerCerts(ybHAWebService);
   const isMissingPeerCerts = peerCerts.length === 0;
 
@@ -116,7 +108,7 @@ export const AddStandbyInstanceModal: FC<AddStandbyInstanceModalProps> = ({
           visible
           initialValues={INITIAL_VALUES}
           validate={(values: AddStandbyInstanceFormValues) =>
-            validateForm(values, isMissingPeerCerts, isCACertStoreEnabled)
+            validateForm(values, isMissingPeerCerts)
           }
           validateOnChange
           validateOnBlur
@@ -141,45 +133,6 @@ export const AddStandbyInstanceModal: FC<AddStandbyInstanceModalProps> = ({
                   type="text"
                   component={YBFormInput}
                 />
-                {!isCACertStoreEnabled && isHTTPS && (
-                  <div className={styles.peerCertsField}>
-                    <div>
-                      Please add one or more root CA cert needed to connect to each instance in the
-                      HA cluster.
-                    </div>
-                    <div className={styles.certsContainer}>
-                      {!isMissingPeerCerts && (
-                        <>
-                          <b>Peer Certificates:</b>
-                          {peerCerts.map((peerCert) => {
-                            return (
-                              <div className={styles.certificate}>
-                                <span className={styles.identifier}>
-                                  {getPeerCertIdentifier(peerCert)}
-                                </span>
-                                <span className={styles.ellipse}>( . . . )</span>
-                              </div>
-                            );
-                          })}
-                        </>
-                      )}
-                    </div>
-                    <YBButton
-                      className={styles.addCertsButton}
-                      btnText={
-                        isMissingPeerCerts ? 'Add Peer Certificates' : 'Manage Peer Certificates'
-                      }
-                      btnIcon="fa fa-plus-circle"
-                      onClick={(e: any) => {
-                        e.preventDefault();
-                        showAddPeerCertModal();
-                      }}
-                    />
-                    {errors.peerCerts && (
-                      <div className={styles.errorContainer}>{errors.peerCerts}</div>
-                    )}
-                  </div>
-                )}
               </div>
             );
           }}
@@ -191,7 +144,7 @@ export const AddStandbyInstanceModal: FC<AddStandbyInstanceModalProps> = ({
   }
 };
 
-const validateForm = (values: AddStandbyInstanceFormValues, isMissingPeerCerts: boolean, isCACertStoreEnabled: boolean) => {
+const validateForm = (values: AddStandbyInstanceFormValues, isMissingPeerCerts: boolean) => {
   // Since our formik verision is < 2.0 , we need to throw errors instead of
   // returning them in custom async validation:
   // https://github.com/jaredpalmer/formik/issues/1392#issuecomment-606301031
@@ -201,8 +154,6 @@ const validateForm = (values: AddStandbyInstanceFormValues, isMissingPeerCerts:
     errors.instanceAddress = 'Required field';
   } else if (!INSTANCE_VALID_ADDRESS_PATTERN.test(values.instanceAddress)) {
     errors.instanceAddress = 'Must be a valid URL';
-  } else if (!isCACertStoreEnabled && values.instanceAddress.startsWith('https:') && isMissingPeerCerts) {
-    errors.peerCerts = 'A peer certificate is required for adding a standby instance over HTTPS';
   }
 
   return errors;

diff --git a/managed/ui/src/components/ha/replication/HAReplicationForm.test.tsx b/managed/ui/src/components/ha/replication/HAReplicationForm.test.tsx
@@ -299,33 +299,6 @@ describe('HA replication configuration form', () => {
 
     expect(backToView).toBeCalled();
   });
-  it('should disable the submit button for active config if peer certs do not exist and using https', async () => {
-    const fakeValues = {
-      configId: 'fake-config-id',
-      instanceAddress: 'https://fake-address',
-      clusterKey: 'fake-key',
-      replicationFrequency: '30'
-    };
-    (api.generateHAKey as jest.Mock).mockResolvedValue({ cluster_key: fakeValues.clusterKey });
-
-    const { component, formFields } = setup(false);
-
-    // enter address
-    userEvent.clear(formFields.instanceAddress);
-    userEvent.type(formFields.instanceAddress, fakeValues.instanceAddress);
-
-    // generate cluster key and check form value
-    userEvent.click(component.queryByRole('button', { name: /generate key/i })!);
-    await waitFor(() => expect(api.generateHAKey).toBeCalled());
-    expect(formFields.clusterKey).toHaveValue(fakeValues.clusterKey);
-
-    // set replication frequency
-    userEvent.clear(formFields.replicationFrequency);
-    userEvent.type(formFields.replicationFrequency, fakeValues.replicationFrequency);
-
-    // Verify the submit button is disabled (since no peer certs were added).
-    expect(component.getByRole('button', { name: /create/i })).toBeDisabled();
-  });
   it('should not disable the submit button for active config if peer certs do not exist and not using https', async () => {
     const fakeValues = {
       configId: 'fake-config-id',

diff --git a/managed/ui/src/components/ha/replication/HAReplicationForm.tsx b/managed/ui/src/components/ha/replication/HAReplicationForm.tsx
@@ -12,7 +12,6 @@ import { api, CreateHaConfigRequest, QUERY_KEY } from '../../../redesign/helpers
 import { HaConfig, HaReplicationSchedule } from '../dtos';
 import YBInfoTip from '../../common/descriptors/YBInfoTip';
 import {
-  getPeerCertIdentifier,
   getPeerCerts,
   YbHAWebService,
   YB_HA_WS_RUNTIME_CONFIG_KEY,
@@ -22,7 +21,6 @@ import { getPromiseState } from '../../../utils/PromiseUtils';
 
 import './HAReplicationForm.scss';
 import { ManagePeerCertsModal } from '../modals/ManagePeerCertsModal';
-import { isCertCAEnabledInRuntimeConfig } from '../../customCACerts';
 
 export enum HAInstanceTypes {
   Active = 'Active',
@@ -118,10 +116,6 @@ export const HAReplicationForm: FC<HAReplicationFormProps> = ({
   }, []); // eslint-disable-line react-hooks/exhaustive-deps
 
   // fetch only specific key
-  const showAddPeerCertModal = () => {
-    fetchRuntimeConfigs();
-    setAddPeerCertsModalVisible(true);
-  };
   const hideAddPeerCertModal = () => {
     fetchRuntimeConfigs();
     setAddPeerCertsModalVisible(false);
@@ -191,7 +185,6 @@ export const HAReplicationForm: FC<HAReplicationFormProps> = ({
       )
     : EMPTY_YB_HA_WEBSERVICE;
 
-  const isCACertStoreEnabled = isCertCAEnabledInRuntimeConfig(runtimeConfigs?.data);
 
   const peerCerts = getPeerCerts(ybHAWebService);
   return (
@@ -215,21 +208,6 @@ export const HAReplicationForm: FC<HAReplicationFormProps> = ({
           const { instanceType, clusterKey } = formikProps.values;
           return (
             <>
-              <div className="ha-replication-form__action-bar">
-                {instanceType === HAInstanceTypes.Active &&
-                  isRuntimeConfigLoaded &&
-                  !isCACertStoreEnabled && (
-                    <YBButton
-                      btnText={`${
-                        getPeerCerts(ybHAWebService).length > 0 ? 'Manage' : 'Add'
-                      } Peer Certificates`}
-                      onClick={(e: any) => {
-                        showAddPeerCertModal();
-                        e.currentTarget.blur();
-                      }}
-                    />
-                  )}
-              </div>
               <Form role="form">
                 <Grid fluid>
                   {instanceType === HAInstanceTypes.Standby && !isEditMode && (
@@ -369,45 +347,6 @@ export const HAReplicationForm: FC<HAReplicationFormProps> = ({
                       </Col>
                     </Row>
                   </div>
-                  {instanceType === HAInstanceTypes.Active &&
-                    isRuntimeConfigLoaded &&
-                    !isCACertStoreEnabled && (
-                      <Row className="ha-replication-form__row">
-                        <Col xs={2} className="ha-replication-form__label">
-                          Peer Certificates
-                        </Col>
-                        <Col xs={10} className="ha-replication-form__certs">
-                          {!isCACertStoreEnabled && peerCerts.length === 0 ? (
-                            <button
-                              className="ha-replication-form__no-cert--add-button"
-                              onClick={(e) => {
-                                e.preventDefault();
-                                showAddPeerCertModal();
-                              }}
-                            >
-                              {`Add a peer certificate ${
-                                isHTTPS ? '(Required for HTTPS setup)' : ''
-                              }`}
-                            </button>
-                          ) : (
-                            peerCerts.map((peerCert) => {
-                              return (
-                                <>
-                                  <div className="ha-replication-form__cert-container">
-                                    <span className="ha-replication-form__cert-container--identifier">
-                                      {getPeerCertIdentifier(peerCert)}
-                                    </span>
-                                    <span className="ha-replication-form__cert-container--ellipse">
-                                      ( . . . )
-                                    </span>
-                                  </div>
-                                </>
-                              );
-                            })
-                          )}
-                        </Col>
-                      </Row>
-                    )}
 
                   <Row className="ha-replication-form__row">
                     <Col xs={12} className="ha-replication-form__footer">
@@ -416,11 +355,7 @@ export const HAReplicationForm: FC<HAReplicationFormProps> = ({
                         btnType="submit"
                         disabled={
                           formikProps.isSubmitting ||
-                          !formikProps.isValid ||
-                          (!isCACertStoreEnabled &&
-                            instanceType === HAInstanceTypes.Active &&
-                            isHTTPS &&
-                            peerCerts.length === 0)
+                          !formikProps.isValid
                         }
                         loading={formikProps.isSubmitting}
                         btnClass="btn btn-orange"