Jay/chef 6031 (#8261)

* add the certificate template

Signed-off-by: punitmundra <[email protected]>

* cert rotate from template

Signed-off-by: Jay Sharma <[email protected]>

* patching frontend config

Signed-off-by: Jay Sharma <[email protected]>

* cluster certificate patch working code

Signed-off-by: Jay Sharma <[email protected]>

* putting frontend on maintenance mode before rotating certws

Signed-off-by: Jay Sharma <[email protected]>

* added test cases for get certs form template

Signed-off-by: Jay Sharma <[email protected]>

* correction of filename in cert-config generation

Signed-off-by: Jay Sharma <[email protected]>

* adding more test cases

Signed-off-by: Jay Sharma <[email protected]>

* adding validation on certificates before stopping traffic to frontends

Signed-off-by: Jay Sharma <[email protected]>

* adding defer statement to turn off maintenance mode

Signed-off-by: Jay Sharma <[email protected]>

* replacing fmt with logger

Signed-off-by: Jay Sharma <[email protected]>

* adding exclution on testcase pem files

Signed-off-by: Jay Sharma <[email protected]>

* adding testfile in credscan excl;ustion

Signed-off-by: Jay Sharma <[email protected]>

* fixing failing testcases

Signed-off-by: Jay Sharma <[email protected]>

* adding docs

Signed-off-by: Jay Sharma <[email protected]>

* resolving review comments

Signed-off-by: Jay Sharma <[email protected]>

* regfactoring

Signed-off-by: Jay Sharma <[email protected]>

---------

Signed-off-by: punitmundra <[email protected]>
Signed-off-by: Jay Sharma <[email protected]>
Co-authored-by: punitmundra <[email protected]>

components/automate-backend-deployment/habitat/hooks/install

@@ -173,6 +173,13 @@ EOF
     display_upgrade_help $(cat $OLD_WORKSPACE/terraform/.tf_arch)
   fi
 fi
+
+if [[ -f $OLD_WORKSPACE/certificate.toml ]]; then
+    echo "Copying previous 'certificate.toml' config to new workspace"
+    echo "Copying previous 'certificate.toml' config to new workspace" >> $LOGGER
+    cp $OLD_WORKSPACE/certificate.toml $NEW_WORKSPACE/certificate.toml
+    echo "Copied previous 'certificate.toml' config to new workspace" >> $LOGGER
+fi
 echo "creating new symlink for new workspace" >> $LOGGER
 # shellcheck disable=SC1083
 ln -nsf $NEW_WORKSPACE /hab/a2_deploy_workspace

components/automate-cli/cmd/chef-automate/automateHADeployExistingInfra.go

@@ -7,10 +7,13 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"strconv"
 	"strings"
 
 	"github.com/chef/automate/components/automate-cli/pkg/status"
+	"github.com/chef/automate/lib/logger"
 	"github.com/chef/automate/lib/stringutils"
+	"github.com/chef/toml"
 	ptoml "github.com/pelletier/go-toml"
 )
 
@@ -20,6 +23,7 @@ const S3 = "s3"
 type existingInfra struct {
 	config     ExistingInfraConfigToml
 	configPath string
+	log        logger.Logger
 }
 
 type keydetails struct {
@@ -29,8 +33,10 @@ type keydetails struct {
 }
 
 func newExistingInfa(configPath string) *existingInfra {
+	logger, _ := logger.NewLogger("text", "info")
 	return &existingInfra{
 		configPath: configPath,
+		log:        logger,
 	}
 }
 
@@ -75,9 +81,128 @@ func (e *existingInfra) generateConfig(state string) error {
 	if err != nil {
 		return err
 	}
+	err = e.populateCertificateTomlFile()
+	if err != nil {
+		return err
+	}
 	return writeHAConfigFiles(existingNodesA2harbTemplate, e.config, state)
 }
 
+type IP struct {
+	IP         string `toml:"ip"`
+	Publickey  string `toml:"public_key"`
+	PrivateKey string `toml:"private_key"`
+}
+type NodeCertficate struct {
+	RootCA          string `toml:"root_ca"`
+	AdminPublickey  string `toml:"admin_public_key,omitempty"`
+	AdminPrivateKey string `toml:"admin_private_key,omitempty"`
+	IPS             []IP   `toml:"ips"`
+}
+
+type CertificateToml struct {
+	Automate   NodeCertficate `toml:"automate"`
+	ChefServer NodeCertficate `toml:"chef_server"`
+	PostgreSQL NodeCertficate `toml:"postgresql"`
+	OpenSearch NodeCertficate `toml:"opensearch"`
+}
+
+func (e *existingInfra) populateCertificateTomlFile() error {
+	// This is just to create the certificate empty file
+	automateCount, _ := strconv.Atoi(e.config.Automate.Config.InstanceCount)
+	chefServerCount, _ := strconv.Atoi(e.config.ChefServer.Config.InstanceCount)
+	OpensearchCount, _ := strconv.Atoi(e.config.Opensearch.Config.InstanceCount)
+	postgresqlCount, _ := strconv.Atoi(e.config.Postgresql.Config.InstanceCount)
+	var certContent CertificateToml
+	if automateCount > 0 {
+		var automate NodeCertficate
+		var ips []IP
+		// Initialize Automate section
+		automate.RootCA = "/hab/a2_deploy_workspace/certificate/automte.fqdn.root.ca.cert"
+		for i := 0; i < automateCount; i++ {
+			var ip IP
+			ip.IP = e.config.ExistingInfra.Config.AutomatePrivateIps[i]
+			ip.Publickey = "/hab/a2_deploy_workspace/certificate/automte.public.key"
+			ip.PrivateKey = "/hab/a2_deploy_workspace/certificate/automte.private.key"
+			ips = append(ips, ip)
+			e.log.Debug(e.config.ExistingInfra.Config.AutomatePrivateIps[i], i)
+		}
+		automate.IPS = ips
+		certContent.Automate = automate
+	}
+
+	if chefServerCount > 0 {
+		// Initialize ChefServer section
+		var chefserver NodeCertficate
+		var ips []IP
+		// Initialize ChefServer section
+		chefserver.RootCA = "/hab/a2_deploy_workspace/certificate/chefserver.fqdn.root.ca.cert"
+		for i := 0; i < chefServerCount; i++ {
+			var ip IP
+			ip.IP = e.config.ExistingInfra.Config.ChefServerPrivateIps[i]
+			ip.Publickey = "/hab/a2_deploy_workspace/certificate/chefserver.public.key"
+			ip.PrivateKey = "/hab/a2_deploy_workspace/certificate/chefserver.private.key"
+			ips = append(ips, ip)
+			e.log.Debug(e.config.ExistingInfra.Config.ChefServerPrivateIps[i], i)
+		}
+		chefserver.IPS = ips
+		certContent.ChefServer = chefserver
+	}
+
+	if OpensearchCount > 0 {
+		// Initialize Opensearch section
+		var opensearch NodeCertficate
+		var ips []IP
+		// Initialize Opensearch section
+		opensearch.RootCA = "/hab/a2_deploy_workspace/certificate/opensearch.fqdn.root.ca.cert"
+		opensearch.AdminPrivateKey = "/hab/a2_deploy_workspace/certificate/opensearch.admin.public.cert"
+		opensearch.AdminPublickey = "/hab/a2_deploy_workspace/certificate/opensearch.admin.private.cert"
+		for i := 0; i < OpensearchCount; i++ {
+			var ip IP
+			ip.IP = e.config.ExistingInfra.Config.OpensearchPrivateIps[i]
+			ip.Publickey = "/hab/a2_deploy_workspace/certificate/opensearch.public.key"
+			ip.PrivateKey = "/hab/a2_deploy_workspace/certificate/opensearch.private.key"
+			ips = append(ips, ip)
+			e.log.Debug(e.config.ExistingInfra.Config.OpensearchPrivateIps[i], i)
+		}
+		opensearch.IPS = ips
+		certContent.OpenSearch = opensearch
+	}
+
+	if postgresqlCount > 0 {
+		// Initialize postgresql section
+		var postgresql NodeCertficate
+		var ips []IP
+		// Initialize postgresql section
+		postgresql.RootCA = "/hab/a2_deploy_workspace/certificate/postgresql.fqdn.root.ca.cert"
+		for i := 0; i < postgresqlCount; i++ {
+			var ip IP
+			ip.IP = e.config.ExistingInfra.Config.PostgresqlPrivateIps[i]
+			ip.Publickey = "/hab/a2_deploy_workspace/certificate/postgresql.public.key"
+			ip.PrivateKey = "/hab/a2_deploy_workspace/certificate/postgresql.private.key"
+			ips = append(ips, ip)
+			e.log.Debug(e.config.ExistingInfra.Config.PostgresqlPrivateIps[i], i)
+		}
+		postgresql.IPS = ips
+		certContent.PostgreSQL = postgresql
+	}
+
+	// Open a file for writing (create or overwrite if it exists)
+	file, err := os.Create(CERTIFICATE_TEMPLATE_TOML_FILE)
+	if err != nil {
+		e.log.Debug("Error creating file:", err)
+		return err
+	}
+	defer file.Close()
+
+	// Use the TOML encoder to write the configuration to the file
+	if err := toml.NewEncoder(file).Encode(certContent); err != nil {
+		e.log.Debug("Error encoding TOML:", err)
+		return err
+	}
+	e.log.Debug("Certificate TOML written to %s\n", CERTIFICATE_TEMPLATE_TOML_FILE)
+	return nil
+}
 func (e *existingInfra) addDNTocertConfig() error {
 	//If CustomCertsEnabled for OpenSearch is enabled, then get admin_dn and nodes_dn from the certs
 	if e.config.Opensearch.Config.EnableCustomCerts {