TLS connections to Cassandra

Makefile

@@ -7,7 +7,7 @@ DOCKER_TAG            ?= $(USER)
 # default helm chart version must be 0.0.42 for local development (because 42 is the answer to the universe and everything)
 HELM_SEMVER           ?= 0.0.42
 # The list of helm charts needed on internal kubernetes testing environments
-CHARTS_INTEGRATION    := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-controller nginx-ingress-services fluent-bit kibana sftd restund coturn
+CHARTS_INTEGRATION    := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-controller nginx-ingress-services fluent-bit kibana sftd restund coturn k8ssandra-test-cluster
 # The list of helm charts to publish on S3
 # FUTUREWORK: after we "inline local subcharts",
 # (e.g. move charts/brig to charts/wire-server/brig)

changelog.d/2-features/cassandra-tls

@@ -0,0 +1,6 @@
+Allow the configuration of TLS-secured connections to Cassandra. TLS is used
+when a certificate is provided. This is either done with
+`--tls-ca-certificate-file` for cli commands or the configuration attribute
+`cassandra.tlsCa` for services. In Helm charts, the certificate is provided as
+literal PEM string; either as attribute `cassandra.tlsCa` (analog to service
+configuration) or by a reference to a secret (`cassandra.tlsCaSecretRef`.)

charts/brig/templates/_helpers.tpl

@@ -7,3 +7,19 @@
 {{- define "includeSecurityContext" -}}
   {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
 {{- end -}}
+
+{{- define "useCassandraTLS" -}}
+{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }}
+{{- end -}}
+
+{{/* Return a Dict of TLS CA secret name and key
+This is used to switch between provided secret (e.g. by cert-manager) and
+created one (in case the CA is provided as PEM string.)
+*/}}
+{{- define "tlsSecretRef" -}}
+{{- if .cassandra.tlsCaSecretRef -}}
+{{ .cassandra.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "brig-cassandra" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}

charts/brig/templates/cassandra-secret.yaml

@@ -0,0 +1,15 @@
+{{/* Secret for the provided Cassandra TLS CA. */}}
+{{- if not (empty .Values.config.cassandra.tlsCa) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: brig-cassandra
+  labels:
+    app: brig
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }}
+{{- end }}

charts/brig/templates/configmap.yaml

@@ -28,6 +28,9 @@ data:
       {{- if hasKey .cassandra "filterNodesByDatacentre" }}
       filterNodesByDatacentre: {{ .cassandra.filterNodesByDatacentre }}
       {{- end }}
+      {{- if eq (include "useCassandraTLS" .) "true" }}
+      tlsCa: /etc/wire/brig/cassandra/{{- (include "tlsSecretRef" . | fromYaml).key }}
+      {{- end }}
 
     elasticsearch:
       url: http://{{ .elasticsearch.host }}:{{ .elasticsearch.port }}

charts/brig/templates/deployment.yaml

@@ -46,6 +46,11 @@ spec:
         - name: "geoip"
           emptyDir: {}
         {{- end }}
+        {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
+        - name: "brig-cassandra"
+          secret:
+            secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }}
+        {{- end}}
       {{- if .Values.config.geoip.enabled }}
       # Brig needs GeoIP database to be downloaded before it can start.
       initContainers:
@@ -102,6 +107,10 @@ spec:
           - name: "geoip"
             mountPath: "/usr/share/GeoIP"
           {{- end }}
+          {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
+          - name: "brig-cassandra"
+            mountPath: "/etc/wire/brig/cassandra"
+          {{- end }}
           env:
           - name: LOG_LEVEL
             value: {{ .Values.config.logLevel }}

charts/brig/templates/tests/brig-integration.yaml

@@ -44,6 +44,11 @@ spec:
     - name: "brig-integration-secrets"
       secret:
         secretName: "brig-integration"
+    {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
+    - name: "brig-cassandra"
+      secret:
+        secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }}
+    {{- end}}
   containers:
   - name: integration
     image: "{{ .Values.image.repository }}-integration:{{ .Values.image.tag }}"
@@ -101,6 +106,10 @@ spec:
       #       non-default locations
       #       (see corresp. TODO in galley.)
       mountPath: "/etc/wire/integration-secrets"
+    {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
+    - name: "brig-cassandra"
+      mountPath: "/etc/wire/brig/cassandra"
+    {{- end }}
 
     env:
     # these dummy values are necessary for Amazonka's "Discover"

charts/brig/values.yaml

@@ -20,6 +20,14 @@ config:
   logNetStrings: false
   cassandra:
     host: aws-cassandra
+#   To enable TLS provide a CA:
+#   tlsCa: <CA in PEM format (can be self-signed)>
+#
+#   Or refer to an existing secret (containing the CA):
+#   tlsCaSecretRef:
+#     name: <secret-name>
+#     key: <ca-attribute>
+
   elasticsearch:
     host: elasticsearch-client
     port: 9200

charts/cassandra-migrations/templates/_helpers.tpl

@@ -107,6 +107,125 @@ Thus the order of priority is:
 {{- end -}}
 {{- end -}}
 
+{{/* NOTE: Cassandra TLS helpers
+
+Cassandra connections can be configured per service or with a general configuration.
+Thus, there are three functions per service that fallback to the general
+configuration if the specific one does not exist:
+
+- useTls<service-name> -> Bool: Do we use Cassandra TLS connections for this
+  service?
+
+- tlsCa<service-name> -> String: TLS CA PEM string (if configured)
+
+- tlsSecretRef<service-name> -> YAML: Dict with keys `name` (name of the
+  secret to use) and `key` (name of the entry in the secret)
+*/}}
+
+{{- define "useTlsGalley" -}}
+{{ $cassandraGalley := default .Values.cassandra .Values.cassandraGalley }}
+{{- if or $cassandraGalley.tlsCa $cassandraGalley.tlsCaSecretRef -}}
+true
+{{- else}}
+false
+{{- end }}
+{{- end -}}
+
+{{- define "tlsCaGalley" -}}
+{{ $cassandraGalley := default .Values.cassandra .Values.cassandraGalley }}
+{{- if hasKey $cassandraGalley "tlsCa" -}}
+{{- $cassandraGalley.tlsCa }}
+{{ else }}
+{{- end -}}
+{{- end -}}
+
+{{- define "tlsSecretRefGalley" -}}
+{{ $cassandraGalley := default .Values.cassandra .Values.cassandraGalley }}
+{{- if $cassandraGalley.tlsCaSecretRef -}}
+{{ $cassandraGalley.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "galley-cassandra-cert" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "useTlsBrig" -}}
+{{ $cassandraBrig := default .Values.cassandra .Values.cassandraBrig }}
+{{- if or $cassandraBrig.tlsCa $cassandraBrig.tlsCaSecretRef -}}
+true
+{{- else}}
+false
+{{- end }}
+{{- end -}}
+
+{{- define "tlsCaBrig" -}}
+{{ $cassandraBrig := default .Values.cassandra .Values.cassandraBrig }}
+{{- if hasKey $cassandraBrig "tlsCa" -}}
+{{- $cassandraBrig.tlsCa }}
+{{ else }}
+{{- end -}}
+{{- end -}}
+
+{{- define "tlsSecretRefBrig" -}}
+{{ $cassandraBrig := default .Values.cassandra .Values.cassandraBrig }}
+{{- if $cassandraBrig.tlsCaSecretRef -}}
+{{ $cassandraBrig.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "brig-cassandra-cert" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "useTlsSpar" -}}
+{{ $cassandraSpar := default .Values.cassandra .Values.cassandraSpar }}
+{{- if or $cassandraSpar.tlsCa $cassandraSpar.tlsCaSecretRef -}}
+true
+{{- else}}
+false
+{{- end }}
+{{- end -}}
+
+{{- define "tlsCaSpar" -}}
+{{ $cassandraSpar := default .Values.cassandra .Values.cassandraSpar }}
+{{- if hasKey $cassandraSpar "tlsCa" -}}
+{{- $cassandraSpar.tlsCa }}
+{{ else }}
+{{- end -}}
+{{- end -}}
+
+{{- define "tlsSecretRefSpar" -}}
+{{ $cassandraSpar := default .Values.cassandra .Values.cassandraSpar }}
+{{- if $cassandraSpar.tlsCaSecretRef -}}
+{{ $cassandraSpar.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "spar-cassandra-cert" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "useTlsGundeck" -}}
+{{ $cassandraGundeck := default .Values.cassandra .Values.cassandraGundeck }}
+{{- if or $cassandraGundeck.tlsCa $cassandraGundeck.tlsCaSecretRef -}}
+true
+{{- else}}
+false
+{{- end }}
+{{- end -}}
+
+{{- define "tlsCaGundeck" -}}
+{{ $cassandraGundeck := default .Values.cassandra .Values.cassandraGundeck }}
+{{- if hasKey $cassandraGundeck "tlsCa" -}}
+{{- $cassandraGundeck.tlsCa }}
+{{ else }}
+{{- end -}}
+{{- end -}}
+
+{{- define "tlsSecretRefGundeck" -}}
+{{ $cassandraGundeck := default .Values.cassandra .Values.cassandraGundeck }}
+{{- if $cassandraGundeck.tlsCaSecretRef -}}
+{{ $cassandraGundeck.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "gundeck-cassandra-cert" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}
+
 {{/* Allow KubeVersion to be overridden. */}}
 {{- define "kubeVersion" -}}
   {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}}

charts/cassandra-migrations/templates/cassandra-certs.yaml

@@ -0,0 +1,75 @@
+{{- if ne (trim (include "tlsCaBrig" .)) "" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: brig-cassandra-cert
+  labels:
+    app: cassandra-migrations
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+type: Opaque
+data:
+  ca.pem: {{ include "tlsCaBrig" . | b64enc | quote }}
+{{- end}}
+{{- if ne (trim (include "tlsCaGalley" .)) "" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: galley-cassandra-cert
+  labels:
+    app: cassandra-migrations
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+type: Opaque
+data:
+  ca.pem: {{ include "tlsCaGalley" . | b64enc | quote }}
+{{- end}}
+{{- if ne (trim (include "tlsCaGundeck" .)) "" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gundeck-cassandra-cert
+  labels:
+    app: cassandra-migrations
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+type: Opaque
+data:
+  ca.pem: {{ include "tlsCaGundeck" . | b64enc | quote }}
+{{- end}}
+{{- if ne (trim (include "tlsCaSpar" .)) "" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: spar-cassandra-cert
+  labels:
+    app: cassandra-migrations
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+type: Opaque
+data:
+  ca.pem: {{ include "tlsCaSpar" . | b64enc | quote }}
+{{- end}}

charts/cassandra-migrations/templates/galley-migrate-data.yaml

@@ -42,4 +42,19 @@ spec:
            - "9042"
            - --cassandra-keyspace
            - galley
+           {{- if eq (include "useTlsGalley" .) "true" }}
+           - --tls-ca-certificate-file
+           - /certs/galley/{{- (include "tlsSecretRefGalley" . | fromYaml).key }}
+           {{- end }}
+          {{- if eq (include "useTlsGalley" .) "true" }}
+          volumeMounts:
+            - name: galley-cassandra-cert
+              mountPath: "/certs/galley"
+          {{- end }}
+      {{- if eq (include "useTlsGalley" .) "true" }}
+      volumes:
+        - name: galley-cassandra-cert
+          secret:
+            secretName: {{ (include "tlsSecretRefGalley" . | fromYaml).name }}
+      {{- end }}
 {{- end }}