Enable client-side CQL encryption in Stargate if it is configured on the cluster (fixes #722)

[olim7t]

What this PR does:
Generate a config file to enable client encryption for Stargate's CQL module.
Adapt e2e tests (thankfully NGINX ingress forwards TCP port 9042 the same whether it uses SSL or not, so the only thing to change is client code).

Which issue(s) this PR fixes:
Fixes #722

Checklist

• Changes manually tested
• Automated Tests added/updated
• Documentation added/updated
• CHANGELOG.md updated (not required for documentation PRs)
• CLA Signed: DataStax CLA

[olim7t]

-Dstargate.cql.config_path was introduced in 1.0.64. I went with the latest.

[olim7t]

A bit of naming/refactoring in this function, because it was getting really confusing with two files.

[olim7t]

Pull in TLS support.

[olim7t]

Alternatively we could extract the certificate manually once, commit it and just load that file.
Pros:

• this avoids the extra dependency to jceks (keystore management).

Cons:

• we'd have to keep the cert file and config map in sync, but the certs are valid until 2049...
• this is test code and it works so why change it

[adejanovski]

Happy with what we have here, no need to change.

[adejanovski]

Awesome work @olim7t 👏
Just one tiny question around the use case of externally provided cql yaml options to Stargate, which is non blocking for me. If there are specific settings other than client_encryption_options which should go there instead of cassandra.yaml, we'll need to document them.

[adejanovski]

I'm trying to think of a case where we'd get a user input that should go into that Stargate cql config file.
Which settings other than client_encryption_options have to be passed through this file?

[adejanovski]

yep, definitely more accurate 👍

[adejanovski]

Happy with what we have here, no need to change.

[olim7t]

If there are specific settings other than client_encryption_options which should go there instead of cassandra.yaml, we'll need to document them.

Right, there might be more than the encryption options.
The full list supported by Stargate CQL is:

rpc_address
rpc_interface
rpc_interface_prefer_ipv6
rpc_keepalive *
native_transport_port
native_transport_port_ssl
native_transport_max_frame_size_in_mb *
native_transport_max_concurrent_connections *
native_transport_max_concurrent_connections_per_ip *
native_transport_flush_in_batches_legacy *
native_transport_allow_older_protocols *
native_transport_max_concurrent_requests_in_bytes_per_ip *
native_transport_max_concurrent_requests_in_bytes *
native_transport_idle_timeout_in_ms *

For the ones I marked with *: I think it make sense to copy to stargate_cql.yaml, I will add them to the list.

RPC address / interface: unlikely to be set globally on the CassandraDatacenter, if they are set to non-default values it's unlikely that it would be something global for all nodes.

Ports: the service hard-codes port 9042, and it doesn't allow both SSL and non-SSL either. So I don't think customizing those is a use case either.

[codecov-commenter]

Codecov Report

Merging #733 (3702173) into main (237a335) will decrease coverage by 0.02%.
The diff coverage is 55.81%.

@@            Coverage Diff             @@
##             main     #733      +/-   ##
==========================================
- Coverage   54.14%   54.12%   -0.03%     
==========================================
  Files          82       82              
  Lines        8342     8361      +19     
==========================================
+ Hits         4517     4525       +8     
- Misses       3376     3384       +8     
- Partials      449      452       +3     

Impacted Files	Coverage Δ
apis/stargate/v1alpha1/stargate_types.go	96.15% <ø> (ø)
pkg/stargate/config.go	0.00% <0.00%> (ø)
controllers/stargate/stargate_controller.go	46.36% <60.60%> (+0.30%)	⬆️
pkg/stargate/deployments.go	92.81% <100.00%> (+0.08%)	⬆️
controllers/replication/secret_controller.go	64.42% <0.00%> (-1.35%)	⬇️