Merge branch '4.19' into 4.20

.github/workflows/ui.yml

@@ -56,6 +56,7 @@ jobs:
           npm run test:unit
 
       - uses: codecov/codecov-action@v4
+        if: github.repository == 'apache/cloudstack'
         with:
           working-directory: ui
           files: ./coverage/lcov.info

core/src/main/java/org/apache/cloudstack/direct/download/HttpsDirectTemplateDownloader.java

@@ -39,9 +39,7 @@ import java.util.Map;
 
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
 
-import org.apache.cloudstack.utils.security.SSLUtils;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.httpclient.HttpStatus;
 import org.apache.commons.io.IOUtils;
@@ -55,6 +53,7 @@ import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContexts;
 import org.apache.http.util.EntityUtils;
 
 import com.cloud.utils.Pair;
@@ -120,10 +119,10 @@ public class HttpsDirectTemplateDownloader extends DirectTemplateDownloaderImpl
                 String password = "changeit";
                 defaultKeystore.load(is, password.toCharArray());
             }
-            TrustManager[] tm = HttpsMultiTrustManager.getTrustManagersFromKeyStores(customKeystore, defaultKeystore);
-            SSLContext sslContext = SSLUtils.getSSLContext();
-            sslContext.init(null, tm, null);
-            return sslContext;
+            return SSLContexts.custom()
+                    .loadTrustMaterial(customKeystore, null)
+                    .loadTrustMaterial(defaultKeystore, null)
+                    .build();
         } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException | KeyManagementException e) {
             logger.error(String.format("Failure getting SSL context for HTTPS downloader, using default SSL context: %s", e.getMessage()), e);
             try {

core/src/main/java/org/apache/cloudstack/direct/download/HttpsMultiTrustManager.java

@@ -1,102 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.direct.download;
-
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Iterables;
-
-public class HttpsMultiTrustManager implements X509TrustManager {
-
-    private final List<X509TrustManager> trustManagers;
-
-    public HttpsMultiTrustManager(KeyStore... keystores) {
-        List<X509TrustManager> trustManagers = new ArrayList<>();
-        trustManagers.add(getTrustManager(null));
-        for (KeyStore keystore : keystores) {
-            trustManagers.add(getTrustManager(keystore));
-        }
-        this.trustManagers = ImmutableList.copyOf(trustManagers);
-    }
-
-    public static TrustManager[] getTrustManagersFromKeyStores(KeyStore... keyStore) {
-        return new TrustManager[] { new HttpsMultiTrustManager(keyStore) };
-
-    }
-
-    @Override
-    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
-        for (X509TrustManager trustManager : trustManagers) {
-            try {
-                trustManager.checkClientTrusted(chain, authType);
-                return;
-            } catch (CertificateException ignored) {}
-        }
-        throw new CertificateException("None of the TrustManagers trust this certificate chain");
-    }
-
-    @Override
-    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
-        for (X509TrustManager trustManager : trustManagers) {
-            try {
-                trustManager.checkServerTrusted(chain, authType);
-                return;
-            } catch (CertificateException ignored) {}
-        }
-        throw new CertificateException("None of the TrustManagers trust this certificate chain");
-    }
-
-    @Override
-    public X509Certificate[] getAcceptedIssuers() {
-        ImmutableList.Builder<X509Certificate> certificates = ImmutableList.builder();
-        for (X509TrustManager trustManager : trustManagers) {
-            for (X509Certificate cert : trustManager.getAcceptedIssuers()) {
-                certificates.add(cert);
-            }
-        }
-        return Iterables.toArray(certificates.build(), X509Certificate.class);
-    }
-
-    public X509TrustManager getTrustManager(KeyStore keystore) {
-        return getTrustManager(TrustManagerFactory.getDefaultAlgorithm(), keystore);
-    }
-
-    public X509TrustManager getTrustManager(String algorithm, KeyStore keystore) {
-        TrustManagerFactory factory;
-        try {
-            factory = TrustManagerFactory.getInstance(algorithm);
-            factory.init(keystore);
-            return Iterables.getFirst(Iterables.filter(
-                    Arrays.asList(factory.getTrustManagers()), X509TrustManager.class), null);
-        } catch (NoSuchAlgorithmException | KeyStoreException e) {
-            e.printStackTrace();
-        }
-        return null;
-    }
-}

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtSetupDirectDownloadCertificateCommandWrapper.java

@@ -84,7 +84,7 @@ public class LibvirtSetupDirectDownloadCertificateCommandWrapper extends Command
     private void importCertificate(String tempCerFilePath, String keyStoreFile, String certificateName, String privatePassword) {
         logger.debug("Importing certificate from temporary file to keystore");
         String keyToolPath = Script.getExecutableAbsolutePath("keytool");
-        int result = Script.executeCommandForExitValue(keyToolPath, "-importcert", "file", tempCerFilePath,
+        int result = Script.executeCommandForExitValue(keyToolPath, "-importcert", "-file", tempCerFilePath,
                 "-keystore", keyStoreFile, "-alias", sanitizeBashCommandArgument(certificateName), "-storepass",
                 privatePassword, "-noprompt");
         if (result != 0) {

plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java

@@ -159,6 +159,8 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
 
     protected String kubernetesClusterNodeNamePrefix;
 
+    private static final int MAX_CLUSTER_PREFIX_LENGTH = 43;
+
     protected KubernetesClusterResourceModifierActionWorker(final KubernetesCluster kubernetesCluster, final KubernetesClusterManagerImpl clusterManager) {
         super(kubernetesCluster, clusterManager);
     }
@@ -775,19 +777,35 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
         }
     }
 
+    /**
+     * Generates a valid name prefix for Kubernetes cluster nodes.
+     *
+     * <p>The prefix must comply with Kubernetes naming constraints:
+     * <ul>
+     *   <li>Maximum 63 characters total</li>
+     *   <li>Only lowercase alphanumeric characters and hyphens</li>
+     *   <li>Must start with a letter</li>
+     *   <li>Must end with an alphanumeric character</li>
+     * </ul>
+     *
+     * <p>The generated prefix is limited to 43 characters to accommodate the full node naming pattern:
+     * <pre>{'prefix'}-{'control' | 'node'}-{'11-digit-hash'}</pre>
+     *
+     * @return A valid node name prefix, truncated if necessary
+     * @see <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/names/">Kubernetes "Object Names and IDs" documentation</a>
+     */
     protected String getKubernetesClusterNodeNamePrefix() {
-        String prefix = kubernetesCluster.getName();
-        if (!NetUtils.verifyDomainNameLabel(prefix, true)) {
-            prefix = prefix.replaceAll("[^a-zA-Z0-9-]", "");
-            if (prefix.length() == 0) {
-                prefix = kubernetesCluster.getUuid();
-            }
-            prefix = "k8s-" + prefix;
+        String prefix = kubernetesCluster.getName().toLowerCase();
+
+        if (NetUtils.verifyDomainNameLabel(prefix, true)) {
+            return StringUtils.truncate(prefix, MAX_CLUSTER_PREFIX_LENGTH);
         }
-        if (prefix.length() > 40) {
-            prefix = prefix.substring(0, 40);
+
+        prefix = prefix.replaceAll("[^a-z0-9-]", "");
+        if (prefix.isEmpty()) {
+            prefix = kubernetesCluster.getUuid();
         }
-        return prefix;
+        return StringUtils.truncate("k8s-" + prefix, MAX_CLUSTER_PREFIX_LENGTH);
     }
 
     protected KubernetesClusterVO updateKubernetesClusterEntry(final Long cores, final Long memory, final Long size,

plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorkerTest.java

@@ -0,0 +1,138 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package com.cloud.kubernetes.cluster.actionworkers;
+
+import com.cloud.kubernetes.cluster.KubernetesCluster;
+import com.cloud.kubernetes.cluster.KubernetesClusterManagerImpl;
+import com.cloud.kubernetes.cluster.dao.KubernetesClusterDao;
+import com.cloud.kubernetes.cluster.dao.KubernetesClusterDetailsDao;
+import com.cloud.kubernetes.cluster.dao.KubernetesClusterVmMapDao;
+import com.cloud.kubernetes.version.dao.KubernetesSupportedVersionDao;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.junit.MockitoJUnitRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class KubernetesClusterResourceModifierActionWorkerTest {
+    @Mock
+    private KubernetesClusterDao kubernetesClusterDaoMock;
+
+    @Mock
+    private KubernetesClusterDetailsDao kubernetesClusterDetailsDaoMock;
+
+    @Mock
+    private KubernetesClusterVmMapDao kubernetesClusterVmMapDaoMock;
+
+    @Mock
+    private KubernetesSupportedVersionDao kubernetesSupportedVersionDaoMock;
+
+    @Mock
+    private KubernetesClusterManagerImpl kubernetesClusterManagerMock;
+
+    @Mock
+    private KubernetesCluster kubernetesClusterMock;
+
+    private KubernetesClusterResourceModifierActionWorker kubernetesClusterResourceModifierActionWorker;
+
+    @Before
+    public void setUp() {
+        kubernetesClusterManagerMock.kubernetesClusterDao = kubernetesClusterDaoMock;
+        kubernetesClusterManagerMock.kubernetesSupportedVersionDao = kubernetesSupportedVersionDaoMock;
+        kubernetesClusterManagerMock.kubernetesClusterDetailsDao = kubernetesClusterDetailsDaoMock;
+        kubernetesClusterManagerMock.kubernetesClusterVmMapDao = kubernetesClusterVmMapDaoMock;
+
+        kubernetesClusterResourceModifierActionWorker = new KubernetesClusterResourceModifierActionWorker(kubernetesClusterMock, kubernetesClusterManagerMock);
+    }
+
+    @Test
+    public void getKubernetesClusterNodeNamePrefixTestReturnOriginalPrefixWhenNamingAllRequirementsAreMet() {
+        String originalPrefix = "k8s-cluster-01";
+        String expectedPrefix = "k8s-cluster-01";
+
+        Mockito.when(kubernetesClusterMock.getName()).thenReturn(originalPrefix);
+        Assert.assertEquals(expectedPrefix, kubernetesClusterResourceModifierActionWorker.getKubernetesClusterNodeNamePrefix());
+    }
+
+    @Test
+    public void getKubernetesClusterNodeNamePrefixTestNormalizedPrefixShouldOnlyContainLowerCaseCharacters() {
+        String originalPrefix = "k8s-CLUSTER-01";
+        String expectedPrefix = "k8s-cluster-01";
+
+        Mockito.when(kubernetesClusterMock.getName()).thenReturn(originalPrefix);
+        Assert.assertEquals(expectedPrefix, kubernetesClusterResourceModifierActionWorker.getKubernetesClusterNodeNamePrefix());
+    }
+
+    @Test
+    public void getKubernetesClusterNodeNamePrefixTestNormalizedPrefixShouldBeTruncatedWhenRequired() {
+        int maxPrefixLength = 43;
+
+        String originalPrefix = "c".repeat(maxPrefixLength + 1);
+        String expectedPrefix = "c".repeat(maxPrefixLength);
+
+        Mockito.when(kubernetesClusterMock.getName()).thenReturn(originalPrefix);
+        String normalizedPrefix = kubernetesClusterResourceModifierActionWorker.getKubernetesClusterNodeNamePrefix();
+        Assert.assertEquals(expectedPrefix, normalizedPrefix);
+        Assert.assertEquals(maxPrefixLength, normalizedPrefix.length());
+    }
+
+    @Test
+    public void getKubernetesClusterNodeNamePrefixTestNormalizedPrefixShouldBeTruncatedWhenRequiredAndWhenOriginalPrefixIsInvalid() {
+        int maxPrefixLength = 43;
+
+        String originalPrefix = "1!" + "c".repeat(maxPrefixLength);
+        String expectedPrefix = "k8s-1" + "c".repeat(maxPrefixLength - 5);
+
+        Mockito.when(kubernetesClusterMock.getName()).thenReturn(originalPrefix);
+        String normalizedPrefix = kubernetesClusterResourceModifierActionWorker.getKubernetesClusterNodeNamePrefix();
+        Assert.assertEquals(expectedPrefix, normalizedPrefix);
+        Assert.assertEquals(maxPrefixLength, normalizedPrefix.length());
+    }
+
+    @Test
+    public void getKubernetesClusterNodeNamePrefixTestNormalizedPrefixShouldOnlyIncludeAlphanumericCharactersAndHyphen() {
+        String originalPrefix = "Cluster!@#$%^&*()_+?.-01|<>";
+        String expectedPrefix = "k8s-cluster-01";
+
+        Mockito.when(kubernetesClusterMock.getName()).thenReturn(originalPrefix);
+        Assert.assertEquals(expectedPrefix, kubernetesClusterResourceModifierActionWorker.getKubernetesClusterNodeNamePrefix());
+    }
+
+    @Test
+    public void getKubernetesClusterNodeNamePrefixTestNormalizedPrefixShouldContainClusterUuidWhenAllCharactersAreInvalid() {
+        String clusterUuid = "2699b547-cb56-4a59-a2c6-331cfb21d2e4";
+        String originalPrefix = "!@#$%^&*()_+?.|<>";
+        String expectedPrefix = "k8s-" + clusterUuid;
+
+        Mockito.when(kubernetesClusterMock.getUuid()).thenReturn(clusterUuid);
+        Mockito.when(kubernetesClusterMock.getName()).thenReturn(originalPrefix);
+        Assert.assertEquals(expectedPrefix, kubernetesClusterResourceModifierActionWorker.getKubernetesClusterNodeNamePrefix());
+    }
+
+    @Test
+    public void getKubernetesClusterNodeNamePrefixTestNormalizedPrefixShouldNotStartWithADigit() {
+        String originalPrefix = "1 cluster";
+        String expectedPrefix = "k8s-1cluster";
+
+        Mockito.when(kubernetesClusterMock.getName()).thenReturn(originalPrefix);
+        Assert.assertEquals(expectedPrefix, kubernetesClusterResourceModifierActionWorker.getKubernetesClusterNodeNamePrefix());
+    }
+}

server/src/main/java/com/cloud/template/TemplateAdapterBase.java

@@ -194,7 +194,8 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
 
         if (!isAdmin && zoneIdList == null && !isRegionStore ) {
             // domain admin and user should also be able to register template on a region store
-            throw new InvalidParameterValueException("Please specify a valid zone Id. Only admins can create templates in all zones.");
+            throw new InvalidParameterValueException("Template registered for 'All zones' can only be owned a Root Admin account. " +
+                    "Please select specific zone(s).");
         }
 
         // check for the url format only when url is not null. url can be null incase of form based upload

utils/src/main/java/com/cloud/utils/net/NetUtils.java

@@ -1058,13 +1058,23 @@ public class NetUtils {
         return Integer.toString(portRange[0]) + ":" + Integer.toString(portRange[1]);
     }
 
+    /**
+     * Validates a domain name.
+     *
+     * <p>Domain names must satisfy the following constraints:
+     * <ul>
+     *   <li>Length between 1 and 63 characters</li>
+     *   <li>Contain only ASCII letters 'a' through 'z' (case-insensitive)</li>
+     *   <li>Can include digits '0' through '9' and hyphens (-)</li>
+     *   <li>Must not start or end with a hyphen</li>
+     *   <li>If used as hostname, must not start with a digit</li>
+     * </ul>
+     *
+     * @param hostName The domain name to validate
+     * @param isHostName If true, verifies whether the domain name starts with a digit
+     * @return true if the domain name is valid, false otherwise
+     */
     public static boolean verifyDomainNameLabel(final String hostName, final boolean isHostName) {
-        // must be between 1 and 63 characters long and may contain only the ASCII letters 'a' through 'z' (in a
-        // case-insensitive manner),
-        // the digits '0' through '9', and the hyphen ('-').
-        // Can not start with a hyphen and digit, and must not end with a hyphen
-        // If it's a host name, don't allow to start with digit
-
         if (hostName.length() > 63 || hostName.length() < 1) {
             LOGGER.warn("Domain name label must be between 1 and 63 characters long");
             return false;

vmware-base/src/main/java/com/cloud/hypervisor/vmware/mo/BaseMO.java

@@ -253,12 +253,29 @@ public class BaseMO {
                 hostClusterPair = hostClusterNamesMap.get(hostMorValue);
             } else {
                 HostMO hostMO = new HostMO(_context, hostMor);
-                ClusterMO clusterMO = new ClusterMO(_context, hostMO.getHyperHostCluster());
-                hostClusterPair = new Pair<>(hostMO.getHostName(), clusterMO.getName());
+                String hostName = hostMO.getHostName();
+                String clusterName = getClusterNameFromHostIncludingStandaloneHosts(hostMO, hostName);
+                hostClusterPair = new Pair<>(hostName, clusterName);
                 hostClusterNamesMap.put(hostMorValue, hostClusterPair);
             }
             vm.setHostName(hostClusterPair.first());
             vm.setClusterName(hostClusterPair.second());
         }
     }
+
+    /**
+     * Return the cluster name of the host on the vCenter
+     * @return null in case the host is standalone (doesn't belong to a cluster), cluster name otherwise
+     */
+    private String getClusterNameFromHostIncludingStandaloneHosts(HostMO hostMO, String hostName) {
+        try {
+            ClusterMO clusterMO = new ClusterMO(_context, hostMO.getHyperHostCluster());
+            return clusterMO.getName();
+        } catch (Exception e) {
+            String msg = String.format("Cannot find a cluster for host %s, assuming standalone host, " +
+                    "setting its cluster name as empty", hostName);
+            logger.info(msg);
+            return null;
+        }
+    }
 }