K8SSAND-1134 ⁃ Add support for enabling and disabling authentication in Medusa

[adutra]

This is a follow-up ticket after #170.

Medusa support has been merged recently; we need now to make K8ssandra controller apply authentication settings to Medusa. This includes filling in the right CQL user/password in medusa.ini, but might have other implications as well.

┆Issue is synchronized with this Jira Bug by Unito ┆epic: Backup/Restore Enhancement (Purge, Encryption) ┆fixVersions: k8ssandra-operator-v1.1.0 ┆friendlyId: K8SSAND-1134 ┆priority: Medium

[sync-by-unito[bot]]

➤ Jeff DiNoto commented:

We believe this is already completed, need to confirm with Alex Dutra

[adutra]

➤ Jeff DiNoto commented:

We believe this is already completed, need to confirm with Alex Dutra

I believe we do have some work to be done here.

Currently the medusa code is not reacting to the new K8ssandraClusterSpec.Auth field that was introduced in #170. More specifically, the UpdateMedusaInitContainer function is not disabling authentication when that field is false.

We also would need to enhance existing unit and e2e tests to exercise the use case when auth is disabled and Medusa is present.

@jdonenine @jsanda @adejanovski am I missing something here?

[adejanovski]

Currently the medusa code is not reacting to the new K8ssandraClusterSpec.Auth field that was introduced in #170. More specifically, the UpdateMedusaInitContainer function is not disabling authentication when that field is false.

It's fine as long as auth is supported. When auth is disabled, any user/password combination will be accepted, so we're good with what we have already 👍

[adutra]

Indeed but it would be cleaner if we explicitly refrain from passing credentials to medusa when auth is disabled.

[adutra]

Just to be clear, even with auth disabled a secret for Medusa is being created and replicated, then fed into the Medusa container through env vars. The Medusa client then opens a CQL connection using those credentials, but since the cluster is using AllowAllAuthenticator, the connection succeeds no matter what credentials are passed. We would like to suppress the secret creation/reconciliation + env var generation, when auth is disabled.