This directory contains all Kubernetes resources required to run an Apache Cassandra cluster on OpenShift 4 with cass-operator. It optionally provides TLS encryption for client connections and inter-node communication, with certificates managed by cert-manager.
- OpenShift 4 cluster
- A storage class named gp2 with volumeBindingMode: WaitForFirstConsumer
- oc CLI configured to communicate with the cluster
- make

make setup
make deploy-cassandra-base
This will create a single DC, 3-node Cassandra cluster with 3 racks. Verify the cluster is up and healthy:
oc get pods
NAME READY STATUS RESTARTS AGE
demo-cluster-dc1-rack1-sts-0 2/2 Running 0 7m12s
demo-cluster-dc1-rack2-sts-0 2/2 Running 0 7m12s
demo-cluster-dc1-rack3-sts-0 2/2 Running 0 7m12s
oc get cassdc dc1
...
Status:
Cassandra Operator Progress: Ready
Create the TLS infrastructure (issuers / CA certificate) with cert-manager:
# Create the TLS infrastructure
make setup-issuers
First, we must request a signed certificate from the issuer:
# Request a TLS certificate for use with this DC
make create-cluster-certificate
Then we perform the following steps to deploy the certificate and enable TLS. Note that we must deploy the certificate and keystore before enabling TLS; this is handled within the tls-disabled version of the CassandraDatacenter spec. The following tls-optional version enables TLS but doesn't require its usage. This allows for transitioning the cluster from unencrypted to encrypted communication. Finally, we perform one more rolling restart on the cluster, requiring TLS for all communication.
# Perform each step only after the rolling restart of the cluster is complete
make deploy-cassandra-tls-disabled
make deploy-cassandra-tls-optional
make deploy-cassandra-tls-enforced
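One way to enforce the "only after the rolling restart is complete" rule instead of watching by hand. This is an added example, not part of this repository; it assumes the installed cass-operator reports `.status.observedGeneration` and `.status.cassandraOperatorProgress` on the CassandraDatacenter, and the function and variable names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the repository. Assumes cass-operator reports
# .status.observedGeneration and .status.cassandraOperatorProgress.
DC="${DC:-dc1}"                          # datacenter name used on this page
POLL_SECONDS="${POLL_SECONDS:-15}"
TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-1800}"

# Print "<generation> <observedGeneration> <progress>" for the datacenter.
dc_state() {
  oc get cassdc "$DC" -o \
    jsonpath='{.metadata.generation} {.status.observedGeneration} {.status.cassandraOperatorProgress}'
}

# Return 0 once the operator has reconciled the current spec and is Ready.
# A stale "Ready" from before the spec change is rejected because the
# observed generation still lags the spec generation.
wait_for_ready() {
  waited=0
  while [ "$waited" -lt "$TIMEOUT_SECONDS" ]; do
    set -- $(dc_state)                   # failed or partial reads leave fields empty
    if [ -n "${1:-}" ] && [ "${1:-}" = "${2:-}" ] && [ "${3:-}" = "Ready" ]; then
      return 0
    fi
    sleep "$POLL_SECONDS"
    waited=$((waited + POLL_SECONDS))
  done
  echo "timed out waiting for $DC to finish its rolling restart" >&2
  return 1
}

# Apply the three CassandraDatacenter variants in order; stop at the first failure.
rollout_tls() {
  for target in deploy-cassandra-tls-disabled \
                deploy-cassandra-tls-optional \
                deploy-cassandra-tls-enforced; do
    make "$target" || return 1
    wait_for_ready || return 1
  done
}

# Execute only when called with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then rollout_tls; fi
```

If the status fields are missing or `oc` fails, the gate never reports ready and the rollout stops at the timeout rather than advancing to the next TLS mode.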
While this demo uses cert-manager to manage the certificate process, it is not required. You may optionally create a Kubernetes Secret which contains a keystore and truststore.