Bug 1961664

Summary: [doc][noobaa] Explain how to configure TLS certificate for application accessing TLS encrypted object storage endpoint
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Martin Bukatovic <mbukatov>
Component: documentation
Assignee: Erin Donnelly <edonnell>
Status: ASSIGNED
QA Contact: Daniel Horák <dahorak>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.6
CC: asriram, dahorak, ebenahar, edonnell, jthottan, nbecker, odf-bz-bot
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: edonnell: needinfo? (nbecker)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Bukatovic 2021-05-18 12:51:33 UTC
Document URL
============

https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.6/html/managing_hybrid_and_multicloud_resources/object-bucket-claim

Section Number and Name
=======================

Section 8.1. Dynamic Object Bucket Claim

Describe the issue
==================

The text explains how to create ObjectBucketClaim so that OCS/NooBaa provisions
an object bucket based on the request, and how to use the provisioned bucket in
an application.

Since the object service endpoint is encrypted via TLS, an application accessing
the endpoint also needs to have access to the SSL certificate which will help the
app to verify that the endpoint is correct. But this information is missing in
the text.

Suggestions for improvement
===========================

A new step should be added to the section, e.g. between step #2 (which
explains how to set env variables like BUCKET_NAME, BUCKET_HOST, ... in the YAML
spec of an app) and step #3 (which tells the reader to run oc apply).

This step should include a description of how to:

- locate the TLS certificate the NooBaa endpoint is signed with
- make the certificate available in the containerized app

Additional information
======================

The endpoint seems to be self-signed.

Comment 12 Martin Bukatovic 2022-07-15 13:02:12 UTC
Could we use "OpenShift Service CA Operator"[1] for this use case? Is there an opportunity for NooBaa to make this integration easier?

[1] https://github.com/openshift/service-ca-operator/blob/master/README.md
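One way to wire the certificate into an application, as an added example that is neither the bug reporter's nor the OCS documentation's own, covering both the step suggested in the description and the Service CA Operator route asked about in comment 12: a ConfigMap annotated for CA-bundle injection, mounted into the app pod alongside the ObjectBucketClaim's ConfigMap and Secret. The OBC name "my-bucket", the image, the mount path, and the assumption that the S3 serving certificate is signed by the cluster service CA are all assumptions, not facts from the bug.

```yaml
# Added example, not from the bug or the OCS docs. Assumes an ObjectBucketClaim
# named "my-bucket" (hypothetical) already exists in this namespace, so the
# ConfigMap and Secret of that name carry BUCKET_HOST/BUCKET_PORT/BUCKET_NAME
# and the S3 credentials, and that the S3 serving certificate is signed by the
# OpenShift service CA (the question raised in comment 12; unverified here).
apiVersion: v1
kind: ConfigMap
metadata:
  name: s3-ca-bundle
  annotations:
    # Asks the Service CA Operator to write the cluster service CA into the
    # "service-ca.crt" key of this ConfigMap and keep it updated on rotation.
    service.beta.openshift.io/inject-cabundle: "true"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: s3-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: s3-client
  template:
    metadata:
      labels:
        app: s3-client
    spec:
      containers:
        - name: app
          image: registry.example.com/s3-client:latest   # placeholder image
          envFrom:
            - configMapRef:
                name: my-bucket   # BUCKET_HOST, BUCKET_PORT, BUCKET_NAME
            - secretRef:
                name: my-bucket   # AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
          env:
            # AWS SDKs and the aws CLI read the CA bundle for TLS verification
            # from AWS_CA_BUNDLE, so the app verifies the endpoint unchanged.
            - name: AWS_CA_BUNDLE
              value: /etc/pki/s3/service-ca.crt
          volumeMounts:
            - name: s3-ca
              mountPath: /etc/pki/s3
              readOnly: true
      volumes:
        - name: s3-ca
          configMap:
            name: s3-ca-bundle
```

Verification only succeeds if BUCKET_HOST matches a name in the serving certificate (the in-cluster service name rather than a pod IP). If the endpoint turns out not to be service-CA signed, replace the annotated ConfigMap with one holding the CA the endpoint actually presents and keep the same mount and AWS_CA_BUNDLE wiring.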