feat(cassandra): add ssl option cassandra

[MitulShah1]

#3124

What does this PR do?

Why is it important?

Related issues

@mdelapenya Can you please review

[netlify]

✅ Deploy Preview for testcontainers-go ready!

Name	Link
🔨 Latest commit	60622d4
🔍 Latest deploy log	https://app.netlify.com/sites/testcontainers-go/deploys/681d95cdea7398000823931c
😎 Deploy Preview	https://deploy-preview-3151--testcontainers-go.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[mdelapenya]

Looking good, although I added some comments about using the same approach as in the Redis module. Could you please take a look?

Cheers!

[mdelapenya]

suggestion: keep this initialisation next to its usage. Seems moved here for no reasons

[mdelapenya]

question: is 2 minutes too long? Can we use a shorter duration?

[mdelapenya]

question: are these new env vars related to the SSL options? If not, I'd separate the changes into a new PR, if possible

[mdelapenya]

question: why adding two flavours of the same option? I'd just choose one to avoid creating confusion on users

[mdelapenya]

question: I guess this is needed to notify the Run function about the SSL addition, right? I'd choose a different pattern for this, creating an options type as in the redis module. Then, you can simply generate the SSL certs on-the-fly as in that module.

[MitulShah1]

Looking good, although I added some comments about using the same approach as in the Redis module. Could you please take a look?

Cheers!

I made changes, can you please check again?

[stevenh]

Thanks for the quick updates, here's some suggestion which focus on simplification and reducing API surface area.

[stevenh]

suggestion: make these private so there's less API surface area allowing for refactoring without causing breaking changes. Given it's typed nature we can skip the Is prefix for boolean flag too.

Suggested change

	IsTLSEnabled bool
	TLSConfig *tls.Config
	tlsEnabled bool
	tlsConfig *tls.Config

More fixes to align with this change obviously, so best to just rename in your editor.

[stevenh]

suggestion: make private, again less API surface area to maintain. Also needs to use go not an external tool which might not be present on all platforms. See other modules on how they generate keys, hopefully that's compatible with cassandra.

[MitulShah1]

@stevenh making this function private, i need to change in options_test.go, its ok?

[stevenh]

Either that or make a seperate test file.

[MitulShah1]

options_test.go is created by me only but i cannot access that function as testcases are depend on it, do you want me to make this function private and remove options_test.go?

[stevenh]

Up to you, having integration and unit tests are both good. In go its not a problem to use the main package for tests, as long as you're conscious about the seperation.

However can we should first see if we can eliminate this external dependency. You can see a similar example here: https://github.com/testcontainers/testcontainers-go/blob/main/modules/redis/options.go#L86 which uses https://pkg.go.dev/github.com/mdelapenya/tlscert

[MitulShah1]

It seems you're suggesting we either minimize SSL-related dependencies or simply support SSL with minimal setup. I always try to follow the existing repository codebase and coding style as much possible.

Initially, I tried using only tlscert, but it has some limitations. If we choose to use tlscert, we can eliminate the keytool dependency, but we'd then need to rely on openssl.

So, we have two options:

Use keytool as we currently do.

Follow an approach similar to Cassandra's Go driver, where certificates are added in a testdata folder and used for SSL testing, as seen in the official Go driver.

[stevenh]

tlscert would be the preferred option as it's what a lot of the other modules use.

If it needs changes that should be quick and easy as that module is written by @mdelapenya one of this repositories maintainers.

[MitulShah1]

i know but it can handle this cassandra cert generation? @mdelapenya ? i already tried that let me know if ok to use openssl then i will make change to tlscert.

[mdelapenya]

Yes, let's use it for consistency. If there is a missing feature in that library, let's open an issue in there and work on fix and release it

Cheers!

[stevenh]

A Quick Look and it seems like it can use standard pen formatted certs so it should just work

[stevenh]

A few bugs introduced here I think, the big question is eliminating the use of external dependency keytool

[stevenh]

Up to you, having integration and unit tests are both good. In go its not a problem to use the main package for tests, as long as you're conscious about the seperation.

However can we should first see if we can eliminate this external dependency. You can see a similar example here: https://github.com/testcontainers/testcontainers-go/blob/main/modules/redis/options.go#L86 which uses https://pkg.go.dev/github.com/mdelapenya/tlscert

[stevenh]

question: do we need to two ports or can it just be one which is either SSL or not?

[stevenh]

@mdelapenya looks like we have an issue with WithWaitStrategy, it sets vs appending to WaitFor preventing easy initialisation here.

[mdelapenya]

Indeed. I think the use case here would be appending. I can submit a fix now

[stevenh]

suggestion: wrap the error here

Suggested change

	return nil, err
	return nil, fmt.Errorf("with wait strategy: %w", err)

[stevenh]

@mdelapenya quite a common pattern in modules, we should consider returning an error instead.

[mdelapenya]

You mean the pointer to the config and the error, right? I think we changed the tlscert library precisely for that, so good to me to change it

[stevenh]

Nope, these container methods, have them return an error if the config is nil vs just returning nil as the caller should know if they enabled TLS or not.

func (c *CassandraContainer) TLSConfig() (*tls.Config, error) {
	if c.settings.tlsConfig == nil {
		return nil, errors.New("tls not enabled")
	}
	return c.settings.tlsConfig.Config, nil
}

[mdelapenya]

Oh I see, the recently added methods for Redis and Valkey. For Valkey, we are in the same release cycle, we can change it without BC, for Redis, it's a BC

[stevenh]

bug: while this will run there options won't be accessible, so should still be just a noop.

We're looking to refactor how this works in a future version to avoid this, but that will be a bit.

[stevenh]

bug: settings is never set, you still need to check if you have an Option in the for loop and process it to ensure it set correctly.

If your tests are passing they shouldn't so might need a fix there too.

[stevenh]

question: are the paths needed? If not we can just return *tls.Config. I suspect the answer is dependent on eliminating the need for keytool