Bug 2259886 - [ODF-Hackaton]: Please add further documentation about the internals of ODF encryption in transit
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: documentation
Version: 4.14
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Anjana Suparna Sriram
QA Contact: Neha Berry
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-01-23 16:41 UTC by nravinas
Modified: 2024-07-22 12:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description nravinas 2024-01-23 16:41:54 UTC
**Describe the issue:**

The documentation doesn't detail how encryption in transit works for an ODF cluster. It just refers to how to enable it in the Deployment Guides very briefly:

> To enable in-transit encryption, select In-transit encryption.
>
> - Select a Network.
> - Click Next.

There are no references in the Architecture or Troubleshooting guides regarding this feature. For example, one thing worth covering is how the option `ms_mode=secure` is passed to the CephFS mount points. From my lab setup, this is from a pod mounting a CephFS file system with encryption on the wire enabled (the `ms_mode=secure` option is the relevant part):

```
sh-4.4$ mount | grep mnt
10.0.91.79:3300,10.0.93.41:3300,10.0.93.166:3300,10.0.93.53:3300,10.0.93.164:3300:/volumes/csi/csi-vol-05e577bd-11be-4e5c-82b0-c3d2398b5e11/36bfbd9a-2e67-415b-a2eb-7be623b9e0e7 on /mnt type ceph (rw,relatime,seclabel,name=csi-cephfs-node,secret=<hidden>,ms_mode=secure,fsid=00000000-0000-0000-0000-000000000000,acl,mds_namespace=my-filesystem)
```

I thought either would set this parameter:

- Adding the variable `ROOK_CSI_ENABLE_CEPHFS: "true"` to the `rook-ceph-operator-config` cm.
- Setting the kernel mount option `kernelMountOptions: ms_mode=secure` in the CephFS storage class.

However, this is not the case. Neither the cm nor the sc is modified. The encryption annotation

```
oc get storagecluster ocs-external-storagecluster -n openshift-storage -o json | jq -r '.spec.network.connections'
{
  "encryption": {
    "enabled": true
  }
}
```

in the storagecluster seems to suffice to set the `ms_mode=secure` mount option in the CephFS mount points. More details on how it works behind the scenes would be worth adding.

**Describe the task you were trying to accomplish:**

Provide further information on how the encryption in transit feature works internally. 

**Provide some further documentation details** 

N/A

**Suggestions for improvement:**

Add information about how the option `ms_mode=secure` is set for CephFS mount points.

**Document URL:**

Troubleshooting Guide: https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/troubleshooting_openshift_data_foundation
Architecture Guide: https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/red_hat_openshift_data_foundation_architecture

**Chapter/Section Number and Title:**

N/A, as there's no section covering this feature.

**Product Version:**

ODF 4.14

**Environment Details:**

N/A

**Any other versions of this document that also need this update:**

No

**Additional information:**

N/A
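As an added example (not part of the bug report or of ODF/Rook), a small POSIX shell audit that checks the effect the reporter describes: every CephFS mount seen in `mount` output must carry `ms_mode=secure`, otherwise traffic to that mount is not encrypted in transit. It reads `mount`-style lines from stdin; the sample lines below are constructed, not real cluster output.

```shell
#!/bin/sh
# check_ceph_mounts: read "mount"-style lines from stdin, report every
# mount of type "ceph" whose option list lacks ms_mode=secure.
# Returns 0 when all CephFS mounts are secure, 1 when at least one is not.
check_ceph_mounts() {
    bad=0
    while IFS= read -r line; do
        # Only lines of the form "<src> on <mountpoint> type ceph (<opts>)"
        case "$line" in
            *" type ceph ("*) ;;
            *) continue ;;
        esac
        # Extract the mount point and the comma-separated option list
        mnt=${line#* on }
        mnt=${mnt%%" type ceph ("*}
        opts=${line#*" type ceph ("}
        opts=${opts%)}
        # Wrap in commas so the match is exact (ms_mode=secure, not prefer-secure)
        case ",$opts," in
            *",ms_mode=secure,"*) ;;
            *) echo "NOT ENCRYPTED IN TRANSIT: $mnt (opts: $opts)"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample input (not real cluster output): one secure CephFS
# mount, one CephFS mount with ms_mode=crc (integrity only, no encryption),
# and one non-ceph mount that must be ignored.
SAMPLE_MOUNTS='10.0.0.1:3300:/volumes/csi/csi-vol-aaaa/bbbb on /mnt type ceph (rw,relatime,name=csi-cephfs-node,secret=<hidden>,ms_mode=secure,fsid=00000000-0000-0000-0000-000000000000,mds_namespace=my-filesystem)
10.0.0.1:6789:/volumes/csi/csi-vol-cccc/dddd on /data type ceph (rw,relatime,name=csi-cephfs-node,secret=<hidden>,ms_mode=crc,fsid=00000000-0000-0000-0000-000000000000,mds_namespace=my-filesystem)
/dev/sda1 on / type xfs (rw,relatime)'

# Live use on a node or inside a pod: mount | check_ceph_mounts
```

Run it in every pod that mounts CephFS (or on the node) after enabling in-transit encryption to confirm the storagecluster setting actually reached the mount options.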

