[PLAT-11187] Make TlsToggle task retryable

Summary: Record the actual intent (enable or disable) in the task param so that it remains unchanged. Other changes are minor tweaks.

Test Plan:
1. UT added. 2. Due to PLAT-9434, rolling is not allowed. 3. Manually tested by aborting multiple times.

Note: We will add itests for this.

Reviewers: anijhawan, yshchetinin, anabaria, muthu, sanketh

Reviewed By: anabaria

Subscribers: yugaware

Differential Revision: https://phorge.dev.yugabyte.com/D42936

Author: nkhogen

managed/src/main/java/com/yugabyte/yw/commissioner/tasks/UniverseTaskBase.java

@@ -365,6 +365,7 @@ public CustomBuilder taskTypes(Collection<? extends TaskType> taskTypes) {
           TaskType.VMImageUpgrade,
           TaskType.ThirdpartySoftwareUpgrade,
           TaskType.CertsRotate,
+          TaskType.TlsToggle,
           TaskType.MasterFailover,
           TaskType.SyncMasterAddresses,
           TaskType.PauseUniverse,

managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/TlsToggle.java

@@ -4,6 +4,8 @@
 
 import com.google.common.collect.ImmutableMap;
 import com.yugabyte.yw.commissioner.BaseTaskDependencies;
+import com.yugabyte.yw.commissioner.ITask.Abortable;
+import com.yugabyte.yw.commissioner.ITask.Retryable;
 import com.yugabyte.yw.commissioner.TaskExecutor.SubTaskGroup;
 import com.yugabyte.yw.commissioner.UpgradeTaskBase;
 import com.yugabyte.yw.commissioner.UserTaskDetails.SubTaskGroupType;
@@ -14,6 +16,7 @@
 import com.yugabyte.yw.common.certmgmt.EncryptionInTransitUtil;
 import com.yugabyte.yw.common.config.UniverseConfKeys;
 import com.yugabyte.yw.forms.TlsToggleParams;
+import com.yugabyte.yw.forms.UniverseDefinitionTaskParams.UserIntent;
 import com.yugabyte.yw.forms.UpgradeTaskParams.UpgradeOption;
 import com.yugabyte.yw.forms.UpgradeTaskParams.UpgradeTaskSubType;
 import com.yugabyte.yw.forms.UpgradeTaskParams.UpgradeTaskType;
@@ -26,7 +29,11 @@
 import java.util.Map;
 import java.util.Set;
 import javax.inject.Inject;
+import lombok.extern.slf4j.Slf4j;
 
+@Slf4j
+@Abortable
+@Retryable
 public class TlsToggle extends UpgradeTaskBase {
 
   @Inject
@@ -71,7 +78,8 @@ protected void createPrecheckTasks(Universe universe) {
     if (!CertificateHelper.checkNode2NodeCertsExpiry(universe)) {
       addBasicPrecheckTasks();
     }
-    if (taskParams().enableNodeToNodeEncrypt || taskParams().enableClientToNodeEncrypt) {
+    if (isFirstTry()
+        && (taskParams().enableNodeToNodeEncrypt || taskParams().enableClientToNodeEncrypt)) {
       createCheckCertificateConfigTask();
     }
   }
@@ -96,16 +104,29 @@ public void run() {
           createUniverseSetTlsParamsTask();
           // Round 2 gflags upgrade
           createRound2GFlagUpdateTasks(nodes);
+        },
+        u -> {
+          // 1: If task is to enable node-to-node encryption.
+          // -1: If task is to disable node-to-node encryption.
+          // 0: If there is no change in node-to-node encryption.
+          UserIntent userIntent = u.getUniverseDetails().getPrimaryCluster().userIntent;
+          taskParams().nodeToNodeChange =
+              userIntent.enableNodeToNodeEncrypt != taskParams().enableNodeToNodeEncrypt
+                  ? (taskParams().enableNodeToNodeEncrypt ? 1 : -1)
+                  : 0;
+          // Persist this setting in the DB.
+          updateTaskDetailsInDB(taskParams());
         });
   }
 
   private void createRound1GFlagUpdateTasks(MastersAndTservers nodes) {
-    if (getNodeToNodeChange() < 0) {
-      // Skip running round1 if Node2Node certs have expired
+    if (taskParams().nodeToNodeChange < 0) {
+      // Skip running round1 if Node2Node certs have expired because the DB call will fail.
       if (CertificateHelper.checkNode2NodeCertsExpiry(getUniverse())) {
+        log.debug("Skipping round 1 because the cert has expired");
         return;
       }
-      // Setting allow_insecure to true can be done in non-restart way
+      // Setting allow_insecure to true can be done in non-restart way.
       createNonRestartUpgradeTaskFlow(
           (List<NodeDetails> nodeList, Set<ServerType> processTypes) -> {
             createGFlagUpdateTasks(1, nodeList, getSingle(processTypes));
@@ -143,7 +164,7 @@ private void createRound1GFlagUpdateTasks(MastersAndTservers nodes) {
 
   private void createRound2GFlagUpdateTasks(MastersAndTservers nodes) {
     // Second round upgrade not needed when there is no change in node-to-node
-    if (getNodeToNodeChange() > 0) {
+    if (taskParams().nodeToNodeChange > 0) {
       // Setting allow_insecure can be done in non-restart way
       createNonRestartUpgradeTaskFlow(
           (List<NodeDetails> nodeList, Set<ServerType> processTypes) -> {
@@ -162,7 +183,7 @@ private void createRound2GFlagUpdateTasks(MastersAndTservers nodes) {
           },
           nodes,
           DEFAULT_CONTEXT);
-    } else if (getNodeToNodeChange() < 0) {
+    } else if (taskParams().nodeToNodeChange < 0) {
       if (taskParams().upgradeOption == UpgradeOption.ROLLING_UPGRADE) {
         createRollingUpgradeTaskFlow(
             (nodeList, processTypes) ->
@@ -193,7 +214,7 @@ private void createRound2GFlagUpdateTasks(MastersAndTservers nodes) {
   }
 
   protected void updateUniverseHttpsEnabledUI() {
-    int nodeToNodeChange = getNodeToNodeChange();
+    int nodeToNodeChange = taskParams().nodeToNodeChange;
     boolean isNodeUIHttpsEnabled =
         confGetter.getConfForScope(getUniverse(), UniverseConfKeys.nodeUIHttpsEnabled);
     // HTTPS_ENABLED_UI will piggyback node-to-node encryption.
@@ -290,7 +311,7 @@ private AnsibleConfigureServers getAnsibleConfigureServerTaskForToggleTls(
     params.rootCA = taskParams().rootCA;
     params.setClientRootCA(taskParams().getClientRootCA());
     params.rootAndClientRootCASame = taskParams().rootAndClientRootCASame;
-    params.nodeToNodeChange = getNodeToNodeChange();
+    params.nodeToNodeChange = taskParams().nodeToNodeChange;
     AnsibleConfigureServers task = createTask(AnsibleConfigureServers.class);
     task.initialize(params);
     task.setUserTaskUUID(getUserTaskUUID());
@@ -310,25 +331,13 @@ private AnsibleConfigureServers getAnsibleConfigureServerTaskForYbcToggleTls(Nod
     params.rootCA = taskParams().rootCA;
     params.setClientRootCA(taskParams().getClientRootCA());
     params.rootAndClientRootCASame = taskParams().rootAndClientRootCASame;
-    params.nodeToNodeChange = getNodeToNodeChange();
+    params.nodeToNodeChange = taskParams().nodeToNodeChange;
     AnsibleConfigureServers task = createTask(AnsibleConfigureServers.class);
     task.initialize(params);
     task.setUserTaskUUID(getUserTaskUUID());
     return task;
   }
 
-  /*
-   * Returns:
-   * 1: If task is to enable node-to-node encryption
-   * -1: If task is to disable node-to-node encryption
-   * 0: If there is no change in node-to-node encryption
-   */
-  private int getNodeToNodeChange() {
-    return getUserIntent().enableNodeToNodeEncrypt != taskParams().enableNodeToNodeEncrypt
-        ? (taskParams().enableNodeToNodeEncrypt ? 1 : -1)
-        : 0;
-  }
-
   public void createCheckCertificateConfigTask() {
     MastersAndTservers nodes = getNodesToBeRestarted();
     Set<NodeDetails> allNodes = toOrderedSet(nodes.asPair());

managed/src/main/java/com/yugabyte/yw/common/CustomerTaskManager.java

@@ -46,6 +46,7 @@
 import com.yugabyte.yw.forms.SoftwareUpgradeParams;
 import com.yugabyte.yw.forms.SystemdUpgradeParams;
 import com.yugabyte.yw.forms.ThirdpartySoftwareUpgradeParams;
+import com.yugabyte.yw.forms.TlsToggleParams;
 import com.yugabyte.yw.forms.UniverseDefinitionTaskParams;
 import com.yugabyte.yw.forms.UniverseDefinitionTaskParams.SoftwareUpgradeState;
 import com.yugabyte.yw.forms.UniverseTaskParams;
@@ -856,6 +857,9 @@ public CustomerTask retryCustomerTask(UUID customerUUID, UUID taskUUID) {
       case CertsRotate:
         taskParams = Json.fromJson(oldTaskParams, CertsRotateParams.class);
         break;
+      case TlsToggle:
+        taskParams = Json.fromJson(oldTaskParams, TlsToggleParams.class);
+        break;
       case SystemdUpgrade:
         taskParams = Json.fromJson(oldTaskParams, SystemdUpgradeParams.class);
         break;

managed/src/main/java/com/yugabyte/yw/forms/TlsToggleParams.java

@@ -12,6 +12,7 @@
 import com.yugabyte.yw.common.certmgmt.CertConfigType;
 import com.yugabyte.yw.models.CertificateInfo;
 import com.yugabyte.yw.models.Universe;
+import io.swagger.annotations.ApiModelProperty;
 import java.util.UUID;
 import play.mvc.Http;
 import play.mvc.Http.Status;
@@ -24,10 +25,9 @@ public class TlsToggleParams extends UpgradeTaskParams {
   public boolean enableClientToNodeEncrypt = false;
   public boolean allowInsecure = true;
 
-  // below fields are already inherited from UniverseDefinitionTaskParams
-  //  public UUID rootCA = null;
-  //  public UUID clientRootCA = null;
-  //  public Boolean rootAndClientRootCASame = null;
+  // Do not include in swagger.
+  @ApiModelProperty(hidden = true)
+  public int nodeToNodeChange = 0;
 
   public TlsToggleParams() {}
 
@@ -43,101 +43,102 @@ public TlsToggleParams(
 
   @Override
   public void verifyParams(Universe universe, boolean isFirstTry) {
-    super.verifyParams(universe, isFirstTry);
-
-    UniverseDefinitionTaskParams universeDetails = universe.getUniverseDetails();
-    UserIntent userIntent = universeDetails.getPrimaryCluster().userIntent;
-    boolean existingEnableClientToNodeEncrypt = userIntent.enableClientToNodeEncrypt;
-    boolean existingEnableNodeToNodeEncrypt = userIntent.enableNodeToNodeEncrypt;
-    UUID existingRootCA = universeDetails.rootCA;
-    UUID existingClientRootCA = universeDetails.getClientRootCA();
-
-    // Due to a bug, temporarily disable rolling upgrade for TLS toggle.
+    // Due to a bug (PLAT-9434), temporarily disable rolling upgrade for TLS toggle.
     if (upgradeOption != UpgradeOption.NON_ROLLING_UPGRADE) {
       throw new PlatformServiceException(
           Status.BAD_REQUEST, "TLS toggle can only be performed in a non-rolling manner.");
     }
-
-    if (this.enableClientToNodeEncrypt == existingEnableClientToNodeEncrypt
-        && this.enableNodeToNodeEncrypt == existingEnableNodeToNodeEncrypt) {
-      throw new PlatformServiceException(
-          Status.BAD_REQUEST, "No changes in Tls parameters, cannot perform update operation.");
-    }
-
-    if (existingRootCA != null && rootCA != null && !existingRootCA.equals(rootCA)) {
-      throw new PlatformServiceException(
-          Status.BAD_REQUEST, "Cannot update root certificate, if already created.");
-    }
-
-    if (existingClientRootCA != null
-        && clientRootCA != null
-        && !existingClientRootCA.equals(clientRootCA)) {
-      throw new PlatformServiceException(
-          Status.BAD_REQUEST, "Cannot update client root certificate, if already created.");
-    }
-
-    if (!CertificateInfo.isCertificateValid(rootCA)) {
-      throw new PlatformServiceException(
-          Status.BAD_REQUEST, "No valid root certificate found for UUID: " + rootCA);
-    }
-
-    if (!CertificateInfo.isCertificateValid(clientRootCA)) {
-      throw new PlatformServiceException(
-          Status.BAD_REQUEST, "No valid client root certificate found for UUID: " + clientRootCA);
-    }
-
-    if (rootCA != null
-        && CertificateInfo.get(rootCA).getCertType() == CertConfigType.CustomServerCert) {
-      throw new PlatformServiceException(
-          Http.Status.BAD_REQUEST,
-          "CustomServerCert are only supported for Client to Server Communication.");
-    }
-
-    if (rootCA != null
-        && CertificateInfo.get(rootCA).getCertType() == CertConfigType.CustomCertHostPath
-        && !userIntent.providerType.equals(CloudType.onprem)) {
-      throw new PlatformServiceException(
-          Status.BAD_REQUEST,
-          "CustomCertHostPath certificates are only supported for on-prem providers.");
-    }
-
-    if (clientRootCA != null
-        && CertificateInfo.get(clientRootCA).getCertType() == CertConfigType.CustomCertHostPath
-        && !userIntent.providerType.equals(Common.CloudType.onprem)) {
-      throw new PlatformServiceException(
-          Http.Status.BAD_REQUEST,
-          "CustomCertHostPath certificates are only supported for on-prem providers.");
-    }
-
-    // TODO: Add check that the userIntent is to use cert-manager
-    if (rootCA != null
-        && CertificateInfo.get(rootCA).getCertType() == CertConfigType.K8SCertManager
-        && !userIntent.providerType.equals(CloudType.kubernetes)) {
-      throw new PlatformServiceException(
-          Status.BAD_REQUEST,
-          "K8SCertManager certificates are only supported for k8s providers with cert-manager"
-              + " configured.");
-    }
-
-    // TODO: Add check that the userIntent is to use cert-manager
-    if (clientRootCA != null
-        && CertificateInfo.get(clientRootCA).getCertType() == CertConfigType.K8SCertManager
-        && !userIntent.providerType.equals(Common.CloudType.kubernetes)) {
-      throw new PlatformServiceException(
-          Http.Status.BAD_REQUEST,
-          "K8SCertManager certificates are only supported for k8s providers with cert-manager"
-              + " configured.");
-    }
-
-    if (rootAndClientRootCASame
-        && enableNodeToNodeEncrypt
-        && enableClientToNodeEncrypt
-        && rootCA != null
-        && clientRootCA != null
-        && !rootCA.equals(clientRootCA)) {
-      throw new PlatformServiceException(
-          Http.Status.BAD_REQUEST,
-          "RootCA and ClientRootCA cannot be different when rootAndClientRootCASame is true.");
+    super.verifyParams(universe, isFirstTry);
+    if (isFirstTry) {
+      // Validate against the current settings in the universe.
+      UniverseDefinitionTaskParams universeDetails = universe.getUniverseDetails();
+      UserIntent userIntent = universeDetails.getPrimaryCluster().userIntent;
+      boolean existingEnableClientToNodeEncrypt = userIntent.enableClientToNodeEncrypt;
+      boolean existingEnableNodeToNodeEncrypt = userIntent.enableNodeToNodeEncrypt;
+      UUID existingRootCA = universeDetails.rootCA;
+      UUID existingClientRootCA = universeDetails.getClientRootCA();
+
+      if (this.enableClientToNodeEncrypt == existingEnableClientToNodeEncrypt
+          && this.enableNodeToNodeEncrypt == existingEnableNodeToNodeEncrypt) {
+        throw new PlatformServiceException(
+            Status.BAD_REQUEST, "No changes in Tls parameters, cannot perform update operation.");
+      }
+
+      if (existingRootCA != null && rootCA != null && !existingRootCA.equals(rootCA)) {
+        throw new PlatformServiceException(
+            Status.BAD_REQUEST, "Cannot update root certificate, if already created.");
+      }
+
+      if (existingClientRootCA != null
+          && clientRootCA != null
+          && !existingClientRootCA.equals(clientRootCA)) {
+        throw new PlatformServiceException(
+            Status.BAD_REQUEST, "Cannot update client root certificate, if already created.");
+      }
+
+      if (!CertificateInfo.isCertificateValid(rootCA)) {
+        throw new PlatformServiceException(
+            Status.BAD_REQUEST, "No valid root certificate found for UUID: " + rootCA);
+      }
+
+      if (!CertificateInfo.isCertificateValid(clientRootCA)) {
+        throw new PlatformServiceException(
+            Status.BAD_REQUEST, "No valid client root certificate found for UUID: " + clientRootCA);
+      }
+
+      if (rootCA != null
+          && CertificateInfo.get(rootCA).getCertType() == CertConfigType.CustomServerCert) {
+        throw new PlatformServiceException(
+            Http.Status.BAD_REQUEST,
+            "CustomServerCert are only supported for Client to Server Communication.");
+      }
+
+      if (rootCA != null
+          && CertificateInfo.get(rootCA).getCertType() == CertConfigType.CustomCertHostPath
+          && !userIntent.providerType.equals(CloudType.onprem)) {
+        throw new PlatformServiceException(
+            Status.BAD_REQUEST,
+            "CustomCertHostPath certificates are only supported for on-prem providers.");
+      }
+
+      if (clientRootCA != null
+          && CertificateInfo.get(clientRootCA).getCertType() == CertConfigType.CustomCertHostPath
+          && !userIntent.providerType.equals(Common.CloudType.onprem)) {
+        throw new PlatformServiceException(
+            Http.Status.BAD_REQUEST,
+            "CustomCertHostPath certificates are only supported for on-prem providers.");
+      }
+
+      // TODO: Add check that the userIntent is to use cert-manager
+      if (rootCA != null
+          && CertificateInfo.get(rootCA).getCertType() == CertConfigType.K8SCertManager
+          && !userIntent.providerType.equals(CloudType.kubernetes)) {
+        throw new PlatformServiceException(
+            Status.BAD_REQUEST,
+            "K8SCertManager certificates are only supported for k8s providers with cert-manager"
+                + " configured.");
+      }
+
+      // TODO: Add check that the userIntent is to use cert-manager
+      if (clientRootCA != null
+          && CertificateInfo.get(clientRootCA).getCertType() == CertConfigType.K8SCertManager
+          && !userIntent.providerType.equals(Common.CloudType.kubernetes)) {
+        throw new PlatformServiceException(
+            Http.Status.BAD_REQUEST,
+            "K8SCertManager certificates are only supported for k8s providers with cert-manager"
+                + " configured.");
+      }
+
+      if (rootAndClientRootCASame
+          && enableNodeToNodeEncrypt
+          && enableClientToNodeEncrypt
+          && rootCA != null
+          && clientRootCA != null
+          && !rootCA.equals(clientRootCA)) {
+        throw new PlatformServiceException(
+            Http.Status.BAD_REQUEST,
+            "RootCA and ClientRootCA cannot be different when rootAndClientRootCASame is true.");
+      }
     }
   }
 

managed/src/test/java/com/yugabyte/yw/commissioner/TaskExecutorTest.java

@@ -128,6 +128,7 @@ public class TaskExecutorTest extends PlatformGuiceApplicationBaseTest {
           TaskType.RestartUniverseKubernetesUpgrade,
           TaskType.ThirdpartySoftwareUpgrade,
           TaskType.CertsRotate,
+          TaskType.TlsToggle,
           TaskType.SystemdUpgrade,
           TaskType.ModifyAuditLoggingConfig,
           TaskType.StartMasterOnNode,