• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Project Mission Control

    • Overview
      • Release notes
      • FAQs
      • Get support
    • Installing DataStax Mission Control
      • Plan your install
      • Server-based Runtime Installer
        • Services setup with DataStax Mission Control Runtime Installer
      • Bring your own Kubernetes
        • Install Control Plane
        • Install Data Plane
    • Securing
      • Authentication
      • Connect LDAP authentication backend
      • Connect OpenID authentication backend
      • Client-to-node encryption
      • Internode encryption
      • Secure DataStax Mission Control
      • DSE Unified Authorization
    • Migrating
      • Migrate a DSE Cluster to DataStax Mission Control
    • Managing
      • Manage DSE clusters
        • Configure DSE
        • Cluster lifecycle
          • Create a cluster
          • Create a single-token cluster
          • Create a multi-token cluster
          • Changing cluster Replication Factor
          • Terminate a DSE cluster
          • Upgrade a DSE cluster
        • Datacenter lifecycle
          • Add a DSE datacenter
          • Terminate a DSE datacenter
        • Node lifecycle
          • Add DSE nodes
          • Terminate DSE nodes
          • Use per-node configurations
      • Manage DataStax Mission Control infrastructure
        • Manage projects
        • Manage clusters
        • Add a node to DataStax Mission Control clusters
        • Terminate a node from DataStax Mission Control clusters
        • Storage classes defined
      • Manage DataStax Mission Control resources
        • Access Admin Console
        • Configure DataStax Mission Control
        • Generate a support bundle
      • Observability
        • Metrics
    • Operations
      • Cleanup
      • Rebuild
      • Replace a node
      • Rolling restart
      • Upgrade SSTables
    • Reference
      • MissionControlCluster manifest
      • CassandraTask manifest
  • DataStax Project Mission Control
  • Securing
  • Internode encryption

Internode encryption

DataStax Mission Control is currently in Public Preview. DataStax Mission Control is not intended for production use, has not been certified for production workloads, and might contain bugs and other functional issues. There is no guarantee that DataStax Mission Control will ever become generally available. DataStax Mission Control is provided on an “AS IS” basis, without warranty or indemnity of any kind.

If you are interested in trying out DataStax Mission Control please join the Public Preview.

DataStax Mission Control can manage and orchestrate internode encryption for DSE and Cassandra clusters. DataStax Mission Control also supports using a root Certificate Authority (CA) that you provide. In this case, DataStax Mission Control uses an existing certificate issuer referenced in the cluster definition. When a new Mission Control cluster is created, DataStax Mission Control generates a new certificate for each node and signs it with the cluster’s root CA. It next generates the keystore and truststore for each node and configures the cluster to use them.

DataStax Mission Control supports the following scenarios:

  • Use the CA issuer designated by DataStax Mission Control

  • xref:No internode encryption

  • xref:Use an alternate issuer supported by Cert-Manager

No internode encryption

Internode encryption can be disabled by setting the .spec.encryption.internodeEncryption.enabled field to false and disabling the certificate issuer creation in the MissionControlCluster spec with .spec.createIssuer set to false:

apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
  name: test-cluster
  namespace: <namespace>
spec:
  createIssuer: false
  encryption:
    internodeEncryption:
      enabled: false
  k8ssandra:
    cassandra:
      serverVersion: 6.8.38
      serverType: dse
      storageConfig:
        cassandraDataVolumeClaimSpec:
          storageClassName: standard
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 5Gi
      config:
        jvmOptions:
          heapSize: 512M
      datacenters:
        - metadata:
            name: dc1
          size: 3
          resources:
            requests:
              memory: 1Gi

Apply this updated MissionControlCluster resource by running the following command:

kubectl apply -f test-cluster.missioncontrolcluster.yaml

DataStax Mission Control-provided root CA generation and self-signing

A certificate authority (CA) is a trusted entity that stores, signs, and issues Transport Layer Security (TLS) certificates.

  1. Create a MissionControlCluster resource, by copying the following manifest and saving it in a file named test-cluster.missioncontrolcluster.yaml:

    apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
  name: test-cluster
  namespace: <namespace>
spec:
  k8ssandra:
    cassandra:
      serverVersion: 6.8.38
      serverType: dse
      storageConfig:
        cassandraDataVolumeClaimSpec:
          storageClassName: standard
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 5Gi
      config:
        jvmOptions:
          heapSize: 512M
      datacenters:
        - metadata:
            name: dc1
          size: 3
          resources:
            requests:
              memory: 1Gi

  2. Now apply the newly-created MissionControlCluster resource by running the following command:

    kubectl apply -f test-cluster.missioncontrolcluster.yaml

    The generated root CA secret is created within a few seconds. Reveal the secret with this command:

    • kubectl command

    • Sample result

    % kubectl get secrets -n mission-control |grep internode
    NAME                                                    TYPE                                  DATA   AGE
mission-control-test-inode-selfsigned-ca-cert           kubernetes.io/tls                     3      12s

  3. Generated next are the cluster’s certificate secrets which are signed by the root CA. Reveal the certificate secrets with this command:

    • kubectl command

    • Sample result

    % kubectl get secrets -n mission-control |grep inode
    NAME                                                    TYPE                                  DATA   AGE
mission-control-test-inode-selfsigned-ca-cert           kubernetes.io/tls                     3      27s
test-dc1-default-sts-0-inode-cert                       kubernetes.io/tls                     3      12s
test-dc1-default-sts-0-inode-cert-keystore              Opaque                                2      12s
test-dc1-default-sts-1-inode-cert                       kubernetes.io/tls                     3      11s
test-dc1-default-sts-1-inode-cert-keystore              Opaque                                2      11s
test-dc1-default-sts-2-inode-cert                       kubernetes.io/tls                     3      12s
test-dc1-default-sts-2-inode-cert-keystore              Opaque                                2      12s

  4. The -keystore secrets are mounted appropriately in the Cassandra or DSE pods. The pods should then start within a few minutes. Run the following kubectl command to check the pods' status:

    • kubectl command

    • Sample result

    % kubectl get pods
    NAME                   READY STATUS   RESTARTS AGE
test-dc1-default-sts-0 2/2   Running  0        18m
test-dc1-default-sts-1 2/2   Running  0        18m
test-dc1-default-sts-2 2/2   Running  0        18m

Use an alternate issuer supported by Cert-Manager

DataStax Mission Control supports using any alternative issuer in turn supported by cert-manager. Cert-Manager is an API used by K8ssandra to manage Transport Layer Security (TLS). Starting with the v1.0.0-beta.1 release of DataStax Mission Control, the following issuers are supported:

  • Vault

  • Venafi

  • ACME, which allows relying on Let’s Encrypt

  • A wide range of external issuers

To use one of these alternative issuers, create it using the standard https://cert-manager.io/docs/configuration/ [Cert-Manager API] and then reference it as follows in the MissionControlCluster spec.

  1. Save the specification in a file named cluster.MissionControlCluster.yaml:

    apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
  name: cluster
  namespace: <namespace>
spec:
  createIssuer: false
  encryption:
    internodeEncryption:
      certs:
        certTemplate:
          issuerRef:
            name: my-alternate-issuer
  k8ssandra:
    cassandra:
      serverVersion: 6.8.38
      serverType: dse
      storageConfig:
        cassandraDataVolumeClaimSpec:
          storageClassName: standard
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 5Gi
      config:
        jvmOptions:
          heapSize: 512M
      datacenters:
        - metadata:
            name: dc1
          size: 3
          resources:
            requests:
              memory: 1Gi

  2. Apply the newly-created cluster.MissionControlCluster.yaml file with this command:

    kubectl apply -f cluster.MissionControlCluster.yaml

  3. Within moments a set of secrets should be created with certificates (secrets ending with -cert) that are automatically generated and signed by the root CA. Reveal the secrets with this command (where inode is an alias for internode):

    • kubectl command

    • Sample results

    % kubectl get secrets -n mission-control |grep inode
    test-dc1-default-sts-0-inode-cert                       kubernetes.io/tls                     3      11m
test-dc1-default-sts-0-inode-cert-keystore              Opaque                                2      11m
test-dc1-default-sts-1-inode-cert                       kubernetes.io/tls                     3      11m
test-dc1-default-sts-1-inode-cert-keystore              Opaque                                2      11m
test-dc1-default-sts-2-inode-cert                       kubernetes.io/tls                     3      11m
test-dc1-default-sts-2-inode-cert-keystore              Opaque                                2      11m

  4. The -keystore secrets are mounted appropriately in the Cassandra or DSE pods. The pods should then start within a few minutes. Run the following kubectl command to check the pods' status:

    • kubectl command

    • Sample results

    % kubectl get pods
    NAME                   READY STATUS   RESTARTS AGE
test-dc1-default-sts-0 2/2   Running  0        18m
test-dc1-default-sts-1 2/2   Running  0        18m
test-dc1-default-sts-2 2/2   Running  0        18m
Client-to-node encryption Secure DataStax Mission Control

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage