[#25332]yugabyted: Add use_client_to_server_encryption as part of master gFlags

gargsans-yb · gargsans-yb · commit e1d5952b6398 · 2025-01-02T15:52:00.000Z
Summary: Adding `use_client_to_server_encryption` as part of master gFlags when node is staring in `--secure` mode as yugabyteDB stores login passwords in master which should not be expose through non secure channels. Jira: DB-14546 Test Plan: ./yb_build.sh --java-test 'org.yb.yugabyted.*' Reviewers: nikhil Reviewed By: nikhil Subscribers: svc_phabricator, yugabyted-dev, sgarg-yb Differential Revision: https://phorge.dev.yugabyte.com/D40798
diff --git a/bin/yugabyted b/bin/yugabyted
@@ -3601,7 +3601,10 @@ class ControlScript(object):
         if self.configs.saved_data.get("secure"):
             common_gflags.extend(["--certs_dir={}".format(certs_dir),
             "--allow_insecure_connections=false",
-            "--use_node_to_node_encryption=true",])
+            "--use_node_to_node_encryption=true",
+            "--use_client_to_server_encryption=true",
+            "--certs_for_client_dir={}".format(certs_dir),
+            "--certs_for_cdc_dir={}/xcluster".format(certs_dir),])
 
         return common_gflags
 
@@ -3653,7 +3656,6 @@ class ControlScript(object):
         if join_ip:
             master_addresses  = "{}:{},{}".format(join_ip, master_rpc_port, master_addresses)
 
-        certs_dir = self.configs.saved_data.get("certs_dir")
 
         flag_list = common_flags + [
             "--rpc_bind_addresses={}:{}".format(advertise_ip, master_rpc_port),
@@ -3668,11 +3670,6 @@ class ControlScript(object):
             "--split_respects_tablet_replica_limits=true",
         ]
 
-        if self.configs.saved_data.get("secure"):
-            flag_list.extend([
-                "--certs_for_cdc_dir={}/xcluster".format(certs_dir)
-                ])
-
         yb_master_cmd = [find_binary_location("yb-master")]
 
         master_flags = self.configs.saved_data.get("master_flags","")
@@ -3747,7 +3744,6 @@ class ControlScript(object):
         if join_ip:
             master_addresses  = "{}:{},{}".format(join_ip, master_rpc_port, master_addresses)
         tserver_rpc_port = self.configs.saved_data.get("tserver_rpc_port")
-        certs_dir = self.configs.saved_data.get("certs_dir")
 
         yb_tserver_cmd = [find_binary_location("yb-tserver")] + common_flags + \
             [
@@ -3768,11 +3764,6 @@ class ControlScript(object):
                 "--placement_uuid={}".format(self.configs.saved_data.get("placement_uuid")),
             ]
 
-        if self.configs.saved_data.get("secure"):
-            yb_tserver_cmd.extend([
-                "--certs_for_cdc_dir={}/xcluster".format(certs_dir)
-                ])
-
         tserver_flags = self.configs.saved_data.get("tserver_flags","")
 
         if self.configs.temp_data.get("enable_pg_parity"):
@@ -3876,11 +3867,6 @@ class ControlScript(object):
                     # Handle simple flags
                     yb_tserver_cmd.append("--{}".format(tserver_flag))
 
-        # Add authentication flags in tserver
-        if self.configs.saved_data.get("secure"):
-            yb_tserver_cmd.extend(["--use_client_to_server_encryption=true",
-                "--certs_for_client_dir={}".format(certs_dir),])
-
             hba_conf_updated = False
             for i, flag in enumerate(yb_tserver_cmd):
                 if flag.startswith("--ysql_hba_conf_csv="):
