Tags: kubernetes, cassandra, k8ssandra

Configuring internode encryption (TLS) in K8ssandra


How can I configure internode encryption (i.e., TLS) for Cassandra in K8ssandra?


Solution

  • K8ssandra 1.4.0 included some changes that should make it possible to configure TLS. For reference, this is the ticket and this is the corresponding PR.

    There is a chart property, cassandraYamlConfigMap, with which you can specify a ConfigMap that contains your custom cassandra.yaml. The properties that you supply will be merged with those generated by K8ssandra, with yours taking precedence.

    Note that your cassandra.yaml does not need to be a complete config file. It is sufficient to specify only the properties you are interested in, since it will get merged with the base configuration file generated by K8ssandra.

    There are some additional properties required for internode and client encryption because you need to specify the keystore and truststore secrets so that volume mounts can be created. Note that you need to create the keystore and truststore secrets in advance.

    See the inline docs for the new chart properties here.

    Here is an example chart properties file that demonstrates the new properties:

    cassandra:
      version: 4.0.1
      cassandraYamlConfigMap: cassandra-config
      encryption:
        keystoreSecret: keystore
        keystoreMountPath: /mnt/keystore
        truststoreSecret: truststore
        truststoreMountPath: /mnt/truststore
      heap:
        size: 512M
      datacenters:
      - name: dc1
        size: 1
    

    There are a couple of things to note about the chart properties. First, keystoreSecret and truststoreSecret refer to secrets that should live in the same namespace in which K8ssandra is installed. The user should create those secrets before installing (or upgrading) K8ssandra.

    Secondly, keystoreMountPath and truststoreMountPath specify where those secrets should be mounted in the Cassandra pods. These properties must be specified and must match what is specified in cassandra.yaml.

    Here is an example of a ConfigMap that contains my custom cassandra.yaml:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cassandra-config
    data:
      cassandra.yaml: |-
        server_encryption_options:
          internode_encryption: all
          keystore: /mnt/keystore/keystore.jks
          keystore_password: cassandra
          truststore: /mnt/truststore/truststore.jks
          truststore_password: cassandra
    
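    The chart values and the ConfigMap above have to agree on one thing that nothing checks for you: the keystore and truststore paths inside cassandra.yaml must sit under the keystoreMountPath and truststoreMountPath you gave the chart, and the secret's data key becomes the file name under that mount. As an added example (not part of the original answer and not K8ssandra project code), the POSIX shell script below creates the two secrets with kubectl and runs a text-level preflight check that the paths in both files line up before you run helm install or upgrade. The secret names, the local keystore.jks and truststore.jks files, the namespace argument and the temporary file names are assumptions for illustration; the sample file contents are constructed copies of the answer's examples.

```shell
#!/bin/sh
# Added example, not K8ssandra project code. Secret names, file names and
# namespace are assumptions; the file layout mirrors the answer's examples.

# Print the scalar value of the first "key: value" line in a file. This is a
# text-level lookup, not a YAML parser, so it also works on a ConfigMap
# manifest whose cassandra.yaml is embedded as a block scalar.
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 only when the keystore/truststore paths in cassandra.yaml sit under
# the keystoreMountPath/truststoreMountPath given in the chart values; any
# mismatch means Cassandra will not find its stores at startup.
check_tls_paths() {
  values=$1
  configmap=$2
  ks_mount=$(yaml_value "$values" keystoreMountPath)
  ts_mount=$(yaml_value "$values" truststoreMountPath)
  ks_path=$(yaml_value "$configmap" keystore)
  ts_path=$(yaml_value "$configmap" truststore)
  if [ -z "$ks_mount" ] || [ -z "$ts_mount" ]; then
    echo "error: keystoreMountPath/truststoreMountPath missing in $values" >&2
    return 1
  fi
  case "$ks_path" in
    "$ks_mount"/*) ;;
    *) echo "error: keystore '$ks_path' is not under '$ks_mount'" >&2; return 1 ;;
  esac
  case "$ts_path" in
    "$ts_mount"/*) ;;
    *) echo "error: truststore '$ts_path' is not under '$ts_mount'" >&2; return 1 ;;
  esac
  return 0
}

# Create the secrets the chart references (assumed: keystore.jks and
# truststore.jks exist in the current directory). The secret data key becomes
# the file name under the mount path, so it must match the path in
# cassandra.yaml (/mnt/keystore/keystore.jks above). Not invoked below.
create_tls_secrets() {
  ns=$1
  kubectl -n "$ns" create secret generic keystore --from-file=keystore.jks=./keystore.jks
  kubectl -n "$ns" create secret generic truststore --from-file=truststore.jks=./truststore.jks
}

# Constructed sample inputs copied from the answer's examples.
work=$(mktemp -d)
cat > "$work/values.yaml" <<'EOF'
cassandra:
  encryption:
    keystoreSecret: keystore
    keystoreMountPath: /mnt/keystore
    truststoreSecret: truststore
    truststoreMountPath: /mnt/truststore
EOF
cat > "$work/configmap.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: cassandra-config
data:
  cassandra.yaml: |-
    server_encryption_options:
      internode_encryption: all
      keystore: /mnt/keystore/keystore.jks
      truststore: /mnt/truststore/truststore.jks
EOF

if check_tls_paths "$work/values.yaml" "$work/configmap.yaml"; then
  echo "mount paths and cassandra.yaml agree"
fi
```

    Run the check against your real values file and ConfigMap manifest before helm install or upgrade; the order that works is create the secrets, apply the ConfigMap, then install the chart, since the pods cannot start until the secret volumes exist.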

    K8ssandra uses Cass Operator to manage Cassandra. With that in mind I recommend the following for further reading: