Bug 1978286

Summary: [TestOnly] Verify deployment of Ceph on-wire encryption (msgr2 protocol) with director - Full Support
Product: Red Hat OpenStack Reporter: Gregory Charot <gcharot>
Component: ceph Assignee: Giulio Fidente <gfidente>
Status: CLOSED CURRENTRELEASE QA Contact: Yogev Rabl <yrabl>
Severity: medium Docs Contact:
Priority: high    
Version: 16.2 (Train) CC: alfrgarc, astillma, fpantano, gcharot, gfidente, jamsmith, jdurgin, johfulto, lhh, lmarsh, mhicks, nwolf, spower, yrabl
Target Milestone: z2 Keywords: FutureFeature, TestOnly, Triaged
Target Release: 16.2 (Train on RHEL 8.4)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Starting with Red Hat Ceph Storage 4, you can enable encryption for all traffic generated by the Ceph daemons over the network.

The secure mode setting for messenger v2 encrypts the communication between Ceph daemons and Ceph clients, effecting an end-to-end encryption.

A new tripleo-heat-templates parameter can enable the on-wire encryption between daemons and clients. To configure Ceph to enable the on-wire encryption between daemons and clients, add the following lines to the overcloud deployment environment files:

----
parameter_defaults:
  CephMsgrSecureMode: true
----
Story Points: ---
Clone Of: 1814033 Environment:
Last Closed: 2022-06-07 09:34:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1814033, 1855678    
Bug Blocks:    

Description Gregory Charot 2021-07-01 13:13:04 UTC
This bug aims to promote OSP + Ceph on-wire encryption from TP to GA

+++ This bug was initially created as a clone of Bug #1814033 +++

Ceph on-wire encryption via the msgr2 protocol as deployed by director needs to be verified by the Ceph Squad within the Storage DFG.

More details on how to implement the deployment are captured in BZ1810315.

This is a TestOnly BZ.

--- Additional comment from RHEL Program Management on 2020-03-19 08:07:09 CET ---

This item has been properly Triaged and planned for the release, and Target Release is now set to match the release flag. For details, see https://mojo.redhat.com/docs/DOC-1144661#jive_content_id_OSP_Release_Planning

--- Additional comment from Giulio Fidente on 2020-03-19 08:08:49 CET ---

Yogev, if we're unable to test this for 16.0.2 let's change release flag and target milestone appropriately

--- Additional comment from RHEL Program Management on 2020-03-20 16:21:42 CET ---

This item has been properly Triaged and planned for the release, and Target Release is now set to match the release flag. For details, see https://mojo.redhat.com/docs/DOC-1195410

--- Additional comment from Scott Lewis on 2020-03-23 21:28:05 CET ---

This item has been properly Triaged and planned for the appropriate release, and is being tagged for tracking.

--- Additional comment from Chuck Copello on 2020-03-26 18:42:07 CET ---

Hi John, should Target Milestone be Beta or earlier for 16.1?

--- Additional comment from Gregory Charot on 2020-03-26 18:49:07 CET ---

We don't have the capacity to test this for 16.1GA so targeting 16.1.1 (hence the z1 TM)

--- Additional comment from Scott Lewis on 2020-03-30 17:30:15 CEST ---

This item has had a change in release flag, and has been removed from tracking for the GA.

--- Additional comment from Ben England on 2020-06-10 20:35:11 CEST ---

Has anyone succeeded in turning on Ceph encryption and verifying that it is being used? I'm trying to use it in this build:

http://download.eng.bos.redhat.com/rhel-8/composes/auto/ceph-4.1-rhel-8/RHCEPH-4.1-RHEL-8-20200603.ci.1/

which installs RPMs with version 
with this documentation:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html/data_security_and_hardening_guide/assembly-encryption-and-key-management#enabling-the-messenger-v2-protocol_sec

The installation procedure is described here:

https://docs.google.com/document/d/1iSL5PPXVn_6aDBcKGjvHVp5w0o3E9ztmSEDAQAisYEI/edit#heading=h.fwqv6d8xumgp
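An added example, not part of the bug thread or of any Red Hat tooling: a sketch of one way to check whether msgr2 secure mode is actually enforced rather than merely allowed, by auditing the messenger mode options in a ceph.conf text. It assumes the setting surfaces in the `[global]` section as `ms_cluster_mode`, `ms_service_mode` and `ms_client_mode`; the sample configuration is constructed and the status labels are this example's own.

```python
import re

# Messenger v2 connection-mode options audited by this example.
MODE_OPTIONS = ("ms_cluster_mode", "ms_service_mode", "ms_client_mode")

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# constructed sample
[global]
fsid = 00000000-0000-0000-0000-000000000000
ms cluster mode = secure
ms_service_mode = secure crc
ms-client-mode = crc   ; legacy clients
[osd]
osd_memory_target = 4294967296
"""

def parse_global(conf_text):
    """Return the [global] options of a ceph.conf-style text, names normalised."""
    opts, section = {}, None
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Spaces, dashes and underscores in option names are equivalent.
            opts[re.sub(r"[\s-]+", "_", key.strip().lower())] = value.strip()
    return opts

def audit_msgr2(conf_text):
    """Classify each mode option: enforced, negotiable, off or unset."""
    opts, result = parse_global(conf_text), {}
    for name in MODE_OPTIONS:
        modes = [m for m in re.split(r"[,\s]+", opts.get(name, "")) if m]
        if not modes:
            result[name] = "unset"        # Ceph's built-in default applies
        elif modes == ["secure"]:
            result[name] = "enforced"     # only encrypted connections accepted
        elif "secure" in modes:
            result[name] = "negotiable"   # a crc (unencrypted) fallback remains
        else:
            result[name] = "off"
    return result

if __name__ == "__main__":
    for option, status in audit_msgr2(SAMPLE).items():
        print(f"{option}: {status}")
```

Only a result of `enforced` for all three options means unencrypted connections are refused; the check reads static configuration and does not inspect live connections.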

--- Additional comment from Gregory Charot on 2020-06-11 18:26:02 CEST ---

We are planning to test this after 16.1GA as a testonly to ensure this does not break any OSP service integration. We target this for fall or so this year.

Thanks for your test/doc Ben, any concern / issue you would like to share?

--- Additional comment from Chuck Copello on 2020-06-16 14:45:17 CEST ---

Adding Andy to the CC: list and removing myself.

--- Additional comment from Chuck Copello on 2020-06-16 14:49:12 CEST ---

Adding Andy to the CC: list and removing myself.

--- Additional comment from Gregory Charot on 2020-06-25 14:25:32 CEST ---

Moving to z2 as z1 will be blockers only

--- Additional comment from Gregory Charot on 2020-10-21 11:55:03 CEST ---

moving to tech preview as per discussion with the Ceph team

--- Additional comment from Yogev Rabl on 2020-11-18 18:14:09 CET ---

Verified