testcontainers-java icon indicating copy to clipboard operation
testcontainers-java copied to clipboard
verified publisher icon testcontainers

[Bug]: New CassandraContainer implementation fails when ssl is enabled and required

Open eddumelendez opened this issue 1 year ago • 5 comments

Module

Cassandra

Testcontainers version

1.20.2

Using the latest Testcontainers version?

Yes

Host OS

MacOS

Host Arch

ARM

Docker version

Client: Version: 24.0.6-rd API version: 1.43 Go version: go1.20.7 Git commit: da4c87c Built: Wed Sep 6 16:40:13 2023 OS/Arch: darwin/arm64 Context: tcd

Server: Testcontainers Cloud Engine: Version: 82+testcontainerscloud API version: 1.46 (minimum version 1.24) Go version: go1.21.12 Git commit: cc13f952511154a2866bddbb7dddebfe9e83b801 Built: Thu Aug 1 16:00:49 2024 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.7.12 GitCommit: runc: Version: 1.1.12-0ubuntu2~22.04.1 GitCommit: docker-init: Version: 0.19.0 GitCommit:

What happened?

Spring Boot project uses Testcontainers to test SSL against different services, one of them is Cassandra. Recent update to the new org.testcontainers.cassandra.CassandraContainer broke the integration test and fixed switching the default strategy. See https://github.com/spring-projects/spring-boot/commit/e0152097f366ba6a868eb5f26426695e471632e7#diff-b0a149f2cf485e597a8b639871643e71e78ba76bc12580da827bce321e7e4859

Relevant log output

INFO [nioEventLoopGroup-2-7] 2024-10-15 10:55:28,562 Message.java:826 - Unexpected exception during request; channel = [id: 0xa3393c93, L:0.0.0.0/0.0.0.0:9042 ! R:/127.0.0.1:41786] io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0400000001000000160001000b43514c5f56455253494f4e0005332e302e30 at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1057) ~[netty-all-4.0.44.Final.jar:4.0.44.Final] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-all-4.0.44.Final.jar:4.0.44.Final]

Additional Information

I've seen some ways to make it work given that the new CassandraContainer implementation relies on cqlsh

  1. Make client_encryption_options.optional false. But, it will lose the the whole point of enabling SSL. See https://github.com/spring-projects/spring-boot/blob/main/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-data-cassandra/src/dockerTest/resources/ssl/cassandra.yaml#L1061
  2. Configure cqlsh with ssl but needs the ssl flag.

eddumelendez avatar Oct 16 '24 03:10 eddumelendez

Hi @maximevw, your feedback is very welcome here :)

eddumelendez avatar Oct 16 '24 03:10 eddumelendez

Also, I think it would be nice to have integration tests for ssl as well and make them part of the docs.

eddumelendez avatar Oct 16 '24 03:10 eddumelendez

Hello @eddumelendez

I think the second option is better. We could add a method like withSsl to the CassandraContainer allowing the users to activate the ssl flag on cqlsh and specify the appropriate SSL client configuration. Sorry, I totally missed this point while I implemented cqlsh (I tested locally with SSL but the client_encryption_options.optional was true 🫣). I'm little busy right now, but I'll try to have a deeper look to this in the next days.

maximevw avatar Oct 16 '24 06:10 maximevw

Hello @eddumelendez @kiview

I submitted the PR #9419 to fix this issue. I let you review it.

maximevw avatar Oct 19 '24 16:10 maximevw

Hello @eddumelendez @kiview, Little up 🙂, I don't know if you think this PR is still useful. If yes, so I let you review as soon as you have time for it.

maximevw avatar Dec 02 '24 19:12 maximevw