Bug 1417210

Summary: [Doc RFE] [HCI] Document how to configure encryption (during deployment)
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Anjana Suparna Sriram <asriram>
Component: Documentation
Assignee: Laura Bailey <lbailey>
Status: CLOSED CURRENTRELEASE
QA Contact: RamaKasturi <knarra>
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: knarra, lbailey, rhs-bugs, sankarshan, sasundar, storage-doc, storage-qa-internal
Target Milestone: ---
Keywords: FutureFeature
Last Closed: 2017-08-29 04:13:05 UTC
Type: Bug
Bug Blocks: 1277939    

Description Anjana Suparna Sriram 2017-01-27 14:35:27 UTC
Additional information: New documentation includes:

- Using gdeploy to configure SSL during installation
- Configuring SSL to use existing certificates
- Configuring SSL on an existing installation

Comment 8 SATHEESARAN 2017-03-16 02:32:43 UTC
Just gathering the comments from comment 6 (from Kasturi) so that it becomes easy to review.

<content>

To enable RHGS SSL/TLS encryption during the Gluster deployment using cockpit, make the following changes to the generated gdeploy configuration file by selecting the 'Edit' button on the 'Review' tab of the cockpit UI.

1. Edit the [volume1] section to have additional options

[volume1]
enable_ssl=yes
ssl_clients=<Gluster_Network_IP1>,<Gluster_Network_IP2>,<Gluster_Network_IP3>

2. Edit the [volume2] and [volume3] sections to have the additional options

[volume2]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"

[volume3]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"

</content>

@Kasturi, does the above content look good ?
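
An added example, not part of the thread or of gdeploy: a Python check a reviewer could run over the edited gdeploy configuration before deploying, reporting volume sections where the SSL options from comment 8 are missing, switched off, or still contain `<...>` placeholders. The sample configuration and its 192.0.2.x addresses are constructed, and treating `enable_ssl=yes` with a non-empty `ssl_clients` as sufficient for a section is an assumption based on the [volume1] form shown above.

```python
import configparser
import re
# Constructed sample: [volume1]/[volume2] follow comment 8; [volume3] is deliberately wrong.
SAMPLE = """\
[volume1]
enable_ssl=yes
ssl_clients=192.0.2.11,192.0.2.12,192.0.2.13

[volume2]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,"192.0.2.11;192.0.2.12;192.0.2.13"

[volume3]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,off,"192.0.2.11;<Gluster_IP_Host2>"
"""

PLACEHOLDER = re.compile(r"<[^<>]+>")

def audit_gdeploy_ssl(text):
    """Return {section: [findings]} for every [volumeN] section."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cfg.read_string(text)
    report = {}
    for name in cfg.sections():
        if not re.fullmatch(r"volume\d*", name):
            continue
        sec, findings = cfg[name], []
        if PLACEHOLDER.search("\n".join(v or "" for v in sec.values())):
            findings.append("unreplaced <placeholder>")
        if (sec.get("enable_ssl") or "").lower() == "yes":
            if not (sec.get("ssl_clients") or "").strip():
                findings.append("enable_ssl=yes without ssl_clients")
        else:
            # key= and value= are comma-separated lists paired by position.
            keys = [k.strip() for k in (sec.get("key") or "").split(",")]
            vals = [v.strip().strip('"') for v in (sec.get("value") or "").split(",")]
            if len(keys) != len(vals):
                findings.append("key/value lists differ in length")
            opts = dict(zip(keys, vals))
            for opt in ("client.ssl", "server.ssl"):
                if opts.get(opt, "").lower() != "on":
                    findings.append(opt + " is not on")
            if not opts.get("auth.ssl-allow", "").strip():
                findings.append("auth.ssl-allow is empty or missing")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit_gdeploy_ssl(SAMPLE))
```

An empty findings list means the section carries the SSL options in one of the two forms from comment 8; it does not verify the certificates themselves.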

Comment 9 SATHEESARAN 2017-03-16 02:36:32 UTC
(In reply to SATHEESARAN from comment #8)

One more piece of information:

To begin with, we should have a NOTE to share the information that this configuration will use self-signed certs (valid for 1 year) for SSL/TLS based encryption. If the user has got his own CA, then he needs to set up the SSL/TLS outside of the Gluster deployment, following the chapter in the RHGS Admin guide.

Comment 11 RamaKasturi 2017-03-16 06:58:20 UTC
(In reply to SATHEESARAN from comment #8)

sas, yes it does look good

Comment 12 RamaKasturi 2017-03-16 07:02:21 UTC
Laura, I heard that mostly customers will have their own certificate authority-issued certs. It is very rare that one would use self-signed.

Changes in comment 10 look good to me.

Comment 25 RamaKasturi 2017-03-20 13:34:55 UTC
Laura, since enabling SSL with CA-signed certs on the HCI stack can't be done through gdeploy, the user has to follow the manual steps listed at doc [1]. We can provide this info in our Grafton doc, where we have a section to configure the HCI stack using CA-signed certs.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3.1/html-single/Administration_Guide/index.html#chap-Network_Encryption-New_Pool

Comment 27 SATHEESARAN 2017-03-23 06:54:03 UTC
*** Bug 1429427 has been marked as a duplicate of this bug. ***

Comment 32 RamaKasturi 2017-03-28 12:08:17 UTC
1) Can we add a step to restart glusterd after step 2 in section A.1.2?

Other than this, everything looks good. Any reason why this section is put in the appendix?

Comment 36 RamaKasturi 2017-04-04 05:10:21 UTC
The configuring encryption section looks good to me. Marking this verified.

Comment 37 Laura Bailey 2017-08-29 04:13:05 UTC
Fixed in RHGS 3.3 documentation.