BUG#35416666 Incorrect SSL options when rebooting a cluster

When rebooting a cluster configured with SSL options (i.e.:
memberAuthType) and switching the comm stack to "mysql", the seed
instance isn't rebooted with the correct SSL options.

This patch fixes this issue by making sure that the cluster (the primary
and all remaining members) are correctly set with the SSL options
specified during the Cluster setup.

Change-Id: Ib66a18d109ff7f47e56877406c71c9dec2412868

Author: joaosigma

modules/adminapi/cluster/add_instance.cc

@@ -664,7 +664,7 @@ void Add_instance::do_run() {
               m_target_instance, m_options.cert_subject, m_gr_opts,
               !recovery_certificates);
 
-          // if recovery accounts need certificates, we much ensure that the
+          // if recovery accounts need certificates, we must ensure that the
           // recovery accounts of all members also exist on the target instance
           if (recovery_certificates) {
             m_cluster_impl->create_replication_users_at_instance(

modules/adminapi/cluster/rejoin_instance.cc

@@ -289,6 +289,12 @@ void Rejoin_instance::do_run() {
           m_target_instance, m_auth_cert_subject, m_gr_opts,
           !recovery_certificates, m_options.dry_run);
 
+      // if recovery accounts need certificates, we must ensure that the
+      // recovery accounts of all members also exist on the target instance
+      if (recovery_certificates) {
+        m_cluster_impl->create_replication_users_at_instance(m_target_instance);
+      }
+
       // Set the allowlist to 'AUTOMATIC' to ensure no older values are used
       m_gr_opts.ip_allowlist = "AUTOMATIC";
 

modules/adminapi/dba/reboot_cluster_from_complete_outage.cc

@@ -771,6 +771,7 @@ void Reboot_cluster_from_complete_outage::reboot_seed() {
     //   - The recovery credentials have the required Grants
     //
     // For those reasons, we must simply re-create the recovery account
+    bool requires_certificates{false};
     if (m_options.gr_options.communication_stack.value_or("") ==
         kCommunicationStackMySQL) {
       // If it's a Replica cluster, we must disable the binary logging and
@@ -849,6 +850,35 @@ void Reboot_cluster_from_complete_outage::reboot_seed() {
         options.auto_failover = false;
         options.mysql_comm_stack_supported = true;
 
+        auto auth_type = m_cluster->impl()->query_cluster_auth_type();
+        switch (auth_type) {
+          case Replication_auth_type::PASSWORD:
+          case Replication_auth_type::CERT_ISSUER_PASSWORD:
+          case Replication_auth_type::CERT_SUBJECT_PASSWORD:
+            options.requires_password = true;
+            break;
+          default:
+            options.requires_password = false;
+            break;
+        }
+
+        switch (auth_type) {
+          case Replication_auth_type::CERT_SUBJECT:
+          case Replication_auth_type::CERT_SUBJECT_PASSWORD:
+            options.cert_subject =
+                m_cluster->impl()->query_cluster_instance_auth_cert_subject(
+                    *m_target_instance);
+            [[fallthrough]];
+          case Replication_auth_type::CERT_ISSUER:
+          case Replication_auth_type::CERT_ISSUER_PASSWORD:
+            options.cert_issuer =
+                m_cluster->impl()->query_cluster_auth_cert_issuer();
+            requires_certificates = true;
+            break;
+          default:
+            break;
+        }
+
         repl_account = mysqlshdk::gr::create_recovery_user(
             repl_account.user, *m_target_instance, hosts, options);
       }
@@ -934,25 +964,18 @@ void Reboot_cluster_from_complete_outage::reboot_seed() {
       }
     }
 
-    log_info("Starting cluster with '%s' using account %s",
+    resolve_ssl_mode_option("memberSslMode", "Cluster", *m_target_instance,
+                            &m_options.gr_options.ssl_mode);
+
+    log_info("Starting cluster with '%s' (%s) using account %s",
              m_target_instance->descr().c_str(),
+             to_string(m_options.gr_options.ssl_mode).c_str(),
              m_target_instance->get_connection_options().get_user().c_str());
 
     // Determine the topology mode to use.
     auto multi_primary = m_cluster->impl()->get_cluster_topology_type() ==
                          mysqlshdk::gr::Topology_mode::MULTI_PRIMARY;
 
-    bool requires_certificates{false};
-    switch (m_cluster->impl()->query_cluster_auth_type()) {
-      case mysqlsh::dba::Replication_auth_type::CERT_ISSUER:
-      case mysqlsh::dba::Replication_auth_type::CERT_SUBJECT:
-      case mysqlsh::dba::Replication_auth_type::CERT_ISSUER_PASSWORD:
-      case mysqlsh::dba::Replication_auth_type::CERT_SUBJECT_PASSWORD:
-        requires_certificates = true;
-      default:
-        break;
-    }
-
     // Start the cluster to bootstrap Group Replication.
     mysqlsh::dba::start_cluster(*m_target_instance, m_options.gr_options,
                                 requires_certificates, multi_primary,

unittest/scripts/auto/js_adminapi/scripts/ssl_auth_more.js

@@ -42,6 +42,15 @@ function test_add_instance(commStack, recoverMethod) {
 
     testutil.waitMemberState(__mysql_sandbox_port2, "ONLINE");
 
+    if (commStack.toLowerCase() == "xcom" && (__version_num >= 80027)) {
+
+        testutil.stopGroup([__mysql_sandbox_port1, __mysql_sandbox_port2]);
+        EXPECT_NO_THROWS(function(){ cluster = dba.rebootClusterFromCompleteOutage("cluster", {switchCommunicationStack: "mysql"}); });
+
+        EXPECT_NE("", session.runSql("SELECT ssl_type FROM mysql.user WHERE (user LIKE 'mysql_innodb_cluster_%');").fetchOne()[0]);
+        EXPECT_NE("", session.runSql("SELECT authentication_string FROM mysql.user WHERE (user LIKE 'mysql_innodb_cluster_%');").fetchOne()[0]);
+    }
+
     cluster.dissolve();
 }
 
@@ -73,7 +82,6 @@ reset_instance(session);
 //@<> create cluster comm stack xcom with primary offline
 shell.connect(__sandbox_uri1);
 
-
 var cluster;
 if (__version_num < 80027) {
     EXPECT_NO_THROWS(function() { cluster = dba.createCluster("cluster", { memberAuthType: "CERT_SUBJECT_PASSWORD", certIssuer: "/CN=Test_CA", certSubject: `/CN=${hostname}/L=machine1` }); });