Enable TLS client connections to Cassandra

Signed-off-by: Robert Collins <robertc@vmware.com>

cmd/flags/cassandra/options.go

@@ -34,6 +34,12 @@ const (
 	suffixSocketKeepAlive  = ".socket-keep-alive"
 	suffixUsername         = ".username"
 	suffixPassword         = ".password"
+	suffixTLS              = ".tls"
+	suffixCert             = ".cert"
+	suffixKey              = ".key"
+	suffixCA               = ".ca"
+	suffixServerName       = ".servername"
+	suffixVerifyHost       = ".verify-host"
 )
 
 // TODO this should be moved next to config.Configuration struct (maybe ./flags package)
@@ -62,6 +68,10 @@ func NewOptions(primaryNamespace string, otherNamespaces ...string) *Options {
 	options := &Options{
 		primary: &namespaceConfig{
 			Configuration: config.Configuration{
+				TLS: config.TLS{
+					Enabled:                false,
+					EnableHostVerification: true,
+				},
 				MaxRetryAttempts:   3,
 				Keyspace:           "jaeger_v1_local",
 				ProtoVersion:       4,
@@ -129,6 +139,30 @@ func addFlags(flagSet *flag.FlagSet, nsConfig *namespaceConfig) {
 		nsConfig.namespace+suffixPassword,
 		nsConfig.Authenticator.Basic.Password,
 		"Password for password authentication for Cassandra")
+	flagSet.Bool(
+		nsConfig.namespace+suffixTLS,
+		nsConfig.TLS.Enabled,
+		"Enable TLS")
+	flagSet.String(
+		nsConfig.namespace+suffixCert,
+		nsConfig.TLS.CertPath,
+		"Path to TLS certificate file")
+	flagSet.String(
+		nsConfig.namespace+suffixKey,
+		nsConfig.TLS.KeyPath,
+		"Path to TLS key file")
+	flagSet.String(
+		nsConfig.namespace+suffixCA,
+		nsConfig.TLS.CaPath,
+		"Path to TLS CA file")
+	flagSet.String(
+		nsConfig.namespace+suffixServerName,
+		nsConfig.TLS.ServerName,
+		"Override the TLS server name")
+	flagSet.Bool(
+		nsConfig.namespace+suffixVerifyHost,
+		nsConfig.TLS.EnableHostVerification,
+		"Enable (or disable) host key verification")
 }
 
 // InitFromViper initializes Options with properties from viper
@@ -150,6 +184,12 @@ func initFromViper(cfg *namespaceConfig, v *viper.Viper) {
 	cfg.SocketKeepAlive = v.GetDuration(cfg.namespace + suffixSocketKeepAlive)
 	cfg.Authenticator.Basic.Username = v.GetString(cfg.namespace + suffixUsername)
 	cfg.Authenticator.Basic.Password = v.GetString(cfg.namespace + suffixPassword)
+	cfg.TLS.Enabled = v.GetBool(cfg.namespace + suffixTLS)
+	cfg.TLS.CertPath = v.GetString(cfg.namespace + suffixCert)
+	cfg.TLS.KeyPath = v.GetString(cfg.namespace + suffixKey)
+	cfg.TLS.CaPath = v.GetString(cfg.namespace + suffixCA)
+	cfg.TLS.ServerName = v.GetString(cfg.namespace + suffixServerName)
+	cfg.TLS.EnableHostVerification = v.GetBool(cfg.namespace + suffixVerifyHost)
 }
 
 // GetPrimary returns primary configuration.

pkg/cassandra/config/config.go

@@ -15,6 +15,7 @@
 package config
 
 import (
+	"crypto/tls"
 	"fmt"
 	"time"
 
@@ -36,6 +37,7 @@ type Configuration struct {
 	Consistency        string        `yaml:"consistency"`
 	Port               int           `yaml:"port"`
 	Authenticator      Authenticator `yaml:"authenticator"`
+	TLS                TLS
 }
 
 // Authenticator holds the authentication properties needed to connect to a Cassandra cluster
@@ -50,6 +52,16 @@ type BasicAuthenticator struct {
 	Password string `yaml:"password"`
 }
 
+// TLS Config
+type TLS struct {
+	Enabled                bool
+	ServerName             string
+	CertPath               string
+	KeyPath                string
+	CaPath                 string
+	EnableHostVerification bool
+}
+
 // ApplyDefaults copies settings from source unless its own value is non-zero.
 func (c *Configuration) ApplyDefaults(source *Configuration) {
 	if c.ConnectionsPerHost == 0 {
@@ -119,6 +131,17 @@ func (c *Configuration) NewCluster() *gocql.ClusterConfig {
 			Password: c.Authenticator.Basic.Password,
 		}
 	}
+	if c.TLS.Enabled {
+		cluster.SslOpts = &gocql.SslOptions{
+			Config: tls.Config{
+				ServerName: c.TLS.ServerName,
+			},
+			CertPath:               c.TLS.CertPath,
+			KeyPath:                c.TLS.KeyPath,
+			CaPath:                 c.TLS.CaPath,
+			EnableHostVerification: c.TLS.EnableHostVerification,
+		}
+	}
 	return cluster
 }