save latest changes

microsoft · Apr 16, 2024 · 15d93e4 · 15d93e4
1 parent ad52266
commit 15d93e4
Show file tree

Hide file tree

Showing 13 changed files with 301 additions and 126 deletions.
diff --git a/src/modules/SdnDiag.LoadBalancerMux/public/Get-SdnMuxCertificate.ps1 b/src/modules/SdnDiag.LoadBalancerMux/public/Get-SdnMuxCertificate.ps1
@@ -1,16 +1,31 @@
 function Get-SdnMuxCertificate {
     <#
         .SYNOPSIS
-        Returns the certificate used by the SDN Load Balancer Mux.
+            Returns the certificate used by the SDN Load Balancer Mux.
+        .PARAMETER NetworkControllerOid
+            Specifies to return only the certificate that has the specified Network Controller OID.
     #>
 
     [CmdletBinding()]
-    param ()
+    param (
+        [Parameter(Mandatory = $false)]
+        [switch]$NetworkControllerOid
+    )
 
     try {
         $muxCert = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SlbMux' -Name 'MuxCert'
         $subjectName = "CN={0}" -f $muxCert
-        $certificate = Get-SdnCertificate -Subject $subjectName -Path 'Cert:\LocalMachine\My'
+        $certificate = Get-SdnCertificate -Subject $subjectName -Path 'Cert:\LocalMachine\My' -NetworkControllerOid:$NetworkControllerOid
+
+        if ($null -eq $certificate) {
+            if ($NetworkControllerOid) {
+                throw New-Object System.NullReferenceException("Failed to locate certificate for Load Balancer Mux containing Network Controller OID")
+            }
+            else {
+                throw New-Object System.NullReferenceException("Failed to locate certificate for Load Balancer Mux")
+            }
+        }
+
         return $certificate
     }
     catch {

diff --git a/src/modules/SdnDiag.NetworkController/SdnDiag.NetworkController.Helper.psm1 b/src/modules/SdnDiag.NetworkController/SdnDiag.NetworkController.Helper.psm1
@@ -10,6 +10,52 @@ class SdnFabricInfrastructure {
     [System.String[]]$FabricNodes
 }
 
+class BaseCert {
+    [String]$Thumbprint
+    [String]$SubjectName
+    [bool]$IsSelfSigned
+}
+
+class RestCert : BaseCert {
+    [CertType]$CertificateType = [CertType]::Rest
+}
+
+class NodeCert : BaseCert {
+    [String]$ResourceRef
+    [String]$IpAddressOrFQDN
+    [String]$NodeName
+}
+
+class NetworkControllerNodeCert : NodeCert {
+    [CertType]$CertificateType = [CertType]::NetworkController
+}
+
+class LoadBalancerMuxNodeCert : NodeCert {
+    [CertType]$CertificateType = [CertType]::LoadBalancerMux
+}
+
+class ServerNodeCert : NodeCert {
+    [CertType]$CertificateType = [CertType]::Server
+}
+
+class CertRotateConfig {
+    [RestCert]$RestCert
+    [ClusterCredentialType]$ClusterCredentialType = [ClusterCredentialType]::Kerberos
+    [Object[]]$NodeCerts
+}
+
+enum ClusterCredentialType {
+    Kerberos
+    X509
+}
+
+enum CertType {
+    Rest
+    NetworkController
+    Server
+    LoadBalancerMux
+}
+
 enum NcManagedRoles {
     Gateway
     Server

diff --git a/src/modules/SdnDiag.NetworkController/private/Start-SdnExpiredCertificateRotation.ps1 b/src/modules/SdnDiag.NetworkController/private/Start-SdnExpiredCertificateRotation.ps1
@@ -24,9 +24,11 @@ function Start-SdnExpiredCertificateRotation {
         [Parameter(Mandatory = $true)]
         [hashtable]
         $CertRotateConfig,
+
         [System.Management.Automation.PSCredential]
         [System.Management.Automation.Credential()]
         $Credential = [System.Management.Automation.PSCredential]::Empty,
+
         [System.Management.Automation.PSCredential]
         [System.Management.Automation.Credential()]
         $NcRestCredential = [System.Management.Automation.PSCredential]::Empty
@@ -44,26 +46,24 @@ function Start-SdnExpiredCertificateRotation {
     $NcNodeList = $NcInfraInfo.NodeList
 
     if ($null -eq $NcNodeList -or $NcNodeList.Count -eq 0) {
-        Trace-Output -Message "Failed to get NC Node List from NetworkController: $(HostName)" -Level:Error
+        throw "Failed to get NC Node List from NetworkController: $($env:COMPUTERNAME)"
     }
 
     Trace-Output -Message "NcNodeList: $($NcNodeList.IpAddressOrFQDN)"
-
     Trace-Output -Message "Validate CertRotateConfig"
     if(!(Test-SdnCertificateRotationConfig -NcNodeList $NcNodeList -CertRotateConfig $CertRotateConfig -Credential $Credential)){
-        Trace-Output -Message "Invalid CertRotateConfig, please correct the configuration and try again" -Level:Error
-        return
+        throw "Invalid CertRotateConfig, please correct the configuration and try again"
     }
 
     if ([String]::IsNullOrEmpty($NcInfraInfo.NcRestName)) {
         Trace-Output -Message "Failed to get NcRestName using current secret certificate thumbprint. This might indicate the certificate not found on $(HOSTNAME). We won't be able to recover." -Level:Error
-        throw New-Object System.NotSupportedException("Current NC Rest Cert not found, Certificate Rotation cannot be continue.")
+        throw New-Object System.NotSupportedException("Current Network Controller Rest certificate not found.")
     }
 
     $NcVms = $NcNodeList.IpAddressOrFQDN
 
-    if (Test-Path $NcUpdateFolder) {
-        $items = Get-ChildItem $NcUpdateFolder
+    if (Test-Path -Path $NcUpdateFolder) {
+        $items = Get-ChildItem -Path $NcUpdateFolder -ErrorAction Ignore
         if ($items.Count -gt 0) {
             $confirmCleanup = Read-Host "The Folder $NcUpdateFolder not empty. Need to be cleared. Enter Y to confirm"
             if ($confirmCleanup -eq "Y") {
@@ -122,15 +122,4 @@ function Start-SdnExpiredCertificateRotation {
     # Step 7 Restart
     Trace-Output -Message "Step 7 Restarting Service Fabric Cluster after configuration change"
     $clusterHealthy = Wait-ServiceFabricClusterHealthy -NcNodeList $NcNodeList -CertRotateConfig $CertRotateConfig -Credential $Credential -Restart
-
-<#     Trace-Output -Message "Step 7.2 Rotate Network Controller Certificate"
-    #$null = Invoke-CertRotateCommand -Command 'Set-NetworkController' -Credential $Credential -Thumbprint $NcRestCertThumbprint
-
-    # Step 8 Update REST CERT credential
-    Trace-Output -Message "Step 8 Update REST CERT credential"
-    # Step 8.1 Wait for NC App Healthy
-    Trace-Output -Message "Step 8.1 Wiating for Network Controller App Ready"
-    #Wait-NetworkControllerAppHealthy -Interval 60
-    Trace-Output -Message "Step 8.2 Updating REST CERT Credential object calling REST API" #>
-    #Update-NetworkControllerCredentialResource -NcUri "https://$($NcInfraInfo.NcRestName)" -NewRestCertThumbprint $NcRestCertThumbprint -Credential $NcRestCredential
 }
diff --git a/src/modules/SdnDiag.NetworkController/public/Get-SdnNetworkController.ps1 b/src/modules/SdnDiag.NetworkController/public/Get-SdnNetworkController.ps1
@@ -23,22 +23,31 @@ function Get-SdnNetworkController {
         $Credential = [System.Management.Automation.PSCredential]::Empty
     )
 
-    try {
-        if (-NOT ($PSBoundParameters.ContainsKey('NetworkController'))) {
-            $config = Get-SdnModuleConfiguration -Role 'NetworkController'
-            $confirmFeatures = Confirm-RequiredFeaturesInstalled -Name $config.windowsFeature
-            if (-NOT ($confirmFeatures)) {
-                "The current machine is not a NetworkController, run this on NetworkController or use -NetworkController parameter to specify one" | Trace-Output -Level:Warning
-                return # don't throw exception, since this is a controlled scenario and we do not need stack exception tracing
-            }
+    if (-NOT ($PSBoundParameters.ContainsKey('NetworkController'))) {
+        $config = Get-SdnModuleConfiguration -Role 'NetworkController'
+        $confirmFeatures = Confirm-RequiredFeaturesInstalled -Name $config.windowsFeature
+        if (-NOT ($confirmFeatures)) {
+            "The current machine is not a NetworkController, run this on NetworkController or use -NetworkController parameter to specify one" | Trace-Output -Level:Warning
+            return # don't throw exception, since this is a controlled scenario and we do not need stack exception tracing
+        }
+    }
+
+    $sb = {
+        # check if service fabric service is running otherwise this command will hang
+        if ((Get-Service -Name 'FabricHostSvc').Status -ine 'Running' ) {
+            throw "Service Fabric Service is not running on $NetworkController"
         }
 
+        return (Get-NetworkController)
+    }
+
+    try {
         try {
             if (Test-ComputerNameIsLocal -ComputerName $NetworkController) {
-                $result = Get-NetworkController
+                $result = Invoke-Command -ScriptBlock $sb -ErrorAction Stop
             }
             else {
-                $result = Invoke-PSRemoteCommand -ComputerName $NetworkController -ScriptBlock { Get-NetworkController } -Credential $Credential
+                $result = Invoke-PSRemoteCommand -ComputerName $NetworkController -ScriptBlock $sb -Credential $Credential -ErrorAction Stop
             }
         }
         catch {

diff --git a/src/modules/SdnDiag.NetworkController/public/Get-SdnNetworkControllerNode.ps1 b/src/modules/SdnDiag.NetworkController/public/Get-SdnNetworkControllerNode.ps1
@@ -6,7 +6,7 @@ function Get-SdnNetworkControllerNode {
         Specifies the friendly name of the node for the network controller. If not provided, settings are retrieved for all nodes in the deployment.
     .PARAMETER NetworkController
         Specifies the name or IP address of the network controller node on which this cmdlet operates. The parameter is optional if running on network controller node.
-	.PARAMETER Credential
+    .PARAMETER Credential
         Specifies a user account that has permission to perform this action. The default is the current user.
     .EXAMPLE
         PS> Get-SdnNetworkControllerNode
@@ -31,50 +31,65 @@ function Get-SdnNetworkControllerNode {
         [switch]$ServerNameOnly
     )
 
-    try {
+    if (-NOT ($PSBoundParameters.ContainsKey('NetworkController'))) {
+        $config = Get-SdnModuleConfiguration -Role 'NetworkController'
+        $confirmFeatures = Confirm-RequiredFeaturesInstalled -Name $config.windowsFeature
+        if (-NOT ($confirmFeatures)) {
+            "The current machine is not a NetworkController, run this on NetworkController or use -NetworkController parameter to specify one" | Trace-Output -Level:Warning
+            return # don't throw exception, since this is a controlled scenario and we do not need stack exception tracing
+        }
+    }
 
-        if (-NOT ($PSBoundParameters.ContainsKey('NetworkController'))) {
-            $config = Get-SdnModuleConfiguration -Role 'NetworkController'
-            $confirmFeatures = Confirm-RequiredFeaturesInstalled -Name $config.windowsFeature
-            if (-NOT ($confirmFeatures)) {
-                "The current machine is not a NetworkController, run this on NetworkController or use -NetworkController parameter to specify one" | Trace-Output -Level:Warning
-                return # don't throw exception, since this is a controlled scenario and we do not need stack exception tracing
-            }
+    $params = @{
+        NetworkController = $NetworkController
+        Credential        = $Credential
+        ErrorAction       = 'Stop'
+    }
+    if ($Name) {
+        $params.Add('Name', $Name)
+    }
+
+    $sb = {
+        param([String]$arg0)
+
+        # check if service fabric service is running otherwise this command will hang
+        if ((Get-Service -Name 'FabricHostSvc').Status -ine 'Running' ) {
+            throw "Service Fabric Service is not running on $NetworkController"
         }
 
+        if ([string]::IsNullOrEmpty($arg0)) {
+            Get-NetworkControllerNode -ErrorAction Stop
+        }
+        else {
+            Get-NetworkControllerNode -Name $arg0 -ErrorAction Stop
+        }
+    }
+
+    try {
         try {
+            # Run the script block locally or remotely
             if (Test-ComputerNameIsLocal -ComputerName $NetworkController) {
-                $result = Get-NetworkControllerNode -ErrorAction Stop
+                $result = Invoke-Command -ScriptBlock $sb -ArgumentList @($Name) -ErrorAction Stop
             }
             else {
-                $result = Invoke-PSRemoteCommand -ComputerName $NetworkController -Credential $Credential -ScriptBlock {
-                    Get-NetworkControllerNode -ErrorAction Stop
-                } -ErrorAction Stop
+                $result = Invoke-PSRemoteCommand -ComputerName $NetworkController -Credential $Credential -ScriptBlock $sb -ArgumentList @($Name) -ErrorAction Stop
             }
 
             # in this scenario if the results returned we will parse the objects returned and generate warning to user if node is not up
             # this property is only going to exist though if service fabric is healthy and underlying NC cmdlet can query node status
-            foreach($obj in $result){
-                if($obj.Status -ine 'Up'){
-                    "{0} is reporting status {1}" -f $obj.Name, $obj.Status | Trace-Output -Level:Warning
+            $result | ForEach-Object {
+                if ($_.Status -ine 'Up') {
+                    "{0} is reporting status {1}" -f $_.Name, $_.Status | Trace-Output -Level:Warning
                 }
 
-                # if we returned the object, we want to add a new property called NodeCertificateThumbprint as this will ensure consistent
-                # output in scenarios where this operation fails due to NC unhealthy and we need to fallback to reading the cluster manifest
-                $result | ForEach-Object {
-                    if (!($_.PSOBject.Properties.name -contains "NodeCertificateThumbprint")) {
-                        $_ | Add-Member -MemberType NoteProperty -Name 'NodeCertificateThumbprint' -Value $_.NodeCertificate.Thumbprint
-                    }
+                if (!($_.PSOBject.Properties.name -contains "NodeCertificateThumbprint")) {
+                    $_ | Add-Member -MemberType NoteProperty -Name 'NodeCertificateThumbprint' -Value $_.NodeCertificate.Thumbprint
                 }
             }
         }
         catch {
-            "Get-NetworkControllerNode failed with following exception: `n`t{0}`n" -f $_ | Trace-Output -Level:Error
-            $result = Get-NetworkControllerNodeInfoFromClusterManifest  -NetworkController $NetworkController -Credential $Credential
-        }
-
-        if ($Name) {
-            $result = $result | Where-Object { $_.Name.Split(".")[0] -ieq $Name.Split(".")[0] -or $_.Server -ieq $Name.Split(".")[0] }
+            "Get-NetworkControllerNode failed: {0}" -f $_.Exception.Message | Trace-Output -Level:Error
+            $result = Get-NetworkControllerNodeInfoFromClusterManifest @params
         }
 
         if($ServerNameOnly){
@@ -83,7 +98,6 @@ function Get-SdnNetworkControllerNode {
         else {
             return $result
         }
-
     }
     catch {
         $_ | Trace-Exception

diff --git a/src/modules/SdnDiag.NetworkController/public/Get-SdnNetworkControllerNodeCertificate.ps1 b/src/modules/SdnDiag.NetworkController/public/Get-SdnNetworkControllerNodeCertificate.ps1
@@ -2,8 +2,16 @@ function Get-SdnNetworkControllerNodeCertificate {
     <#
     .SYNOPSIS
         Returns the current Network Controller node certificate
+    .PARAMETER NetworkControllerOid
+        Specifies to return only the certificate that has the specified Network Controller OID.
     #>
 
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [switch]$NetworkControllerOid
+    )
+
     try {
         $networkControllerNode = Get-SdnNetworkControllerNode -Name $env:COMPUTERNAME
 
@@ -14,17 +22,17 @@ function Get-SdnNetworkControllerNodeCertificate {
             switch ($networkControllerNode.FindCertificateBy) {
                 'FindBySubjectName' {
                     "`tFindBySubjectName: {0}" -f $networkControllerNode.NodeCertSubjectName | Trace-Output -Level:Verbose
-                    $certificate = Get-SdnCertificate -Path 'Cert:\LocalMachine\My' -Subject $networkControllerNode.NodeCertSubjectName
+                    $certificate = Get-SdnCertificate -Path 'Cert:\LocalMachine\My' -Subject $networkControllerNode.NodeCertSubjectName -NetworkControllerOid:$NetworkControllerOid
                 }
 
                 'FindByThumbprint' {
                     "`FindByThumbprint: {0}" -f $networkControllerNode.NodeCertificateThumbprint | Trace-Output -Level:Verbose
-                    $certificate = Get-SdnCertificate -Path 'Cert:\LocalMachine\My' -Thumbprint $networkControllerNode.NodeCertificateThumbprint
+                    $certificate = Get-SdnCertificate -Path 'Cert:\LocalMachine\My' -Thumbprint $networkControllerNode.NodeCertificateThumbprint -NetworkControllerOid:$NetworkControllerOid
                 }
             }
         }
         else {
-            $certificate = Get-SdnCertificate -Path 'Cert:\LocalMachine\My' -Thumbprint $networkControllerNode.NodeCertificateThumbprint
+            $certificate = Get-SdnCertificate -Path 'Cert:\LocalMachine\My' -Thumbprint $networkControllerNode.NodeCertificateThumbprint -NetworkControllerOid:$NetworkControllerOid
         }
 
         if ($null -eq $certificate) {