Datastax Cassandra internode security kubernetes

1/28/2017

I have a Cassandra cluster on Kubernetes deployed as StatefulSets. I was looking to implement internode security between pods. I am not sure how to implement it, as I am looking to scale and I don't want to restart the cluster with new certificates after scaling. I have a Docker entry script for tweaking the cassandra.yaml on container start in pods.

Can anyone please suggest what would be the best approach in such a case?

-- Avik Das
Tags: cassandra, datastax, kubernetes, ssl-certificate

1 Answer

1/30/2017

DataStax engineer here, I helped design the node-to-node certificate management feature in OpsCenter Lifecycle Manager. There's no fundamental requirement to restart all nodes after adding a new node/certificate, but it's easy to design your certificate management such that you accidentally end up with that requirement.

You must be creating a self-signed certificate for each node, adding each of those certificates to a truststore, and copying that truststore to every node. When you add a new node/cert, you must be adding a new cert to that truststore and re-copying it to every node, which then necessitates a Cassandra restart. That's how the DataStax documentation suggests doing things, and it is the easiest way to get started, but it's not the most scalable way to move into production.

Instead what you want to do is create a Certificate Authority. It doesn't have to be a publicly trusted CA like Verisign, it can be a private one created with the openssl command-line tool. Add the CA public-cert to the truststore and copy that to every node. At this point, you can create certificates for each node that are signed by that CA. Since every node already trusts the CA, you can add new nodes/certs at any time provided their node-to-node certs are signed by that CA (so hold onto the private and public parts of the CA), and each node will trust the signed cert.

Sadly, this is pretty confusing to implement if you don't have a sufficient background with certificates in general and openssl (or another cert generation tool) specifically. It would take a lot more typing to explain it step by step. But you can google tutorials on setting up a CA pretty easily, and you already know how to do the JKS stuff to create the truststore... so you're at least a good chunk of the way there.

Also... I work on various deployment-related stuff for DataStax. If you were interested I'd love to chat for half an hour about how you've done your Kubernetes setup, what worked well for you and what causes pain. Does Stack Overflow have a direct-messaging feature? If I can figure out how, I'll shoot you my contact info.

-- Mike Lococo
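The CA-based layout the answer describes, as an added example that is not code from the original answer, from DataStax or from OpsCenter. It uses only the openssl command-line tool: the CA is created once, the truststore distributed to every pod contains nothing but the CA certificate, and each pod (for instance from the container entry script the question mentions) gets its own CA-signed key and certificate at start. A self-signed certificate is generated alongside to show why the old per-node approach forces a truststore update on every scale-out. The scratch directory, the subject names, the `cassandra-N` hostnames, the placeholder store password and the use of `store_type: PKCS12` are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original answer or from DataStax.
# A private CA signs one certificate per Cassandra pod; the truststore shipped
# to every pod holds only the CA certificate, so certificates for pods that
# join later verify without changing (or redistributing) the truststore.
# Assumptions: a scratch WORKDIR, the subject names below, a placeholder
# store password, and pod hostnames of the form cassandra-N.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_DIR="$WORKDIR/ca"
NODES_DIR="$WORKDIR/nodes"
STOREPASS="${STOREPASS:-changeit}"   # placeholder; inject the real value from a Kubernetes Secret

# Step 1 (once): create the CA. ca.key stays with whoever issues node certs
# (never inside a pod); ca.crt is the only thing every node needs to trust.
make_ca() {
    mkdir -p "$CA_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=cassandra-internode-ca" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Step 2 (once): JKS truststore holding only the CA certificate. keytool comes
# with the JDK, so this step is skipped when no JDK is on the PATH.
make_truststore() {
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -alias cassandra-ca \
            -file "$CA_DIR/ca.crt" -keystore "$CA_DIR/truststore.jks" \
            -storepass "$STOREPASS"
    fi
}

# Step 3 (per pod, e.g. from the container entry script): key + CSR, signed by
# the CA. Neither the CA nor the truststore changes when a pod is added.
make_node_cert() {
    node="$1"
    dir="$NODES_DIR/$node"
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$node" \
        -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/node.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -out "$dir/node.crt" 2>/dev/null
    # Keystore for this pod (server_encryption_options: keystore + store_type PKCS12;
    # convert with keytool -importkeystore if your Cassandra version wants JKS).
    openssl pkcs12 -export -name "$node" -inkey "$dir/node.key" -in "$dir/node.crt" \
        -certfile "$CA_DIR/ca.crt" -out "$dir/keystore.p12" -passout "pass:$STOREPASS"
}

# The per-node self-signed approach, kept only to show why it forces a
# truststore update (and a rolling restart) on every scale-out.
make_selfsigned_cert() {
    node="$1"
    dir="$NODES_DIR/$node"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$node" \
        -keyout "$dir/node.key" -out "$dir/node.crt" 2>/dev/null
}

# What a peer effectively does during the TLS handshake: check that the
# presented certificate chains to something in its truststore (here ca.crt).
verify_node_cert() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$NODES_DIR/$1/node.crt"
}

run_demo() {
    make_ca
    make_truststore
    make_node_cert cassandra-0
    make_node_cert cassandra-1          # "scaled out" later; CA and truststore untouched
    verify_node_cert cassandra-0
    verify_node_cert cassandra-1
    make_selfsigned_cert rogue
    if verify_node_cert rogue 2>/dev/null; then
        echo "self-signed cert unexpectedly trusted" >&2
        return 1
    fi
    echo "self-signed cert rejected: every peer would need it added to its truststore"
    echo "artifacts in $WORKDIR"
}

# Run the demo when executed directly; set RUN_DEMO=0 to only load the functions.
if [ "${RUN_DEMO:-1}" = 1 ]; then
    run_demo
fi
```

Each pod's `server_encryption_options` then points `keystore` at its own `keystore.p12` and `truststore` at the shared CA-only truststore, with `internode_encryption: all`. Keep the CA private key out of the pods entirely: signing can happen in an init container or a small issuing service that holds the key as a Secret, and the CA certificate alone is what every node ever needs. If you also enable endpoint verification, the per-node certificates need subject alternative names matching the pods' StatefulSet DNS names, which this example omits.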
Source: StackOverflow