Fix CassandraContainer wait strategy when SSL is configured

[maximevw]

This fixes issue #9410 and reduce error logging while trying to connect to Cassandra database at container startup (as discussed in #9337 (comment)).

The proposed solution introduces a method withSslClientConfig(certFile, keyFile) to use when a secured connection (TLS) is required by the Cassandra server configuration. It allows to specify the client certificate and key to use when connection checks and init script execution are performed.

The tests and documentation have been updated as well.

[eddumelendez]

Hi @maximevw, sorry for the delay. I think the wait was worth because I recently learnt about SSL_CERTFILE env var which could avoid writing a cqlshrc file.

Let me know if you can take look at this. Otherwise, I can tackle it.

Thanks again!

[eddumelendez]

SSL_CERTFILE env var can be set with value. I recently learnt it from scylladb module. This will avoid creating a cqlshrc file. See https://github.com/testcontainers/testcontainers-java/blob/main/modules/scylladb/src/main/java/org/testcontainers/scylladb/ScyllaDBContainer.java#L81

[maximevw]

Hello @eddumelendez,

As stated in my previous message and after testing the different use cases, if client_encryption_options.require_client_auth is set to true in cassandra.yaml configuration file, the cqlshrc file becomes required because the environment variable SSL_CERTFILE is not sufficient to configure SSL properly on client-side and other required parameters ssl.usercert and ssl.userkey don't have equivalent env variables.

See:

• cqlshrc SSL options
• Using cqlsh with SSL
• Cassandra server - client encryption options reference

That's why I used cqlshrc way: because it covers more possible configurations.

So, what we could do to avoid writing a cqlshrc in most use cases (by default, client auth is not required by server) is to have 2 methods withSsl:

• withSsl(String clientCertFile, String clientKeyFile) using the SSL_CERTFILE env variable for the default use case where client_encryption_options.require_client_auth is false in cassandra.yaml.
• withSsl(String clientCertFile, String clientKeyFile, boolean clientAuthRequired) using the appropriate cqlshrc file client_encryption_options.require_client_auth is true in cassandra.yaml.

Let me know the solution you prefer and I'll implement it.

[maximevw]

Hello @eddumelendez,

Thank you for your review. I'll try to take a look in the next days.

Regarding the SSL_CERTFILE env variable, I think I tested it, but I had issues if some other parameters such as ssl.userkey or ssl.usercert (not available through env variables if I remember well) were not present in the cqlshrc file. The cause was these properties are mandatory when require_client_auth is enabled on Cassandra server side.