Tomáš Nožička
When the manager talks to ScyllaClusters over CQL, it should use TLS. We need to look into how the manager can handle this, as each ScyllaCluster has an independent clientCA.
Currently, the user has to create an additional ConfigMap to make the cluster secure. For security concerns, this should be the default. (There may need to be a transition period after...
Clusters in default configurations shall be secure by default. At this point we open a lot of insecure ports that we should not start by default and use the secure...
https://prow.scylla-operator.scylladb.com/view/gs/scylla-operator-prow/pr-logs/pull/scylladb_scylla-operator/1515/pull-scylla-operator-e2e-gke-parallel/1719428852968591360#1:test-build-log.txt%3A701
```
• [FAILED] [11.152 seconds]
ScyllaCluster should replace a node [It] using HostID based procedure when version of ScyllaDB is "docker.io/scylladb/scylla-enterprise:2023.1.0"
github.com/scylladb/scylla-operator/test/e2e/set/scyllacluster/scyllacluster_replace.go:201
Timeline >>
STEP: Creating a new namespace...
```
```[tasklist]
- [ ] https://github.com/scylladb/scylla-operator/issues/1526
- [ ] https://github.com/scylladb/scylla-operator/issues/1785
- [ ] https://github.com/scylladb/scylla-operator/issues/1786
- [ ] #1743
- [ ] https://github.com/scylladb/scylla-operator/issues/1605
- [ ] Add architectural overview
- [ ]...
```
The ScyllaDB JMX service opens a random port on `0.0.0.0` that is unsecured. We should disable that port by default. Also, a random port is bad and prevents us from validating open ports.
Currently, multiple services like:
- scylla
- node-exporter
- jmx
- sshd
- supervisord
- scylla-housekeeping
- operator sidecar
- rsyslog

This is in contrast to all guidelines or the...
The JMX service is deprecated in ScyllaDB and not used in any of the flows with the Operator either. It exposes 2 insecure ports: 7199 on 127.0.0.1 and a random port on...
We need to start all ScyllaClusters as secure. That requires enforcing authorization and removing the default, well-known password. This also requires introducing a new path on how to configure...
On Kubernetes, logs are meant to be collected at the platform level and every container should run just 1 binary per process. This wasn't used in any of our flows but...