From 2b421e9b1aac0704ec0d7aab40c4292ece3da1bb Mon Sep 17 00:00:00 2001
From: Wesley Wang <2791412+WesleyW@users.noreply.github.com>
Date: Wed, 10 Feb 2021 16:11:38 -0800
Subject: [PATCH] [Backport 2.2][#7196] Platform: Health check should use appropriate version of TLS

Summary: If `ssl_protocols` is added to the tserver gflags, health checks should use the appropriate option when trying to connect with the sample cqlsh command.

Test Plan: Create tls universe with no gflags and run. Create tls universe with `ssl_protocols` and run.

Jenkins: rebase: 2.2

Reviewers: sanketh, arnav, bogdan, daniel, sb-yb

Reviewed By: sb-yb

Subscribers: yugaware, jenkins-bot

Differential Revision: https://phabricator.dev.yugabyte.com/D10600
---
 managed/devops/bin/cluster_health.py | 17 +++++++++++++++--
 .../yugabyte/yw/commissioner/HealthChecker.java | 3 +++
 .../com/yugabyte/yw/common/HealthManager.java | 1 +
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/managed/devops/bin/cluster_health.py b/managed/devops/bin/cluster_health.py
index 22edf5a9af0e..76f726e5258a 100755
--- a/managed/devops/bin/cluster_health.py
+++ b/managed/devops/bin/cluster_health.py
@@ -175,13 +175,15 @@ def __init__(self, node_fqdn, config_map):
 class NodeChecker():
 def __init__(self, node, node_name, identity_file, ssh_port, start_time_ms,
-namespace_to_config, ysql_port, ycql_port, redis_port, enable_tls_client):
+namespace_to_config, ysql_port, ycql_port, redis_port, enable_tls_client,
+ssl_protocol):
 self.node = node
 self.node_name = node_name
 self.identity_file = identity_file
 self.ssh_port = ssh_port
 self.start_time_ms = start_time_ms
 self.enable_tls_client = enable_tls_client
+self.ssl_protocol = ssl_protocol
 # TODO: best way to do mark that this is a k8s deployment?
 self.is_k8s = ssh_port == 0 and not self.identity_file
 self.k8s_details = None
@@ -373,6 +375,16 @@ def check_cqlsh(self):
 cert_file = K8S_CERT_FILE_PATH if self.is_k8s else VM_CERT_FILE_PATH
 remote_cmd = 'SSL_CERTFILE={} {} {}'.format(cert_file, remote_cmd, '--ssl')
+if self.ssl_protocol is not None:
+SSL_PROTOCOL_TO_SSL_VERSION = {
+"ssl2": "SSLv23",
+"ssl3": "SSLv23",
+"tls10": "TLSv1",
+"tls11": "TLSv1_1",
+"tls12": "TLSv1_2"
+}
+protocol = SSL_PROTOCOL_TO_SSL_VERSION.get(self.ssl_protocol)
+remote_cmd = 'SSL_VERSION={} {}'.format(protocol, remote_cmd)
 output = self._remote_check_output(remote_cmd).strip()
@@ -704,6 +716,7 @@ def __init__(self, data):
 self.tserver_nodes = data["tserverNodes"]
 self.yb_version = data["ybSoftwareVersion"]
 self.namespace_to_config = data["namespaceToConfig"]
+self.ssl_protocol = data["sslProtocol"]
 self.enable_ysql = data["enableYSQL"]
 self.ysql_port = data["ysqlPort"]
 self.ycql_port = data["ycqlPort"]
@@ -753,7 +766,7 @@ def main():
 checker = NodeChecker(
 node, node_name, c.identity_file, c.ssh_port, args.start_time_ms,
 c.namespace_to_config, c.ysql_port,
-c.ycql_port, c.redis_port, c.enable_tls_client)
+c.ycql_port, c.redis_port, c.enable_tls_client, c.ssl_protocol)
 # TODO: use paramiko to establish ssh connection to the nodes.
 if node in master_nodes:
 coordinator.add_check(
diff --git a/managed/src/main/java/com/yugabyte/yw/commissioner/HealthChecker.java b/managed/src/main/java/com/yugabyte/yw/commissioner/HealthChecker.java
index 1e013da61350..3960404928bd 100644
--- a/managed/src/main/java/com/yugabyte/yw/commissioner/HealthChecker.java
+++ b/managed/src/main/java/com/yugabyte/yw/commissioner/HealthChecker.java
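Review bot: An unmapped value still reaches the remote command on the last added line, because `SSL_PROTOCOL_TO_SSL_VERSION.get(...)` returns None and `'SSL_VERSION={} {}'.format(protocol, remote_cmd)` then prefixes the cqlsh invocation with the literal `SSL_VERSION=None`; the `is not None` guard only catches an absent value, not an empty string (HealthManager.java in this same patch defaults the field to `""`) or any spelling outside the five keys. Only apply the prefix when the lookup succeeds, `if protocol is not None:` / `    remote_cmd = 'SSL_VERSION={} {}'.format(protocol, remote_cmd)`, and otherwise leave the variable unset so cqlsh keeps its own default, ideally with a warning naming the unrecognised value. It is also worth a one-line comment that `"ssl2"` and `"ssl3"` map to `SSLv23`, which in Python's ssl module means "negotiate the highest mutually supported version", so for those two settings the health check does not actually exercise the configured protocol. Keep the fixed lookup table rather than passing the gflag string through, since it is what prevents a user-supplied gflag value from being interpolated verbatim into a shell command run on the node. check_cqlsh starts and ends outside the hunk.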
@@ -284,6 +284,9 @@ public void checkSingleUniverse(Universe u, Customer c, CustomerConfig config,
 clusterMetadata.put(cluster.uuid, info);
 info.ybSoftwareVersion = cluster.userIntent.ybSoftwareVersion;
 info.enableYSQL = cluster.userIntent.enableYSQL;
+if (cluster.userIntent.tserverGFlags.containsKey("ssl_protocols")) {
+info.sslProtocol = cluster.userIntent.tserverGFlags.get("ssl_protocols");
+}
 // Since health checker only uses CQLSH, we only care about the
 // client to node encryption flag.
 info.enableTlsClient = cluster.userIntent.enableClientToNodeEncrypt;
diff --git a/managed/src/main/java/com/yugabyte/yw/common/HealthManager.java b/managed/src/main/java/com/yugabyte/yw/common/HealthManager.java
index a3eec6e51428..4b97a529f6e3 100644
--- a/managed/src/main/java/com/yugabyte/yw/common/HealthManager.java
+++ b/managed/src/main/java/com/yugabyte/yw/common/HealthManager.java
@@ -35,6 +35,7 @@ public static class ClusterInfo {
 public Map tserverNodes = new HashMap<>();
 public String ybSoftwareVersion = null;
 public boolean enableTlsClient = false;
+public String sslProtocol = "";
 public boolean enableYSQL = false;
 public int ysqlPort = 5433;
 public int ycqlPort = 9042;
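Review bot: The gflag value is forwarded verbatim on the added `info.sslProtocol = ...` line, but the Python side of this patch only recognises the exact tokens `ssl2`, `ssl3`, `tls10`, `tls11` and `tls12`; the plural name `ssl_protocols` suggests the flag may carry a comma-separated list (to be confirmed against the tserver flag definition), and such a value, or one with surrounding whitespace, would miss the lookup table and leave the health check without a usable protocol. Either normalise here before hand-off, e.g. `.trim()` and a documented rule for multi-valued flags, or state the expectation in a comment such as `// Raw tserver ssl_protocols gflag; cluster_health.py maps it to a cqlsh SSL_VERSION and ignores values it does not know.` Since this string is user-controlled configuration that ends up on a command line executed on the node, the Python mapping must remain an allowlist and the Java side should not try to pass anything richer through. checkSingleUniverse starts and ends outside the hunk.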
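Review bot: The `""` default on the added `sslProtocol` field does not read as "not configured" to its consumer: cluster_health.py in this patch tests `if self.ssl_protocol is not None`, so an empty string passes the guard, misses the protocol table and yields an `SSL_VERSION=None` prefix for every TLS universe that has no `ssl_protocols` gflag. Default it to `null` instead, `public String sslProtocol = null;`, consistent with `ybSoftwareVersion` two lines above, so the serialised payload carries null and the Python check means what it says; confirm that the serialiser used for this payload emits null fields rather than omitting them, or pair the change with `data.get("sslProtocol")` on the Python side. ClusterInfo starts and ends outside the hunk.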