fix: handle ssl only scylla cluster setup

Makefile

@@ -20,6 +20,8 @@ SCYLLA_VERSION?=scylla:6.0.1
 IP_FAMILY?=IPV4
 RAFT_SCHEMA?=none
 TABLETS?=enabled
+# if true starts the scylla cluster with ssl only config
+SSL_ENABLED?=false
 
 MANAGER_CONFIG := testing/scylla-manager/scylla-manager.yaml
 PUBLIC_NET := 192.168.200.
@@ -171,7 +173,7 @@ start-dev-env: .testing-up deploy-agent build-cli
 
 .PHONY: .testing-up
 .testing-up:
-	@IPV6=$(IPV6) SCYLLA_VERSION=$(SCYLLA_VERSION) RAFT_SCHEMA=$(RAFT_SCHEMA) TABLETS=$(TABLETS) make -C testing build down up
+	@IPV6=$(IPV6) SCYLLA_VERSION=$(SCYLLA_VERSION) RAFT_SCHEMA=$(RAFT_SCHEMA) TABLETS=$(TABLETS) SSL_ENABLED=$(SSL_ENABLED) make -C testing build down up
 
 .PHONY: dev-env-status
 dev-env-status:  ## Checks status of docker containers and cluster nodes

README.md

@@ -81,6 +81,11 @@ for IPv6 environment:
 IPV6=true make start-dev-env
 ```
 
+for SSL scylla cluster:
+```bash
+SSL_ENABLED=true make start-dev-env
+```
+
 This command will:
 1. Build custom Scylla Docker image (testing/scylla)
 2. Compile server, agent and sctool binaries

pkg/ping/cqlping/cqlping_integration_test.go

@@ -8,10 +8,11 @@ package cqlping
 import (
 	"context"
 	"crypto/tls"
-	"github.com/scylladb/scylla-manager/v3/pkg/testutils/testconfig"
 	"testing"
 	"time"
 
+	"github.com/scylladb/scylla-manager/v3/pkg/testutils/testconfig"
+
 	"github.com/scylladb/go-log"
 	"github.com/scylladb/scylla-manager/v3/pkg/ping"
 	"github.com/scylladb/scylla-manager/v3/pkg/scyllaclient"
@@ -24,7 +25,7 @@ func TestPingIntegration(t *testing.T) {
 	client := newTestClient(t, log.NewDevelopmentWithLevel(zapcore.InfoLevel).Named("client"), nil)
 	defer client.Close()
 
-	sessionHosts, err := cluster.GetRPCAddresses(context.Background(), client, []string{testconfig.ManagedClusterHost()})
+	sessionHosts, err := cluster.GetRPCAddresses(context.Background(), client, []string{testconfig.ManagedClusterHost()}, false)
 	if err != nil {
 		t.Fatal(err)
 	}

pkg/service/cluster/service.go

@@ -617,9 +617,12 @@ func SingleHostSessionConfigOption(host string) SessionConfigOption {
 			return errors.Wrapf(err, "fetch node (%s) info", host)
 		}
 		cqlAddr := ni.CQLAddr(host)
+		if ni.ClientEncryptionEnabled {
+			cqlAddr = ni.CQLSSLAddr(host)
+		}
 		cfg.Hosts = []string{cqlAddr}
-		cfg.HostFilter = gocql.WhiteListHostFilter(cqlAddr)
 		cfg.DisableInitialHostLookup = true
+		cfg.HostFilter = gocql.WhiteListHostFilter(cqlAddr)
 		return nil
 	}
 }
@@ -643,9 +646,14 @@ func (s *Service) GetSession(ctx context.Context, clusterID uuid.UUID, opts ...S
 			return session, err
 		}
 	}
-	// Fill hosts if they weren't specified by the options
+
+	clusterInfo, err := s.GetClusterByID(ctx, clusterID)
+	if err != nil {
+		return session, errors.Wrap(err, "cluster by id")
+	}
+	// Fill hosts if they weren't specified by the options or make sure that they use correct rpc address.
 	if len(cfg.Hosts) == 0 {
-		sessionHosts, err := GetRPCAddresses(ctx, client, client.Config().Hosts)
+		sessionHosts, err := GetRPCAddresses(ctx, client, client.Config().Hosts, clusterInfo.ForceTLSDisabled || clusterInfo.ForceNonSSLSessionPort)
 		if err != nil {
 			s.logger.Info(ctx, "Gets session", "err", err)
 			if errors.Is(err, ErrNoRPCAddressesFound) {
@@ -662,7 +670,7 @@ func (s *Service) GetSession(ctx context.Context, clusterID uuid.UUID, opts ...S
 	if err := s.extendClusterConfigWithAuthentication(clusterID, ni, cfg); err != nil {
 		return session, err
 	}
-	if err := s.extendClusterConfigWithTLS(ctx, clusterID, ni, cfg); err != nil {
+	if err := s.extendClusterConfigWithTLS(clusterInfo, ni, cfg); err != nil {
 		return session, err
 	}
 
@@ -695,36 +703,22 @@ func (s *Service) extendClusterConfigWithAuthentication(clusterID uuid.UUID, ni
 	return nil
 }
 
-func (s *Service) extendClusterConfigWithTLS(ctx context.Context, clusterID uuid.UUID, ni *scyllaclient.NodeInfo, cfg *gocql.ClusterConfig) error {
-	cluster, err := s.GetClusterByID(ctx, clusterID)
-	if err != nil {
-		return errors.Wrap(err, "get cluster by id")
-	}
-
-	cqlPort := ni.CQLPort()
+func (s *Service) extendClusterConfigWithTLS(cluster *Cluster, ni *scyllaclient.NodeInfo, cfg *gocql.ClusterConfig) error {
 	if ni.ClientEncryptionEnabled && !cluster.ForceTLSDisabled {
-		if !cluster.ForceNonSSLSessionPort {
-			cqlPort = ni.CQLSSLPort()
-		}
 		cfg.SslOpts = &gocql.SslOptions{
 			Config: &tls.Config{
 				InsecureSkipVerify: true,
 			},
 		}
 		if ni.ClientEncryptionRequireAuth {
-			keyPair, err := s.loadTLSIdentity(clusterID)
+			keyPair, err := s.loadTLSIdentity(cluster.ID)
 			if err != nil {
 				return err
 			}
 			cfg.SslOpts.Config.Certificates = []tls.Certificate{keyPair}
 		}
 	}
 
-	p, err := strconv.Atoi(cqlPort)
-	if err != nil {
-		return errors.Wrap(err, "parse cql port")
-	}
-	cfg.Port = p
 	return nil
 }
 
@@ -770,7 +764,7 @@ var ErrNoRPCAddressesFound = errors.New("no RPC addresses found")
 // GetRPCAddresses accepts client and hosts parameters that are used later on to query client.NodeInfo endpoint
 // returning RPC addresses for given hosts.
 // RPC addresses are the ones that scylla uses to accept CQL connections.
-func GetRPCAddresses(ctx context.Context, client *scyllaclient.Client, hosts []string) ([]string, error) {
+func GetRPCAddresses(ctx context.Context, client *scyllaclient.Client, hosts []string, clusterSSLDisabled bool) ([]string, error) {
 	var sessionHosts []string
 	var combinedError error
 	for _, h := range hosts {
@@ -779,7 +773,11 @@ func GetRPCAddresses(ctx context.Context, client *scyllaclient.Client, hosts []s
 			combinedError = multierr.Append(combinedError, err)
 			continue
 		}
-		sessionHosts = append(sessionHosts, ni.CQLAddr(h))
+		addr := ni.CQLAddr(h)
+		if ni.ClientEncryptionEnabled && !clusterSSLDisabled {
+			addr = ni.CQLSSLAddr(h)
+		}
+		sessionHosts = append(sessionHosts, addr)
 	}
 
 	if len(sessionHosts) == 0 {

pkg/service/restore/service_restore_integration_test.go

@@ -1737,7 +1737,7 @@ func (h *restoreTestHelper) restartScylla() {
 		b := backoff.WithContext(backoff.WithMaxRetries(
 			backoff.NewConstantBackOff(500*time.Millisecond), 10), ctx)
 		if err := backoff.Retry(func() error {
-			sessionHosts, err = cluster.GetRPCAddresses(ctx, h.Client, []string{host})
+			sessionHosts, err = cluster.GetRPCAddresses(ctx, h.Client, []string{host}, false)
 			return err
 		}, b); err != nil {
 			h.T.Fatal(err)

pkg/testutils/db/db.go

@@ -83,7 +83,7 @@ func CreateManagedClusterSession(tb testing.TB, empty bool, client *scyllaclient
 	tb.Helper()
 	ctx := context.Background()
 
-	sessionHosts, err := cluster.GetRPCAddresses(ctx, client, client.Config().Hosts)
+	sessionHosts, err := cluster.GetRPCAddresses(ctx, client, client.Config().Hosts, false)
 	if err != nil {
 		tb.Log(err)
 		if errors.Is(err, cluster.ErrNoRPCAddressesFound) {

testing/Makefile

@@ -62,8 +62,15 @@ up:
 	@echo "==> Generating encryption files"
 	@cd scylla/certs && ./generate.sh
 	@echo "==> Generating Scylla configuration"
+
+ifeq ($(SSL_ENABLED),true)
+	@cp scylla/config/scylla-ssl.yaml scylla/scylla.yaml
+	@cp scylla/config/cqlshrc-ssl scylla/cqlshrc
+else 
 	@cp scylla/config/scylla.yaml scylla/scylla.yaml
 	@cp scylla/config/cqlshrc scylla/cqlshrc
+endif
+
 ifeq ($(RAFT_SCHEMA),enabled)
 	@$(YQ) write -i scylla/scylla.yaml 'consistent_cluster_management' true
 endif
@@ -108,6 +115,9 @@ endif
 	@until [ 1 -le $$($(SM_NODETOOL) status | grep -c "UN") ]; do echo -n "."; sleep 2; done ; echo ""
 
 	@./nodes_exec "rm /root/.cqlshrc || true"
+	@./nodes_exec "mkdir -p /root/.cassandra" 
+	@./nodes_cp "scylla/cqlshrc" "/root/.cassandra/cqlshrc"
+
 	@echo "==> Adding Minio user"
 	./minio/add_user.sh || true
 	@echo "==> Initialising cluster"

testing/docker-compose.yaml

@@ -12,9 +12,6 @@ services:
       - type: bind
         source: ./scylla/certs/
         target: /etc/scylla/certs
-      - type: bind
-        source: ./scylla/cqlshrc
-        target: /root/.cassandra/cqlshrc
     networks:
       public:
       second:
@@ -32,9 +29,6 @@ services:
       - type: bind
         source: ./scylla/certs/
         target: /etc/scylla/certs
-      - type: bind
-        source: ./scylla/cqlshrc
-        target: /root/.cassandra/cqlshrc
     networks:
       public:
       second:
@@ -52,9 +46,6 @@ services:
       - type: bind
         source: ./scylla/certs/
         target: /etc/scylla/certs/
-      - type: bind
-        source: ./scylla/cqlshrc
-        target: /root/.cassandra/cqlshrc
     networks:
       public:
       second:
@@ -72,9 +63,6 @@ services:
       - type: bind
         source: ./scylla/certs/
         target: /etc/scylla/certs
-      - type: bind
-        source: ./scylla/cqlshrc
-        target: /root/.cassandra/cqlshrc
     networks:
       public:
       second:
@@ -92,9 +80,6 @@ services:
       - type: bind
         source: ./scylla/certs/
         target: /etc/scylla/certs
-      - type: bind
-        source: ./scylla/cqlshrc
-        target: /root/.cassandra/cqlshrc
     networks:
       public:
       second:
@@ -112,9 +97,6 @@ services:
       - type: bind
         source: ./scylla/certs/
         target: /etc/scylla/certs
-      - type: bind
-        source: ./scylla/cqlshrc
-        target: /root/.cassandra/cqlshrc
     networks:
       public:
       second:
@@ -132,9 +114,6 @@ services:
       - type: bind
         source: ./scylla/certs/
         target: /etc/scylla/certs
-      - type: bind
-        source: ./scylla/cqlshrc
-        target: /root/.cassandra/cqlshrc
     networks:
       public:
       second:
@@ -152,9 +131,6 @@ services:
       - type: bind
         source: ./scylla/certs/
         target: /etc/scylla/certs
-      - type: bind
-        source: ./scylla/cqlshrc
-        target: /root/.cassandra/cqlshrc
     networks:
       public:
       second: