
ci: add certs for cassandra tls

JianBo He 3 лет назад
Родитель
Сommit
5f0828a2ea

+ 1 - 0
.ci/docker-compose-file/.env

@@ -6,5 +6,6 @@ LDAP_TAG=2.4.50
 INFLUXDB_TAG=2.5.0
 TDENGINE_TAG=3.0.2.4
 DYNAMO_TAG=1.21.0
+CASSANDRA_TAG=3.11.6
 
 TARGET=emqx/emqx

+ 0 - 4
.ci/docker-compose-file/cassandra/Dockerfile-tls

@@ -1,4 +0,0 @@
-ARG CASSANDRA_TAG=3.11.6
-FROM cassandra:${CASSANDRA_TAG}
-COPY cassandra-tls.yaml /etc/cassandra/cassandra.yaml
-CMD ["cassandra", "-f"]

Разница между файлами не показана из-за своего большого размера
+ 0 - 1236
.ci/docker-compose-file/cassandra/cassandra-tls.yaml


+ 12 - 12
.ci/docker-compose-file/cassandra/cassandra.yaml

@@ -638,7 +638,7 @@ native_transport_port: 9042
 # for native_transport_port. Setting native_transport_port_ssl to a different value
 # from native_transport_port will use encryption for native_transport_port_ssl while
 # keeping native_transport_port unencrypted.
-# native_transport_port_ssl: 9142
+native_transport_port_ssl: 9142
 # The maximum threads for handling requests when the native transport is used.
 # This is similar to rpc_max_threads though the default differs slightly (and
 # there is no native_transport_min_threads, idle threads will always be stopped
@@ -1044,20 +1044,20 @@ server_encryption_options:
 
 # enable or disable client/server encryption.
 client_encryption_options:
-    enabled: false
+    enabled: true
     # If enabled and optional is set to true encrypted and unencrypted connections are handled.
-    optional: false
-    keystore: conf/.keystore
-    keystore_password: cassandra
-    # require_client_auth: false
+    optional: true
+    keystore: /certs/server.jks
+    keystore_password: my_password
+    require_client_auth: true
     # Set trustore and truststore_password if require_client_auth is true
-    # truststore: conf/.truststore
-    # truststore_password: cassandra
+    truststore: /certs/truststore.jks
+    truststore_password: my_password
     # More advanced defaults below:
-    # protocol: TLS
-    # algorithm: SunX509
-    # store_type: JKS
-    # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+    protocol: TLS
+    algorithm: SunX509
+    store_type: JKS
+    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
 
 # internode_compression controls whether traffic between nodes is
 # compressed.
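Review bot: `optional: true` under client_encryption_options means the listener on 9142 also accepts plaintext, so a client that silently falls back to an unencrypted connection will still pass the TLS test group; if the intent is to exercise TLS end-to-end, `optional: false` is the setting that enforces it, otherwise a comment should say why plaintext fallback is wanted. The uncommented `cipher_suites` line is the sample config's legacy list — CBC-only and including non-forward-secret `TLS_RSA_*` suites — and `protocol: TLS` leaves the minimum version to the JVM; acceptable for a CI fixture, but it deserves `# CI fixture: legacy suite list copied from the sample config, not a hardening recommendation` so it is not copied into a deployment. `keystore_password: my_password` and `truststore_password: my_password` are committed test credentials and should be marked as such, e.g. `# test-only keystores, see ../certs/README.md`. `require_client_auth: true` together with `optional: true` presumably requires any TLS client to present a certificate; that should be confirmed against the Erlang suite's client options, which as far as this commit shows supply none.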

+ 23 - 0
.ci/docker-compose-file/certs/README.md

@@ -0,0 +1,23 @@
+Certificate and Key files for testing
+
+## Cassandra (v3.x)
+
+### How to convert server PEM to JKS Format
+
+1. Convert server.crt and server.key to server.p12
+
+```bash
+openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "certificate"
+```
+
+2. Convert server.p12 to server.jks
+
+```bash
+keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks
+```
+
+### How to convert CA PEM certificate to truststore.jks
+
+```
+keytool -import -file ca.pem -keystore truststore.jks
+```

BIN
.ci/docker-compose-file/certs/server.jks


BIN
.ci/docker-compose-file/certs/server.p12


BIN
.ci/docker-compose-file/certs/truststore.jks


+ 4 - 1
.ci/docker-compose-file/docker-compose-cassandra-tcp.yaml

@@ -2,7 +2,7 @@ version: '3.9'
 
 services:
   cassandra_server:
-    container_name: cassa_tcp
+    container_name: cassandra
     build:
       context: ./cassandra
       args:
@@ -12,8 +12,11 @@ services:
     environment:
       CASSANDRA_BROADCAST_ADDRESS: "1.2.3.4"
       CASSANDRA_RPC_ADDRESS: "0.0.0.0"
+    volumes:
+      - ./certs:/certs
     ports:
       - "9042:9042"
+      - "9142:9142"
     command:
       - /bin/bash
       - -c
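Review bot: The new `./certs:/certs` bind mount is read-write although the container only reads the keystores; `- ./certs:/certs:ro` prevents the container (or a future entrypoint tweak) from altering the committed test certificates. The file is still named `docker-compose-cassandra-tcp.yaml` but now also publishes the TLS port 9142, so the name no longer describes what it starts; either rename it or add a header comment such as `# starts one Cassandra node serving both plain (9042) and TLS (9142) native transport`. The `command:` block continues outside the hunk.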

+ 1 - 0
.ci/docker-compose-file/docker-compose-toxiproxy.yaml

@@ -20,6 +20,7 @@ services:
       - 16041:6041
       - 18000:8000
       - 19042:9042
+      - 19142:9142
     command:
       - "-host=0.0.0.0"
       - "-config=/config/toxiproxy.json"

+ 4 - 4
.ci/docker-compose-file/toxiproxy.json

@@ -57,13 +57,13 @@
   {
     "name": "cassa_tcp",
     "listen": "0.0.0.0:9042",
-    "upstream": "cassa_tcp:9042",
+    "upstream": "cassandra:9042",
     "enabled": true
   },
   {
     "name": "cassa_tls",
-    "listen": "0.0.0.0:9043",
-    "upstream": "cassa_tls:9043",
-    "enabled": false
+    "listen": "0.0.0.0:9142",
+    "upstream": "cassandra:9142",
+    "enabled": true
   }
 ]

+ 4 - 5
lib-ee/emqx_ee_bridge/test/emqx_ee_bridge_cassa_SUITE.erl

@@ -76,7 +76,7 @@ init_per_group(tcp, Config) ->
     ];
 init_per_group(tls, Config) ->
     Host = os:getenv("CASSA_TLS_HOST", "toxiproxy"),
-    Port = list_to_integer(os:getenv("CASSA_TLS_PORT", "9043")),
+    Port = list_to_integer(os:getenv("CASSA_TLS_PORT", "9142")),
     [
         {cassa_host, Host},
         {cassa_port, Port},
@@ -132,6 +132,7 @@ end_per_testcase(_Testcase, Config) ->
 %%------------------------------------------------------------------------------
 
 common_init(Config0) ->
+    ct:pal("commit_init: ~p~n", [Config0]),
     BridgeType = proplists:get_value(bridge_type, Config0, <<"cassandra">>),
     Host = ?config(cassa_host, Config0),
     Port = ?config(cassa_port, Config0),
@@ -251,8 +252,7 @@ query_resource(Config, Request) ->
 
 connect_direct_cassa(Config) ->
     Opts = #{
-        host => ?config(cassa_host, Config),
-        port => ?config(cassa_port, Config),
+        nodes => [{?config(cassa_host, Config), ?config(cassa_port, Config)}],
         username => ?CASSA_USERNAME,
         password => ?CASSA_PASSWORD,
         keyspace => ?CASSA_KEYSPACE
@@ -262,8 +262,7 @@ connect_direct_cassa(Config) ->
         case ?config(enable_tls, Config) of
             true ->
                 Opts#{
-                    ssl => true,
-                    ssl_opts => emqx_tls_lib:to_client_opts(#{enable => true})
+                    ssl => emqx_tls_lib:to_client_opts(#{enable => true})
                 };
             false ->
                 Opts
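Review bot: The added `ct:pal("commit_init: ~p~n", [Config0])` mislabels the function it is in (`common_init`) and dumps the entire CT config proplist into the test log at pal level; if it is a leftover debug print it should be dropped, otherwise at least `ct:pal("common_init: ~p~n", [Config0])`. In connect_direct_cassa the TLS options are now just `emqx_tls_lib:to_client_opts(#{enable => true})` with no `cacertfile` or `verify` entry, so as far as this hunk shows the server certificate is not verified and no client certificate is offered, which matters if the server side is configured to require client auth; a comment such as `%% CI only: TLS without peer verification or client certificate` would make the intent explicit. Both common_init and connect_direct_cassa continue outside the hunk.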