Client-to-node encryption

Mission Control does not orchestrate client-to-node encryption. It can be enabled by generating the keystore and truststore for the client-to-node certificates and storing them as a secret in the same namespace as the cluster:

kubectl create secret generic client-encryption-stores --from-file=keystore.jks --from-literal=keystore-password=**KEYSTORE_PASSWORD** --from-file=truststore.jks --from-literal=truststore-password=**TRUSTSTORE_PASSWORD**

Replace the following:

  • KEYSTORE_PASSWORD: The password for the keystore

  • TRUSTSTORE_PASSWORD: The password for the truststore

Once the secret is created, reference it in the MissionControlCluster spec:

apiVersion: missioncontrol.datastax.com/v1beta2
kind: MissionControlCluster
metadata:
  name: test
spec:
  k8ssandra:
    cassandra:
      ...
      ...
      config:
        cassandraYaml:
          client_encryption_options:
              enabled: true
              require_client_auth: true
      clientEncryptionStores:
        keystoreSecretRef:
          name: client-encryption-stores
        truststoreSecretRef:
          name: client-encryption-stores
      ...
      ...

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com