Bug 1405891

Summary: [RFE] Reusing vdsm certs for Gluster infra
Product: [oVirt] ovirt-engine Reporter: SATHEESARAN <sasundar>
Component: BLL.Infra Assignee: bugs <bugs>
Status: CLOSED DEFERRED QA Contact: SATHEESARAN <sasundar>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.1.0 CC: bugs, sabose, stirabos
Target Milestone: --- Keywords: FutureFeature
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-23 07:16:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Gluster RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description SATHEESARAN 2016-12-19 05:04:13 UTC
Description of problem:
-----------------------
Gluster supports SSL/TLS encryption on the management path as well as the data path, when enabled on the volume and management daemon.

The key, cert and CA files required for Gluster SSL/TLS to work are
/etc/glusterfs.key, /etc/glusterfs.pem, /etc/glusterfs.ca respectively.

In the case of the Grafton project (hyperconverged RHV & RHGS), Gluster could make use of vdsm certs which are generated already. This RFE is to find a detailed process for Gluster to reuse vdsm certs for SSL/TLS encryption.

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
RHV 4.1

How reproducible:
-----------------
Not Applicable for RFE

Steps to Reproduce:
-------------------
Not Applicable for RFE

Actual results:
---------------
Gluster needs to generate separate certs for SSL/TLS encryption

Expected results:
-----------------
There should be a flexible way for Gluster to reuse vdsm certs.

Additional info:

Comment 1 SATHEESARAN 2016-12-19 05:10:51 UTC
This issue may sound like there is a straightforward solution to use vdsm certs. The problem is that the correct certs are generated and pushed from the engine to the node only after the node is added to the engine.

In the case of hyperconvergence, we make use of the self-hosted engine, which again resides on the gluster volume. In this case, the gluster cluster and gluster volumes are created well before hosted-engine deployment. The question here is how to make use of vdsm certs, which would get created after adding the host to the engine.

So, we should find a way or process to make use of vdsm certs for Gluster cluster creation and gluster volume creation. Hence this RFE.

A caveat to note here is that the gluster cluster and gluster volume need to be reinitialized (restarted) after enabling SSL/TLS encryption on the management and data paths.

Comment 6 Sahina Bose 2019-04-23 07:16:02 UTC
Not a priority based on the customer use cases encountered so far. Closing this for now.