Internode encryption
Mission Control can manage and orchestrate internode encryption for DSE and Cassandra clusters. Mission Control also supports using a root Certificate Authority (CA) that you provide. In this case, Mission Control uses an existing certificate issuer referenced in the cluster definition. When a new Mission Control cluster is created, Mission Control generates a new certificate for each node and signs it with the cluster’s root CA. It next generates the keystore and truststore for each node and configures the cluster to use them.
Mission Control supports the following scenarios:
-
Use the CA issuer designated by Mission Control
No internode encryption
Internode encryption can be disabled by setting the .spec.encryption.internodeEncryption.enabled field to false and disabling the certificate issuer creation in the MissionControlCluster spec with .spec.createIssuer set to false:
apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
name: test-cluster
namespace: <namespace>
spec:
createIssuer: false
encryption:
internodeEncryption:
enabled: false
k8ssandra:
cassandra:
serverVersion: 6.8.38
serverType: dse
storageConfig:
cassandraDataVolumeClaimSpec:
storageClassName: standard
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
config:
jvmOptions:
heapSize: 512M
datacenters:
- metadata:
name: dc1
size: 3
resources:
requests:
memory: 1GiApply this updated MissionControlCluster resource by running the following command:
kubectl apply -f test-cluster.missioncontrolcluster.yamlMission Control-provided root CA generation and self-signing
A certificate authority (CA) is a trusted entity that stores, signs, and issues Transport Layer Security (TLS) certificates.
-
Create a
MissionControlClusterresource, by copying the following manifest and saving it in a file namedtest-cluster.missioncontrolcluster.yaml:apiVersion: missioncontrol.datastax.com/v1beta1 kind: MissionControlCluster metadata: name: test-cluster namespace: <namespace> spec: k8ssandra: cassandra: serverVersion: 6.8.38 serverType: dse storageConfig: cassandraDataVolumeClaimSpec: storageClassName: standard accessModes: - ReadWriteOnce resources: requests: storage: 5Gi config: jvmOptions: heapSize: 512M datacenters: - metadata: name: dc1 size: 3 resources: requests: memory: 1Gi -
Now apply the newly-created
MissionControlClusterresource by running the following command:kubectl apply -f test-cluster.missioncontrolcluster.yamlThe generated root CA secret is created within a few seconds. Reveal the secret with this command:
kubectl get secrets -n mission-control |grep internodeSample results
NAME TYPE DATA AGE mission-control-test-inode-selfsigned-ca-cert kubernetes.io/tls 3 12s -
Generated next are the cluster’s certificate secrets which are signed by the root CA. Reveal the certificate secrets with this command:
kubectl get secrets -n mission-control |grep inodeSample results
NAME TYPE DATA AGE mission-control-test-inode-selfsigned-ca-cert kubernetes.io/tls 3 27s test-dc1-default-sts-0-inode-cert kubernetes.io/tls 3 12s test-dc1-default-sts-0-inode-cert-keystore Opaque 2 12s test-dc1-default-sts-1-inode-cert kubernetes.io/tls 3 11s test-dc1-default-sts-1-inode-cert-keystore Opaque 2 11s test-dc1-default-sts-2-inode-cert kubernetes.io/tls 3 12s test-dc1-default-sts-2-inode-cert-keystore Opaque 2 12s -
The
-keystoresecrets are mounted appropriately in the Cassandra or DSE pods. The pods should then start within a few minutes. Run the followingkubectlcommand to check the pods' status:kubectl get podsSample results
NAME READY STATUS RESTARTS AGE test-dc1-default-sts-0 2/2 Running 0 18m test-dc1-default-sts-1 2/2 Running 0 18m test-dc1-default-sts-2 2/2 Running 0 18m
Use an alternate issuer supported by Cert-Manager
Mission Control supports using any alternative issuer in turn supported by cert-manager. Cert-Manager is an API used by K8ssandra to manage Transport Layer Security (TLS). Starting with the v1.0.0-beta.1 release of Mission Control, the following issuers are supported:
-
ACME, which allows relying on Let’s Encrypt
-
A wide range of external issuers
To use one of these alternative issuers, create it using the standard https://cert-manager.io/docs/configuration/
[Cert-Manager API] and then reference it as follows in the MissionControlCluster spec.
-
Save the specification in a file named
cluster.MissionControlCluster.yaml:apiVersion: missioncontrol.datastax.com/v1beta1 kind: MissionControlCluster metadata: name: cluster namespace: <namespace> spec: createIssuer: false encryption: internodeEncryption: certs: certTemplate: issuerRef: name: my-alternate-issuer k8ssandra: cassandra: serverVersion: 6.8.38 serverType: dse storageConfig: cassandraDataVolumeClaimSpec: storageClassName: standard accessModes: - ReadWriteOnce resources: requests: storage: 5Gi config: jvmOptions: heapSize: 512M datacenters: - metadata: name: dc1 size: 3 resources: requests: memory: 1Gi -
Apply the newly-created
cluster.MissionControlCluster.yamlfile with this command:kubectl apply -f cluster.MissionControlCluster.yaml -
Within moments a set of secrets should be created with certificates (secrets ending with
-cert) that are automatically generated and signed by the root CA. Reveal the secrets with this command (whereinodeis an alias forinternode):kubectl get secrets -n mission-control |grep inodeSample results
test-dc1-default-sts-0-inode-cert kubernetes.io/tls 3 11m test-dc1-default-sts-0-inode-cert-keystore Opaque 2 11m test-dc1-default-sts-1-inode-cert kubernetes.io/tls 3 11m test-dc1-default-sts-1-inode-cert-keystore Opaque 2 11m test-dc1-default-sts-2-inode-cert kubernetes.io/tls 3 11m test-dc1-default-sts-2-inode-cert-keystore Opaque 2 11m -
The
-keystoresecrets are mounted appropriately in the Cassandra or DSE pods. The pods should then start within a few minutes. Run the followingkubectlcommand to check the pods' status:kubectl get podsSample results
NAME READY STATUS RESTARTS AGE test-dc1-default-sts-0 2/2 Running 0 18m test-dc1-default-sts-1 2/2 Running 0 18m test-dc1-default-sts-2 2/2 Running 0 18m
