Client-to-node encryption
Mission Control does not orchestrate client-to-node encryption. It can be enabled by generating the keystore and truststore for the client-to-node certificates and storing them as a secret in the same namespace as the cluster:
kubectl create secret generic client-encryption-stores --from-file=keystore.jks --from-literal=keystore-password=<keystore password> --from-file=truststore.jks --from-literal=truststore-password=<truststore password>
Once the secret is created, reference it in the MissionControlCluster
spec:
apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
name: test
spec:
k8ssandra:
cassandra:
...
...
config:
cassandraYaml:
client_encryption_options:
enabled: true
require_client_auth: true
clientEncryptionStores:
keystoreSecretRef:
name: client-encryption-stores
truststoreSecretRef:
name: client-encryption-stores
...
...