Pulling external database configs and using default AWS root certs in…

… case of no certs passed for external AWS databases (#8014)

* pulling external database configs and using default aws root certs in case of no certs passed for external aws databases

Signed-off-by: Jay Sharma <jsharma@progress.com>

* getting only host from https opensearch url

Signed-off-by: Jay Sharma <jsharma@progress.com>

* adding testcases for new functions

Signed-off-by: Jay Sharma <jsharma@progress.com>

* taking snapshot role arn, accesskey, secrectkey from automate config, added test cases

Signed-off-by: Jay Sharma <jsharma@progress.com>

* fixing test cases

Signed-off-by: Jay Sharma <jsharma@progress.com>

---------

Signed-off-by: Jay Sharma <jsharma@progress.com>

components/automate-cli/cmd/chef-automate/pullAndGenerateConfig.go

@@ -4,6 +4,7 @@ import (
  "encoding/json"
  "fmt"
  "io/ioutil"
+ "net/url"
  "os/exec"
  "path/filepath"
  "strconv"
@@ -357,6 +358,27 @@ func (p *PullConfigsImpl) fetchInfraConfig() (*ExistingInfraConfigToml, error) {
  sharedConfigToml.Postgresql.Config.RootCA = pgRootCA
  }
  sharedConfigToml.Postgresql.Config.EnableCustomCerts = true
+ } else {
+ externalOsDetails := getExternalOpensearchDetails(a2ConfigMap)
+ if externalOsDetails != nil {
+ sharedConfigToml.ExternalDB.Database.Opensearch.OpensearchDomainName = externalOsDetails.OpensearchDomainName
+ sharedConfigToml.ExternalDB.Database.Opensearch.OpensearchInstanceURL = externalOsDetails.OpensearchInstanceURL
+ sharedConfigToml.ExternalDB.Database.Opensearch.OpensearchRootCert = externalOsDetails.OpensearchRootCert
+ sharedConfigToml.ExternalDB.Database.Opensearch.OpensearchSuperUserName = externalOsDetails.OpensearchSuperUserName
+ sharedConfigToml.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword = externalOsDetails.OpensearchSuperUserPassword
+ sharedConfigToml.ExternalDB.Database.Opensearch.AWS.AwsOsSnapshotRoleArn = externalOsDetails.AWS.AwsOsSnapshotRoleArn
+ sharedConfigToml.ExternalDB.Database.Opensearch.AWS.OsUserAccessKeyId = externalOsDetails.AWS.OsUserAccessKeyId
+ sharedConfigToml.ExternalDB.Database.Opensearch.AWS.OsUserAccessKeySecret = externalOsDetails.AWS.OsUserAccessKeySecret
+ }
+ externalPgDetails := getExternalPGDetails(a2ConfigMap)
+ if externalPgDetails != nil {
+ sharedConfigToml.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserName = externalPgDetails.PostgreSQLDBUserName
+ sharedConfigToml.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword = externalPgDetails.PostgreSQLDBUserPassword
+ sharedConfigToml.ExternalDB.Database.PostgreSQL.PostgreSQLInstanceURL = externalPgDetails.PostgreSQLInstanceURL
+ sharedConfigToml.ExternalDB.Database.PostgreSQL.PostgreSQLRootCert = externalPgDetails.PostgreSQLRootCert
+ sharedConfigToml.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserName = externalPgDetails.PostgreSQLSuperUserName
+ sharedConfigToml.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword = externalPgDetails.PostgreSQLSuperUserPassword
+ }
  }
 
  // Build CertsByIP for Automate
@@ -415,6 +437,70 @@ func (p *PullConfigsImpl) fetchInfraConfig() (*ExistingInfraConfigToml, error) {
  return sharedConfigToml, nil
 }
 
+func getExternalOpensearchDetails(a2ConfigMap map[string]*dc.AutomateConfig) *ExternalOpensearchToml {
+ for _, ele := range a2ConfigMap {
+ if ele.Global.V1.External.Opensearch != nil &&
+ ele.Global.V1.External.Opensearch.Auth != nil &&
+ ele.Global.V1.External.Opensearch.Auth.AwsOs != nil {
+ return setExternalOpensearchDetails(ele.Global.V1.External.Opensearch.Nodes[0].Value,
+ ele.Global.V1.External.Opensearch.Auth.AwsOs.Username.Value,
+ ele.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value,
+ ele.Global.V1.External.Opensearch.Ssl.RootCert.Value,
+ ele.Global.V1.External.Opensearch.Ssl.ServerName.Value,
+ ele.Global.V1.External.Opensearch.Auth.AwsOs.AccessKey.Value,
+ ele.Global.V1.External.Opensearch.Auth.AwsOs.SecretKey.Value,
+ ele.Global.V1.External.Opensearch.Backup.S3.Settings.RoleArn.Value,
+ )
+ }
+ }
+ return nil
+}
+
+func setExternalOpensearchDetails(instanceUrl, superUserName, superPassword, rootCert, domainName, accessKey, secretKey, roleArn string) *ExternalOpensearchToml {
+ nodeUrl, _ := url.Parse(instanceUrl)
+ return &ExternalOpensearchToml{
+ OpensearchInstanceURL: nodeUrl.Host,
+ OpensearchSuperUserName: superUserName,
+ OpensearchSuperUserPassword: superPassword,
+ OpensearchRootCert: rootCert,
+ OpensearchDomainName: domainName,
+ AWS: ExternalAwsToml{
+ OsUserAccessKeyId: accessKey,
+ OsUserAccessKeySecret: secretKey,
+ AwsOsSnapshotRoleArn: roleArn,
+ },
+ }
+}
+
+func getExternalPGDetails(a2ConfigMap map[string]*dc.AutomateConfig) *ExternalPostgreSQLToml {
+ for _, ele := range a2ConfigMap {
+ if ele.Global.V1.External.Postgresql.Nodes != nil &&
+ ele.Global.V1.External.Postgresql.Auth.Password.Superuser != nil &&
+ ele.Global.V1.External.Postgresql.Auth.Password.Dbuser != nil {
+ return setExternalPGDetails(
+ ele.Global.V1.External.Postgresql.Nodes[0].Value,
+ ele.Global.V1.External.Postgresql.Auth.Password.Superuser.Username.Value,
+ ele.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value,
+ ele.Global.V1.External.Postgresql.Auth.Password.Dbuser.Username.Value,
+ ele.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value,
+ ele.Global.V1.External.Postgresql.Ssl.RootCert.Value,
+ )
+ }
+ }
+ return nil
+}
+
+func setExternalPGDetails(instanceUrl, superUserName, superUserPassword, dBUserName, dBUserPassword, rootCerts string) *ExternalPostgreSQLToml {
+ return &ExternalPostgreSQLToml{
+ PostgreSQLInstanceURL: instanceUrl,
+ PostgreSQLSuperUserName: superUserName,
+ PostgreSQLSuperUserPassword: superUserPassword,
+ PostgreSQLDBUserName: dBUserName,
+ PostgreSQLDBUserPassword: dBUserPassword,
+ PostgreSQLRootCert: rootCerts,
+ }
+}
+
 func (p *PullConfigsImpl) getOsCertsByIp(osConfigMap map[string]*ConfigKeys) []CertByIP {
  var osCerts []CertByIP
  nodesDnMap := make(map[string]bool)
@@ -569,6 +655,27 @@ func (p *PullConfigsImpl) fetchAwsConfig() (*AwsConfigToml, error) {
  sharedConfigToml.Postgresql.Config.PublicKey = pgPubKey
  }
  sharedConfigToml.Postgresql.Config.EnableCustomCerts = true
+ } else {
+ externalOsDetails := getExternalOpensearchDetails(a2ConfigMap)
+ if externalOsDetails != nil {
+ sharedConfigToml.Aws.Config.OpensearchDomainName = externalOsDetails.OpensearchDomainName
+ sharedConfigToml.Aws.Config.OpensearchDomainUrl = externalOsDetails.OpensearchInstanceURL
+ sharedConfigToml.Aws.Config.OpensearchCertificate = externalOsDetails.OpensearchRootCert
+ sharedConfigToml.Aws.Config.OpensearchUsername = externalOsDetails.OpensearchSuperUserName
+ sharedConfigToml.Aws.Config.OpensearchUserPassword = externalOsDetails.OpensearchSuperUserPassword
+ sharedConfigToml.Aws.Config.AwsOsSnapshotRoleArn = externalOsDetails.AWS.AwsOsSnapshotRoleArn
+ sharedConfigToml.Aws.Config.OsUserAccessKeyId = externalOsDetails.AWS.OsUserAccessKeyId
+ sharedConfigToml.Aws.Config.OsUserAccessKeySecret = externalOsDetails.AWS.OsUserAccessKeySecret
+ }
+ externalPgDetails := getExternalPGDetails(a2ConfigMap)
+ if externalPgDetails != nil {
+ sharedConfigToml.Aws.Config.RDSDBUserName = externalPgDetails.PostgreSQLDBUserName
+ sharedConfigToml.Aws.Config.RDSDBUserPassword = externalPgDetails.PostgreSQLDBUserPassword
+ sharedConfigToml.Aws.Config.RDSInstanceUrl = externalPgDetails.PostgreSQLInstanceURL
+ sharedConfigToml.Aws.Config.RDSCertificate = externalPgDetails.PostgreSQLRootCert
+ sharedConfigToml.Aws.Config.RDSSuperUserName = externalPgDetails.PostgreSQLSuperUserName
+ sharedConfigToml.Aws.Config.RDSSuperUserPassword = externalPgDetails.PostgreSQLSuperUserPassword
+ }
  }
 
  // Build CertsByIP for Automate

components/automate-cli/cmd/chef-automate/pullAndGenerateConfig_test.go

@@ -591,3 +591,166 @@ func TestGetOsCertsByIp(t *testing.T) {
  })
  }
 }
+
+func TestGetOpensearchDetails(t *testing.T) {
+ type testCaseInfo struct {
+ testCaseDescreption string
+ InstanceURL string
+ Username string
+ password string
+ rootCert string
+ serverName string
+ accessKey string
+ secretKey string
+ roleArn string
+ ExpectedOpensearchToml *ExternalOpensearchToml
+ }
+
+ testCases := []testCaseInfo{
+ {
+ testCaseDescreption: "With Http URL",
+ InstanceURL: "http://testopensearch:9200/",
+ Username: "admin",
+ password: "pass",
+ rootCert: "----certs----",
+ serverName: "test server",
+ accessKey: "test-access",
+ secretKey: "test-secret",
+ roleArn: "test-role-arn",
+ ExpectedOpensearchToml: &ExternalOpensearchToml{
+ OpensearchInstanceURL: "testopensearch:9200",
+ OpensearchSuperUserName: "admin",
+ OpensearchSuperUserPassword: "pass",
+ OpensearchRootCert: "----certs----",
+ OpensearchDomainName: "test server",
+ AWS: ExternalAwsToml{
+ AwsOsSnapshotRoleArn: "test-role-arn",
+ OsUserAccessKeyId: "test-access",
+ OsUserAccessKeySecret: "test-secret",
+ },
+ },
+ },
+ {
+ testCaseDescreption: "With Https URL",
+ InstanceURL: "https://testopensearch:9200/",
+ Username: "admin",
+ password: "pass",
+ rootCert: "----certs----",
+ serverName: "test server",
+ accessKey: "test-access",
+ secretKey: "test-secret",
+ roleArn: "test-role-arn",
+ ExpectedOpensearchToml: &ExternalOpensearchToml{
+ OpensearchInstanceURL: "testopensearch:9200",
+ OpensearchSuperUserName: "admin",
+ OpensearchSuperUserPassword: "pass",
+ OpensearchRootCert: "----certs----",
+ OpensearchDomainName: "test server",
+ AWS: ExternalAwsToml{
+ AwsOsSnapshotRoleArn: "test-role-arn",
+ OsUserAccessKeyId: "test-access",
+ OsUserAccessKeySecret: "test-secret",
+ },
+ },
+ },
+ {
+ testCaseDescreption: "With cert blank",
+ InstanceURL: "https://testopensearch:9200/",
+ Username: "admin",
+ password: "pass",
+ rootCert: "",
+ serverName: "test server",
+ accessKey: "test-access",
+ secretKey: "test-secret",
+ roleArn: "test-role-arn",
+ ExpectedOpensearchToml: &ExternalOpensearchToml{
+ OpensearchInstanceURL: "testopensearch:9200",
+ OpensearchSuperUserName: "admin",
+ OpensearchSuperUserPassword: "pass",
+ OpensearchRootCert: "",
+ OpensearchDomainName: "test server",
+ AWS: ExternalAwsToml{
+ AwsOsSnapshotRoleArn: "test-role-arn",
+ OsUserAccessKeyId: "test-access",
+ OsUserAccessKeySecret: "test-secret",
+ },
+ },
+ },
+ }
+
+ for _, testCase := range testCases {
+ t.Run(testCase.testCaseDescreption, func(t *testing.T) {
+ externalOsConfig := setExternalOpensearchDetails(testCase.InstanceURL, testCase.Username, testCase.password, testCase.rootCert, testCase.serverName, testCase.accessKey, testCase.secretKey, testCase.roleArn)
+ assert.Equal(t, testCase.ExpectedOpensearchToml.OpensearchInstanceURL, externalOsConfig.OpensearchInstanceURL)
+ assert.Equal(t, testCase.ExpectedOpensearchToml.OpensearchDomainName, externalOsConfig.OpensearchDomainName)
+ assert.Equal(t, testCase.ExpectedOpensearchToml.OpensearchSuperUserName, externalOsConfig.OpensearchSuperUserName)
+ assert.Equal(t, testCase.ExpectedOpensearchToml.OpensearchSuperUserPassword, externalOsConfig.OpensearchSuperUserPassword)
+ assert.Equal(t, testCase.ExpectedOpensearchToml.OpensearchRootCert, externalOsConfig.OpensearchRootCert)
+ assert.Equal(t, testCase.ExpectedOpensearchToml.AWS.AwsOsSnapshotRoleArn, externalOsConfig.AWS.AwsOsSnapshotRoleArn)
+ assert.Equal(t, testCase.ExpectedOpensearchToml.AWS.OsUserAccessKeyId, externalOsConfig.AWS.OsUserAccessKeyId)
+ assert.Equal(t, testCase.ExpectedOpensearchToml.AWS.OsUserAccessKeySecret, externalOsConfig.AWS.OsUserAccessKeySecret)
+ })
+ }
+}
+
+func TestGetPGDetails(t *testing.T) {
+ type testCaseInfo struct {
+ testCaseDescreption string
+ InstanceURL string
+ SuperUsername string
+ SuperUserPassword string
+ DBUserName string
+ DBUserPassword string
+ rootCert string
+ ExpectedPGToml *ExternalPostgreSQLToml
+ }
+
+ testCases := []testCaseInfo{
+ {
+ testCaseDescreption: "With cert",
+ InstanceURL: "testopensearch:5432",
+ SuperUsername: "admin",
+ SuperUserPassword: "pass",
+ DBUserName: "admin",
+ DBUserPassword: "pass",
+ rootCert: "----certs----",
+ ExpectedPGToml: &ExternalPostgreSQLToml{
+ PostgreSQLInstanceURL: "testopensearch:5432",
+ PostgreSQLSuperUserName: "admin",
+ PostgreSQLSuperUserPassword: "pass",
+ PostgreSQLDBUserName: "admin",
+ PostgreSQLDBUserPassword: "pass",
+ PostgreSQLRootCert: "----certs----",
+ },
+ },
+ {
+ testCaseDescreption: "With empty cert",
+ InstanceURL: "testopensearch:5432",
+ SuperUsername: "admin",
+ SuperUserPassword: "pass",
+ DBUserName: "admin",
+ DBUserPassword: "pass",
+ rootCert: "",
+ ExpectedPGToml: &ExternalPostgreSQLToml{
+ PostgreSQLInstanceURL: "testopensearch:5432",
+ PostgreSQLSuperUserName: "admin",
+ PostgreSQLSuperUserPassword: "pass",
+ PostgreSQLDBUserName: "admin",
+ PostgreSQLDBUserPassword: "pass",
+ PostgreSQLRootCert: "",
+ },
+ },
+ }
+
+ for _, testCase := range testCases {
+ t.Run(testCase.testCaseDescreption, func(t *testing.T) {
+ externalPGConfig := setExternalPGDetails(testCase.InstanceURL, testCase.SuperUsername, testCase.SuperUserPassword, testCase.DBUserName, testCase.DBUserPassword, testCase.rootCert)
+ assert.Equal(t, testCase.ExpectedPGToml.PostgreSQLInstanceURL, externalPGConfig.PostgreSQLInstanceURL)
+ assert.Equal(t, testCase.ExpectedPGToml.PostgreSQLSuperUserName, externalPGConfig.PostgreSQLSuperUserName)
+ assert.Equal(t, testCase.ExpectedPGToml.PostgreSQLSuperUserPassword, externalPGConfig.PostgreSQLSuperUserPassword)
+ assert.Equal(t, testCase.ExpectedPGToml.PostgreSQLDBUserName, externalPGConfig.PostgreSQLDBUserName)
+ assert.Equal(t, testCase.ExpectedPGToml.PostgreSQLDBUserPassword, externalPGConfig.PostgreSQLDBUserPassword)
+ assert.Equal(t, testCase.ExpectedPGToml.PostgreSQLRootCert, externalPGConfig.PostgreSQLRootCert)
+ })
+ }
+}

components/automate-cli/pkg/verifyserver/models/batchcheck.go

@@ -4,6 +4,7 @@ import (
  "errors"
  "log"
  "strconv"
+ "strings"
 
  "github.com/aws/aws-sdk-go/aws/credentials"
  "github.com/chef/automate/lib/config"
@@ -331,6 +332,9 @@ func (c *Config) populateAwsManagedServicesConfig(haConfig *config.HaDeployConfi
  c.ExternalPG.PGDbUserPassword = awsManagedServicesConfig.ManagedRdsDbuserPassword
  c.ExternalPG.PGInstanceURL = awsManagedServicesConfig.ManagedRdsInstanceURL
  c.ExternalPG.PGRootCert = awsManagedServicesConfig.ManagedRdsCertificate
+ if len(strings.TrimSpace(awsManagedServicesConfig.ManagedRdsCertificate)) < 1 {
+ c.ExternalPG.PGRootCert = EXTERNAL_PG_ROOT_CERT
+ }
  c.ExternalPG.PGSuperuserName = awsManagedServicesConfig.ManagedRdsSuperuserUsername
  c.ExternalPG.PGSuperuserPassword = awsManagedServicesConfig.ManagedRdsSuperuserPassword
 
@@ -341,6 +345,9 @@ func (c *Config) populateAwsManagedServicesConfig(haConfig *config.HaDeployConfi
  c.ExternalOS.OSDomainName = awsManagedServicesConfig.ManagedOpensearchDomainName
  c.ExternalOS.OSDomainURL = awsManagedServicesConfig.ManagedOpensearchDomainURL
  c.ExternalOS.OSCert = awsManagedServicesConfig.ManagedOpensearchCertificate
+ if len(strings.TrimSpace(awsManagedServicesConfig.ManagedOpensearchCertificate)) < 1 {
+ c.ExternalOS.OSCert = EXTERNAL_OPENSEARCH_ROOT_CERT
+ }
  c.ExternalOS.OSUserPassword = awsManagedServicesConfig.ManagedOpensearchUserPassword
  c.ExternalOS.OSUsername = awsManagedServicesConfig.ManagedOpensearchUsername
 }
@@ -388,6 +395,11 @@ func (c *Config) populateExternalDbConfig(haConfig *config.HaDeployConfig) {
  c.ExternalPG.PGDbUserPassword = externalPgConfig.DbuserPassword
  c.ExternalPG.PGInstanceURL = externalPgConfig.InstanceURL
  c.ExternalPG.PGRootCert = externalPgConfig.PostgresqlRootCert
+
+ if len(externalPgConfig.PostgresqlRootCert) < 1 && haConfig.External.Database.Type == "aws" {
+ c.ExternalPG.PGRootCert = EXTERNAL_PG_ROOT_CERT
+ }
+
  c.ExternalPG.PGSuperuserName = externalPgConfig.SuperuserUsername
  c.ExternalPG.PGSuperuserPassword = externalPgConfig.SuperuserPassword
 
@@ -400,6 +412,10 @@ func (c *Config) populateExternalDbConfig(haConfig *config.HaDeployConfig) {
  c.ExternalOS.OSDomainName = externalOsConfig.OpensearchDomainName
  c.ExternalOS.OSDomainURL = externalOsConfig.OpensearchDomainURL
  c.ExternalOS.OSCert = externalOsConfig.OpensearchRootCert
+
+ if len(externalOsConfig.OpensearchRootCert) < 1 && haConfig.External.Database.Type == "aws" {
+ c.ExternalOS.OSCert = EXTERNAL_OPENSEARCH_ROOT_CERT
+ }
  c.ExternalOS.OSUserPassword = externalOsConfig.OpensearchUserPassword
  c.ExternalOS.OSUsername = externalOsConfig.OpensearchUsername