Created attachment 2009715: ODF Cluster create security screen

Describe the issue:
Documentation doesn't provide much detail on implementing data encryption in-transit with the Messenger v2 protocol. The Planning your deployment guide [1] does state that it can be enabled at deployment but doesn't reference how or why.

In the Deploying OpenShift Data Foundation guides [2], there is no reference to the In-transit encryption checkbox (see attached screenshot) in step 6, "Optional: In the Security and network page, configure the following based on your requirement." This section only covers the "Enable data encryption for block and file storage" checkbox for cluster-wide or KMS.

Describe the task you were trying to accomplish:
Enabling encryption in transit at deployment, or for a cluster that was already deployed.

When deploying on a new cluster, the checkbox sets the following parameters to `secure` when selected and to `crc` when not selected:

  ms_cluster_mode
  ms_service_mode
  ms_client_mode

Can these Ceph parameters be modified after deployment using the rook-ceph-toolbox or in the rook-ceph-operator configMap?

Suggestions for improvement:
Provide additional details in the Planning your deployment guide, i.e. where it is enabled in the deployment process and, when it is enabled, the additional security it provides (see below from IBM). In the deployment guides, include the details for the In-transit encryption checkbox in the Creating ODF Cluster sections.

From the IBM documentation on IBM Storage Ceph [https://www.ibm.com/docs/en/storage-ceph/6?topic=management-messenger-v2-protocol]:

The msgr2 protocol supports two connection modes:

* crc
  - Provides strong initial authentication when a connection is established with cephx.
  - Provides a crc32c integrity check to protect against bit flips.
  - Does not provide protection against a malicious man-in-the-middle attack.
  - Does not prevent an eavesdropper from seeing all post-authentication traffic.

* secure
  - Provides strong initial authentication when a connection is established with cephx.
  - Provides full encryption of all post-authentication traffic.
  - Provides a cryptographic integrity check.

The default mode is crc.

Document URL:
[1] Planning Your Deployment:
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/planning_your_deployment/security-considerations_rhodf#data_encryption_in_transit_via_red_hat_ceph_storage_s_messenger_version_2_protocol

[2] Deploying OpenShift Data Foundation using bare metal infrastructure
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/deploying_openshift_data_foundation_using_bare_metal_infrastructure/deploy-using-local-storage-devices-bm#creating-openshift-data-foundation-cluster-on-bare-metal_local-bare-metal

Deploying OpenShift Data Foundation on VMware vSphere
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/deploying_openshift_data_foundation_on_vmware_vsphere/deploy-using-local-storage-devices-vmware#creating-openshift-data-foundation-cluster-on-vmware_local-storage

Deploying OpenShift Data Foundation on AWS
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/deploying_openshift_data_foundation_using_amazon_web_services/deploy-using-dynamic-storage-devices-aws#creating-an-openshift-data-foundation-service_cloud-storage

Deploying OpenShift Data Foundation on Azure
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/deploying_openshift_data_foundation_using_microsoft_azure/deploying-openshift-data-foundation-on-microsoft-azure_azure#creating-an-openshift-data-foundation-service_azure

Deploying OpenShift Data Foundation on IBM Power
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/deploying_openshift_data_foundation_using_ibm_power/deploy-using-local-storage-devices-ibm-power#creating-openshift-data-foundation-cluster-on-ibm-power_local-ibm-power

Deploying OpenShift Data Foundation on Google Cloud
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/deploying_and_managing_openshift_data_foundation_using_google_cloud/deploying_openshift_data_foundation_on_google_cloud#creating-an-openshift-data-foundation-service_gcp

Deploying OpenShift Data Foundation on Red Hat OpenStack
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/deploying_and_managing_openshift_data_foundation_using_red_hat_openstack_platform/deploying_openshift_data_foundation_on_red_hat_openstack_platform_in_internal_mode#creating-an-openshift-data-foundation-service_internal-osp

Deploying OpenShift Data Foundation on any platform
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/deploying_openshift_data_foundation_on_any_platform/deploy-using-local-storage-devices-bm#creating-openshift-data-foundation-cluster-on-any-platform_agnostic

Chapter/Section Number and Title:
See above links.

Product Version:
ODF v4.x

Environment Details:

Any other versions of this document that also need this update:
The sections on creating the storage clusters in the deployment guides do, for some guides, include a reference to the In-transit encryption checkbox, but the bullet numbering is incorrect and the Select Network is referenced twice (see screenshots for reference for each guide). Some guides don't reference the checkbox at all.
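The report asks whether the three msgr2 mode settings can be inspected and changed after deployment. The script below is an added example, not code from the bug report, from Red Hat or from the Rook/Ceph projects. It audits `ceph config dump` output for `ms_cluster_mode`, `ms_service_mode` and `ms_client_mode` and treats anything other than exactly `secure` as not encrypted in transit; the sample dump is constructed, the `oc ... rsh deploy/rook-ceph-tools` command in the comments assumes the ODF toolbox deployment of that name has been enabled in the `openshift-storage` namespace. The one caveat it encodes is that these options accept a space-separated list of permitted modes, so a value such as `crc secure` still lets a peer negotiate the unencrypted `crc` mode and must be flagged.

```shell
#!/bin/sh
# Added example (not from the bug report or the ODF/Rook/Ceph docs).
# Audits "ceph config dump" output for the three msgr2 mode options.
# Only the exact value "secure" means every post-auth byte is encrypted;
# a permitted-mode list like "crc secure" can still negotiate crc.

# Constructed sample of "ceph config dump" output (columns: WHO MASK LEVEL OPTION VALUE RO).
# On a live ODF cluster, assuming the toolbox is enabled, the real input would be:
#   oc -n openshift-storage rsh deploy/rook-ceph-tools -- ceph config dump
SAMPLE_DUMP='WHO     MASK  LEVEL     OPTION                VALUE        RO
global        advanced  ms_cluster_mode       secure
global        advanced  ms_service_mode       secure
global        advanced  ms_client_mode        crc secure
mon           advanced  auth_allow_insecure_global_id_reclaim  false'

# msgr2_mode_value DUMP_TEXT OPTION
# Prints the VALUE column(s) for OPTION, joining a multi-word mode list with
# spaces and ignoring a trailing "*" read-only marker. Prints nothing if unset.
msgr2_mode_value() {
    printf '%s\n' "$1" | awk -v o="$2" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == o) {
                    v = ""
                    for (j = i + 1; j <= NF; j++)
                        if ($j != "*") v = v (v == "" ? "" : " ") $j
                    print v
                    exit
                }
            }
        }'
}

# msgr2_insecure_modes DUMP_TEXT
# Prints one "option=value" line per mode option that is not exactly "secure".
# An unset option is reported as well: the documented default is crc, not secure.
msgr2_insecure_modes() {
    dump="$1"
    for opt in ms_cluster_mode ms_service_mode ms_client_mode; do
        value=$(msgr2_mode_value "$dump" "$opt")
        if [ -z "$value" ]; then
            value="unset"
        fi
        if [ "$value" != "secure" ]; then
            printf '%s=%s\n' "$opt" "$value"
        fi
    done
}

# msgr2_all_secure DUMP_TEXT
# Exit status 0 only when all three options are pinned to exactly "secure".
msgr2_all_secure() {
    [ -z "$(msgr2_insecure_modes "$1")" ]
}

# Demo on the constructed sample: reports "ms_client_mode=crc secure".
if msgr2_all_secure "$SAMPLE_DUMP"; then
    echo "in-transit encryption: all msgr2 modes are secure"
else
    echo "in-transit encryption INCOMPLETE, offending options:"
    msgr2_insecure_modes "$SAMPLE_DUMP"
fi
```

To remediate a flagged option from the toolbox, `ceph config set global ms_client_mode secure` (and likewise for the other two) is the Ceph-level command; for a Rook-managed cluster the persistent place is the `rook-config-override` ConfigMap's `config` key with a `[global]` section carrying the three `ms_*_mode = secure` lines, which Rook renders into the daemons' ceph.conf. Re-run the audit after the daemons have restarted, since connections that were already established keep the mode they negotiated.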