vishesh92 opened a new pull request, #12911: URL: https://github.com/apache/cloudstack/pull/12911
### Description This PR adds ROOT CAs to the trust store in System VMs & the management This PR also adds another parameter `forced` to `provisionCertificate` command which allows provisioning certs via SSH to KVM hosts & system VMs. <details><summary>Details</summary> <p> This pull request introduces several improvements and new features to the CloudStack Certificate Authority (CA) management system, with a focus on enhancing certificate provisioning flexibility, supporting user-provided CA material, and improving truststore management. The most significant changes add support for forced certificate re-provisioning via SSH for disconnected agents, clarify and enforce requirements for custom CA keys, and enable automatic truststore injection for outgoing HTTPS connections. **Certificate Provisioning Enhancements:** * Added a `forced` boolean parameter to the `ProvisionCertificateCmd` API and the `CAManager.provisionCertificate` method, allowing administrators to re-provision agent certificates via SSH when agents are disconnected (e.g., after a CA change). This is supported for KVM hosts and SystemVMs. The implementation includes a new `provisionCertificateViaSsh` method for KVM hosts. [[1]](diffhunk://#diff-47256011611f1eb6e02d5bcea6b93522b9cbb3d02b412e453f70ece90f73be0bR66-R71) [[2]](diffhunk://#diff-47256011611f1eb6e02d5bcea6b93522b9cbb3d02b412e453f70ece90f73be0bR88-R91) [[3]](diffhunk://#diff-47256011611f1eb6e02d5bcea6b93522b9cbb3d02b412e453f70ece90f73be0bL93-R103) [[4]](diffhunk://#diff-53dd6811a2c0ba19528607f2a53f673e923eb0e4d115b1b35a7075e7e232611cL133-R162) [[5]](diffhunk://#diff-036089d4cf9f9b952aa61bddf51c2c632a22fc9df1ea280009f319ff5f677d76L177-R172) [[6]](diffhunk://#diff-c2b82ab4b90cd69457a55529eb79aba79e580cb3b527c7770dc62473ff69d8ebL180-R213) **CA Provider and Configuration Improvements:** * Expanded and clarified configuration key documentation for user-provided CA material in the `RootCAProvider`, including PEM format requirements and the need to set all three keys together. Enhanced error handling and logging when loading user-provided CA keys/certificates fails, with fallback to auto-generation. [[1]](diffhunk://#diff-3d6faed94078da6001579a25a36661ff936f215b9bfc753707ea803f77caaa26L109-R123) [[2]](diffhunk://#diff-3d6faed94078da6001579a25a36661ff936f215b9bfc753707ea803f77caaa26L425-R469) * Improved the description of the `ca.framework.provider.plugin` configuration key to clarify its purpose and the requirements for custom CA material. **Truststore Management:** * Introduced a new configuration key `ca.framework.inject.default.truststore` to control whether the CA provider's certificate is injected into the JVM default truststore on management server startup, enabling outgoing HTTPS connections from the management server to trust servers signed by the configured CA. * Updated the `keystore-cert-import` script to also import the CA certificate into the `realhostip.keystore` used by the SSVM JVM, ensuring trust for CloudStack CA-signed servers. **Script and Utility Fixes:** * Improved the `keystore-cert-import` script to handle certificate splitting and file cleanup more robustly, preventing errors if no certificates are present. **Code Cleanup:** * Removed unused imports and code from `LibvirtServerDiscoverer` and related classes as part of the refactoring for SSH-based certificate provisioning. [[1]](diffhunk://#diff-036089d4cf9f9b952aa61bddf51c2c632a22fc9df1ea280009f319ff5f677d76L24) [[2]](diffhunk://#diff-036089d4cf9f9b952aa61bddf51c2c632a22fc9df1ea280009f319ff5f677d76L35-L39) [[3]](diffhunk://#diff-036089d4cf9f9b952aa61bddf51c2c632a22fc9df1ea280009f319ff5f677d76L69) [[4]](diffhunk://#diff-c2b82ab4b90cd69457a55529eb79aba79e580cb3b527c7770dc62473ff69d8ebR25-R32) [[5]](diffhunk://#diff-c2b82ab4b90cd69457a55529eb79aba79e580cb3b527c7770dc62473ff69d8ebR44-R57) [[6]](diffhunk://#diff-c2b82ab4b90cd69457a55529eb79aba79e580cb3b527c7770dc62473ff69d8ebR79) [[7]](diffhunk://#diff-c2b82ab4b90cd69457a55529eb79aba79e580cb3b527c7770dc62473ff69d8ebR101-R106) These changes collectively improve CloudStack's certificate management flexibility, security, and ease of integration with external CA infrastructures. </p> </details> <!--- Describe your changes in DETAIL - And how has behaviour functionally changed. --> <!-- For new features, provide link to FS, dev ML discussion etc. --> <!-- In case of bug fix, the expected and actual behaviours, steps to reproduce. --> <!-- When "Fixes: #<id>" is specified, the issue/PR will automatically be closed when this PR gets merged --> <!-- For addressing multiple issues/PRs, use multiple "Fixes: #<id>" --> <!-- Fixes: # --> <!--- ******************************************************************************* --> <!--- NOTE: AUTOMATION USES THE DESCRIPTIONS TO SET LABELS AND PRODUCE DOCUMENTATION. --> <!--- PLEASE PUT AN 'X' in only **ONE** box --> <!--- ******************************************************************************* --> ### Types of changes - [ ] Breaking change (fix or feature that would cause existing functionality to change) - [ ] New feature (non-breaking change which adds functionality) - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] Enhancement (improves an existing feature and functionality) - [ ] Cleanup (Code refactoring and cleanup, that may add test cases) - [ ] Build/CI - [ ] Test (unit or integration test code) ### Feature/Enhancement Scale or Bug Severity #### Feature/Enhancement Scale - [ ] Major - [ ] Minor #### Bug Severity - [ ] BLOCKER - [ ] Critical - [ ] Major - [ ] Minor - [ ] Trivial ### Screenshots (if appropriate): ### How Has This Been Tested? <!-- Please describe in detail how you tested your changes. --> <!-- Include details of your testing environment, and the tests you ran to --> #### How did you try to break this feature and the system with this change? <!-- see how your change affects other areas of the code, etc. --> <!-- Please read the [CONTRIBUTING](https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md) document --> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
