Enable client-side CQL encryption in Stargate if it is configured on the cluster (fixes #722) #733
@@ -43,7 +43,7 @@ type StargateTemplate struct { | |||
// ContainerImage is the image characteristics to use for Stargate containers. Leave nil | |||
// to use a default image. | |||
// +optional | |||
// +kubebuilder:default={repository:"stargateio", tag:"v1.0.45"} | |||
// +kubebuilder:default={repository:"stargateio", tag:"v1.0.66"} |
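Review bot: the bump of the default tag to v1.0.66 is what makes the new `-Dstargate.cql.config_path` option usable, but nothing in the hunk records that images older than 1.0.64 will not understand the generated CQL config; consider stating the minimum in the ContainerImage doc comment, e.g. `// Client-side CQL encryption requires Stargate 1.0.64 or later.`, so that users who pin an older tag know why encryption is not applied.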
-Dstargate.cql.config_path was introduced in 1.0.64. I went with the latest.
desiredConfig map[string]interface{}, | ||
userConfigMapContent string, | ||
dcConfig map[string]interface{}, | ||
userCassandraYaml, userCqlYaml string, |
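Review bot: userCassandraYaml and userCqlYaml are adjacent parameters of the same type, so a call site that passes them in the wrong order compiles silently and the cassandra.yaml content would end up in the CQL config file (or the reverse); a doc comment on the function naming which file each string holds, or a small struct with named fields, would make such a mix-up visible.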
A bit of naming/refactoring in this function, because it was getting really confusing with two files.
@@ -7,7 +7,7 @@ require ( | |||
github.com/Masterminds/semver/v3 v3.1.1 | |||
github.com/apache/tinkerpop/gremlin-go v0.0.0-20220530191148-29272fa563ec | |||
github.com/bombsimon/logrusr/v2 v2.0.1 | |||
github.com/datastax/go-cassandra-native-protocol v0.0.0-20210829124742-a80a54434112 | |||
github.com/datastax/go-cassandra-native-protocol v0.0.0-20220706104457-5e8aad05cf90 |
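Review bot: the go-cassandra-native-protocol bump is to a pseudo-version, so the reason for it (TLS support, per the thread) is not visible from go.mod itself; a short note in the commit message or PR description would keep that discoverable, and go.sum should be confirmed to have been updated in the same change since it is not part of this hunk.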
Pull in TLS support.
if err != nil { | ||
return nil, err | ||
} | ||
rootCas, err := extractCaCertificates(secret) |
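Review bot: the error returned by extractCaCertificates on the last line is not checked within the visible context; make sure the lines that follow are `if err != nil { return nil, err }` before rootCas is placed in the TLS config, since an unchecked failure there leaves an empty or nil root pool and surfaces later as a much less obvious handshake error.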
Alternatively we could extract the certificate manually once, commit it and just load that file.
Pros:
- this avoids the extra dependency to jceks (keystore management).
Cons:
- we'd have to keep the cert file and config map in sync, but the certs are valid until 2049...
- this is test code and it works so why change it
Happy with what we have here, no need to change.
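A fail-closed version of the CA extraction the e2e client relies on, added here as an illustration and not code from k8ssandra-operator: it reads the PEM CERTIFICATE blocks out of a Secret's Data map, keeps only CA certificates, and refuses to return an empty pool. The function name, its signature and the self-signed test CA are assumptions; the project's own extractCaCertificates may differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// extractCaCertificates builds a root pool from the PEM CERTIFICATE blocks in a Secret's Data
// (hypothetical signature, not the project's helper) and fails closed instead of returning an empty pool.
func extractCaCertificates(secretData map[string][]byte) (*x509.CertPool, error) {
	pool, found := x509.NewCertPool(), 0
	for _, raw := range secretData {
		for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
			if block.Type != "CERTIFICATE" {
				continue // tls.key and other PEM blocks are not trust anchors
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, err // a corrupt bundle is an error, not something to skip silently
			}
			if cert.IsCA { // leaf certificates do not belong in RootCAs
				pool.AddCert(cert)
				found++
			}
		}
	}
	if found == 0 {
		return nil, errors.New("secret contains no CA certificate") // an empty pool would only fail at handshake time
	}
	return pool, nil
}

// newSelfSignedCA returns a throwaway CA in PEM form (constructed test input, not a cluster CA).
func newSelfSignedCA() ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand is assumed not to fail here
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```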
Awesome work @olim7t 👏
Just one tiny question around the use case of externally provided cql yaml options to Stargate, which is non-blocking for me. If there are specific settings other than client_encryption_options which should go there instead of cassandra.yaml, we'll need to document them.
if stargate.Spec.CassandraConfigMapRef != nil { | ||
userConfigMap := &corev1.ConfigMap{} | ||
configMapKey := types.NamespacedName{Namespace: req.Namespace, Name: stargate.Spec.CassandraConfigMapRef.Name} | ||
err := r.Get(ctx, configMapKey, userConfigMap) | ||
if err != nil { | ||
return ctrl.Result{}, err | ||
} | ||
userConfigMapContent = userConfigMap.Data["cassandra.yaml"] | ||
userStargateCassandraYaml = userConfigMap.Data["cassandra.yaml"] | ||
userStargateCqlYaml = userConfigMap.Data[stargateutil.CqlConfigName] |
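Review bot: on the new last line, a ConfigMap that exists but has no `stargateutil.CqlConfigName` key yields an empty userStargateCqlYaml, which is indistinguishable from an explicitly empty file; that is probably intended but deserves a comment, and since the user content is now split across two keys the docs need to say which settings belong in the CQL file versus cassandra.yaml, as the thread already notes.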
I'm trying to think of a case where we'd get a user input that should go into that Stargate cql config file. Which settings other than client_encryption_options have to be passed through this file?
}, | ||
} | ||
} | ||
|
||
func MergeConfigMaps(userConfigMap string, generatedConfigMap string) string { | ||
func MergeYamlString(userConfigMap string, generatedConfigMap string) string { |
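Review bot: MergeYamlString is exported but, as far as the hunk shows, still has no doc comment; since it now merges user-supplied YAML with operator-generated settings such as client_encryption_options, the comment should state which side wins on a conflicting key, e.g. `// MergeYamlString merges userConfigMap into generatedConfigMap; generated settings take precedence on conflicts.` (adjusted to the actual behaviour), so nobody assumes a user file can override the encryption settings.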
yep, definitely more accurate 👍
Right, there might be more than the encryption options.
For the ones I marked with RPC address / interface: unlikely to be set globally on the Ports: the service hard-codes port 9042, and it doesn't allow both SSL and non-SSL either. So I don't think customizing those is a use case either.
Codecov Report
@@ Coverage Diff @@
## main #733 +/- ##
==========================================
- Coverage 54.14% 54.12% -0.03%
==========================================
Files 82 82
Lines 8342 8361 +19
==========================================
+ Hits 4517 4525 +8
- Misses 3376 3384 +8
- Partials 449 452 +3
What this PR does:
Generate a config file to enable client encryption for Stargate's CQL module.
Adapt e2e tests (thankfully NGINX ingress forwards TCP port 9042 the same whether it uses SSL or not, so the only thing to change is client code).
Which issue(s) this PR fixes:
Fixes #722
Checklist