[PLAT-18873]: Allow non-restart upgrade for certs rotate.

Summary: Allowed non-restart upgrade for certs rotate for VM based universe.

Test Plan: Tested manually

Reviewers: anabaria, #yba-api-review!

Reviewed By: anabaria

Subscribers: yugaware

Differential Revision: https://phorge.dev.yugabyte.com/D48192

Author: vipul-yb

managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/CertsRotate.java

@@ -100,7 +100,9 @@ public void run() {
           // For rootCA root certificate rotation, we would need to do it in three rounds
           // so that node to node communications are not disturbed during the upgrade.
           // For other cases we can do it in one round by updating respective certs.
-          if (taskParams().upgradeOption == UpgradeOption.ROLLING_UPGRADE
+          // This 3-round process works for both ROLLING_UPGRADE and NON_RESTART_UPGRADE.
+          if ((taskParams().upgradeOption == UpgradeOption.ROLLING_UPGRADE
+                  || taskParams().upgradeOption == UpgradeOption.NON_RESTART_UPGRADE)
               && taskParams().rootCARotationType == CertRotationType.RootCert) {
             // Update the rootCA in platform to generate a multi-cert containing both old cert and
             // new cert. If it is already a multi-cert or the root CA of the universe is already
@@ -111,14 +113,14 @@ && taskParams().rootCARotationType == CertRotationType.RootCert) {
             createCertUpdateTasks(allNodes, CertRotateAction.APPEND_NEW_ROOT_CERT);
 
             // Add task to use the updated certs
-            createActivateCertsTask(universe, nodes, UpgradeOption.ROLLING_UPGRADE, false);
+            createActivateCertsTask(universe, nodes, taskParams().upgradeOption, false);
 
             // Copy new server certs to all nodes. This deletes the old certs and uploads the new
             // files to the same location.
             createCertUpdateTasks(allNodes, CertRotateAction.ROTATE_CERTS);
 
             // Add task to use the updated certs.
-            createActivateCertsTask(getUniverse(), nodes, UpgradeOption.ROLLING_UPGRADE, false);
+            createActivateCertsTask(getUniverse(), nodes, taskParams().upgradeOption, false);
 
             // Remove old root cert from the ca.crt by replacing (moving) the old cert with the new
             // one.
@@ -137,7 +139,7 @@ && taskParams().rootCARotationType == CertRotationType.RootCert) {
 
             // Add task to use the updated certs.
             createActivateCertsTask(
-                getUniverse(), nodes, UpgradeOption.ROLLING_UPGRADE, taskParams().isYbcInstalled());
+                getUniverse(), nodes, taskParams().upgradeOption, taskParams().isYbcInstalled());
 
           } else {
             // Update the rootCA in platform to have both old cert and new cert.
@@ -243,12 +245,16 @@ private void createActivateCertsTask(
       UpgradeOption upgradeOption,
       boolean ybcInstalled) {
 
-    boolean n2nCertExpired = CertificateHelper.checkNode2NodeCertsExpiry(universe);
-    if (isCertReloadable(universe) && !n2nCertExpired) {
+    boolean canReloadCert =
+        isCertReloadable(universe) && !CertificateHelper.checkNode2NodeCertsExpiry(universe);
+    if (taskParams().upgradeOption == UpgradeOption.NON_RESTART_UPGRADE) {
+      if (!canReloadCert) {
+        throw new RuntimeException(
+            "Node-to-node certificates are expired, only non-rolling upgrade is supported");
+      }
       // cert reload can be performed.
       log.info("adding cert rotate via reload task ...");
       createCertReloadTask(nodes, universe.getUniverseUUID(), getUserTaskUUID());
-
     } else {
       // Do a restart to rotate certificate.
       log.info("adding a cert rotate via restart task ...");

managed/src/main/java/com/yugabyte/yw/forms/CertsRotateParams.java

@@ -13,6 +13,9 @@
 import com.yugabyte.yw.common.certmgmt.CertConfigType;
 import com.yugabyte.yw.common.certmgmt.CertificateHelper;
 import com.yugabyte.yw.common.certmgmt.EncryptionInTransitUtil;
+import com.yugabyte.yw.common.config.GlobalConfKeys;
+import com.yugabyte.yw.common.config.RuntimeConfGetter;
+import com.yugabyte.yw.common.inject.StaticInjectorHolder;
 import com.yugabyte.yw.models.CertificateInfo;
 import com.yugabyte.yw.models.Universe;
 import com.yugabyte.yw.models.helpers.CommonUtils;
@@ -81,6 +84,56 @@ private void verifyCertificateValidity(Universe universe) {
     }
   }
 
+  private void verifyNonRestartUpgradeSupport(Universe universe) {
+    UserIntent userIntent = universe.getUniverseDetails().getPrimaryCluster().userIntent;
+    String softwareVersion = userIntent.ybSoftwareVersion;
+
+    // Check if YB version supports cert reload (>= 2.14.0.0-b1)
+    if (Util.compareYbVersions(softwareVersion, "2.14.0.0-b1", true) < 0) {
+      throw new PlatformServiceException(
+          Status.BAD_REQUEST,
+          "Non-restart certificate rotation is not supported for universe with software version: "
+              + softwareVersion
+              + ". Minimum required version is 2.14.0.0-b1.");
+    }
+
+    // Check if cert reload feature flag is enabled
+    if (runtimeConfGetter == null) {
+      runtimeConfGetter = StaticInjectorHolder.injector().instanceOf(RuntimeConfGetter.class);
+    }
+    boolean featureFlagEnabled = runtimeConfGetter.getGlobalConf(GlobalConfKeys.enableCertReload);
+    if (!featureFlagEnabled) {
+      throw new PlatformServiceException(
+          Status.BAD_REQUEST,
+          "Non-restart certificate rotation requires the cert reload feature to be enabled. "
+              + "Please enable the feature flag 'yb.features.cert_reload.enabled' and retry.");
+    }
+
+    // Check if universe is configured for cert reload
+    boolean universeConfigured =
+        Boolean.parseBoolean(
+            universe
+                .getConfig()
+                .getOrDefault(Universe.KEY_CERT_HOT_RELOADABLE, Boolean.FALSE.toString()));
+    if (!universeConfigured) {
+      throw new PlatformServiceException(
+          Status.BAD_REQUEST,
+          "Non-restart certificate rotation requires the universe to be configured for cert "
+              + "reload. The universe will be automatically configured during the first cert "
+              + "rotation, but for non-restart upgrades, it must be configured beforehand. "
+              + "Please perform a rolling cert rotation first to configure the universe.");
+    }
+
+    // Check if node-to-node certs are expired (non-restart upgrade cannot proceed if expired)
+    boolean n2nCertExpired = CertificateHelper.checkNode2NodeCertsExpiry(universe);
+    if (n2nCertExpired) {
+      throw new PlatformServiceException(
+          Status.BAD_REQUEST,
+          "Non-restart certificate rotation cannot be performed when node-to-node certificates "
+              + "have expired. Please use rolling or non-rolling upgrade option instead.");
+    }
+  }
+
   private void commonValidation(Universe universe) {
     UniverseDefinitionTaskParams universeDetails = universe.getUniverseDetails();
     UserIntent userIntent = universeDetails.getPrimaryCluster().userIntent;
@@ -113,8 +166,9 @@ private void verifyParamsForNormalUpgrade(Universe universe, boolean isFirstTry)
     UUID currentRootCA = universeDetails.rootCA;
     UUID currentClientRootCA = universeDetails.clientRootCA;
 
+    // Validate non-restart upgrade option for non-Kubernetes universes
     if (upgradeOption == UpgradeOption.NON_RESTART_UPGRADE) {
-      throw new PlatformServiceException(Status.BAD_REQUEST, "Cert upgrade cannot be non restart.");
+      verifyNonRestartUpgradeSupport(universe);
     }
 
     // Make sure rootCA and clientRootCA respects the rootAndClientRootCASame property