From 9ef6d55594e69d0e484fc6518b5cf8b49eb7f4f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20BUTET?=
Date: Tue, 27 Aug 2024 11:59:31 +0200
Subject: [PATCH] Add certificates settings for medusa encryption
---
 CHANGELOG/CHANGELOG-1.19.md | 2 ++
 apis/medusa/v1alpha1/medusa_types.go | 26 ++++++++++++++++++-
 .../bases/k8ssandra.io_k8ssandraclusters.yaml | 24 +++++++++++++++++
 .../en/tasks/secure/encryption/_index.md | 4 +++
 pkg/medusa/reconcile.go | 6 ++---
 5 files changed, 58 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG/CHANGELOG-1.19.md b/CHANGELOG/CHANGELOG-1.19.md
index 58ab84827..245bda2b0 100644
--- a/CHANGELOG/CHANGELOG-1.19.md
+++ b/CHANGELOG/CHANGELOG-1.19.md
@@ -14,3 +14,5 @@ Changelog for the K8ssandra Operator, new PRs should update the `unreleased` sec
 When cutting a new release, update the `unreleased` heading to the tag being generated and date, like `## vX.Y.Z - YYYY-MM-DD` and create a new placeholder section for `unreleased` entries.
 
 ## unreleased
+
+* [FEATURE] Add customizable TLS certificate settings for Medusa
\ No newline at end of file
diff --git a/apis/medusa/v1alpha1/medusa_types.go b/apis/medusa/v1alpha1/medusa_types.go
index db88f7d8c..dfa49083f 100644
--- a/apis/medusa/v1alpha1/medusa_types.go
+++ b/apis/medusa/v1alpha1/medusa_types.go
@@ -117,6 +117,25 @@ type Storage struct {
 PodStorage *PodStorageSettings `json:"podStorage,omitempty"`
 }
 
+type Certificates struct {
+ // Settings for TLS certificates used when client-side encryption is enabled with Medusa.
+
+ // Custom name for the CA certificate key in the Secret.
+ // Defaults to 'rootca.crt.
+ // +optional
+ Certfile string `json:"certfile,omitempty"`
+
+ // Custom name for the client certificate key in the Secret.
+ // Defaults to 'client.crt_signed'.
+ // +optional
+ Usercert string `json:"usercert,omitempty"`
+
+ // Custom name for the client private key in the Secret.
+ // Defaults to 'client.key'.
+ // +optional
+ Userkey string `json:"userkey,omitempty"`
+}
+
 type PodStorageSettings struct {
 // Settings for the pod's storage when backups use the local storage provider.
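Review bot: The three new fields carry no `+kubebuilder:default` markers, yet the CRD touched by this same commit (config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml) gains `default: rootca.crt`, `default: client.crt_signed` and `default: client.key`; if that file is regenerated by controller-gen from these types, those defaults presumably vanish and the template in pkg/medusa/reconcile.go renders empty file names. The values also name Secret data keys and are interpolated into a filesystem path inside medusa.ini, so a `+kubebuilder:validation:Pattern` limited to the characters a Secret key may contain would reject path separators and newlines at admission instead of at Medusa start-up. Two documentation slips: `'rootca.crt.` lacks its closing quote, and the first comment line sits inside the struct body followed by a blank line, where it documents nothing — it belongs above `type Certificates struct` as the type's doc comment.
```go
// Certificates names the keys, inside the Secret referenced by
// CertificatesSecretRef, that Medusa reads when client-side encryption is enabled.
type Certificates struct {
	// Custom name for the CA certificate key in the Secret.
	// Defaults to 'rootca.crt'.
	// +kubebuilder:default=rootca.crt
	// +kubebuilder:validation:Pattern=`^[-._a-zA-Z0-9]+$`
	// +optional
	Certfile string `json:"certfile,omitempty"`

	// … unchanged shape for Usercert (default client.crt_signed) and Userkey (default client.key), each with the same default and pattern markers …
}
```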
@@ -161,11 +180,16 @@ type MedusaClusterTemplate struct {
 StorageProperties Storage `json:"storageProperties,omitempty"`
 
 // Certificates for Medusa if client encryption is enabled in Cassandra.
- // The secret must be in the same namespace as Cassandra and must contain three keys: "rootca.crt", "client.crt_signed" and "client.key".
+ // The Secret should be in the same namespace as the Cassandra instance and must include the keys for the CA certificate, client certificate, and client private key.
+ // By default, the keys in the Secret are expected to be named "rootca.crt", "client.crt_signed", and "client.key". However, these names can be customized using the 'certfile', 'usercert', and 'userkey' options.
 // See https://docs.datastax.com/en/developer/python-driver/latest/security/ for more information on the required files.
 // +optional
 CertificatesSecretRef corev1.LocalObjectReference `json:"certificatesSecretRef,omitempty"`
 
+ // Certificates settings for Medusa if client encryption is enabled in Cassandra.
+ // +optional
+ CertificatesSettings Certificates `json:"certificatesSettings,omitempty"`
+
 // medusa-restore init container resources.
 // +optional
 InitContainerResources *corev1.ResourceRequirements `json:"initContainerResources,omitempty"`
diff --git a/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml b/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml
index c3977e758..c3d318647 100644
--- a/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml
+++ b/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml
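Review bot: `CertificatesSettings` has no default of its own, and as I understand structural-schema defaulting the per-property CRD defaults are applied only when the enclosing object is present, so a spec that sets just `certificatesSecretRef` — the form the docs page showed before this change — leaves all three key names empty and the template in pkg/medusa/reconcile.go emits `certfile = /etc/certificates/`. Adding `// +kubebuilder:default={}` above the field makes the API server materialise the object so the nested defaults take effect. Separately, `omitempty` on a struct value has no effect with encoding/json; either drop it or make the field `*Certificates`, which would also let the operator distinguish "not set" from "set to the defaults".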
@@ -25696,6 +25696,30 @@ spec:
 type: string
 type: object
 x-kubernetes-map-type: atomic
+ certificatesSettings:
+ description: "Settings for TLS certificates used when client-side encryption
+ is enabled with Medusa. The Secret must reside in the same namespace
+ as the Cassandra instance. It must contain keys for the CA certificate,
+ client certificate, and client private key. Custom names for these keys can
+ be specified. See https://docs.datastax.com/en/developer/python-driver/latest/security/
+ for more information on the required files."
+ properties:
+ certfile:
+ default: rootca.crt
+ description: "Custom name for the CA certificate key within the Secret's `data` field.
+ Defaults to 'rootca.crt' if not specified"
+ type: string
+ usercert:
+ default: client.crt_signed
+ description: "Custom name for the client certificate key within the Secret's `data` field.
+ Defaults to 'client.crt_signed' if not specified."
+ type: string
+ userkey:
+ default: client.key
+ description: "Custom name for the client private key within the Secret's `data` field.
+ Defaults to 'client.key' if not specified."
+ type: string
+ type: object
 containerImage:
 description: |-
 MedusaContainerImage is the image characteristics to use for Medusa containers. Leave nil
diff --git a/docs/content/en/tasks/secure/encryption/_index.md b/docs/content/en/tasks/secure/encryption/_index.md
index 18d60074e..e23412015 100644
--- a/docs/content/en/tasks/secure/encryption/_index.md
+++ b/docs/content/en/tasks/secure/encryption/_index.md
@@ -241,6 +241,10 @@ spec:
 medusa:
 certificatesSecretRef:
 name: client-certificates
+ certificatesSettings:
+ certfile: rootca.crt
+ usercert: client.crt_signed
+ userkey: client.key
 ```
 
 This will provide Medusa with the client certificate and key, as well as the root CA certificate, which will be used to connect to the Cassandra cluster through the Python Driver.
diff --git a/pkg/medusa/reconcile.go b/pkg/medusa/reconcile.go
index 4eb9891ee..c4989b88b 100644
--- a/pkg/medusa/reconcile.go
+++ b/pkg/medusa/reconcile.go
@@ -58,9 +58,9 @@ func CreateMedusaIni(kc *k8ss.K8ssandraCluster, dcConfig *cassandra.DatacenterCo
 [cassandra]
 use_sudo = false
 {{- if .Spec.Medusa.CertificatesSecretRef.Name }}
- certfile = /etc/certificates/rootca.crt
- usercert = /etc/certificates/client.crt_signed
- userkey = /etc/certificates/client.key
+ certfile = /etc/certificates/{{ .Spec.Medusa.CertificatesSettings.Certfile }}
+ usercert = /etc/certificates/{{ .Spec.Medusa.CertificatesSettings.Usercert }}
+ userkey = /etc/certificates/{{ .Spec.Medusa.CertificatesSettings.Userkey }}
 {{- end}}
 [storage]
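Review bot: The three interpolations have no fallback, so whenever a `CertificatesSettings` field is empty — a K8ssandraCluster created before the CRD carried these defaults, or one built in Go without passing through API-server defaulting — medusa.ini points `certfile`, `usercert` and `userkey` at the `/etc/certificates/` directory itself, and the TLS connection to Cassandra presumably fails at Medusa runtime rather than being caught at admission. text/template's builtin `or` restores the previous behaviour in place: `certfile = /etc/certificates/{{ or .Spec.Medusa.CertificatesSettings.Certfile "rootca.crt" }}`, and likewise `"client.crt_signed"` for usercert and `"client.key"` for userkey. CreateMedusaIni starts before this hunk and continues past it, so a Go-side normalisation of the three names before the template executes would be an equally valid place for the fallback.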