Red Hat Training

A Red Hat training course is available for Red Hat Gluster Storage

17.2. Enabling Encryption for a New Container-Native Storage Setup

You can configure network encryption for a new Container-Native Storage setup for both I/O encryption and management encryption.

17.2.1. Enabling Management Encryption

Though Red Hat Gluster Storage can be configured only for I/O encryption without using management encryption, it is recommended to have management encryption. If you want to enable SSL only on the I/O path, skip this section and proceed with Section 17.2.2, “Enabling I/O encryption for a Volume”.
On the server

Perform the following on all the server, ie, the OpenShift nodes on which Red Hat Gluster Storage pods are running.

  1. Create the /var/lib/glusterd/secure-access file.
    # touch /var/lib/glusterd/secure-access
On the clients

Perform the following on the clients, ie. on all the remaining OpenShift nodes on which Red Hat Gluster Storage is not running.

  1. Create the /var/lib/glusterd/secure-access file.
    # touch /var/lib/glusterd/secure-access

Note

All the Red Hat Gluster Storage volumes are mounted on the OpenShift nodes and then bind mounted to the application pods. Hence, it is not required to perform any encryption related operations specifically on the application pods.
After running the commands on the server and clients, deploy Container-Native Storage. For more information, see Section 8.2, “ Deploying Containerized Red Hat Gluster Storage Solutions”

17.2.2. Enabling I/O encryption for a Volume

Enable the I/O encryption between the servers and clients:

Note

The servers are the OpenShift nodes on which Red Hat Gluster Storage pods are running.
The clients are the remaining OpenShift nodes on which Red Hat Gluster Storage is not running.
  1. Ensure Container-Native Storage is deployed before proceeding with further steps. For more information see, Section 8.2, “ Deploying Containerized Red Hat Gluster Storage Solutions”
  2. You can either create a statically provisioned volume or a dynamically provisioned volume. For more information about static provisioning of volumes, see Section 9.1.1, “Static Provisioning of Volumes” . For more information about dynamic provisioning of volumes, see Section 9.1.2, “Dynamic Provisioning of Volumes”

    Note

    To enable encryption during the creation of statically provisioned volume, execute the following command:
     # heketi-cli volume create --size=100 --gluster-volume-options="client.ssl on","server.ssl on"
  3. Stop the volume by executing the following command:
    # oc rsh <gluster_pod_name> gluster volume stop VOLNAME
    The gluster pod name is the name of one of the Red Hat Gluster Storage pods of the trusted storage pool to which the volume belongs.

    Note

    To get the VOLNAME, execute the following command:
    # oc describe pv <pv_name>
    For example:
    # oc describe pv  pvc-01569c5c-1ec9-11e7-a794-005056b38171
    Name:           pvc-01569c5c-1ec9-11e7-a794-005056b38171
    Labels:         <none>
    StorageClass:   fast
    Status:         Bound
    Claim:          storage-project/storage-claim68
    Reclaim Policy: Delete
    Access Modes:   RWO
    Capacity:       1Gi
    Message:
    Source:
        Type:               Glusterfs (a Glusterfs mount on the host that shares a pod's lifetime)
        EndpointsName:      glusterfs-dynamic-storage-claim68
        Path:               vol_0e81e5d6e46dcbf02c11ffd9721fca28
        ReadOnly:           false
    No events.
    The VOLNAME is the value of "path" in the above output.
  4. Set the list of common names of all the servers to access the volume. Ensure to include the common names of clients which will be allowed to access the volume.
    # oc rsh <gluster_pod_name> gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'

    Note

    If you set auth.ssl-allow option with * as value, any TLS authenticated clients can mount and access the volume from the application side. Hence, you set the option's value to * or provide common names of clients as well as the nodes in the trusted storage pool.
  5. Enable the client.ssl and server.ssl options on the volume using the heketi-cli.
    # oc rsh <gluster_pod_name> gluster volume set VOLNAME client.ssl on
    # oc rsh <gluster_pod_name> gluster volume set VOLNAME server.ssl on
  6. Start the volume.
    # oc rsh <gluster_pod_name> gluster volume start VOLNAME