From eff3172c0732f9ae2971b999ca634ef60f9e5bb1 Mon Sep 17 00:00:00 2001 From: Erik Merkle Date: Tue, 9 Sep 2025 14:07:03 -0500 Subject: [PATCH 1/2] Allow certificates with older algorithms This patch changes the crypto policy in UBI9 based images to LEGACY to so that older algortithms can still be used for internode encryption. As of RedHat 9, older algorithms like SHA1 were disabled by default. --- CHANGELOG.md | 1 + cassandra-trunk/Dockerfile-trunk.ubi | 3 +++ cassandra/Dockerfile-4.0.ubi | 4 +++- cassandra/Dockerfile-4.1.ubi | 4 +++- cassandra/Dockerfile-5.0.ubi | 3 +++ dse/Dockerfile-dse6.9.ubi | 5 ++++- 6 files changed, 17 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bc5479c8..9cf8afd6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ Changelog for Management API, new PRs should update the `main / unreleased` sect ## unreleased * [ENHANCEMENT] [#686](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/686) Avoid pulling from Apache archives * [BUGFIX] [#684](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/684) Fix Cassandra trunk builds +* [BUGFIX] [#678](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/678) Older certificates broken for UBI9 ## v0.1.108 [2025-08-2020] * [CHANGE] [#670](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/670) Update OpenJDK 11 install for UBI based images diff --git a/cassandra-trunk/Dockerfile-trunk.ubi b/cassandra-trunk/Dockerfile-trunk.ubi index ee462cd7..209e15e2 100644 --- a/cassandra-trunk/Dockerfile-trunk.ubi +++ b/cassandra-trunk/Dockerfile-trunk.ubi 
@@ -177,6 +177,9 @@ RUN chmod +x /usr/local/bin/docker-entrypoint.sh && \ # fix for the missing mtab in the containerd ln -sf /proc/mounts /etc/mtab +# Set OS crypto policy to LEGACY to allow for older algorithms +RUN update-crypto-policies --set LEGACY + ENV TINI_VERSION=v0.19.0 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-${TARGETARCH} /tini RUN chmod +x /tini diff --git a/cassandra/Dockerfile-4.0.ubi b/cassandra/Dockerfile-4.0.ubi index 1506aa4d..22eadd73 100644 --- a/cassandra/Dockerfile-4.0.ubi +++ b/cassandra/Dockerfile-4.0.ubi @@ -119,7 +119,9 @@ RUN microdnf install -y --nodocs shadow-utils \ && useradd -m -d "$CASSANDRA_HOME" -r -g cassandra -G root --uid=999 cassandra \ && microdnf update && rm -rf /var/cache/yum \ # Install packages needed during install process - && microdnf install -y --nodocs temurin-11-jdk tzdata-java python3 zlib findutils which hostname iproute procps util-linux glibc-langpack-en wget tar \ + && microdnf install -y --nodocs temurin-11-jdk tzdata-java python3 zlib findutils which hostname iproute procps util-linux glibc-langpack-en wget tar crypto-policies-scripts \ +# Set OS crypto policy to LEGACY to allow for older algorithms + && update-crypto-policies --set LEGACY \ && microdnf clean all # Copy trimmed installation diff --git a/cassandra/Dockerfile-4.1.ubi b/cassandra/Dockerfile-4.1.ubi index b7245ca2..c0b9e154 100644 --- a/cassandra/Dockerfile-4.1.ubi +++ b/cassandra/Dockerfile-4.1.ubi 
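Review bot: `update-crypto-policies --set LEGACY` in the Dockerfile-trunk.ubi hunk relaxes the system-wide policy for every library in the image that consumes it, which is broader than the SHA-1 case the commit message gives as the reason. RHEL 9 ships a `SHA1` subpolicy, so `RUN update-crypto-policies --set DEFAULT:SHA1` would re-enable SHA-1 signatures while keeping the rest of DEFAULT. If the certificates from issue #678 need more than that, the comment should name the algorithm, e.g. `# LEGACY needed for <algorithm> in internode TLS certs (#678); weakens crypto defaults image-wide`. The same command is added in the Dockerfile-4.0.ubi, Dockerfile-4.1.ubi, Dockerfile-5.0.ubi and Dockerfile-dse6.9.ubi hunks.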
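Review bot: The install line in the Dockerfile-4.0.ubi hunk pulls `temurin-11-jdk`, and the Java back-end of the system crypto policy is, as far as I know, wired in by Red Hat's OpenJDK packaging rather than by upstream builds, so it is worth confirming that the JVM running Cassandra actually picks up the LEGACY setting. If it does not, the change loosens the OS-level TLS libraries in the image without fixing internode encryption, and the JVM-side setting would be in the JDK's `java.security` (`jdk.certpath.disabledAlgorithms`, `jdk.tls.disabledAlgorithms`) instead. An integration test that brings up internode encryption with one of the affected certificates would settle it, and a comment such as `# verified: Temurin JVM honours /etc/crypto-policies (see test <name>)` would record the result. The Dockerfile-4.1.ubi and Dockerfile-dse6.9.ubi hunks install the same JDK, and the RUN instruction here starts before the hunk.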
@@ -121,7 +121,9 @@ RUN microdnf install -y --nodocs shadow-utils \ && useradd -m -d "$CASSANDRA_HOME" -r -g cassandra -G root --uid=999 cassandra \ && microdnf update && rm -rf /var/cache/yum \ # Install packages needed during install process - && microdnf install -y --nodocs temurin-11-jdk tzdata-java python3 zlib findutils which hostname iproute procps util-linux glibc-langpack-en wget tar \ + && microdnf install -y --nodocs temurin-11-jdk tzdata-java python3 zlib findutils which hostname iproute procps util-linux glibc-langpack-en wget tar crypto-policies-scripts \ +# Set OS crypto policy to LEGACY to allow for older algorithms + && update-crypto-policies --set LEGACY \ && microdnf clean all # Copy trimmed installation diff --git a/cassandra/Dockerfile-5.0.ubi b/cassandra/Dockerfile-5.0.ubi index 4fdb0180..2977b975 100644 --- a/cassandra/Dockerfile-5.0.ubi +++ b/cassandra/Dockerfile-5.0.ubi @@ -121,6 +121,9 @@ RUN chmod +x /usr/local/bin/docker-entrypoint.sh && \ # fix for the missing mtab in the containerd ln -sf /proc/mounts /etc/mtab +# Set OS crypto policy to LEGACY to allow for older algorithms +RUN update-crypto-policies --set LEGACY + ENV TINI_VERSION=v0.19.0 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-${TARGETARCH} /tini RUN chmod +x /tini diff --git a/dse/Dockerfile-dse6.9.ubi b/dse/Dockerfile-dse6.9.ubi index de0e4a81..edfa7ca0 100644 --- a/dse/Dockerfile-dse6.9.ubi +++ b/dse/Dockerfile-dse6.9.ubi 
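Review bot: The new `RUN update-crypto-policies --set LEGACY` in the Dockerfile-5.0.ubi hunk does not install `crypto-policies-scripts`, the package the 4.0, 4.1 and DSE hunks add alongside the same command; the Dockerfile-trunk.ubi hunk has the same shape. Unless a base image or an earlier instruction outside the hunk already provides it, the build would presumably fail at this step. The command also rewrites files under `/etc/crypto-policies`, so it has to run before any `USER` instruction that drops root. If the package is not already present, `RUN microdnf install -y --nodocs crypto-policies-scripts && update-crypto-policies --set LEGACY && microdnf clean all` keeps the step self-contained.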
@@ -30,7 +30,10 @@ COPY dse/files/adoptium.repo /etc/yum.repos.d/adoptium.repo # Install runtime dependencies and updates RUN microdnf update && rm -rf /var/cache/yum && \ - microdnf install --nodocs -y temurin-11-jdk python39 zlib libaio which findutils hostname iproute shadow-utils procps util-linux glibc-langpack-en wget tar && microdnf clean all + microdnf install --nodocs -y temurin-11-jdk python39 zlib libaio which findutils hostname iproute shadow-utils procps util-linux glibc-langpack-en wget tar crypto-policies-scripts \ +# Set OS crypto policy to LEGACY to allow for older algorithms + && update-crypto-policies --set LEGACY \ + && microdnf clean all WORKDIR $HOME From baf38db04f398466d9b92f0c38c6650800adfd2e Mon Sep 17 00:00:00 2001 From: Erik Merkle Date: Fri, 19 Sep 2025 13:17:45 -0500 Subject: [PATCH 2/2] Update CHANGELOG for CDC Agent v2.3.2 Adds a chengelog entry for commit: 79b049e9a2f89dbf2285eaadd24048a77b61953b --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cf8afd6..635cbfcc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Changelog for Management API, new PRs should update the `main / unreleased` sect ## unreleased * [ENHANCEMENT] [#686](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/686) Avoid pulling from Apache archives +* [ENHANCEMENT] [#680](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/680) Update cdc-agent to 2.3.2 * [BUGFIX] [#684](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/684) Fix Cassandra trunk builds * [BUGFIX] [#678](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/678) Older certificates broken for UBI9