Authentication with Security Bundle for Cassandra Scaler

[n0rm4l-me]

Proposal

Some managed solutions for Apache Cassandra are using bundle-based authentication.
It would be nice if Cassandra Scaler can support that too.

Use-Case

KEDA + Apache Astra support.

Is this a feature you are interested in implementing yourself?

No

Anything else?

No response

[yampml]

It would be nice to have this function!

[JorTurFer]

I think that this makes sense totally. Are you willing to open a PR with this functionality?

[rahulmansharamani14]

Hi @JorTurFer, Is there anyone working on this? If not, I'd like to give it a try.

[JorTurFer]

There isn't anybody working on this AFAIK, so feel free to tackle it 😄

[rahulmansharamani14]

Hi @JorTurFer @n0rm4l-me,
I’ve been exploring the Cassandra scaler to understand the changes required to implement support for security bundle-based authentication as described in this issue. I have a few clarifying questions to ensure alignment with the expectations:

1. Security Bundle Details: Could you provide an example or documentation reference for the type of security bundle (e.g., Apache Astra’s bundle) that needs to be supported? Does the bundle include all necessary credentials and connection details, such as certificates, keys, and endpoints?

2. Backward Compatibility: Should the existing authentication methods (e.g., username and password) remain functional alongside the new security bundle option?

3. Parameter Addition: Would adding a new metadata field like securityBundlePath for the bundle’s file location be acceptable, or do you foresee another approach?

4. Testing Expectations: Are there any specific scenarios or configurations you’d like tested, particularly for compatibility with existing authentication methods?

I’d appreciate any additional guidance or pointers, especially regarding how you see this feature fitting into KEDA’s overall architecture and contribution standards.

Thank you, and I look forward to your insights!

[n0rm4l-me]

Hi @rahulmansharamani14, thanks for checking on this.

I've created a demo Astra database and generated a Token which you can use for testing, please see the attached files. Bundle contains contact points and certificates, while token is used for authorization.

I've tried to use the information from the bundle to configure scaler, but I didn't found a way to configure certificates.

github-test-token.json
secure-connect-github-test.zip

Let me know if you need more details.

[rahulmansharamani14]

Hi @n0rm4l-me @JorTurFer, thanks for the files for testing. I wanted to roughly share my implementation plan with you for feedback before proceeding.

Proposed Implementation Plan

• Metadata Parsing: Add a new field, securityBundlePath, to accept the bundle file location. Ensure backward compatibility with existing authentication methods.

• Security Bundle Parsing: Implement logic to parse the bundle (e.g., JSON format) and extract required details: username, password, hosts, and TLS configuration.

• Connection Setup: Update createCassandraSession to use bundle-based credentials if provided, while retaining existing logic for other authentication methods.

End-User Workflow:

Here’s how the end-user workflow would look after this feature is implemented:

1. The user will store the security bundle file securely in a Kubernetes Secret.
2. The user will Reference the bundle in the ScaledObject and TriggerAuthentication resources.
3. The scaler retrieves the bundle, parses it, and establishes a secure connection to Cassandra.
4. The scaler executes the query and triggers scaling decisions based on the results.

Let me know if this approach is in the right direction. I'm happy to refine the plan further and raise a draft PR based on your feedback.

[n0rm4l-me]

@rahulmansharamani14
I believe the correct implementation should allow the user to provide the bundle itself. As for the username and password, the user can input them manually - there's no need to parse the token file. You can try providing the username and password in the usual way. This is how it is implemented in any Apache Cassandra driver.

[rahulmansharamani14]

@n0rm4l-me
I see. So you are saying user will extract this secure-connect-github-test.zip file and manually enter all necessary credentials and connection details such as certificates, keys, and endpoints as part of as part of the spec?

[n0rm4l-me]

@rahulmansharamani14 No, usually Cassandra driver pick ups all the necessary information from secure-connect-github-test.zip, but user extracts token and secret from github-test-token.json as username / password.