This repository has been archived by the owner on Oct 20, 2022. It is now read-only.

Allow Istio to work with Cassandra and encrypt native connections #153

Merged: 4 commits, Dec 15, 2019


cscetbon
Contributor

This PR removes the Intranode and JMX ports from the Service so that they are not proxied by Istio. When Istio proxies internode ports, it prevents local connections, which are needed by the Gossip protocol.

HOST:PORT                                                           STATUS       SERVER      CLIENT           AUTHN POLICY                                 DESTINATION RULE
cassandra-e2e-exporter-jmx.cassandra-e2e.svc.cluster.local:9500     OK           STRICT      ISTIO_MUTUAL     /default                                     istio-system/default
cassandra-e2e.cassandra-e2e.svc.cluster.local:9042                  OK           STRICT      ISTIO_MUTUAL     /default                                     istio-system/default
cassandra-reaper.cassandra-e2e.svc.cluster.local:8080               OK           STRICT      ISTIO_MUTUAL     /default                                     istio-system/default

The proxy configuration that shows the TLS context can be found at https://pastebin.com/raw/jEmxXpwv
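
One way to check the table above mechanically, as an added example that is not part of the PR or the project's code: it parses the mTLS status rows quoted in the description and flags any endpoint that is not strict mutual TLS or that still lists an intranode or JMX port. The port numbers 7000, 7001 and 7199 are Cassandra's defaults and are an assumption here, as are the function names.

```python
import re

# Assumption: Cassandra's default intranode (7000, 7001) and JMX (7199) ports.
# The operator's real port numbers are not shown on this page.
UNPROXIED_PORTS = {7000, 7001, 7199}

# Status rows quoted in the PR description (column padding shortened).
SAMPLE = """\
HOST:PORT  STATUS  SERVER  CLIENT  AUTHN POLICY  DESTINATION RULE
cassandra-e2e-exporter-jmx.cassandra-e2e.svc.cluster.local:9500  OK  STRICT  ISTIO_MUTUAL  /default  istio-system/default
cassandra-e2e.cassandra-e2e.svc.cluster.local:9042  OK  STRICT  ISTIO_MUTUAL  /default  istio-system/default
cassandra-reaper.cassandra-e2e.svc.cluster.local:8080  OK  STRICT  ISTIO_MUTUAL  /default  istio-system/default
"""


def parse_mtls_table(text):
    """Parse the column-aligned table into dicts keyed by header name."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    # Columns are separated by two or more spaces; "AUTHN POLICY" has only one.
    headers = re.split(r"\s{2,}", lines[0])
    rows = []
    for line in lines[1:]:
        cells = re.split(r"\s{2,}", line)
        if len(cells) != len(headers):
            raise ValueError(f"unexpected column count in: {line!r}")
        rows.append(dict(zip(headers, cells)))
    return rows


def audit(rows, unproxied=UNPROXIED_PORTS):
    """Return one finding per check that a row fails."""
    findings = []
    for row in rows:
        endpoint = row["HOST:PORT"]
        port = int(endpoint.rpartition(":")[2])
        if port in unproxied:
            findings.append(f"{endpoint}: port should not be on the Service")
        if row["STATUS"] != "OK":
            findings.append(f"{endpoint}: status is {row['STATUS']}")
        if (row["SERVER"], row["CLIENT"]) != ("STRICT", "ISTIO_MUTUAL"):
            findings.append(f"{endpoint}: not strict mutual TLS")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mtls_table(SAMPLE)) or ["no findings"]:
        print(finding)
```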

@fdehay
Member

fdehay commented Dec 11, 2019

Question: if we remove the JMX port from the service, will we be able to:

  • have C* Reaper connect to the nodes?
  • have the operator contact the nodes for Jolokia commands?

@cscetbon
Contributor Author

cscetbon commented Dec 11, 2019

> Question: if we remove the JMX port from the service, will we be able to:
>
>   • have C* Reaper connect to the nodes?
>   • have the operator contact the nodes for Jolokia commands?

Ports on pods are still exposed to the outside world.

Contributor

@erdrix erdrix left a comment

Tested with the Istio mTLS default configuration (https://istio.io/docs/setup/install/helm/); works well.

@Orange-cscetbon Orange-cscetbon merged commit 84f47a4 into Orange-OpenSource:master Dec 15, 2019
cscetbon pushed a commit that referenced this pull request Aug 13, 2020
Allow Istio to work with Cassandra and encrypt native connections
@cscetbon cscetbon deleted the istio-mtls-native branch March 13, 2022 04:28