Internode encryption
Mission Control can manage and orchestrate internode encryption for DataStax Enterprise (DSE), Hyper-Converged Database (HCD), and Apache Cassandra® clusters. Mission Control also supports using a root Certificate Authority (CA) that you provide. In this case, Mission Control uses an existing certificate issuer referenced in the cluster definition. When you create a new Mission Control cluster, Mission Control generates a new certificate for each node and signs it with the cluster’s root CA. Mission Control then generates the keystore and truststore for each node and configures the cluster to use them.
For more information about managing certificates and CAs, see Manage Mission Control certificate and certificate authority (CA) expiration.
Mission Control supports the following scenarios:
-
Use the CA issuer designated by Mission Control
No internode encryption
Internode encryption can be disabled by setting the .spec.encryption.internodeEncryption.enabled field to false and disabling the certificate issuer creation in the MissionControlCluster spec with .spec.createIssuer set to false:
apiVersion: missioncontrol.datastax.com/v1beta2
kind: MissionControlCluster
metadata:
name: test-cluster
namespace: NAMESPACE
spec:
createIssuer: false
encryption:
internodeEncryption:
enabled: false
k8ssandra:
cassandra:
serverVersion: SERVER_VERSION
serverType: SERVER_TYPE
storageConfig:
cassandraDataVolumeClaimSpec:
storageClassName: standard
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
config:
jvmOptions:
heapSize: 512M
datacenters:
- metadata:
name: dc1
size: 3
resources:
requests:
memory: 1Gi
Replace the following:
-
NAMESPACE: The namespace where the cluster is deployed. -
SERVER_VERSION: The version of the server, for example6.9.12for DSE or1.1.0for HCD -
SERVER_TYPE: The type of the server, for exampledseorhcd
Apply this updated MissionControlCluster resource by running the following command:
kubectl apply -f test-cluster.missioncontrolcluster.yaml
Mission Control-provided root CA generation and self-signing
A certificate authority (CA) is a trusted entity that stores, signs, and issues Transport Layer Security (TLS) certificates.
-
Create a
MissionControlClusterresource by copying the following manifest and saving it in a file namedtest-cluster.missioncontrolcluster.yaml:apiVersion: missioncontrol.datastax.com/v1beta2 kind: MissionControlCluster metadata: name: test-cluster namespace: NAMESPACE spec: k8ssandra: cassandra: serverVersion: SERVER_VERSION serverType: SERVER_TYPE storageConfig: cassandraDataVolumeClaimSpec: storageClassName: standard accessModes: - ReadWriteOnce resources: requests: storage: 5Gi config: jvmOptions: heapSize: 512M datacenters: - metadata: name: dc1 size: 3 resources: requests: memory: 1GiReplace the following:
-
NAMESPACE: The namespace where the cluster is deployed. -
SERVER_VERSION: The version of the server, for example6.9.12for DSE or1.1.0for HCD -
SERVER_TYPE: The type of the server, for exampledseorhcd
-
-
Run the following command to apply the newly-created
MissionControlClusterresource:kubectl apply -f test-cluster.missioncontrolcluster.yamlThe generated root CA secret is created within a few seconds.
-
Run the following command to reveal the secret:
kubectl get secrets -n mission-control |grep internodeResult
NAME TYPE DATA AGE mission-control-test-inode-selfsigned-ca-cert kubernetes.io/tls 3 12sGenerated next are the cluster’s certificate secrets which are signed by the root CA.
-
Run the following command to reveal the certificate secrets:
kubectl get secrets -n mission-control |grep inodeResult
NAME TYPE DATA AGE mission-control-test-inode-selfsigned-ca-cert kubernetes.io/tls 3 27s test-dc1-default-sts-0-inode-cert kubernetes.io/tls 3 12s test-dc1-default-sts-0-inode-cert-keystore Opaque 2 12s test-dc1-default-sts-1-inode-cert kubernetes.io/tls 3 11s test-dc1-default-sts-1-inode-cert-keystore Opaque 2 11s test-dc1-default-sts-2-inode-cert kubernetes.io/tls 3 12s test-dc1-default-sts-2-inode-cert-keystore Opaque 2 12s -
The
-keystoresecrets are mounted appropriately in the HCD, DSE, or Cassandra pods. The pods should then start within a few minutes. -
Optional: Run the following
kubectlcommand to check the pods' status:kubectl get podsResult
NAME READY STATUS RESTARTS AGE test-dc1-default-sts-0 2/2 Running 0 18m test-dc1-default-sts-1 2/2 Running 0 18m test-dc1-default-sts-2 2/2 Running 0 18m
Use an alternate issuer supported by Cert-Manager
Mission Control supports using any alternative issuer in turn supported by cert-manager. Cert-Manager is an API used by K8ssandra to manage Transport Layer Security (TLS). Starting with the v1.0.0-beta.1 release of Mission Control, the following issuers are supported:
-
ACME, which allows relying on Let’s Encrypt
-
A wide range of external issuers
To use one of these alternative issuers, create it using the standard https://cert-manager.io/docs/configuration/
[Cert-Manager API] and then reference it as follows in the MissionControlCluster spec.
-
Save the specification in a file named
cluster.MissionControlCluster.yaml:apiVersion: missioncontrol.datastax.com/v1beta2 kind: MissionControlCluster metadata: name: cluster namespace: NAMESPACE spec: createIssuer: false encryption: internodeEncryption: certs: certTemplate: issuerRef: name: my-alternate-issuer k8ssandra: cassandra: serverVersion: SERVER_VERSION serverType: SERVER_TYPE storageConfig: cassandraDataVolumeClaimSpec: storageClassName: standard accessModes: - ReadWriteOnce resources: requests: storage: 5Gi config: jvmOptions: heapSize: 512M datacenters: - metadata: name: dc1 size: 3 resources: requests: memory: 1GiReplace the following:
-
NAMESPACE: The namespace where the cluster is deployed. -
SERVER_VERSION: The version of the server, for example6.9.12for DSE or1.1.0for HCD -
SERVER_TYPE: The type of the server, for exampledseorhcd
-
-
Run the following command to apply the newly-created
cluster.MissionControlCluster.yamlfile:kubectl apply -f cluster.MissionControlCluster.yamlWithin moments a set of secrets should be created with certificates (secrets ending with
-cert) that are automatically generated and signed by the root CA. -
Run the following command to reveal the secrets (where
inodeis an alias forinternode):kubectl get secrets -n mission-control |grep inodeResult
test-dc1-default-sts-0-inode-cert kubernetes.io/tls 3 11m test-dc1-default-sts-0-inode-cert-keystore Opaque 2 11m test-dc1-default-sts-1-inode-cert kubernetes.io/tls 3 11m test-dc1-default-sts-1-inode-cert-keystore Opaque 2 11m test-dc1-default-sts-2-inode-cert kubernetes.io/tls 3 11m test-dc1-default-sts-2-inode-cert-keystore Opaque 2 11mThe
-keystoresecrets are mounted appropriately in the HCD, DSE, or Cassandra pods. The pods should then start within a few minutes. -
Optional: Run the following
kubectlcommand to check the pods' status:kubectl get podsResult
NAME READY STATUS RESTARTS AGE test-dc1-default-sts-0 2/2 Running 0 18m test-dc1-default-sts-1 2/2 Running 0 18m test-dc1-default-sts-2 2/2 Running 0 18m