8.2. Enabling Encryption for a New Red Hat Openshift Container Storage Setup

You can configure network encryption for a new Red Hat Openshift Container Storage setup for both I/O encryption and management encryption.

8.2.1. Enabling Management Encryption

Though Red Hat Gluster Storage can be configured only for I/O encryption without using management encryption, it is recommended to have management encryption. If you want to enable SSL only on the I/O path, skip this section and proceed with Section 8.2.2, “Enabling I/O encryption for a Volume”.
On the server

Perform the following on all the server, ie, the OpenShift nodes on which Red Hat Gluster Storage pods are running.

  1. Create the /var/lib/glusterd/secure-access file. 
    # touch /var/lib/glusterd/secure-access
On the clients

Perform the following on the clients, that is, on all the remaining OpenShift nodes on which Red Hat Gluster Storage is not running.

  1. Create the /var/lib/glusterd/secure-access file. 
    # touch /var/lib/glusterd/secure-access

Note

All the Red Hat Gluster Storage volumes are mounted on the OpenShift nodes and then bind mounted to the application pods. Hence, it is not required to perform any encryption related operations specifically on the application pods.
After running the commands on the server and clients, deploy Red Hat Openshift Container Storage. For more information, see https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/3.11/html-single/deployment_guide/#chap-Documentation-Red_Hat_Gluster_Storage_Container_Native_with_OpenShift_Platform-Setting_the_environment-Deploy_CNS

8.2.2. Enabling I/O encryption for a Volume

Enable the I/O encryption between the servers and clients:

Note

The servers are the OpenShift nodes on which Red Hat Gluster Storage pods are running.
The clients are the remaining OpenShift nodes on which Red Hat Gluster Storage is not running.
  1. Ensure Red Hat Openshift Container Storage is deployed before proceeding with further steps. For more information see, https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/3.11/html-single/deployment_guide/#chap-Documentation-Red_Hat_Gluster_Storage_Container_Native_with_OpenShift_Platform-Setting_the_environment-Deploy_CNS
  2. You can either create a statically provisioned volume or a dynamically provisioned volume. For more information about static provisioning of volumes, see https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/3.11/html-single/operations_guide/#chap-Documentation-Red_Hat_Gluster_Storage_Container_Native_with_OpenShift_Platform-OpenShift_Creating_Persistent_Volumes-Static_Prov. For more information about dynamic provisioning of volumes, see https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/3.11/html-single/operations_guide/#chap-Documentation-Red_Hat_Gluster_Storage_Container_Native_with_OpenShift_Platform-OpenShift_Creating_Persistent_Volumes-Dynamic_Prov

    Note

    To enable encryption during the creation of statically provisioned volume, execute the following command: 
     # heketi-cli volume create --size=100 --gluster-volume-options="client.ssl on","server.ssl on"
  3. Stop the volume by executing the following command: 
    # oc rsh <gluster_pod_name> gluster volume stop VOLNAME
    The gluster pod name is the name of one of the Red Hat Gluster Storage pods of the trusted storage pool to which the volume belongs.

    Note

    To get the VOLNAME, execute the following command: 
    # oc describe pv <pv_name>
    For example: 
    # oc describe pv  pvc-01569c5c-1ec9-11e7-a794-005056b38171
Name:           pvc-01569c5c-1ec9-11e7-a794-005056b38171
Labels:         <none>
StorageClass:   fast
Status:         Bound
Claim:          storage-project/storage-claim68
Reclaim Policy: Delete
Access Modes:   RWO
Capacity:       1Gi
Message:
Source:
    Type:               Glusterfs (a Glusterfs mount on the host that shares a pod's lifetime)
    EndpointsName:      glusterfs-dynamic-storage-claim68
    Path:               vol_0e81e5d6e46dcbf02c11ffd9721fca28
    ReadOnly:           false
No events.
    The VOLNAME is the value of "path" in the above output.
  4. Set the list of common names of all the servers to access the volume. Ensure to include the common names of clients which will be allowed to access the volume. 
    # oc rsh <gluster_pod_name> gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'

    Note

    If you set auth.ssl-allow option with * as value, any TLS authenticated clients can mount and access the volume from the application side. Hence, you set the option's value to * or provide common names of clients as well as the nodes in the trusted storage pool.
  5. Enable the client.ssl and server.ssl options on the volume. 
    # oc rsh <gluster_pod_name> gluster volume set VOLNAME client.ssl on
# oc rsh <gluster_pod_name> gluster volume set VOLNAME server.ssl on
  6. Start the volume. 
    # oc rsh <gluster_pod_name> gluster volume start VOLNAME