[#4733]: Fix universe creation with user provided cert.

Summary:
Our current code did not create client certs for user provided certs, causing universe
creation to fail due to lack of the client cert files.

Test Plan:
Created a universe with a user provided cert and verified that it worked as expected.
Also added unit tests.

Reviewers: sanketh, ram, daniel

Reviewed By: daniel

Subscribers: yugaware, daniel, jenkins-bot

Differential Revision: https://phabricator.dev.yugabyte.com/D8817

managed/src/main/java/com/yugabyte/yw/common/CertificateHelper.java

@@ -75,9 +75,9 @@ public class CertificateHelper {
   public static final String CLIENT_CERT = "yugabytedb.crt";
   public static final String CLIENT_KEY = "yugabytedb.key";
   public static final String DEFAULT_CLIENT = "yugabyte";
+  public static final String CERT_PATH = "%s/certs/%s/%s";
 
-  public static UUID createRootCA(String nodePrefix, UUID customerUUID, String storagePath,
-                                  boolean generateClientCert) {
+  public static UUID createRootCA(String nodePrefix, UUID customerUUID, String storagePath) {
       try {
         Security.addProvider(new BouncyCastleProvider());
         KeyPairGenerator keypairGen = KeyPairGenerator.getInstance("RSA");
@@ -117,9 +117,9 @@ public static UUID createRootCA(String nodePrefix, UUID customerUUID, String sto
         JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
         converter.setProvider(new BouncyCastleProvider());
         X509Certificate x509 = converter.getCertificate(holder);
-        String certPath = String.format("%s/certs/%s/%s/ca.root.crt", storagePath,
+        String certPath = String.format(CERT_PATH + "/ca.root.crt", storagePath,
             customerUUID.toString(), rootCA_UUID.toString());
-        String keyPath = String.format("%s/certs/%s/%s/ca.key.pem", storagePath,
+        String keyPath = String.format(CERT_PATH + "/ca.key.pem", storagePath,
             customerUUID.toString(), rootCA_UUID.toString());
         File certfile = new File(certPath);
         certfile.getParentFile().mkdirs();
@@ -133,13 +133,6 @@ public static UUID createRootCA(String nodePrefix, UUID customerUUID, String sto
         CertificateInfo cert = CertificateInfo.create(rootCA_UUID, customerUUID, nodePrefix,
                                                       certStart, certExpiry, keyPath, certPath);
 
-        // Generate Client Certificates.
-        if (generateClientCert) {
-          createClientCertificate(cert.uuid, certfile.getParentFile().toString(), DEFAULT_CLIENT,
-                                    certStart, certExpiry);
-        }
-
-
         LOG.info("Created Root CA for {}.", nodePrefix);
         return cert.uuid;
       } catch (NoSuchAlgorithmException | IOException | OperatorCreationException |
@@ -157,6 +150,15 @@ public static JsonNode createClientCertificate(UUID rootCA, String storagePath,
       KeyPairGenerator keypairGen = KeyPairGenerator.getInstance("RSA");
       keypairGen.initialize(2048);
 
+      Calendar cal = Calendar.getInstance();
+      if (certStart == null) {
+        certStart = cal.getTime();
+      }
+      if (certExpiry == null) {
+        cal.add(Calendar.YEAR, 1);
+        certExpiry = cal.getTime();
+      }
+
       CertificateInfo cert = CertificateInfo.get(rootCA);
       FileInputStream is = new FileInputStream(new File(cert.certificate));
       CertificateFactory fact = CertificateFactory.getInstance("X.509");

managed/src/main/java/com/yugabyte/yw/controllers/UniverseController.java

@@ -485,8 +485,14 @@ public Result create(UUID customerUUID) {
                 primaryCluster.userIntent.enableClientToNodeEncrypt) {
           if (taskParams.rootCA == null) {
             taskParams.rootCA = CertificateHelper.createRootCA(taskParams.nodePrefix,
-                    customerUUID, appConfig.getString("yb.storage.path"),
-                    primaryCluster.userIntent.enableClientToNodeEncrypt);
+                    customerUUID, appConfig.getString("yb.storage.path"));
+          }
+          // If client encryption is enabled, generate the client cert file for each node.
+          if (primaryCluster.userIntent.enableClientToNodeEncrypt) {
+            CertificateHelper.createClientCertificate(taskParams.rootCA,
+                String.format(CertificateHelper.CERT_PATH, appConfig.getString("yb.storage.path"),
+                              customerUUID.toString(), taskParams.rootCA.toString()),
+                CertificateHelper.DEFAULT_CLIENT, null, null);
           }
           // Set the flag to mark the universe as using TLS enabled and therefore not allowing
           // insecure connections.

managed/src/test/java/com/yugabyte/yw/commissioner/tasks/subtasks/KubernetesCommandExecutorTest.java

@@ -95,8 +95,7 @@ public void setUp() {
     defaultUniverse = updateUniverseDetails("small");
     defaultCert = CertificateInfo.get(CertificateHelper.createRootCA(
         defaultUniverse.getUniverseDetails().nodePrefix,
-        defaultProvider.customerUUID, "/tmp/certs",
-        true));
+        defaultProvider.customerUUID, "/tmp/certs"));
     defaultUniverse.setConfig(ImmutableMap.of(Universe.HELM2_LEGACY,
                                               Universe.HelmLegacy.V3.toString()));
   }

managed/src/test/java/com/yugabyte/yw/common/CertificateHelperTest.java

@@ -61,7 +61,7 @@ public void tearDown() throws IOException {
   public void testCreateRootCAWithoutClientCert() {
     UniverseDefinitionTaskParams taskParams = new UniverseDefinitionTaskParams();
     taskParams.nodePrefix = "test-universe";
-    UUID rootCA = CertificateHelper.createRootCA(taskParams.nodePrefix, c.uuid, "/tmp", false);
+    UUID rootCA = CertificateHelper.createRootCA(taskParams.nodePrefix, c.uuid, "/tmp");
     assertNotNull(CertificateInfo.get(rootCA));
     try {
       InputStream in = new FileInputStream(certPath + String.format("/%s/ca.root.crt", rootCA));
@@ -77,7 +77,10 @@ public void testCreateRootCAWithoutClientCert() {
   public void testCreateRootCAWithClientCert() {
     UniverseDefinitionTaskParams taskParams = new UniverseDefinitionTaskParams();
     taskParams.nodePrefix = "test-universe";
-    UUID rootCA = CertificateHelper.createRootCA(taskParams.nodePrefix, c.uuid, "/tmp", true);
+    UUID rootCA = CertificateHelper.createRootCA(taskParams.nodePrefix, c.uuid, "/tmp");
+    CertificateHelper.createClientCertificate(rootCA, String.format(certPath + "/%s",
+                                                                    rootCA),
+                                              "yugabyte", null, null);
     assertNotNull(CertificateInfo.get(rootCA));
     try {
       InputStream in = new FileInputStream(certPath + String.format("/%s/ca.root.crt", rootCA));
@@ -99,7 +102,7 @@ public void testCreateCustomerCertToString() throws CertificateException,
     SignatureException, IOException {
     UniverseDefinitionTaskParams taskParams = new UniverseDefinitionTaskParams();
     taskParams.nodePrefix = "test-universe";
-    UUID rootCA = CertificateHelper.createRootCA(taskParams.nodePrefix, c.uuid, "/tmp", false);
+    UUID rootCA = CertificateHelper.createRootCA(taskParams.nodePrefix, c.uuid, "/tmp");
     assertNotNull(CertificateInfo.get(rootCA));
 
     CertificateInfo cert = CertificateInfo.get(rootCA);
@@ -126,7 +129,7 @@ public void testCreateCustomerCertToFile() throws CertificateException, NoSuchAl
     InvalidKeyException, NoSuchProviderException, SignatureException, IOException {
     UniverseDefinitionTaskParams taskParams = new UniverseDefinitionTaskParams();
     taskParams.nodePrefix = "test-universe";
-    UUID rootCA = CertificateHelper.createRootCA(taskParams.nodePrefix, c.uuid, "/tmp", false);
+    UUID rootCA = CertificateHelper.createRootCA(taskParams.nodePrefix, c.uuid, "/tmp");
     assertNotNull(CertificateInfo.get(rootCA));
 
     CertificateInfo cert = CertificateInfo.get(rootCA);

managed/src/test/java/com/yugabyte/yw/controllers/CertificateControllerTest.java

@@ -59,7 +59,7 @@ public void setUp() {
     customer = ModelFactory.testCustomer();
     user = ModelFactory.testUser(customer);
     for (String cert: test_certs) {
-      test_certs_uuids.add(CertificateHelper.createRootCA(cert, customer.uuid, "/tmp/certs", true));
+      test_certs_uuids.add(CertificateHelper.createRootCA(cert, customer.uuid, "/tmp/certs"));
     }
   }
 
@@ -158,7 +158,7 @@ public void testCreateClientCertificate() {
     bodyJson.put("certStart", date.getTime());
     bodyJson.put("certExpiry", date.getTime());
     UUID rootCA = CertificateHelper.createRootCA("test-universe", customer.uuid,
-                                                 "/tmp", false);
+                                                 "/tmp");
     Result result = createClientCertificate(customer.uuid, rootCA, bodyJson);
     JsonNode json = Json.parse(contentAsString(result));
     assertEquals(OK, result.status());