Configure Cassandra

TLS communication between the Cassandra datastore and runtime plane clients that talk to Cassandra is enabled by default. To complete the TLS setup, you must add the following configuration properties to overrides.yaml:

  • TLS root CA, certificate, and key files
  • Authentication credentials to allow clients in the runtime plane to connect with Cassandra

Follow these steps to configure Cassandra:

  1. Open the overrides.yaml file for editing if it is not already open.
  2. (GKE only. If you are not on GKE, go to the next step.) If you set up your GKE cluster to have a Regional location (recommended for production), set the cassandra object's storage.gcepd.replicationType property to regional-pd. If you set up a Zonal location, the replicationType must be none.

    For example:

    ...
    cassandra:
      storage:
        type: gcepd
        capacity: 50Gi
        gcepd:
          ## Set replicationType to 'none' if using a Zonal GKE
          replicationType: regional-pd
    ...

    For more information, see GKE cluster requirements.

  3. Add values for the sslRootCAPath, sslCertPath, and sslKeyPath. The following table describes these properties:
    Property                  Value
    cassandra.sslRootCAPath   (Required) The path on your system to a TLS root certificate authority (CA) file.
                              For testing purposes only, you can use a self-signed certificate, as described in Create a self-signed certificate/key pair. If using a self-signed cert, you can use the path to the certificate file instead of a root CA file.
    cassandra.sslCertPath     (Required) The path on your system to a TLS certificate file.
                              For testing purposes only, you can use a self-signed certificate, as described in Create a self-signed certificate/key pair.
    cassandra.sslKeyPath      (Required) The path on your system to a TLS private key file.
                              For testing purposes only, you can use a self-signed certificate, as described in Create a self-signed certificate/key pair.

    For example:

    ...
    cassandra:
      storage:
        type: gcepd
        capacity: 50Gi
        gcepd:
          replicationType: regional-pd
      sslRootCAPath: path-to-file/cassandra-cert.pem
      sslCertPath: path-to-file/cassandra-keystore.pem
      sslKeyPath: path-to-file/cassandra-keystore.key
      auth:
        default:
          password: "password"
        admin:
          password: "password"
        ddl:
          password: "password"
        dml:
          password: "password"
    ...
  4. Internal Hybrid clients that connect to Cassandra must be authenticated. To provide this authentication, the Hybrid installation creates several database users that the clients use to connect to Cassandra. All you need to do is provide passwords for these users in the cassandra configuration, as explained below:
    User Type                          Configuration Property   Description
    Administrator                      cassandra.auth.admin     Used for any administrative activities performed on the Cassandra cluster.
    Default                            cassandra.auth.default   Cassandra creates a default user when authentication is enabled.
    DDL (Data Definition Language)     cassandra.auth.ddl       Used by MART for any of the data definition tasks like keyspace creation, update, and deletion.
    DML (Data Manipulation Language)   cassandra.auth.dml       Used by the client communication to read and write data to Cassandra (KMS, KVM, Cache, and Quota).

    For example:

    cassandra:
      storage:
        type: gcepd
        capacity: 50Gi
        gcepd:
          replicationType: regional-pd
      sslRootCAPath: path-to-file/cassandra-cert.pem
      sslCertPath: path-to-file/cassandra-keystore.pem
      sslKeyPath: path-to-file/cassandra-keystore.key
      auth:
        default:
          password: "abc123"
        admin:
          password: "abc234"
        ddl:
          password: "abc345"
        dml:
          password: "abc456"
    ...
  5. Save the overrides.yaml file.
  6. Go to the next step, Expose the MART endpoint.

Create a self-signed certificate/key pair

For testing purposes, you can use a self-signed certificate/key pair for the Cassandra configuration.

To generate a self-signed certificate pair for the Cassandra configuration:

  1. Create a directory to contain the key and certificate for the MP.
  2. Execute the following commands to generate the key and certificate:
    openssl genrsa -des3 -out server.pass.key 2048
    openssl rsa -in server.pass.key -out cassandra.key
    openssl req -nodes -new -key cassandra.key -out cassandra.csr
    openssl x509 -req -sha256 -days 365 -in cassandra.csr -signkey cassandra.key -out cassandra.crt
  3. In the overrides.yaml configuration, provide the paths to the following files:
    • cassandra.key
    • cassandra.crt
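
Before putting the file paths from step 3 (or the self-signed pair generated above) into overrides.yaml, the files can be checked with openssl. The following is an added example, not part of the original page or of Apigee hybrid; the function name check_cassandra_tls, its return codes, and the 30-day expiry margin are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Apigee code): pre-flight check for the three files named by
# cassandra.sslRootCAPath, sslCertPath and sslKeyPath in overrides.yaml.
# check_cassandra_tls and the 30-day expiry margin are assumptions of this example.

# Usage: check_cassandra_tls ROOT_CA CERT KEY   (returns 0 only if every check passes)
# Self-signed pair from this page: check_cassandra_tls cassandra.crt cassandra.crt cassandra.key
check_cassandra_tls() {
  ca=$1; cert=$2; key=$3

  # 1. Every path must point at a readable file.
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
  done

  # 2. The key must belong to the certificate: both must yield the same public key.
  #    '-passin pass:' makes a passphrase-protected key fail instead of prompting;
  #    the procedure on this page produces an unencrypted cassandra.key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot parse certificate: $cert" >&2; return 3; }
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
    { echo "cannot parse private key: $key" >&2; return 3; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "sslKeyPath does not match sslCertPath" >&2; return 4; }

  # 3. The certificate must stay valid for at least 30 more days.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
    { echo "certificate expires within 30 days" >&2; return 5; }

  # 4. The certificate must verify against the root CA file. With a self-signed
  #    test certificate, pass the certificate itself as ROOT_CA.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not verify against $ca" >&2; return 6; }

  # 5. The private key must not be accessible by group or others.
  case $(ls -lLd "$key") in
    -???------*) ;;
    *) echo "tighten permissions: chmod 600 $key" >&2; return 7 ;;
  esac
  return 0
}
```

A non-zero return code identifies the first failed check (2 unreadable file, 3 parse error, 4 key mismatch, 5 expiry, 6 chain, 7 key permissions).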
