Add support to enable transport encryption TLS

[shubhanilBag]

This PR:

1. Adds configurable params to enable transport encryption
2. Supports adding custom TLS CA cert using a configurable k8s secret
3. Adds a clqshrc ConfigMap file that allows cqlsh to be used without any additional configuration when TLS is enabled
4. Adds integration tests to check
   1.1 Node-to-Node transport encryption
   1.2 Client-to-Node encryption
   1.3 Node-to-Node along with Client-to-Node encryption
   1.4 Data read and write using cqlsh
5. Adds and updates documentation for enabling TLS
   6. Bumps operator version to 0.2.0

[zmalik]

This is looking really good!
leaving some comments to improve the parameter docs

[zmalik]

lets add some description here

[mpereira]

+1, and the following ones as well.

[mpereira]

@shubhanilBag could you please merge in the latest master?

[mpereira]

Hi @shubhanilBag, thanks for the great progress so far!

A few comments from my side.

[mpereira]

Let's revert the operator version bump. Version bumps should happen in the stable branches.

[mpereira]

+1, and the following ones as well.

[mpereira]

Could this be a configmap of cqlshrc itself instead of a bash script that generates it?

[shubhanilBag]

That is what I was going to do initially, but I made a script so that in future if additional configuration is needed for cqlsh, it can be in one script; like adding custom config containing additional config for cqlsh ref: https://docs.datastax.com/en/cql-oss/3.3/cql/cql_reference/cqlshUsingCqlshrc.html

[mpereira]

What's the difference regarding supporting future additional configuration between:
A) a templated bash script that outputs a file
B) a templated file?

[shubhanilBag]

like here what we do for kafka custom properties taken from a user provided CM https://github.com/kudobuilder/operators/blob/ebaf9e6dba463aa4ff8ec7b4e537c7fdc8c3f629/repository/kafka/operator/templates/bootstrap.yaml#L175

[shubhanilBag]

If this is not required for cqlshrc file then I can revert back to the usual way for mounting a CM and cp it

[shubhanilBag]

@mpereira as discussed we are keeping the script based approach as POD_NAME env variable is used in the script to create the hostname

[mpereira]

Should cassandra-home be just /home/cassandra/?

[shubhanilBag]

Both cqlsh and nodetool creates files in .cassandra, /home/cassandra is not used directly
so directly mounted it in .cassandra, otherwise it would need another mkdir.

cassandra@cassandra-node-0:~ $ ls -lah
total 0
drwxr-xr-x. 3 root root 24 Jan 29 14:46 .
drwxr-xr-x. 1 root root 23 Jan 29 14:46 ..
drwxrwsrwx. 2 root cassandra 66 Jan 29 14:49 .cassandra
cassandra@cassandra-node-0:~$ ls -lah .cassandra/
total 12K
drwxrwsrwx. 2 root cassandra 66 Jan 29 14:49 .
drwxr-xr-x. 3 root root 24 Jan 29 14:46 ..
-rw-------. 1 cassandra cassandra 5 Jan 29 14:49 cqlsh_history
-rw-r--r--. 1 cassandra cassandra 264 Jan 29 14:46 cqlshrc
-rw-r--r--. 1 cassandra cassandra 1.7K Jan 29 14:50 nodetool.history

[mpereira]

Let's name it something other than "cassandra-home" then, since it implies /home/cassandra. Maybe something like cassandra-configuration-directory or dot-cassandra.

[shubhanilBag]

dot-cassandra SGTM 👍

[mpereira]

Would PodContainerLogs be a more representative name for this function?

[shubhanilBag]

Let's go with FetchContainerLogs

[mpereira]

How is that function different than the already existing k8s.GetPodContainerLogs by the way?

[shubhanilBag]

It's not, I made a duplicate by mistake 🤔! Thanks for pointing it out, will fix that

[mpereira]

Suggested change

	func CQLSH(
	func cqlsh(

[mpereira]

Try to follow the active voice for the test names, so that it reads like:

It "checks for the container logs"

like the above

It "installs the operator from a directory"

On the other tests as well.

[mpereira]

Let's put this test file in tests/suites/tls_test.go.

[shubhanilBag]

I followed kudo-kafka-operator's way of having tests in different packages with it's own folder. If we have the tls_test.go and sanity_test.go under same package sanity they will share the global vars and functions. We won't get full isolation. like https://github.com/mesosphere/kudo-cassandra-operator/blob/d6f6784bb48ae6b0473a4ed70fc97af783fad2e2/tests/suites/sanity_test.go#L23
and
https://github.com/mesosphere/kudo-cassandra-operator/blob/8932a7e5f58b52495466ca16265aace4b8b3ca97/tests/suites/cassandra_tls/tls_test.go#L19 will conflict if tls_test was in same folder

[mpereira]

I see. In that case, let's move

• tests/suites/sanity_test.go to tests/suites/sanity/sanity_test.go
• tests/suites/cassandra_tls/tls_test.go to tests/suites/tls/tls_test.go.

[shubhanilBag]

Sure 👍

[ANeumann82]

This is required because the suites moved one directory deeper?

Maybe we should pass in the scripts directory as an absolute path at some point and not rely on relative paths. Seems to be ok for now though.

[mpereira]

Would be ok for now for me too. Is there a way to make this relative to the actual kudo.go file instead, though?

[shubhanilBag]

@ANeumann82 right, later we can do something like this: https://github.com/mesosphere/kudo-kafka-operator/pull/6/files#diff-dc3495b5db55989eec09ceab2776f370R29
Set a REPO_ROOT env var and create abs paths using that

[mpereira]

It's already available to be passed as an environment variable fwiw: https://github.com/mesosphere/kudo-cassandra-operator/blob/7a143804c906b3f8c5fda40f359ab297506c35ff/run-tests.sh#L7

[ANeumann82]

These are probably development settings for local testing?

[shubhanilBag]

right! I will remove these ☑️ from here and tls test

[shubhanilBag]

but it's a good practice to have tests that consume as less resource as possible, I added these as the default ones where too large to run in konovy cluster with default config.
It can help in starting up running tests in small clusters faster, plus if we have extra pods in tests like KDC or like a client pod for testing out application features then those can fail to run due to resource starvation on the k8s nodes WDYT @ANeumann82 ?
fyi same practice is followed by kudo-kafka ref:https://github.com/mesosphere/kudo-kafka-operator/blob/b692a7f003afe31a3b35002820542afe62178cbd/tests/utils/client.go#L241

[ANeumann82]

Yeah, I'm fine with that. I didn't know Cassandra enough yet to tune the settings down, but as long as we don't make anything flaky because Cassandra doesn't have enough CPU or Mem, i'm fine with having lower values for the tests.

[mpereira]

These settings are too low, and can likely cause resource throttling issues. I've seen it happen during MWTs. Unless we're specifically testing CPU/MEM parameters, let's use the default parameter values.

[shubhanilBag]

@zmalik @mpereira @ANeumann82 thanks for the thorough review 👍 added changes as requested in fd0ff10

[mpereira]

Great work @shubhanilBag. Just a few comments from my side regarding documentation, but nothing blocking. Thanks!

[mpereira]

Suggested change

	- [Security](./docs/secuity.md)
	- [Security](./docs/security.md)

[mpereira]

Let's rephrase all instances of "service" with "operator" to maintain consistency.

Suggested change

	The KUDO Cassandra service supports Cassandra’s native transport **encryption**
	The KUDO Cassandra operator supports Cassandra’s native transport **encryption**

[mpereira]

Let's also rephrase "Cassadra" instances to "Apache Cassandra" for the same reason.

Suggested change

	of these important features. For more information on Cassandra’s security, read
	of these important features. For more information on Apache Cassandra’s security, read

[mpereira]

Let's maintain consistency of either all parameters in one line, or one parameter per-line when there's lots of them.

Suggested change

	--instance=cassandra --namespace=kudo-cassandra \
	--instance=cassandra \
	--namespace=kudo-cassandra \

[mpereira]

I pushed two small commits fixing a documentation thing.

@shubhanilBag would you be able to add an "unreleased" changelog entry as well?

[shubhanilBag]

I pushed two small commits fixing a documentation thing.

@shubhanilBag would you be able to add an "unreleased" changelog entry as well?

@mpereira Added the doc fixes and added changelog entry in b3bf8f8

[mpereira]

🚢

[mpereira]

Looks like there are two test failures:

[18:14:38][Step 5/7] Summarizing 2 Failures:
[18:14:38][Step 5/7] 
[18:14:38][Step 5/7] [Fail] sanity-test [It] Configures Cassandra properties through custom properties 
[18:14:38][Step 5/7] /kudo-cassandra-operator/tests/suites/sanity/sanity_test.go:151
[18:14:38][Step 5/7] 
[18:14:38][Step 5/7] [Fail] sanity-test [It] Configures Cassandra JVM options through custom options 
[18:14:38][Step 5/7] /kudo-cassandra-operator/tests/suites/sanity/sanity_test.go:175
[18:14:38][Step 5/7] 
[18:14:38][Step 5/7] Ran 7 of 7 Specs in 1109.357 seconds
[18:14:38][Step 5/7] FAIL! -- 5 Passed | 2 Failed | 0 Pending | 0 Skipped

@shubhanilBag could you take a look when you get a chance?

[shubhanilBag]

The sanity test suite was running the tests in this order:

1. install from community repo
2. upgrade to local version
3. Node Scaling tests (3nodes -> 4nodes)
4. Three parameter update tests

As the result the 3 param update tests were running with 4 nodes in the c* instance, so the SS took more time to update itself than the estimated 5mins of timeout, and failing the tests
In c0fb3bd I moved the node scaling tests to the end. The tests are passing and the update tests are a bit faster now.
cc: @mpereira

[zmalik]

add the comment?

[shubhanilBag]

added in a2162f4

[zmalik]

LGTM! 🎉

[ANeumann82]

Looks good!

[mpereira]

🚢