Additional information:

New documentation includes:
- Using gdeploy to configure SSL during installation
- Configuring SSL to use existing certificates
- Configuring SSL on an existing installation
Just gathering the comments from comment6 ( from Kasturi ) and so that it becomes easy for reviewing.

<content>

To enable RHGS SSL/TLS encryption during the Gluster deployment using cockpit, make the following changes to the generated gdeploy configuration file by selecting 'Edit' button on the 'Review' Tab of cockpit UI

1. Edit the [volume1] section to have additional options

[volume1]
enable_ssl=yes
ssl_clients=<Gluster_Network_IP1>,<Gluster_Network_IP2>,<Gluster_Network_IP3>

2. Edit the [volume2] and [volume3] sections to have the additional options

[volume2]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"

[volume3]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"

</content>

@Kasturi, does the above content look good ?
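An added check for the edits proposed in the comment above, not part of the original thread or of gdeploy: it parses an edited gdeploy file and reports SSL options that are missing, mis-paired or still placeholders. The function names, the sample addresses and the rule that `<` marks an unfilled placeholder are assumptions.

```python
import configparser
import csv

def _csv(value):
    """Split a gdeploy comma list, keeping a quoted "a;b;c" item whole."""
    return [v.strip() for v in next(csv.reader([value or ""], skipinitialspace=True), [])]

def check_ssl_edits(text, first="volume1", others=("volume2", "volume3")):
    """Return findings for the SSL edits; an empty list means all are present."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    out = []
    sec = cp[first] if cp.has_section(first) else {}
    if (sec.get("enable_ssl") or "").strip().lower() != "yes":
        out.append(f"[{first}] enable_ssl is not 'yes'")
    clients = [c for c in _csv(sec.get("ssl_clients")) if c]
    if not clients or any("<" in c for c in clients):
        out.append(f"[{first}] ssl_clients is empty or still a placeholder")
    for name in others:
        sec = cp[name] if cp.has_section(name) else {}
        keys, vals = _csv(sec.get("key")), _csv(sec.get("value"))
        if len(keys) != len(vals):  # e.g. allow list left unquoted
            out.append(f"[{name}] {len(keys)} keys but {len(vals)} values")
            continue
        opts = dict(zip(keys, vals))
        for k in ("client.ssl", "server.ssl"):
            if opts.get(k, "").lower() != "on":
                out.append(f"[{name}] {k} is not 'on'")
        allow = [h for h in opts.get("auth.ssl-allow", "").split(";") if h.strip()]
        if not allow or any("<" in h for h in allow):
            out.append(f"[{name}] auth.ssl-allow is empty or still a placeholder")
    return out

# Constructed sample (192.0.2.0/24 documentation addresses); [volume3] lost its quotes.
SAMPLE = """\
[volume1]
enable_ssl=yes
ssl_clients=192.0.2.11,192.0.2.12,192.0.2.13
[volume2]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,"192.0.2.11;192.0.2.12;192.0.2.13"
[volume3]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,192.0.2.11,192.0.2.12,192.0.2.13
"""
if __name__ == "__main__":
    print(check_ssl_edits(SAMPLE) or "SSL edits present")
```

An unquoted, comma-separated allow list is split into separate values, so every option after it pairs with the wrong key; the count comparison reports that case.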
(In reply to SATHEESARAN from comment #8)
> Just gathering the comments from comment6 ( from Kasturi ) and so that it
> becomes easy for reviewing.
>
> <content>
>
> To enable RHGS SSL/TLS encryption during the Gluster deployment using
> cockpit, make the following changes to the generated gdeploy configuration
> file by selecting 'Edit' button on the 'Review' Tab of cockpit UI
>
> 1. Edit the [volume1] section to have additional options
>
> [volume1]
> enable_ssl=yes
> ssl_clients=<Gluster_Network_IP1>,<Gluster_Network_IP2>,<Gluster_Network_IP3>
>
> 2. Edit the [volume2] and [volume3] sections to have the additional options
>
> [volume2]
> key=client.ssl,server.ssl,auth.ssl-allow
> value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"
>
> [volume3]
> key=client.ssl,server.ssl,auth.ssl-allow
> value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"
>
> </content>
>
> @Kasturi, does the above content look good ?

One more information:

To begin with, we should have a NOTE to share the information that this configuration will use self-signed certs ( valid for 1 year ) for SSL/TLS based encryption. If user has got his own CA, then he needs to set up the SSL/TLS outside of Gluster deployment, following chapter in RHGS Admin guide
(In reply to SATHEESARAN from comment #8)
> Just gathering the comments from comment6 ( from Kasturi ) and so that it
> becomes easy for reviewing.
>
> <content>
>
> To enable RHGS SSL/TLS encryption during the Gluster deployment using
> cockpit, make the following changes to the generated gdeploy configuration
> file by selecting 'Edit' button on the 'Review' Tab of cockpit UI
>
> 1. Edit the [volume1] section to have additional options
>
> [volume1]
> enable_ssl=yes
> ssl_clients=<Gluster_Network_IP1>,<Gluster_Network_IP2>,<Gluster_Network_IP3>
>
> 2. Edit the [volume2] and [volume3] sections to have the additional options
>
> [volume2]
> key=client.ssl,server.ssl,auth.ssl-allow
> value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"
>
> [volume3]
> key=client.ssl,server.ssl,auth.ssl-allow
> value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"
>
> </content>
>
> @Kasturi, does the above content look good ?

sas, yes it does look good
Laura, I heard that mostly customers will have their own certificate authority-issued certs. It is very rare that one would use self-signed. Changes in comment 10 look good to me.
Laura, since enabling SSL with CA signed certs on HCI stack can't be done through gdeploy, user has to follow the manual steps listed at doc [1]. We can provide this info in our Grafton doc where we have a section to configure HCI stack using CA signed certs.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3.1/html-single/Administration_Guide/index.html#chap-Network_Encryption-New_Pool
*** Bug 1429427 has been marked as a duplicate of this bug. ***
1) Can we add a step to restart glusterd after step 2 in A.1.2 section? Other than this everything looks good. Any reason why this section is put in appendix?
configuring encryption section looks good to me. Marking this verified.
Fixed in RHGS 3.3 documentation.