Add TLS support for Cassandra (#183)

Signed-off-by: sabbir <[email protected]>

Author: sabbir-hossain70

cassandra/kubedb_client_builder.go

@@ -2,6 +2,8 @@ package cassandra
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 
@@ -76,10 +78,54 @@ func (o *KubeDBClientBuilder) GetCassandraClient() (*Client, error) {
 			Password: password,
 		}
 	}
+	if o.db.Spec.TLS != nil {
+		tlsConfig, err := o.GetTLSConfig()
+		if err != nil {
+			return nil, err
+		}
+		cluster.SslOpts = &gocql.SslOptions{
+			Config: tlsConfig,
+		}
+	}
 	session, err := cluster.CreateSession()
 	if err != nil {
 		return nil, fmt.Errorf("unable to connect to Cassandra cluster: %v", err)
 	}
 
 	return &Client{session}, nil
 }
+
+func (o *KubeDBClientBuilder) GetTLSConfig() (*tls.Config, error) {
+	var certSecret core.Secret
+	err := o.kc.Get(o.ctx, types.NamespacedName{
+		Namespace: o.db.Namespace,
+		Name:      o.db.GetCertSecretName(api.CassandraClientCert),
+	}, &certSecret)
+	if err != nil {
+		klog.Error(err, "failed to get clientCert secret")
+		return nil, err
+	}
+
+	// get tls cert, clientCA and rootCA for tls config
+	// use server cert ca for rootca as issuer ref is not taken into account
+	clientCA := x509.NewCertPool()
+	rootCA := x509.NewCertPool()
+
+	crt, err := tls.X509KeyPair(certSecret.Data[core.TLSCertKey], certSecret.Data[core.TLSPrivateKeyKey])
+	if err != nil {
+		klog.Error(err, "failed to create certificate for TLS config")
+		return nil, err
+	}
+	clientCA.AppendCertsFromPEM(certSecret.Data[kubedb.CACert])
+	rootCA.AppendCertsFromPEM(certSecret.Data[kubedb.CACert])
+
+	tlsConfig := &tls.Config{
+		ServerName:   o.db.ServiceName(),
+		Certificates: []tls.Certificate{crt},
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ClientCAs:    clientCA,
+		RootCAs:      rootCA,
+		MaxVersion:   tls.VersionTLS13,
+	}
+	return tlsConfig, nil
+}

go.mod

@@ -37,7 +37,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	kmodules.xyz/client-go v0.32.6
 	kmodules.xyz/custom-resources v0.32.0
-	kubedb.dev/apimachinery v0.55.1-0.20250627044625-8ce5da487c01
+	kubedb.dev/apimachinery v0.55.1-0.20250630051705-117e2306d4e2
 	sigs.k8s.io/controller-runtime v0.20.4
 	xorm.io/xorm v1.3.9
 )

go.sum

@@ -546,8 +546,8 @@ kmodules.xyz/monitoring-agent-api v0.32.0 h1:cMQbWvbTc4JWeLI/zYE0HLefsdFYBzqvATL
 kmodules.xyz/monitoring-agent-api v0.32.0/go.mod h1:zgRKiJcuK7FOHy0Y1TsONRbJfgnPCs8t4Zh/6Afr+yU=
 kmodules.xyz/offshoot-api v0.32.0 h1:gogc5scSZe2JoXtZof72UGRl3Tit0kFaFRMkLLT1D8o=
 kmodules.xyz/offshoot-api v0.32.0/go.mod h1:tled7OxYZ3SkUJcrVFVVYyd+zXjsRSEm1R6Q3k4gcx0=
-kubedb.dev/apimachinery v0.55.1-0.20250627044625-8ce5da487c01 h1:mZ/amsE16eesPExYL6TZo8mc3CHzvcphtanSdmj3xbg=
-kubedb.dev/apimachinery v0.55.1-0.20250627044625-8ce5da487c01/go.mod h1:/GY1pDR/Y9C1qY83KI9DBHLS+JFO/TYq4zLxk/+UJy0=
+kubedb.dev/apimachinery v0.55.1-0.20250630051705-117e2306d4e2 h1:8qKjiiVduUTH14u5iu5Emg4sCf79NOo1ykOnXgbzWZU=
+kubedb.dev/apimachinery v0.55.1-0.20250630051705-117e2306d4e2/go.mod h1:iiqMOpMi8H4SZkD3vw5BS3V0t2UmIde4RnotjJ7VeNE=
 kubeops.dev/petset v0.0.10 h1:sNaqmHrD9bW7pcrWnwPoiQrKvdRwRX0BaRQc5QA78Bg=
 kubeops.dev/petset v0.0.10/go.mod h1:uHL83kggwmtSxdlIfxNbY2isV22iYV6YjADv0y+Z7YA=
 kubeops.dev/sidekick v0.0.11 h1:OydXdIH6cYSiWxKIWvrywk95WhhHSERkc7RNPOmTekc=

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/cassandra_version_types.go

@@ -74,6 +74,9 @@ type CassandraVersionSpec struct {
 
 	// +optional
 	UI []ChartInfo `json:"ui,omitempty"`
+
+	// update constraints
+	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
 }
 
 // CassandraVersionExporter is the image for the Cassandra exporter

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/clickhouse_version_types.go

@@ -72,6 +72,9 @@ type ClickHouseVersionSpec struct {
 
 	// +optional
 	UI []ChartInfo `json:"ui,omitempty"`
+
+	// update constraints
+	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
 }
 
 // ClickHouseVersionDatabase is the ClickHouse Database image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/druid_version_types.go

@@ -61,6 +61,8 @@ type DruidVersionSpec struct {
 	SecurityContext SecurityContext `json:"securityContext"`
 	// +optional
 	UI []ChartInfo `json:"ui,omitempty"`
+	// update constraints
+	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
 }
 
 // DruidVersionDatabase is the Druid Database image

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/ignite_version_types.go

@@ -63,6 +63,9 @@ type IgniteVersionSpec struct {
 	SecurityContext IgniteSecurityContext `json:"securityContext"`
 	// +optional
 	UI []ChartInfo `json:"ui,omitempty"`
+
+	// update constraints
+	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
 }
 
 // IgniteSecurityContext is for the additional config for the DB container

vendor/kubedb.dev/apimachinery/apis/catalog/v1alpha1/openapi_generated.go

@@ -63,6 +63,8 @@ type RabbitMQVersionSpec struct {
 	SecurityContext SecurityContext `json:"securityContext"`
 	// +optional
 	UI []ChartInfo `json:"ui,omitempty"`
+	// update constraints
+	UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
 }
 
 // RabbitMQVersionDatabase is the RabbitMQ Database image