Backport [1.7.x]: Cassandra: Refactor PEM parsing logic (#11861) #11921
Backports #11861 to 1.7.x
Original PR description:
Description
This fixes an issue in the Cassandra database plugin TLS logic where providing only a custom CA doesn't work when using `pem_bundle` and partially works with `pem_json`. This now supports setting either a client certificate & private key, a custom CA, or both.

How does this work?
The `certutil.ParsePEMBundle` function makes assumptions about the PEM data it is parsing: `Certificate` field rather than `CAChain`, which ends up not being interpreted correctly when converting to a `tls.Config`. A new function has been written (`pemBundleToTLSConfig`) that parses the PEM bundle very similarly to `certutil.ParsePEMBundle` but does not make either of those assumptions.

Similarly, the `certutil.ParsePKIJSON` function ends up having some similar assumptions; however, it does parse the CA correctly and thus the `tls.Config` works when connecting to Cassandra. However, the CA is also included as a client certificate when it shouldn't be. However, it appears that Cassandra will ignore a provided client certificate if not configured to use mTLS. A new function was created (`jsonBundleToTLSConfig`) that parses the certificate data into a `tls.Config` object.

Testing
Additional automated tests were added in `connection_producer_test.go` that start up a Cassandra instance using TLS with a custom CA and connect to it using the same custom CA. Also, this was tested with a real Cassandra instance (also configured with a custom CA) and a real Vault instance configured to use just the custom CA when talking to Cassandra.