Allow host cert renewals even if client auth strictness is false

[Slair1]

Description

This PR allows the management servers to renew certificates issued to hosts, even if ca.plugin.root.auth.strictness is false. There is already a global setting named ca.framework.cert.automatic.renewal that should be controlling the certificate renewals. However, ca.plugin.root.auth.strictness currently circumvents that setting.

More Detail

The ca.plugin.root.auth.strictness setting is checked early in the client certificate checking method and exits the method without adding the certificate to the management server's in-memory certificate map if strictness is false. The certificate renewal process (if enabled with ca.framework.cert.automatic.renewal) reads that in-memory certificate map to determine what certs it could renew. Those two settings shouldn't be so closely related.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• [X ] Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

We've deployed and tested this in our CloudStack environments.

[Slair1]

Update PR with more tests and now when not in strict mode it will still log issues with certificates, but just accept the cert still.

[Slair1]

Let me know if i can do anything else to help this along

[DaanHoogland]

@sureshanaparti do you approve now?

[sureshanaparti]

code LGTM.

[yadvr]

@blueorangutan package

[blueorangutan]

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ centos7 ✔️ centos8 ✔️ debian. SL-JID 87

[yadvr]

@blueorangutan test

[blueorangutan]

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Trillian Build Failed (tid-753)

[blueorangutan]

Trillian test result (tid-764)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 32757 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4852-t764-kvm-centos7.zip
Smoke tests completed. 88 look OK, 0 have error(s)
Only failed tests results shown below:

Test	Result	Time (s)	Test File

[yadvr]

Needs some manual testing/validation, otherwise lgtm

[nvazquez]

@blueorangutan package

[blueorangutan]

@nvazquez a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ centos7 ✔️ centos8 ✔️ debian. SL-JID 338

[nvazquez]

@blueorangutan test

[blueorangutan]

@nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-1070)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 37786 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4852-t1070-kvm-centos7.zip
Intermittent failure detected: /marvin/tests/smoke/test_kubernetes_clusters.py
Intermittent failure detected: /marvin/tests/smoke/test_vpc_vpn.py
Smoke tests completed. 87 look OK, 1 have error(s)
Only failed tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=TestKubernetesCluster>:teardown	Error	71.22	test_kubernetes_clusters.py

[nvazquez]

@weizhouapache can you please test this PR?

[weizhouapache]

@Slair1 @nvazquez
tested ok. except two small questions.

(1) change global settings (just for my testing, do not set it on production)
ca.framework.cert.expiry.alert.period , from 15 to 1500 (days)
ca.framework.background.task.delay, from 3600 to 60 (seconds)
ca.plugin.root.auth.strictness , from true to false.

(2) add debug info in server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java

             try {
-                if (LOG.isTraceEnabled()) {
-                    LOG.trace("CA background task is running...");
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("CA background task is running...");
                 }

(3) without this patch
$ egrep "Certificate is going to expire|CA background task is running" /var/log/cloudstack/management/management-server.log

2021-07-15 07:12:03,827 DEBUG [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-2:ctx-59f9ec37) (logid:7d7a59b2) CA background task is running...
2021-07-15 07:13:30,314 DEBUG [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-5:ctx-e17c3499) (logid:de3f6c2a) CA background task is running...
2021-07-15 07:14:58,516 DEBUG [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-4:ctx-13297c4e) (logid:4dc266a0) CA background task is running...
2021-07-15 07:16:26,420 DEBUG [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-5:ctx-13d9b8c4) (logid:10203dcf) CA background task is running...

(4) with the patch

$ egrep "Certificate is going to expire|CA background task is running" /var/log/cloudstack/management/management-server.log

2021-07-15 09:12:13,759 DEBUG [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-6:ctx-a913172f) (logid:4c23e662) CA background task is running...
2021-07-15 09:12:13,761 WARN [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-6:ctx-a913172f) (logid:4c23e662) Certificate is going to expire for host id=5, uuid=060e2261-8214-4385-b0d4-ce90b6fe2786, name=s-79-VM, ip=10.0.36.8, zone id=1
2021-07-15 09:12:23,912 WARN [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-6:ctx-a913172f) (logid:4c23e662) Certificate is going to expire for host id=2, uuid=fd8384ff-fe21-41e2-84ea-bc70e6d26b97, name=v-1-VM, ip=10.0.36.3, zone id=1
2021-07-15 09:12:34,978 WARN [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-6:ctx-a913172f) (logid:4c23e662) Certificate is going to expire for host id=1, uuid=4ea38782-280c-4122-aea8-63682c16c115, name=ref-trl-1000-k-Mu20-wei-zhou-kvm2, ip=10.0.34.159, zone id=1
2021-07-15 09:12:40,425 WARN [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-6:ctx-a913172f) (logid:4c23e662) Certificate is going to expire for host id=4, uuid=d9988a7b-7e02-4e90-9c4a-798c588b1cba, name=ref-trl-1000-k-Mu20-wei-zhou-kvm1, ip=10.0.33.203, zone id=1

[weizhouapache]

@Slair1 what if allowExpiredCertificate is true ? log the error and silently ignore it ?
should it be appended to exceptionMsg ?

[nvazquez]

Thanks @weizhouapache, looks good. @Slair1 can you please check the open comment? Then will be good to go

[yadvr]

Ping @slavkap thanks for the PR, it seems like an important fix. Can you address the outstanding comment so we can move forward with this PR?

[slavkap]

@rhtyd, unfortunately, I don't have anything with this PR

[yadvr]

My bad @slavkap sorry I wrongly selected the Github ID when I typed `@sla... and selected your handle.

I meant @Slair1 can you address the outstanding comment so we can move forward with this PR?

[yadvr]

@Slair1 can you address the outstanding comment so we can move forward with this PR?

[yadvr]

@blueorangutan package

[blueorangutan]

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian. SL-JID 929

[yadvr]

@blueorangutan test

[blueorangutan]

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-1722)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 34368 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4852-t1722-kvm-centos7.zip
Smoke tests completed. 89 look OK, 0 have error(s)
Only failed tests results shown below:

Test	Result	Time (s)	Test File

[weizhouapache]

@nvazquez @rhtyd
since we have 2 approvals (including 1 manual test) and integration test passed, can we merge this pr ?

[yadvr]

Merging this based on your comment @weizhouapache