fix: handle ssl only scylla cluster setup (#4114)

* fix: adds SSL_ENABLED flag to start scylla cluster in ssl only mode This adds SSL_ENABLED flag to Makefile, so that when you run SSL_ENABLED=true make start-dev-env the scylla cluster will be created with ssl_only config. * fix: handle ssl only scylla clusters This fixes how SM decides which port to use when connecting to Scylla nodes. * fix: CQLAddr provides ssl or non-ssl addr depending on cluster conf. This replaces CQLAddr and CQLSSLAddr with one function which returns correct cql addr depending on cluster configuration. Also backup worker is modified a little bit to get cluster configuration with tls related info. * fix(Makefile): use yq to produce scylla config with ssl enabled This uses yq to delete non ssl port from scylla.yaml config and also merges it with scylla-ssl.yaml which contains requried parameters to enable ssl in scylla cluster. * fix: typo in testing/scylla/config/scylla-ssl.yaml Co-authored-by: karol-kokoszka <[email protected]> * fix(test): use scylla cluster with SSL for integration tests This enables ssl only scylla cluster for the most of our integration tests in ci. This also fixes cqlping test so it supports a scylla cluster with ssl. * fix(cluster): simplifies SingleHostSessionOption when dealing with SSL This changes the signature of SessionConfigOption so that SingleHostSession func can be simplified when Scylla cluster uses SSL. * fix(test): adds ssl support to cqlping integration tests This adds ssl related configuration options to cqlping integration tests config when ssl is enabled. * fix(test): adds ssl support to repair integration test This adds ssl support to repair integartion test case that uses cqlping * fix(test): adds ssl support to healthcheck integration tests * fix(test): unifies how SSL_ENABLED is used in testconfig * fix(ci): adds missing ssl-enabled option for a one entry in ci config * refactor: moves parsing of SSL_ENABLED env var to the testconfig pkg This refactor some parts of the tests that are using SSL_ENABLED env var. * fix(test): use cqlping with ssl for the restore test of old scylla ver This fixes how restore integration tests handle old Scylla versions: old versions require a restart after schema restoration. To ensure Scylla is up and running, the tests perform a CQL ping, which should be initialized correctly when SSL is enabled. --------- Co-authored-by: karol-kokoszka <[email protected]> (cherry picked from commit 75fb75c)
scylladb · Dec 11, 2024 · 667d081 · 667d081
1 parent f88fb9a
commit 667d081
Show file tree

Hide file tree

Showing 31 changed files with 501 additions and 235 deletions.
diff --git a/.github/actions/test-setup/action.yml b/.github/actions/test-setup/action.yml
@@ -18,6 +18,10 @@ inputs:
     description: "Should this action run 'make start-dev-env'"
     required: false
     default: 'true'
+  ssl-enabled:
+    description: "Specifies if Scylla cluster should use ssl only configuration or not"
+    required: false
+    default: 'true'
 
 runs:
   using: "composite"
@@ -42,5 +46,5 @@ runs:
 
     - name: Start dev env
       if: inputs.start-dev-env == 'true'
-      run: make start-dev-env SCYLLA_VERSION=${{ inputs.scylla-version }} IP_FAMILY=${{ inputs.ip-family }} RAFT_SCHEMA=${{ inputs.raft-schema }} TABLETS=${{ inputs.tablets }}
-      shell: bash
+      run: make start-dev-env SCYLLA_VERSION=${{ inputs.scylla-version }} IP_FAMILY=${{ inputs.ip-family }} RAFT_SCHEMA=${{ inputs.raft-schema }} TABLETS=${{ inputs.tablets }} SSL_ENABLED=${{ inputs.ssl-enabled }}
+      shell: bash
diff --git a/.github/cfg/integration-test-cfg.yaml b/.github/cfg/integration-test-cfg.yaml
@@ -2,48 +2,58 @@
   ip-family: IPV4
   raft-schema: disabled
   tablets: none
+  ssl-enabled: true
 
 - scylla-version: scylla-enterprise:2023.1.11
   ip-family: IPV4
   raft-schema: enabled
   tablets: none
+  ssl-enabled: true
 
 - scylla-version: scylla-enterprise:2023.1.11
   ip-family: IPV6
   raft-schema: enabled
   tablets: none
+  ssl-enabled: true
 
 - scylla-version: scylla-enterprise:2024.1.12
   ip-family: IPV4
   raft-schema: none
   tablets: none
+  ssl-enabled: true
 
 - scylla-version: scylla-enterprise:2024.1.12
   ip-family: IPV6
   raft-schema: none
   tablets: none
+  ssl-enabled: true
 
 - scylla-version: scylla:6.2.0
   ip-family: IPV4
   raft-schema: none
   tablets: disabled
+  ssl-enabled: true
 
 - scylla-version: scylla:6.2.0
   ip-family: IPV4
   raft-schema: none
   tablets: enabled
+  ssl-enabled: true
 
 - scylla-version: scylla:6.2.0
   ip-family: IPV6
   raft-schema: none
   tablets: enabled
+  ssl-enabled: false
 
 - scylla-version: scylla-enterprise-nightly:latest-enterprise
   ip-family: IPV4
   raft-schema: none
   tablets: disabled
+  ssl-enabled: true
 
 - scylla-version: scylla-enterprise-nightly:latest-enterprise
   ip-family: IPV4
   raft-schema: none
-  tablets: enabled
+  tablets: enabled
+  ssl-enabled: false
diff --git a/.github/cfg/integration-test-core.yaml b/.github/cfg/integration-test-core.yaml
@@ -27,9 +27,10 @@ jobs:
           ip-family: ${{ env.ip-family }}
           raft-schema: ${{ env.raft-schema }}
           tablets: ${{ env.tablets }}
+          ssl-enabled: ${{ env.ssl-enabled }}
 
       - name: Run tests
-        run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/restore RUN='"TestRestoreTables.*Integration"'
+        run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/restore RUN='"TestRestoreTables.*Integration"'
 
   restore-schema:
     name: Test restore schema
@@ -45,11 +46,11 @@ jobs:
           ip-family: ${{ env.ip-family }}
           raft-schema: ${{ env.raft-schema }}
           tablets: ${{ env.tablets }}
-
+          ssl-enabled: ${{ env.ssl-enabled }}
         # Go does not support negative lookahead in regex expressions, so it has to be done manually.
         # This regex ensures that all restore tests that didn't match restore-tables job will be run here.
       - name: Run tests
-        run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/restore RUN='"TestRestore([^T]|.{1}[^a]|.{2}[^b]|.{3}[^l]|.{4}[^e]|.{5}[^s]).*Integration"'
+        run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/restore RUN='"TestRestore([^T]|.{1}[^a]|.{2}[^b]|.{3}[^l]|.{4}[^e]|.{5}[^s]).*Integration"'
 
   backup:
     name: Test backup
@@ -65,9 +66,10 @@ jobs:
           ip-family: ${{ env.ip-family }}
           raft-schema: ${{ env.raft-schema }}
           tablets: ${{ env.tablets }}
+          ssl-enabled: ${{ env.ssl-enabled }}
 
       - name: Run tests
-        run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/backup
+        run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/backup
 
   repair:
     name: Test repair
@@ -83,9 +85,10 @@ jobs:
           ip-family: ${{ env.ip-family }}
           raft-schema: ${{ env.raft-schema }}
           tablets: ${{ env.tablets }}
+          ssl-enabled: ${{ env.ssl-enabled }}
 
       - name: Run tests
-        run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/repair
+        run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/repair
 
   small-pkg:
     name: Test other, smaller packages
@@ -94,9 +97,10 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v3
 
-      - name: Set IP_FAMILY var for all tests
+      - name: Set IP_FAMILY and SSL_ENABLED var for all tests
         run: |
           echo "IP_FAMILY=${{ env.ip-family }}" >> $GITHUB_ENV
+          echo "SSL_ENABLED=${{ env.ssl-enabled }}" >> $GITHUB_ENV
 
       - name: Setup testing dependencies
         uses: ./.github/actions/test-setup
@@ -105,6 +109,7 @@ jobs:
           ip-family: ${{ env.ip-family }}
           raft-schema: ${{ env.raft-schema }}
           tablets: ${{ env.tablets }}
+          ssl-enabled: ${{ env.ssl-enabled }}
 
       - name: Run cqlping tests
         run: make pkg-integration-test PKG=./pkg/ping/cqlping
@@ -128,4 +133,4 @@ jobs:
         run: make pkg-integration-test PKG=./pkg/store
 
       - name: Run migrate tests
-        run: make pkg-integration-test PKG=./pkg/schema/migrate
+        run: make pkg-integration-test PKG=./pkg/schema/migrate
diff --git a/.github/cfg/main.go b/.github/cfg/main.go
@@ -14,6 +14,7 @@ type integrationTestCfg struct {
 	IPFamily      string `yaml:"ip-family"`
 	RaftSchema    string `yaml:"raft-schema"`
 	Tablets       string `yaml:"tablets"`
+	SSLEnabled    string `yaml:"ssl-enabled,omitempty"`
 }
 
 func (cfg integrationTestCfg) name() string {
@@ -29,6 +30,10 @@ func (cfg integrationTestCfg) name() string {
 	if cfg.Tablets == "enabled" {
 		parts = append(parts, "tablets")
 	}
+	if cfg.SSLEnabled == "false" {
+		parts = append(parts, "nossl")
+
+	}
 	return strings.Join(parts, "-")
 }
 

diff --git a/.github/workflows/integration-tests-2023.1.11-IPV4-raftschema.yaml b/.github/workflows/integration-tests-2023.1.11-IPV4-raftschema.yaml
@@ -6,6 +6,7 @@ env:
     ip-family: IPV4
     raft-schema: enabled
     tablets: none
+    ssl-enabled: "true"
 jobs:
     backup:
         name: Test backup
@@ -19,9 +20,10 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/backup
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/backup
     repair:
         name: Test repair
         runs-on: ubuntu-latest
@@ -34,9 +36,10 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/repair
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/repair
     restore-schema:
         name: Test restore schema
         runs-on: ubuntu-latest
@@ -49,9 +52,10 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/restore RUN='"TestRestore([^T]|.{1}[^a]|.{2}[^b]|.{3}[^l]|.{4}[^e]|.{5}[^s]).*Integration"'
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/restore RUN='"TestRestore([^T]|.{1}[^a]|.{2}[^b]|.{3}[^l]|.{4}[^e]|.{5}[^s]).*Integration"'
     restore-tables:
         name: Test restore tables
         runs-on: ubuntu-latest
@@ -64,24 +68,27 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/restore RUN='"TestRestoreTables.*Integration"'
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/restore RUN='"TestRestoreTables.*Integration"'
     small-pkg:
         name: Test other, smaller packages
         runs-on: ubuntu-latest
         steps:
             - name: Check out code into the Go module directory
               uses: actions/checkout@v3
-            - name: Set IP_FAMILY var for all tests
+            - name: Set IP_FAMILY and SSL_ENABLED var for all tests
               run: |
                 echo "IP_FAMILY=${{ env.ip-family }}" >> $GITHUB_ENV
+                echo "SSL_ENABLED=${{ env.ssl-enabled }}" >> $GITHUB_ENV
             - name: Setup testing dependencies
               uses: ./.github/actions/test-setup
               with:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run cqlping tests
               run: make pkg-integration-test PKG=./pkg/ping/cqlping

diff --git a/.github/workflows/integration-tests-2023.1.11-IPV4.yaml b/.github/workflows/integration-tests-2023.1.11-IPV4.yaml
@@ -6,6 +6,7 @@ env:
     ip-family: IPV4
     raft-schema: disabled
     tablets: none
+    ssl-enabled: "true"
 jobs:
     backup:
         name: Test backup
@@ -19,9 +20,10 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/backup
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/backup
     repair:
         name: Test repair
         runs-on: ubuntu-latest
@@ -34,9 +36,10 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/repair
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/repair
     restore-schema:
         name: Test restore schema
         runs-on: ubuntu-latest
@@ -49,9 +52,10 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/restore RUN='"TestRestore([^T]|.{1}[^a]|.{2}[^b]|.{3}[^l]|.{4}[^e]|.{5}[^s]).*Integration"'
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/restore RUN='"TestRestore([^T]|.{1}[^a]|.{2}[^b]|.{3}[^l]|.{4}[^e]|.{5}[^s]).*Integration"'
     restore-tables:
         name: Test restore tables
         runs-on: ubuntu-latest
@@ -64,24 +68,27 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/restore RUN='"TestRestoreTables.*Integration"'
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/restore RUN='"TestRestoreTables.*Integration"'
     small-pkg:
         name: Test other, smaller packages
         runs-on: ubuntu-latest
         steps:
             - name: Check out code into the Go module directory
               uses: actions/checkout@v3
-            - name: Set IP_FAMILY var for all tests
+            - name: Set IP_FAMILY and SSL_ENABLED var for all tests
               run: |
                 echo "IP_FAMILY=${{ env.ip-family }}" >> $GITHUB_ENV
+                echo "SSL_ENABLED=${{ env.ssl-enabled }}" >> $GITHUB_ENV
             - name: Setup testing dependencies
               uses: ./.github/actions/test-setup
               with:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run cqlping tests
               run: make pkg-integration-test PKG=./pkg/ping/cqlping

diff --git a/.github/workflows/integration-tests-2023.1.11-IPV6-raftschema.yaml b/.github/workflows/integration-tests-2023.1.11-IPV6-raftschema.yaml
@@ -6,6 +6,7 @@ env:
     ip-family: IPV6
     raft-schema: enabled
     tablets: none
+    ssl-enabled: "true"
 jobs:
     backup:
         name: Test backup
@@ -19,9 +20,10 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/backup
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/backup
     repair:
         name: Test repair
         runs-on: ubuntu-latest
@@ -34,9 +36,10 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/repair
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/repair
     restore-schema:
         name: Test restore schema
         runs-on: ubuntu-latest
@@ -49,9 +52,10 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/restore RUN='"TestRestore([^T]|.{1}[^a]|.{2}[^b]|.{3}[^l]|.{4}[^e]|.{5}[^s]).*Integration"'
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/restore RUN='"TestRestore([^T]|.{1}[^a]|.{2}[^b]|.{3}[^l]|.{4}[^e]|.{5}[^s]).*Integration"'
     restore-tables:
         name: Test restore tables
         runs-on: ubuntu-latest
@@ -64,24 +68,27 @@ jobs:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run tests
-              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} PKG=./pkg/service/restore RUN='"TestRestoreTables.*Integration"'
+              run: make pkg-integration-test IP_FAMILY=${{ env.ip-family }} SSL_ENABLED=${{ env.ssl-enabled}} PKG=./pkg/service/restore RUN='"TestRestoreTables.*Integration"'
     small-pkg:
         name: Test other, smaller packages
         runs-on: ubuntu-latest
         steps:
             - name: Check out code into the Go module directory
               uses: actions/checkout@v3
-            - name: Set IP_FAMILY var for all tests
+            - name: Set IP_FAMILY and SSL_ENABLED var for all tests
               run: |
                 echo "IP_FAMILY=${{ env.ip-family }}" >> $GITHUB_ENV
+                echo "SSL_ENABLED=${{ env.ssl-enabled }}" >> $GITHUB_ENV
             - name: Setup testing dependencies
               uses: ./.github/actions/test-setup
               with:
                 ip-family: ${{ env.ip-family }}
                 raft-schema: ${{ env.raft-schema }}
                 scylla-version: ${{ env.scylla-version }}
+                ssl-enabled: ${{ env.ssl-enabled }}
                 tablets: ${{ env.tablets }}
             - name: Run cqlping tests
               run: make pkg-integration-test PKG=./pkg/ping/cqlping