K8SSAND-1841 ⁃ Stargate client-to-node encryption allows unencrypted connections #722
Comments
Stargate CQL uses a separate configuration file: provided with For reference, this was introduced in stargate/stargate#1992.
oooooh, I see.
Useful info from the discussions on #721:
What Stargate CQL needs is Note: reusing
It seems that when enabling client-to-node encryption in k8ssandra-operator, and despite the encryption settings being passed to Stargate, it is still possible to use cqlsh without any encryption settings to connect to the Stargate service. The Cassandra service refuses similar connection attempts in this case.
This can be easily reproduced with the encryption-with-Stargate manifest we use for e2e tests:
test/testdata/fixtures/single-dc-encryption-stargate/k8ssandra.yaml
It first requires installing the following manifests to get the encryption stores:
test/testdata/fixtures/server-encryption-secret.yaml
test/testdata/fixtures/client-encryption-secret.yaml
Then ssh into one of the Cassandra pods and try both:
cqlsh --username test-superuser --password <superuser password> test-dc1-service
and
cqlsh --username test-superuser --password <superuser password> test-dc1-stargate-service
The former will fail but the latter will succeed.
┆Issue is synchronized with this Jira Task by Unito
┆friendlyId: K8SSAND-1841
┆priority: Medium
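A check for the behaviour reported above, added here as an example and not taken from the issue or from the k8ssandra-operator code base: it sends a single unencrypted CQL native-protocol OPTIONS frame and reports whether the listener answered in clear text, which is the condition the cqlsh test exposes. The port 9042 and the use of protocol v4 framing are assumptions; the service names are the ones from the reproduction steps.

```python
import socket
import struct

# CQL native protocol v4 OPTIONS request: version, flags, stream id, opcode, body length.
OPTIONS_FRAME = struct.pack(">BBHBI", 0x04, 0x00, 0, 0x05, 0)
OPCODES = {0x00: "ERROR", 0x06: "SUPPORTED"}


def classify_reply(data: bytes) -> str:
    """Interpret the first bytes a server sends back to a plaintext OPTIONS frame."""
    if not data:
        return "rejected: connection closed without a reply"
    if data[0] == 0x15:  # TLS alert record: the listener expected a TLS handshake
        return "rejected: TLS alert"
    if len(data) >= 9 and data[0] & 0x80:  # response bit set: a CQL frame in clear text
        opcode = data[4]
        return "accepted: plaintext CQL " + OPCODES.get(opcode, hex(opcode))
    return "unknown: unrecognised reply"


def probe_plaintext_cql(host: str, port: int = 9042, timeout: float = 5.0) -> str:
    """Send one unencrypted OPTIONS frame and classify the answer (port is an assumption)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(OPTIONS_FRAME)
            return classify_reply(sock.recv(64))
    except OSError as exc:  # reset, timeout, refused or unresolved name
        return f"rejected: {type(exc).__name__}"


if __name__ == "__main__":
    # Service names are the ones used in the reproduction steps above.
    for service in ("test-dc1-service", "test-dc1-stargate-service"):
        print(service, "->", probe_plaintext_cql(service))
```

Any "accepted" result on a service that is supposed to enforce client-to-node encryption reproduces the report; an ERROR frame still counts, because the server parsed and answered an unencrypted request.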