Update provision certificate command to allow provisioning via SSH

Author: vishesh92

api/src/main/java/org/apache/cloudstack/api/command/admin/ca/ProvisionCertificateCmd.java

@@ -63,6 +63,12 @@ public class ProvisionCertificateCmd extends BaseAsyncCmd {
             description = "Name of the CA service provider, otherwise the default configured provider plugin will be used")
     private String provider;
 
+    @Parameter(name = ApiConstants.FORCED, type = CommandType.BOOLEAN,
+            description = "When true, uses SSH to re-provision the agent's certificate, bypassing the NIO agent connection. " +
+            "Use this when agents are disconnected due to a CA change. Supported for KVM hosts and SystemVMs. Default is false",
+            since = "4.23.0")
+    private Boolean forced;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -79,6 +85,10 @@ public String getProvider() {
         return provider;
     }
 
+    public boolean isForced() {
+        return forced != null && forced;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
@@ -90,7 +100,7 @@ public void execute() {
             throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to find host by ID: " + getHostId());
         }
 
-        boolean result = caManager.provisionCertificate(host, getReconnect(), getProvider());
+        boolean result = caManager.provisionCertificate(host, getReconnect(), getProvider(), isForced());
         SuccessResponse response = new SuccessResponse(getCommandName());
         response.setSuccess(result);
         setResponseObject(response);

api/src/main/java/org/apache/cloudstack/ca/CAManager.java

@@ -23,6 +23,8 @@
 import java.util.List;
 import java.util.Map;
 
+import com.trilead.ssh2.Connection;
+
 import org.apache.cloudstack.framework.ca.CAProvider;
 import org.apache.cloudstack.framework.ca.CAService;
 import org.apache.cloudstack.framework.ca.Certificate;
@@ -139,12 +141,25 @@ public interface CAManager extends CAService, Configurable, PluggableService {
     boolean revokeCertificate(final BigInteger certSerial, final String certCn, final String provider);
 
     /**
-     * Provisions certificate for given active and connected agent host
+     * Provisions certificate for given agent host.
+     * When forced=true, uses SSH to re-provision bypassing the NIO agent connection (for disconnected agents).
      * @param host
+     * @param reconnect
      * @param provider
+     * @param forced when true, provisions via SSH instead of NIO; supports KVM hosts and SystemVMs
      * @return returns success/failure as boolean
      */
-    boolean provisionCertificate(final Host host, final Boolean reconnect, final String provider);
+    boolean provisionCertificate(final Host host, final Boolean reconnect, final String provider, final boolean forced);
+
+    /**
+     * Provisions certificate for a KVM host using an existing SSH connection.
+     * Runs keystore-setup to generate a CSR, issues a certificate, then runs keystore-cert-import.
+     * Used during host discovery and for forced re-provisioning when the NIO agent is unreachable.
+     * @param sshConnection active SSH connection to the KVM host
+     * @param agentIp IP address of the KVM host agent
+     * @param agentHostname hostname of the KVM host agent
+     */
+    void provisionCertificateViaSsh(Connection sshConnection, String agentIp, String agentHostname);
 
     /**
      * Setups up a new keystore and generates CSR for a host

scripts/util/keystore-cert-import

@@ -70,8 +70,8 @@ elif [ ! -f "$CACERT_FILE" ]; then
 fi
 
 # Import cacerts into the keystore
-awk '/-----BEGIN CERTIFICATE-----?/{n++}{print > "cloudca." n }' "$CACERT_FILE"
-for caChain in $(ls cloudca.*); do
+awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++}{print > "cloudca." n }' "$CACERT_FILE"
+for caChain in $(ls cloudca.* 2>/dev/null); do
     keytool -delete -noprompt -alias "$caChain" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 || true
     keytool -import -noprompt -storepass "$KS_PASS" -trustcacerts -alias "$caChain" -file "$caChain" -keystore "$KS_FILE" > /dev/null 2>&1
 done
@@ -143,7 +143,7 @@ if [ -f "$SYSTEM_FILE" ]; then
     REALHOSTIP_KS_FILE="$(dirname $(dirname $PROPS_FILE))/certs/realhostip.keystore"
     REALHOSTIP_PASS="vmops.com"
     if [ -f "$REALHOSTIP_KS_FILE" ]; then
-        awk '/-----BEGIN CERTIFICATE-----/{n++}{print > "cloudca." n }' "$CACERT_FILE"
+        awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++}{print > "cloudca." n }' "$CACERT_FILE"
         for caChain in $(ls cloudca.* 2>/dev/null); do
             keytool -delete -noprompt -alias "$caChain" -keystore "$REALHOSTIP_KS_FILE" \
                 -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 || true

server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java

@@ -21,7 +21,6 @@
 import java.net.InetAddress;
 import java.net.URI;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -32,11 +31,8 @@
 
 import org.apache.cloudstack.agent.lb.IndirectAgentLB;
 import org.apache.cloudstack.ca.CAManager;
-import org.apache.cloudstack.ca.SetupCertificateCommand;
 import org.apache.cloudstack.direct.download.DirectDownloadManager;
-import org.apache.cloudstack.framework.ca.Certificate;
 import org.apache.cloudstack.utils.cache.LazyCache;
-import org.apache.cloudstack.utils.security.KeyStoreUtils;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.Listener;
@@ -66,7 +62,6 @@
 import com.cloud.resource.ResourceStateAdapter;
 import com.cloud.resource.ServerResource;
 import com.cloud.resource.UnableDeleteHostException;
-import com.cloud.utils.PasswordGenerator;
 import com.cloud.utils.StringUtils;
 import com.cloud.utils.UuidUtils;
 import com.cloud.utils.exception.CloudRuntimeException;
@@ -174,55 +169,7 @@ private void setupAgentSecurity(final Connection sshConnection, final String age
             throw new CloudRuntimeException("Cannot secure agent communication because SSH connection is invalid for host IP=" + agentIp);
         }
 
-        Integer validityPeriod = CAManager.CertValidityPeriod.value();
-        if (validityPeriod < 1) {
-            validityPeriod = 1;
-        }
-
-        String keystorePassword = PasswordGenerator.generateRandomPassword(16);
-        final SSHCmdHelper.SSHCmdResult keystoreSetupResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection,
-                String.format("sudo /usr/share/cloudstack-common/scripts/util/%s " +
-                                "/etc/cloudstack/agent/agent.properties " +
-                                "/etc/cloudstack/agent/%s " +
-                                "%s %d " +
-                                "/etc/cloudstack/agent/%s",
-                        KeyStoreUtils.KS_SETUP_SCRIPT,
-                        KeyStoreUtils.KS_FILENAME,
-                        keystorePassword,
-                        validityPeriod,
-                        KeyStoreUtils.CSR_FILENAME));
-
-        if (!keystoreSetupResult.isSuccess()) {
-            throw new CloudRuntimeException("Failed to setup keystore on the KVM host: " + agentIp);
-        }
-
-        final Certificate certificate = caManager.issueCertificate(keystoreSetupResult.getStdOut(), Arrays.asList(agentHostname, agentIp), Collections.singletonList(agentIp), null, null);
-        if (certificate == null || certificate.getClientCertificate() == null) {
-            throw new CloudRuntimeException("Failed to issue certificates for KVM host agent: " + agentIp);
-        }
-
-        final SetupCertificateCommand certificateCommand = new SetupCertificateCommand(certificate);
-        final SSHCmdHelper.SSHCmdResult setupCertResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection,
-                String.format("sudo /usr/share/cloudstack-common/scripts/util/%s " +
-                                "/etc/cloudstack/agent/agent.properties %s " +
-                                "/etc/cloudstack/agent/%s %s " +
-                                "/etc/cloudstack/agent/%s \"%s\" " +
-                                "/etc/cloudstack/agent/%s \"%s\" " +
-                                "/etc/cloudstack/agent/%s \"%s\"",
-                        KeyStoreUtils.KS_IMPORT_SCRIPT,
-                        keystorePassword,
-                        KeyStoreUtils.KS_FILENAME,
-                        KeyStoreUtils.SSH_MODE,
-                        KeyStoreUtils.CERT_FILENAME,
-                        certificateCommand.getEncodedCertificate(),
-                        KeyStoreUtils.CACERT_FILENAME,
-                        certificateCommand.getEncodedCaCertificates(),
-                        KeyStoreUtils.PKEY_FILENAME,
-                        certificateCommand.getEncodedPrivateKey()));
-
-        if (setupCertResult != null && !setupCertResult.isSuccess()) {
-            throw new CloudRuntimeException("Failed to setup certificate in the KVM agent's keystore file, please see logs and configure manually!");
-        }
+        caManager.provisionCertificateViaSsh(sshConnection, agentIp, agentHostname);
 
         if (logger.isDebugEnabled()) {
             logger.debug("Succeeded to import certificate in the keystore for agent on the KVM host: " + agentIp + ". Agent secured and trusted.");