How can I configure internode encryption (i.e., TLS) for Cassandra in K8ssandra?
There is a chart property, `cassandraYamlConfigMap`, with which you can specify a ConfigMap that contains your custom `cassandra.yaml`. The properties that you supply will be merged with those generated by k8ssandra, with yours taking precedence.
Note that your `cassandra.yaml` does not need to be a complete config file. It is sufficient to specify only the properties you are interested in since it will get merged with the base configuration file generated by K8ssandra.
There are some additional properties required for internode and client encryption because you need to specify the keystore and truststore secrets so that volume mounts can be created. Note that you need to create the keystore and truststore secrets in advance.
See the inline docs for the new chart properties here.
Here is an example chart properties file that demonstrates the new properties:
```yaml
cassandra:
  version: 4.0.1
  cassandraYamlConfigMap: cassandra-config
  encryption:
    keystoreSecret: keystore
    keystoreMountPath: /mnt/keystore
    truststoreSecret: truststore
    truststoreMountPath: /mnt/truststore
  heap:
    size: 512M
  datacenters:
  - name: dc1
    size: 1
```
There are a couple of things to note about the chart properties. First, `keystoreSecret` and `truststoreSecret` refer to secrets that should live in the same namespace in which k8ssandra is installed. The user should create those secrets before installing (or upgrading) k8ssandra.
`keystoreMountPath` and `truststoreMountPath` specify where those secrets should be mounted in the Cassandra pods. These properties must be specified and must match what is specified in
Here is an example of a ConfigMap that contains my custom cassandra.yaml:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cassandra-config
data:
  cassandra.yaml: |-
    server_encryption_options:
      internode_encryption: all
      keystore: /mnt/keystore/keystore.jks
      keystore_password: cassandra
      truststore: /mnt/truststore/truststore.jks
      truststore_password: cassandra
```
K8ssandra uses Cass Operator to manage Cassandra. With that in mind I recommend the following for further reading:
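Added example, not part of the original answer and not K8ssandra code: a pre-install check that the chart's encryption properties, the custom `cassandra.yaml`, and the pre-created secrets line up. The function name, the already-parsed dict inputs, and the assumption that each secret is mounted whole (so every data key appears as a file directly under the mount path) are hypothetical.

```python
from pathlib import PurePosixPath


def check_encryption_config(values, cassandra_yaml, secret_keys):
    """Return a list of problems; an empty list means the inputs are consistent.

    values         -- parsed chart properties file
    cassandra_yaml -- parsed custom cassandra.yaml from the ConfigMap
    secret_keys    -- {secret name: [data keys]} for secrets that already exist
    """
    problems = []
    enc = values.get("cassandra", {}).get("encryption", {})
    opts = cassandra_yaml.get("server_encryption_options", {})
    if opts.get("internode_encryption", "none") == "none":
        problems.append("internode_encryption is unset or 'none'")
    for kind in ("keystore", "truststore"):
        secret = enc.get(f"{kind}Secret")
        mount = enc.get(f"{kind}MountPath")
        path = opts.get(kind)
        if not (secret and mount and path):
            problems.append(f"{kind}: secret, mount path and file path must all be set")
            continue
        file_path = PurePosixPath(path)
        # Assumption: the secret is mounted whole, one file per data key.
        if file_path.parent != PurePosixPath(mount):
            problems.append(f"{kind}: {path} is not directly under {mount}")
        if secret not in secret_keys:
            problems.append(f"{kind}: secret '{secret}' does not exist yet")
        elif file_path.name not in secret_keys[secret]:
            problems.append(f"{kind}: secret '{secret}' has no key '{file_path.name}'")
    return problems


# Constructed inputs mirroring the chart properties and ConfigMap shown above.
VALUES = {"cassandra": {"encryption": {
    "keystoreSecret": "keystore", "keystoreMountPath": "/mnt/keystore",
    "truststoreSecret": "truststore", "truststoreMountPath": "/mnt/truststore"}}}
CASSANDRA_YAML = {"server_encryption_options": {
    "internode_encryption": "all",
    "keystore": "/mnt/keystore/keystore.jks",
    "truststore": "/mnt/truststore/truststore.jks"}}
# Constructed: data keys of the two secrets created before installing.
SECRET_KEYS = {"keystore": ["keystore.jks"], "truststore": ["truststore.jks"]}

if __name__ == "__main__":
    for line in check_encryption_config(VALUES, CASSANDRA_YAML, SECRET_KEYS) or ["ok"]:
        print(line)
```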