Support user configs, user secrets and separate environments for cassandra and sidecar

deploy/crds/cassandraoperator_v1alpha1_cassandradatacenter_crd.yaml

@@ -27,8 +27,12 @@ spec:
           type: object
         spec:
           properties:
-            backupSecretVolume:
+            backupSecretVolumeSource:
               type: object
+            cassandraEnv:
+              items:
+                type: object
+              type: array
             cassandraImage:
               type: string
             cluster:
@@ -37,10 +41,6 @@ spec:
               type: string
             dataVolumeClaimSpec:
               type: object
-            env:
-              items:
-                type: object
-              type: array
             imagePullPolicy:
               type: string
             imagePullSecrets:
@@ -56,11 +56,15 @@ spec:
               type: boolean
             resources:
               type: object
+            sidecarEnv:
+              items:
+                type: object
+              type: array
             sidecarImage:
               type: string
             userConfigMapVolumeSource:
               type: object
-            userSecretVolume:
+            userSecretVolumeSource:
               type: object
           required:
           - nodes

doc/backup_restore.md

@@ -22,7 +22,7 @@ You can inspect the secret created via `kubectl describe secrets/awsbackuptest`
 Create a `CassandraDataCenter` CRD that injects the secret as environment variables that matches the AWS client libraries expected env variables:
 
 ```yaml
-  env:
+  sidecarEnv:
     - name: AWS_ACCESS_KEY_ID
       valueFrom:
         secretKeyRef:
@@ -65,7 +65,7 @@ spec:
     resources:
       requests:
         storage: 100Mi
-  env:
+  sidecarEnv:
     - name: AWS_ACCESS_KEY_ID
       valueFrom:
         secretKeyRef:
@@ -85,6 +85,9 @@ spec:
 To create a cluster using this yaml file use `kubectl apply -f myBackupCluster.yaml`
 
 ## Configuring GCP Object Storage via environment variables
+The backup credentials will be added to the sidecar container at the `/tmp/backup-creds` location. 
+Use this location to set GOOGLE_APPLICATION_CREDENTIALS environment variable to the key json file stored in the secret.
+
 First create a secret in kubernetes to hold a Google service account token/file (assuming they are stored in files named access and secret respectively).
 
 `kubectl create secret generic gcp-auth-reference --from-file=my_service_key.json`
@@ -118,14 +121,14 @@ spec:
     resources:
       requests:
         storage: 100Mi
-  userSecretSource:
+  backupSecretVolumeSource:
     name: gcp-auth-reference
     items:
       - key: my_service_key.json
         path:  my_service_key.json
-  env:
+  sidecarEnv:
     - name: GOOGLE_APPLICATION_CREDENTIALS
-      value: "/tmp/user-secret/my_service_key.json"
+      value: "/tmp/backup-creds/my_service_key.json"
     - name: GOOGLE_CLOUD_PROJECT
       value: "cassandra-operator"
     - name: BUCKET_NAME

doc/tls-encryption.md

@@ -0,0 +1,120 @@
+### SSL encryption
+
+This is an example for running cassandra with ssl encryption using the operator.
+Assuming you already have [generated keys](https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLCertWithCA.html)  :
+* keystore.jks
+* trustore.jks
+* cacert.pem (containing the root certificate)
+
+Create a secret with those files :
+```bash
+kubectl create secret generic dc1-user-secret \
+  --from-file=keystore.jks \
+  --from-file=truststore.jks \
+  --from-file=cacert.pem
+```
+
+Create a config map with 2 entries:
+* a cassandra yaml fragment for configuring node-to-node and client-to-node encryption
+* `cqlshrc` to make cqlsh work with ssl
+
+For instance :
+```bash
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dc1-user-config
+data:
+  cassandra_ssl: |
+    server_encryption_options:
+        internode_encryption: all
+        keystore: /tmp/user-secret-config/keystore.jks
+        # keystore_password: myKeyPass
+        truststore: /tmp/user-secret-config/truststore.jks
+        #truststore_password: truststorePass
+        # More advanced defaults below:
+        protocol: TLSv1.2
+        algorithm: SunX509
+        store_type: JKS
+        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
+        require_client_auth: true
+    client_encryption_options:
+        enabled: true
+        keystore: /tmp/user-secret-config/keystore.jks  ## Path to your .keystore file
+        # keystore_password: keystore password  ## Password that you used to generate the keystore
+        truststore: /tmp/user-secret-config/truststore.jks  ## Path to your .truststore
+        #truststore_password: truststore password  ## Password that you used to generate the truststore
+        protocol: TLSv1.2
+        store_type: JKS
+        algorithm: SunX509
+        require_client_auth: false
+        cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
+  cqlshrc: |
+    [connection]
+    factory = cqlshlib.ssl.ssl_transport_factory
+    ssl = true
+
+    [ssl]
+    certfile = /tmp/user-secret-config/cacert.pem
+    validate = true
+
+    [authentication]
+    # username = cassandra // use the one provided during certificate generation
+    # password = cassandra // use the one provided during certificate generation
+EOF
+```
+
+## Deploying the cluster with TLS
+The credentials will be added to the cassandra container at the `/tmp/user-secret-config` location, so we use that in the
+`cqlshrc` configuration in the configMap example above.
+The yaml fragment and the cqlshrc are going to be added to the `/etc/cassandra/` inside the container.
+
+We also use an environment variable **CQLSHRC** to let operator move the `cqlshrc` file
+to the default folder where cqlsh will expect to find it (~/.cassandra)
+
+Create a `CassandraDataCenter` CRD that injects the secret, configuration and the environment variable
+into the cassandra container:
+
+```yaml
+apiVersion: stable.instaclustr.com/v1
+kind: CassandraDataCenter
+metadata:
+  name: foo-cassandra
+  labels:
+    app: cassandra
+    chart: cassandra-0.1.0
+    release: foo
+spec:
+  replicas: 3
+  cassandraImage: "gcr.io/cassandra-operator/cassandra:latest"
+  sidecarImage: "gcr.io/cassandra-operator/cassandra-sidecar:latest"
+  imagePullPolicy: IfNotPresent
+  resources:
+    limits:
+      memory: 512Mi
+    requests:
+      memory: 512Mi
+  dataVolumeClaim:
+    accessModes:
+    - ReadWriteOnce
+    resources:
+      requests:
+        storage: 100Mi
+  userSecretVolumeSource:
+    secretName: dc1-user-secret
+  userConfigMapVolumeSource:
+    name: dc1-user-config
+    #     type is a workaround for https://github.com/kubernetes/kubernetes/issues/68466
+    type: array
+    items:
+      - key: cassandra_ssl
+        path: cassandra.yaml.d/003-ssl.yaml
+      - key: cqlshrc
+        path: cqlshrc
+  cassandraEnv:
+    - name: CQLSHRC
+      value: "/etc/cassandra/cqlshrc"
+  prometheusEnabled: false
+```
+

docker/cassandra/entry-point

@@ -12,4 +12,12 @@ do
 done
 )
 
+# Copy over cqlshrc to a default location if defined as ENV
+if [[ ! -z "${CQLSHRC}" ]]; then
+    if [[ ! -e ~/.cassandra ]]; then
+        mkdir ~/.cassandra
+    fi
+    mv ${CQLSHRC} ~/.cassandra/
+fi
+
 exec /usr/sbin/cassandra

examples/go/example-datacenter.yaml

@@ -12,17 +12,20 @@ spec:
   imagePullPolicy: IfNotPresent
   imagePullSecrets:
     - name: regcred
-  backupSecretVolume:
-    secretName: backup-secret
+  backupSecretVolumeSource:
+    secretName: gcp-auth-reference
     #     type is a workaround for https://github.com/kubernetes/kubernetes/issues/68466
     type: array
     items:
-      - key: creds.json
-        path: creds.json
-  env:
+      - key: my-service-key.json
+        path: my-service-key.json
+  sidecarEnv:
     - name: GOOGLE_APPLICATION_CREDENTIALS
-      value: "/etc/google/creds.json"
-  userSecretVolume:
+      value: "/tmp/backup-creds/my-service-key.json"
+  cassandraEnv:
+    - name: CQLSHRC
+      value: "/etc/cassandra/cqlshrc"
+  userSecretVolumeSource:
     secretName: dc1-user-secret
   userConfigMapVolumeSource:
     name: dc1-user-config
@@ -33,8 +36,6 @@ spec:
         path: cassandra.yaml.d/003-ssl.yaml
       - key: cqlshrc
         path: cqlshrc
-      - key: install_cqlshrc
-        path: cassandra-env.sh.d/003-install-cqlshrc.sh
   resources:
     limits:
       memory: 1Gi

pkg/apis/cassandraoperator/v1alpha1/cassandradatacenter.go

@@ -16,14 +16,15 @@ type CassandraDataCenterSpec struct {
 	SidecarImage              string                       `json:"sidecarImage"`
 	ImagePullPolicy           v1.PullPolicy                `json:"imagePullPolicy"`
 	ImagePullSecrets          []v1.LocalObjectReference    `json:"imagePullSecrets,omitempty"`
-	BackupSecretVolume        v1.SecretVolumeSource        `json:"backupSecretVolume,omitempty"`
-	UserSecretVolume          v1.SecretVolumeSource        `json:"userSecretVolume,omitempty"`
-	UserConfigMapVolumeSource v1.ConfigMapVolumeSource     `json:"userConfigMapVolumeSource,omitempty"`
+	BackupSecretVolumeSource  *v1.SecretVolumeSource       `json:"backupSecretVolumeSource,omitempty"`
+	UserSecretVolumeSource    *v1.SecretVolumeSource       `json:"userSecretVolumeSource,omitempty"`
+	UserConfigMapVolumeSource *v1.ConfigMapVolumeSource    `json:"userConfigMapVolumeSource,omitempty"`
 	Resources                 v1.ResourceRequirements      `json:"resources"`
 	DataVolumeClaimSpec       v1.PersistentVolumeClaimSpec `json:"dataVolumeClaimSpec"`
 	PrivilegedSupported       bool                         `json:"privilegedSupported,omitempty"`
 	PrometheusSupport         bool                         `json:"prometheusSupport"`
-	Env                       []v1.EnvVar                  `json:"env,omitempty"`
+	SidecarEnv                []v1.EnvVar                  `json:"sidecarEnv,omitempty"`
+	CassandraEnv              []v1.EnvVar                  `json:"cassandraEnv,omitempty"`
 }
 
 // CassandraDataCenterStatus defines the observed state of CassandraDataCenter