Expose Medusas ssl_verify option (#1166)

--------- Co-authored-by: Alexander Dejanovski <[email protected]>
k8ssandra · Jan 15, 2024 · f25850d · f25850d
1 parent bc9b9fd
commit f25850d
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 4 deletions.
diff --git a/CHANGELOG/CHANGELOG-1.12.md b/CHANGELOG/CHANGELOG-1.12.md
@@ -14,7 +14,9 @@ Changelog for the K8ssandra Operator, new PRs should update the `unreleased` sec
 When cutting a new release, update the `unreleased` heading to the tag being generated and date, like `## vX.Y.Z - YYYY-MM-DD` and create a new placeholder section for  `unreleased` entries.
 
 ## unreleased
-* [ENHANCEMENT] [#1160](https://github.com/k8ssandra/k8ssandra-operator/issues/1160) Allow disabling Reaper front-end auth.
-- [ENHANCEMENT] [#1115](https://github.com/k8ssandra/k8ssandra-operator/issues/1115) Add a validation check for the projected pod names length
+
 * [CHANGE] [#1050](https://github.com/k8ssandra/k8ssandra-operator/issues/1050) Remove unnecessary requeues in the Medusa controllers
-* [ENHANCEMENT] [#1161](https://github.com/k8ssandra/k8ssandra-operator/issues/1161) Update cass-operator Helm chart to 0.46.1. Adds containerPort for cass-operator metrics and changes cass-config-builder base from UBI7 to UBI8
+* [CHANGE] [#1165](https://github.com/k8ssandra/k8ssandra-operator/issues/1165) Upgrade to Medusa v0.17.1
+* [FEATURE] [#1165](https://github.com/k8ssandra/k8ssandra-operator/issues/1165) Expose Medusa ssl_verify option to allow disabling cert verification for some on prem S3 compatible systems
+* [ENHANCEMENT] [#1115](https://github.com/k8ssandra/k8ssandra-operator/issues/1115) Add a validation check for the projected pod names length
+* [ENHANCEMENT] [#1161](https://github.com/k8ssandra/k8ssandra-operator/issues/1161) Update cass-operator Helm chart to 0.46.1. Adds containerPort for cass-operator metrics and changes cass-config-builder base from UBI7 to UBI8
diff --git a/apis/medusa/v1alpha1/medusa_types.go b/apis/medusa/v1alpha1/medusa_types.go
@@ -96,6 +96,10 @@ type Storage struct {
 	// +optional
 	Secure bool `json:"secure,omitempty"`
 
+	// When using SSL, whether to also verify the certificate.
+	// +optional
+	SslVerify bool `json:"sslVerify,omitempty"`
+
 	// Age after which orphan sstables can be deleted from the storage backend.
 	// Protects from race conditions between purge and ongoing backups.
 	// Defaults to 10 days.

diff --git a/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml b/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml
@@ -27399,6 +27399,9 @@ spec:
                       secure:
                         description: Whether to use SSL for the storage backend.
                         type: boolean
+                      sslVerify:
+                        description: When using SSL, whether to also verify the certificate.
+                        type: boolean
                       storageProvider:
                         description: The storage backend to use for the backups.
                         enum:

diff --git a/pkg/medusa/reconcile.go b/pkg/medusa/reconcile.go
@@ -24,7 +24,7 @@ import (
 const (
 	DefaultMedusaImageRepository = "k8ssandra"
 	DefaultMedusaImageName       = "medusa"
-	DefaultMedusaVersion         = "0.17.0"
+	DefaultMedusaVersion         = "0.17.1"
 	DefaultMedusaPort            = 50051
 	DefaultProbeInitialDelay     = 10
 	DefaultProbeTimeout          = 1
@@ -88,6 +88,11 @@ func CreateMedusaIni(kc *k8ss.K8ssandraCluster) string {
     {{- else }}
     secure = True
     {{- end }}
+    {{- if not .Spec.Medusa.StorageProperties.SslVerify }}
+    ssl_verify = False
+    {{- else }}
+    ssl_verify = True
+    {{- end }}
     {{- if .Spec.Medusa.StorageProperties.BackupGracePeriodInDays }}
     backup_grace_period_in_days = {{ .Spec.Medusa.StorageProperties.BackupGracePeriodInDays }}
     {{- end }}

diff --git a/pkg/medusa/reconcile_test.go b/pkg/medusa/reconcile_test.go
@@ -189,6 +189,7 @@ func testMedusaIniSecured(t *testing.T) {
 					Region:                   "us-east-1",
 					Port:                     9001,
 					Secure:                   true,
+					SslVerify:                true,
 					BackupGracePeriodInDays:  7,
 				},
 				CassandraUserSecretRef: corev1.LocalObjectReference{
@@ -212,6 +213,7 @@ func testMedusaIniSecured(t *testing.T) {
 	assert.Contains(t, medusaIni, "region = us-east-1")
 	assert.Contains(t, medusaIni, "port = 9001")
 	assert.Contains(t, medusaIni, "secure = True")
+	assert.Contains(t, medusaIni, "ssl_verify = True")
 	assert.Contains(t, medusaIni, "backup_grace_period_in_days = 7")
 }
 
@@ -276,6 +278,7 @@ func testMedusaIniUnsecured(t *testing.T) {
 	assert.Contains(t, medusaIni, "region = us-east-1")
 	assert.Contains(t, medusaIni, "port = 9001")
 	assert.Contains(t, medusaIni, "secure = True")
+	assert.Contains(t, medusaIni, "ssl_verify = False")
 	assert.Contains(t, medusaIni, "backup_grace_period_in_days = 7")
 }