scylla-operator
Support Encryption in Transit - Client to Node
Having deployed ScyllaDB manually for a few years, the new operator is amazing! Thanks for the time and investment.
While comparing current deployments with an operator-deployed cluster, this issue is the only inhibitor to maintaining our current security posture. Any general outlook on client to node encryption?
@osenbach Thanks for trying it out, we appreciate the feedback!
Client to Node encryption is not currently supported, although I think it can be set up manually - I haven't tried. Unfortunately we don't have any documentation about it. But if you're already experienced with setting up Scylla clusters manually, you may be able to do it right. For client to node encryption you will need to enable it in the Scylla configuration file and have a valid certificate and keyfile.
To enable client encryption, you can create a ConfigMap inside the same namespace, and specify its name in `ScyllaCluster.spec.datacenter.racks[*].scyllaConfig`. Content of this ConfigMap will be merged with the default scylla.yaml, so it is enough to just fill `client_encryption_options`:

```yaml
client_encryption_options:
  enabled: true
  certificate: /mnt/scylla-db.crt
  keyfile: /mnt/scylla-db.key
```
Certificate and keyfile have to be manually generated and then mounted to the Scylla Pod using `ScyllaCluster.spec.datacenter.racks[*].volumes` and `ScyllaCluster.spec.datacenter.racks[*].volumeMounts`.
Make sure to mount cert and key in Pod under the same path provided in ConfigMap.
Automation around it is something we plan to support, although I don't have an ETA.
This is perfect. I just started mucking around with a custom config via the ConfigMap, and my next step was to figure out how to get the certs onto each server. Thanks for the guidance, and I can now hopefully mirror my exact config.
This is beautifully implemented to allow customizations. I have a new 4.4.3 cluster up and running with the operator, in the same security posture as a semi-manual 3.x cluster.
values.cluster.yaml:

```yaml
developerMode: false
datacenter: us-south
racks:
- name: us-south-1
  members: 2
  storage:
    capacity: 5Gi
  resources:
    limits:
      cpu: 1
      memory: 4Gi
    requests:
      cpu: 1
      memory: 4Gi
  volumes:
  - name: scylla-certs
    secret:
      secretName: scylla-certs
      defaultMode: 0400
      items:
      - key: tls.crt
        path: scylla-im.cert.pem
      - key: tls.key
        path: scylla-im.key.pem
  - name: intermediate-ca
    secret:
      secretName: intermediate-ca
      defaultMode: 0400
      items:
      - key: tls.crt
        path: ca-chain.cert.pem
  volumeMounts:
  - name: scylla-certs
    mountPath: "/etc/scylla-certs"
    readOnly: true
  - name: intermediate-ca
    mountPath: "/etc/intermediate-ca"
    readOnly: true
```
scylla.yaml:

```yaml
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
client_encryption_options:
  enabled: true
  certificate: /etc/scylla-certs/scylla-im.cert.pem
  keyfile: /etc/scylla-certs/scylla-im.key.pem
internode_compression: dc
server_encryption_options:
  internode_encryption: all
  certificate: /etc/scylla-certs/scylla-im.cert.pem
  keyfile: /etc/scylla-certs/scylla-im.key.pem
  truststore: /etc/intermediate-ca/ca-chain.cert.pem
  require_client_auth: true
write_request_timeout_in_ms: 30000
```
Used https://jamielinux.com/docs/openssl-certificate-authority to create CAs and certs.

Created the secrets via:

```shell
kubectl -n scylla create secret tls scylla-certs --cert=intermediate/certs/scylla-im.cert.pem --key=intermediate/private/scylla-im.key.pem
kubectl -n scylla create secret tls intermediate-ca --cert=intermediate/certs/ca-chain.cert.pem --key=intermediate/private/intermediate.key.pem
```
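As an added example that is not part of this thread or of scylla-operator: the earlier reply's hint ("mount cert and key in Pod under the same path provided in ConfigMap") turned into a pre-deploy check that every TLS path in the scylla.yaml overlay is served by a read-only secret mount. The rack and overlay are constructed dicts mirroring the values above; `mounted_files` and `check_tls_paths` are hypothetical helpers.

```python
# Added example, not scylla-operator code: pre-deploy check that each TLS file
# named in the scylla.yaml overlay is provided by a secret volume mounted into
# the Pod at that exact path, read-only (dicts shaped like the rack spec above).
from posixpath import join as pjoin

TLS_KEYS = ("certificate", "keyfile", "truststore")
ENC_SECTIONS = ("client_encryption_options", "server_encryption_options")

def mounted_files(rack):
    """Map each Pod path a secret item lands at -> (volume name, readOnly)."""
    vols = {v["name"]: v for v in rack.get("volumes", [])}
    files = {}
    for m in rack.get("volumeMounts", []):
        secret = vols.get(m["name"], {}).get("secret")
        if not secret:  # only secret volumes carry key material in this setup
            continue
        for item in secret.get("items", []):
            files[pjoin(m["mountPath"], item["path"])] = (m["name"], m.get("readOnly", False))
    return files

def check_tls_paths(rack, scylla_cfg):
    """Return a list of problems; empty means the overlay and the mounts agree."""
    files, problems = mounted_files(rack), []
    for section in ENC_SECTIONS:
        opts = scylla_cfg.get(section, {})
        if not (opts.get("enabled") or opts.get("internode_encryption", "none") != "none"):
            continue  # encryption off for this section, its paths are irrelevant
        for key in TLS_KEYS:
            path = opts.get(key)
            if path is not None and path not in files:
                problems.append(f"{section}.{key}: {path} is not provided by any mounted secret item")
            elif path is not None and not files[path][1]:
                problems.append(f"{section}.{key}: volume {files[path][0]} is not mounted readOnly")
    return problems

# Constructed sample mirroring the rack above (TLS-relevant fields only).
RACK = {
    "volumes": [
        {"name": "scylla-certs", "secret": {"items": [{"key": "tls.crt", "path": "scylla-im.cert.pem"},
                                                      {"key": "tls.key", "path": "scylla-im.key.pem"}]}},
        {"name": "intermediate-ca", "secret": {"items": [{"key": "tls.crt", "path": "ca-chain.cert.pem"}]}}],
    "volumeMounts": [{"name": "scylla-certs", "mountPath": "/etc/scylla-certs", "readOnly": True},
                     {"name": "intermediate-ca", "mountPath": "/etc/intermediate-ca", "readOnly": True}]}
CERT, KEY = "/etc/scylla-certs/scylla-im.cert.pem", "/etc/scylla-certs/scylla-im.key.pem"
SCYLLA_CFG = {
    "client_encryption_options": {"enabled": True, "certificate": CERT, "keyfile": KEY},
    "server_encryption_options": {"internode_encryption": "all", "require_client_auth": True, "certificate": CERT,
                                  "keyfile": KEY, "truststore": "/etc/intermediate-ca/ca-chain.cert.pem"},
}
```

Running `check_tls_paths(RACK, SCYLLA_CFG)` returns an empty list for the configuration above; feeding it the `/mnt/...` paths from the first reply against these `/etc/...` mounts reports both files as unprovided, which is the mismatch that would otherwise only surface as a failed Scylla start.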