Internode encryption

Mission Control can manage and orchestrate internode encryption for DSE and Cassandra clusters. Mission Control also supports using a root Certificate Authority (CA) that you provide. In this case, Mission Control uses an existing certificate issuer referenced in the cluster definition. When a new Mission Control cluster is created, Mission Control generates a new certificate for each node and signs it with the cluster’s root CA. It next generates the keystore and truststore for each node and configures the cluster to use them.

Mission Control supports the following scenarios:

No internode encryption

Internode encryption can be disabled by setting the .spec.encryption.internodeEncryption.enabled field to false and disabling the certificate issuer creation in the MissionControlCluster spec with .spec.createIssuer set to false:

apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
  name: test-cluster
  namespace: <namespace>
spec:
  createIssuer: false
  encryption:
    internodeEncryption:
      enabled: false
  k8ssandra:
    cassandra:
      serverVersion: 6.8.38
      serverType: dse
      storageConfig:
        cassandraDataVolumeClaimSpec:
          storageClassName: standard
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 5Gi
      config:
        jvmOptions:
          heapSize: 512M
      datacenters:
        - metadata:
            name: dc1
          size: 3
          resources:
            requests:
              memory: 1Gi

Apply this updated MissionControlCluster resource by running the following command:

kubectl apply -f test-cluster.missioncontrolcluster.yaml

Mission Control-provided root CA generation and self-signing

A certificate authority (CA) is a trusted entity that stores, signs, and issues Transport Layer Security (TLS) certificates.

  1. Create a MissionControlCluster resource, by copying the following manifest and saving it in a file named test-cluster.missioncontrolcluster.yaml:

    apiVersion: missioncontrol.datastax.com/v1beta1
    kind: MissionControlCluster
    metadata:
      name: test-cluster
      namespace: <namespace>
    spec:
      k8ssandra:
        cassandra:
          serverVersion: 6.8.38
          serverType: dse
          storageConfig:
            cassandraDataVolumeClaimSpec:
              storageClassName: standard
              accessModes:
                - ReadWriteOnce
              resources:
                requests:
                  storage: 5Gi
          config:
            jvmOptions:
              heapSize: 512M
          datacenters:
            - metadata:
                name: dc1
              size: 3
              resources:
                requests:
                  memory: 1Gi
  2. Now apply the newly-created MissionControlCluster resource by running the following command:

    kubectl apply -f test-cluster.missioncontrolcluster.yaml

    The generated root CA secret is created within a few seconds. Reveal the secret with this command:

    % kubectl get secrets -n mission-control |grep internode
    Sample results
    NAME                                                    TYPE                                  DATA   AGE
    mission-control-test-inode-selfsigned-ca-cert           kubernetes.io/tls                     3      12s
  3. Generated next are the cluster’s certificate secrets which are signed by the root CA. Reveal the certificate secrets with this command:

    % kubectl get secrets -n mission-control |grep inode
    Sample results
    NAME                                                    TYPE                                  DATA   AGE
    mission-control-test-inode-selfsigned-ca-cert           kubernetes.io/tls                     3      27s
    test-dc1-default-sts-0-inode-cert                       kubernetes.io/tls                     3      12s
    test-dc1-default-sts-0-inode-cert-keystore              Opaque                                2      12s
    test-dc1-default-sts-1-inode-cert                       kubernetes.io/tls                     3      11s
    test-dc1-default-sts-1-inode-cert-keystore              Opaque                                2      11s
    test-dc1-default-sts-2-inode-cert                       kubernetes.io/tls                     3      12s
    test-dc1-default-sts-2-inode-cert-keystore              Opaque                                2      12s
  4. The -keystore secrets are mounted appropriately in the Cassandra or DSE pods. The pods should then start within a few minutes. Run the following kubectl command to check the pods' status:

    % kubectl get pods
    Sample results
    NAME                   READY STATUS   RESTARTS AGE
    test-dc1-default-sts-0 2/2   Running  0        18m
    test-dc1-default-sts-1 2/2   Running  0        18m
    test-dc1-default-sts-2 2/2   Running  0        18m

Use an alternate issuer supported by Cert-Manager

Mission Control supports using any alternative issuer in turn supported by cert-manager. Cert-Manager is an API used by K8ssandra to manage Transport Layer Security (TLS). Starting with the v1.0.0-beta.1 release of Mission Control, the following issuers are supported:

To use one of these alternative issuers, create it using the standard https://cert-manager.io/docs/configuration/ [Cert-Manager API] and then reference it as follows in the MissionControlCluster spec.

  1. Save the specification in a file named cluster.MissionControlCluster.yaml:

    apiVersion: missioncontrol.datastax.com/v1beta1
    kind: MissionControlCluster
    metadata:
      name: cluster
      namespace: <namespace>
    spec:
      createIssuer: false
      encryption:
        internodeEncryption:
          certs:
            certTemplate:
              issuerRef:
                name: my-alternate-issuer
      k8ssandra:
        cassandra:
          serverVersion: 6.8.38
          serverType: dse
          storageConfig:
            cassandraDataVolumeClaimSpec:
              storageClassName: standard
              accessModes:
                - ReadWriteOnce
              resources:
                requests:
                  storage: 5Gi
          config:
            jvmOptions:
              heapSize: 512M
          datacenters:
            - metadata:
                name: dc1
              size: 3
              resources:
                requests:
                  memory: 1Gi
  2. Apply the newly-created cluster.MissionControlCluster.yaml file with this command:

    kubectl apply -f cluster.MissionControlCluster.yaml
  3. Within moments a set of secrets should be created with certificates (secrets ending with -cert) that are automatically generated and signed by the root CA. Reveal the secrets with this command (where inode is an alias for internode):

    % kubectl get secrets -n mission-control |grep inode
    Sample results
    test-dc1-default-sts-0-inode-cert                       kubernetes.io/tls                     3      11m
    test-dc1-default-sts-0-inode-cert-keystore              Opaque                                2      11m
    test-dc1-default-sts-1-inode-cert                       kubernetes.io/tls                     3      11m
    test-dc1-default-sts-1-inode-cert-keystore              Opaque                                2      11m
    test-dc1-default-sts-2-inode-cert                       kubernetes.io/tls                     3      11m
    test-dc1-default-sts-2-inode-cert-keystore              Opaque                                2      11m
  4. The -keystore secrets are mounted appropriately in the Cassandra or DSE pods. The pods should then start within a few minutes. Run the following kubectl command to check the pods' status:

    % kubectl get pods
    Sample results
    NAME                   READY STATUS   RESTARTS AGE
    test-dc1-default-sts-0 2/2   Running  0        18m
    test-dc1-default-sts-1 2/2   Running  0        18m
    test-dc1-default-sts-2 2/2   Running  0        18m

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com