feat(cassandra): add ssl option cassandra (#3151)

* Added SSL Option

* Passed tests

* Implemented SSL Support

* Implemented SSL Support

* Implemented SSL Support

* Revert go.mod and go.sum

* Revert go.mod and go.sum

* Golint fix

* Golint fix

* Govet fix

* reduce wait time, revert container place and removed WithTLS options

* Added SSL With option

* Added SSL With option

* Devide Run function n sub function to reduce complexity

* make Options private

* removed setupTls function and moved to WithSSL Options

* Fix Sec warning InsecureSkipVerify

* Fix lint

* added cassandra ssl option

* removed InsecureSkipVerify variable

* added mising docs and modify TlsConfig method

* doc changes

---------

Co-authored-by: Mitul Shah <mitul.shah@zoodmall.com>
Co-authored-by: Manuel de la Peña <mdelapenya@gmail.com>

Author: 3 people

docs/modules/cassandra.md

@@ -70,6 +70,24 @@ In the case you have a custom config file for Cassandra, it's possible to copy t
 !!!warning
     You should provide a valid Cassandra configuration file, otherwise the container will fail to start.
 
+#### WithTLS
+
+- Not available until the next release <a href="https://github.com/testcontainers/testcontainers-go"><span class="tc-version">:material-tag: main</span></a>
+
+If you need to enable TLS/SSL encryption for client connections, you can use the `cassandra.WithTLS()` option. 
+
+When enabled, the container will:
+- Generate self-signed certificates automatically
+- Configure Cassandra to use client encryption
+- Expose the SSL port (9142)
+
+Use the `TLSConfig()` method on the returned container to get the `*tls.Config` for client connections. The method returns an error if TLS was not enabled via `WithTLS()`.
+
+<!--codeinclude-->
+[Creating a Cassandra container with TLS](../../modules/cassandra/examples_test.go) inside_block:runCassandraContainerWithTLS
+[Getting TLS connection configuration](../../modules/cassandra/examples_test.go) inside_block:getTLSConnectionHost
+<!--/codeinclude-->
+
 {% include "../features/common_functional_options_list.md" %}
 
 ### Container Methods
@@ -85,3 +103,13 @@ This method returns the host and port of the Cassandra container, using the defa
 <!--codeinclude-->
 [Get connection host](../../modules/cassandra/cassandra_test.go) inside_block:connectionHost
 <!--/codeinclude-->
+
+#### TLSConfig
+
+- Not available until the next release <a href="https://github.com/testcontainers/testcontainers-go"><span class="tc-version">:material-tag: main</span></a>
+
+This method returns the TLS configuration for secure connections to the Cassandra container. It can only be used when the container was created with the `WithTLS()` option. Returns an error if TLS was not enabled.
+
+<!--codeinclude-->
+[Get TLS config](../../modules/cassandra/cassandra_test.go) inside_block:tlsConfig
+<!--/codeinclude-->

modules/cassandra/cassandra.go

@@ -1,7 +1,11 @@
 package cassandra
 
 import (
+	"bytes"
 	"context"
+	"crypto/tls"
+	_ "embed"
+	"errors"
 	"fmt"
 	"io"
 	"path/filepath"
@@ -12,20 +16,37 @@ import (
 )
 
 const (
-	port = "9042/tcp"
+	port    = "9042/tcp"
+	sslPort = "9142/tcp"
 )
 
+//go:embed testdata/cassandra-ssl.yaml
+var sslConfigYAML []byte
+
 // CassandraContainer represents the Cassandra container type used in the module
 type CassandraContainer struct {
 	testcontainers.Container
+	settings options
 }
 
 // ConnectionHost returns the host and port of the cassandra container, using the default, native 9042 port, and
 // obtaining the host and exposed port from the container
 func (c *CassandraContainer) ConnectionHost(ctx context.Context) (string, error) {
+	if c.settings.tlsEnabled {
+		return c.PortEndpoint(ctx, sslPort, "")
+	}
 	return c.PortEndpoint(ctx, port, "")
 }
 
+// TLSConfig returns the TLS configuration for secure client connections.
+// Returns an error if TLS is not enabled on the container.
+func (c *CassandraContainer) TLSConfig() (*tls.Config, error) {
+	if !c.settings.tlsEnabled {
+		return nil, errors.New("TLS is not enabled on this container")
+	}
+	return c.settings.tlsConfig, nil
+}
+
 // WithConfigFile sets the YAML config file to be used for the cassandra container
 // It will also set the "configFile" parameter to the path of the config file
 // as a command line argument to the container.
@@ -71,6 +92,16 @@ func RunContainer(ctx context.Context, opts ...testcontainers.ContainerCustomize
 
 // Run creates an instance of the Cassandra container type
 func Run(ctx context.Context, img string, opts ...testcontainers.ContainerCustomizer) (*CassandraContainer, error) {
+	// Process custom options to extract settings
+	settings := defaultOptions()
+	for _, opt := range opts {
+		if opt, ok := opt.(Option); ok {
+			if err := opt(&settings); err != nil {
+				return nil, fmt.Errorf("apply option: %w", err)
+			}
+		}
+	}
+
 	moduleOpts := []testcontainers.ContainerCustomizer{
 		testcontainers.WithExposedPorts(port),
 		testcontainers.WithEnv(map[string]string{
@@ -90,12 +121,55 @@ func Run(ctx context.Context, img string, opts ...testcontainers.ContainerCustom
 		),
 	}
 
+	// Configure TLS if enabled
+	if settings.tlsEnabled {
+		tlsCerts, err := createTLSCerts()
+		if err != nil {
+			return nil, fmt.Errorf("create TLS certs: %w", err)
+		}
+
+		// Store the TLS config for client connections
+		settings.tlsConfig = tlsCerts.TLSConfig
+
+		// Add SSL port and configure networking for SSL
+		// We need CASSANDRA_BROADCAST_RPC_ADDRESS when CASSANDRA_RPC_ADDRESS is 0.0.0.0
+		moduleOpts = append(moduleOpts,
+			testcontainers.WithExposedPorts(sslPort),
+			testcontainers.WithEnv(map[string]string{
+				"CASSANDRA_BROADCAST_RPC_ADDRESS": "127.0.0.1",
+			}),
+		)
+
+		// Mount the SSL config and keystore
+		moduleOpts = append(moduleOpts,
+			testcontainers.WithFiles(
+				testcontainers.ContainerFile{
+					Reader:            bytes.NewReader(sslConfigYAML),
+					ContainerFilePath: "/etc/cassandra/cassandra.yaml",
+					FileMode:          0o644,
+				},
+				testcontainers.ContainerFile{
+					Reader:            bytes.NewReader(tlsCerts.KeystoreBytes),
+					ContainerFilePath: "/etc/cassandra/certs/keystore.p12",
+					FileMode:          0o644,
+				},
+			),
+		)
+
+		// Update wait strategy to also wait for SSL port
+		moduleOpts = append(moduleOpts,
+			testcontainers.WithAdditionalWaitStrategy(
+				wait.ForListeningPort(sslPort),
+			),
+		)
+	}
+
 	moduleOpts = append(moduleOpts, opts...)
 
 	ctr, err := testcontainers.Run(ctx, img, moduleOpts...)
 	var c *CassandraContainer
 	if ctr != nil {
-		c = &CassandraContainer{Container: ctr}
+		c = &CassandraContainer{Container: ctr, settings: settings}
 	}
 
 	if err != nil {

modules/cassandra/cassandra_test.go

@@ -117,3 +117,57 @@ func TestCassandraWithInitScripts(t *testing.T) {
 		require.Equal(t, Test{ID: 1, Name: "NAME"}, test)
 	})
 }
+
+func TestCassandraWithTLS(t *testing.T) {
+	ctx := context.Background()
+
+	// withTLS {
+	ctr, err := cassandra.Run(ctx, "cassandra:4.1.3", cassandra.WithTLS())
+	// }
+	testcontainers.CleanupContainer(t, ctr)
+	require.NoError(t, err)
+
+	// tlsConfig {
+	// Verify TLS config is available
+	tlsConfig, err := ctr.TLSConfig()
+	require.NoError(t, err)
+	// }
+	require.NotNil(t, tlsConfig, "TLSConfig should not be nil when TLS is enabled")
+
+	// Get SSL connection host
+	// connectionHostSSL {
+	connectionHost, err := ctr.ConnectionHost(ctx)
+	// }
+	require.NoError(t, err)
+
+	// Create cluster with TLS
+	cluster := gocql.NewCluster(connectionHost)
+	cluster.SslOpts = &gocql.SslOptions{
+		Config: tlsConfig,
+	}
+
+	session, err := cluster.CreateSession()
+	require.NoError(t, err)
+	defer session.Close()
+
+	// Verify connection works by querying system table
+	var clusterName string
+	err = session.Query("SELECT cluster_name FROM system.local").Scan(&clusterName)
+	require.NoError(t, err)
+	require.Equal(t, "Test Cluster", clusterName)
+
+	// Test data operations over TLS
+	err = session.Query("CREATE KEYSPACE tls_test_keyspace WITH REPLICATION = {'class' : 'SimpleStrategy', 'replication_factor' : 1}").Exec()
+	require.NoError(t, err)
+
+	err = session.Query("CREATE TABLE tls_test_keyspace.test_table (id int PRIMARY KEY, name text)").Exec()
+	require.NoError(t, err)
+
+	err = session.Query("INSERT INTO tls_test_keyspace.test_table (id, name) VALUES (1, 'TLS_TEST')").Exec()
+	require.NoError(t, err)
+
+	var test Test
+	err = session.Query("SELECT id, name FROM tls_test_keyspace.test_table WHERE id=1").Scan(&test.ID, &test.Name)
+	require.NoError(t, err)
+	require.Equal(t, Test{ID: 1, Name: "TLS_TEST"}, test)
+}

modules/cassandra/examples_test.go

@@ -67,3 +67,71 @@ func ExampleRun() {
 	// true
 	// 4.1.3
 }
+
+func ExampleRun_withTLS() {
+	// runCassandraContainerWithTLS {
+	ctx := context.Background()
+
+	cassandraContainer, err := cassandra.Run(ctx,
+		"cassandra:4.1.3",
+		cassandra.WithTLS(),
+	)
+	defer func() {
+		if err := testcontainers.TerminateContainer(cassandraContainer); err != nil {
+			log.Printf("failed to terminate container: %s", err)
+		}
+	}()
+	if err != nil {
+		log.Printf("failed to start container: %s", err)
+		return
+	}
+	// }
+
+	state, err := cassandraContainer.State(ctx)
+	if err != nil {
+		log.Printf("failed to get container state: %s", err)
+		return
+	}
+
+	fmt.Println(state.Running)
+
+	// getTLSConnectionHost {
+	connectionHost, err := cassandraContainer.ConnectionHost(ctx)
+	if err != nil {
+		log.Printf("failed to get SSL connection host: %s", err)
+		return
+	}
+
+	// Get TLS config for secure connection
+	tlsConfig, err := cassandraContainer.TLSConfig()
+	if err != nil {
+		log.Printf("failed to get TLS config: %s", err)
+		return
+	}
+	// }
+
+	cluster := gocql.NewCluster(connectionHost)
+	cluster.SslOpts = &gocql.SslOptions{
+		Config: tlsConfig,
+	}
+
+	session, err := cluster.CreateSession()
+	if err != nil {
+		log.Printf("failed to create session: %s", err)
+		return
+	}
+	defer session.Close()
+
+	var version string
+	err = session.Query("SELECT release_version FROM system.local").Scan(&version)
+	if err != nil {
+		log.Printf("failed to query: %s", err)
+		return
+	}
+
+	fmt.Println(version)
+
+	// Output:
+	// true
+	// 4.1.3
+}

modules/cassandra/go.mod

@@ -6,8 +6,10 @@ toolchain go1.24.7
 
 require (
 	github.com/gocql/gocql v1.6.0
+	github.com/mdelapenya/tlscert v0.2.0
 	github.com/stretchr/testify v1.11.1
 	github.com/testcontainers/testcontainers-go v0.40.0
+	software.sslmate.com/src/go-pkcs12 v0.6.0
 )
 
 require (

modules/cassandra/go.sum

@@ -72,6 +72,8 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/mdelapenya/tlscert v0.2.0 h1:7H81W6Z/4weDvZBNOfQte5GpIMo0lGYEeWbkGp5LJHI=
+github.com/mdelapenya/tlscert v0.2.0/go.mod h1:O4njj3ELLnJjGdkN7M/vIVCpZ+Cf0L6muqOG4tLSl8o=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
@@ -174,3 +176,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU=
+software.sslmate.com/src/go-pkcs12 v0.6.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=

modules/cassandra/options.go

@@ -0,0 +1,47 @@
+package cassandra
+
+import (
+	"crypto/tls"
+
+	"github.com/testcontainers/testcontainers-go"
+)
+
+// options holds the configuration settings for the Cassandra container.
+type options struct {
+	tlsEnabled bool
+	tlsConfig  *tls.Config
+}
+
+// Compiler check to ensure that Option implements the testcontainers.ContainerCustomizer interface.
+var _ testcontainers.ContainerCustomizer = (Option)(nil)
+
+// Option is an option for the Cassandra container.
+type Option func(*options) error
+
+// Customize is a NOOP. It's defined to satisfy the testcontainers.ContainerCustomizer interface.
+func (o Option) Customize(*testcontainers.GenericContainerRequest) error {
+	// NOOP to satisfy interface.
+	return nil
+}
+
+// defaultOptions returns the default options for the Cassandra container.
+func defaultOptions() options {
+	return options{
+		tlsEnabled: false,
+		tlsConfig:  nil,
+	}
+}
+
+// WithTLS enables TLS/SSL on the Cassandra container.
+// When enabled, the container will:
+//   - Generate self-signed certificates
+//   - Configure Cassandra to use client encryption
+//   - Expose the SSL port (9142)
+//
+// Use TLSConfig() on the returned container to get the *tls.Config for client connections.
+func WithTLS() Option {
+	return func(o *options) error {
+		o.tlsEnabled = true
+		return nil
+	}
+}