From 89e35393db5c12c626d8880c822017c708e73152 Mon Sep 17 00:00:00 2001 From: Giulio Fidente Date: Tue, 1 Sep 2020 18:57:25 +0200 Subject: [PATCH] Add parameter and CI config to enable Ceph OTW encryption Starting with Ceph Nautilus it is possible to enable on-wire encryption between daemons and clients. This change adds a setting to optionally configure Ceph with OTW encryption and a setting in scenario001-standalone to test it. Change-Id: I5d046b814a211aec9051f5278f98a3e81580057c --- ci/environments/scenario001-standalone.yaml | 1 + deployment/ceph-ansible/ceph-base.yaml | 28 ++++++++++++++++++++- environments/ceph-ansible/ceph-ansible.yaml | 7 ++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/ci/environments/scenario001-standalone.yaml b/ci/environments/scenario001-standalone.yaml index d74a6f0246..5528c32a20 100644 --- a/ci/environments/scenario001-standalone.yaml +++ b/ci/environments/scenario001-standalone.yaml @@ -185,3 +185,4 @@ parameter_defaults: osdkey: osdvalue foo: bar NfsUrl: 127.0.0.1 + CephMsgrSecureMode: true diff --git a/deployment/ceph-ansible/ceph-base.yaml b/deployment/ceph-ansible/ceph-base.yaml index e406ac8dfd..212b7cc9f7 100644 --- a/deployment/ceph-ansible/ceph-base.yaml +++ b/deployment/ceph-ansible/ceph-base.yaml @@ -97,6 +97,12 @@ parameters: description: > The Ceph cluster name must be at least 1 character and contain only letters and numbers. + CephMsgrSecureMode: + type: boolean + default: false + description: > + Enable Ceph msgr2 secure mode to enable on-wire encryption between Ceph + daemons and also between Ceph clients and daemons. CephPoolDefaultPgNum: description: default pg_num to use for the RBD pools type: number @@ -332,6 +338,7 @@ parameter_groups: conditions: dashboard_is_enabled: {equals: [{get_param: CephEnableDashboard}, true]} + msgr_secure_mode: {equals: [{get_param: CephMsgrSecureMode}, true]} custom_registry_host: yaql: data: {get_param: ContainerCephDaemonImage} @@ -395,6 +402,17 @@ resources: expression: $.data.rightSplit(':', 1)[1] data: {get_param: ContainerCephDaemonImage} + MsgrSecureModeOverrides: + type: OS::Heat::Value + properties: + type: json + value: + vars: + global: + ms_cluster_mode: secure + ms_service_mode: secure + ms_client_mode: secure + DefaultCephConfigOverrides: type: OS::Heat::Value properties: @@ -581,7 +599,15 @@ outputs: ceph_pools: {get_attr: [CephBasePoolVars, value, vars]} manila_pools: {get_attr: [CephManilaPoolVars, value, vars]} ceph_keys: {get_attr: [CephKeyVars, value, vars]} - ceph_default_overrides: {get_attr: [DefaultCephConfigOverrides, value, vars]} + ceph_default_overrides: + if: + - msgr_secure_mode + - yaql: + expression: ($.data.default).mergeWith($.data.secure) + data: + default: {get_attr: [DefaultCephConfigOverrides, value, vars]} + secure: {get_attr: [MsgrSecureModeOverrides, value, vars]} + - {get_attr: [DefaultCephConfigOverrides, value, vars]} ceph_config_overrides: {get_param: CephConfigOverrides} - name: set ceph-ansible facts set_fact: diff --git a/environments/ceph-ansible/ceph-ansible.yaml b/environments/ceph-ansible/ceph-ansible.yaml index 1880b84d49..0e2e400ac8 100644 --- a/environments/ceph-ansible/ceph-ansible.yaml +++ b/environments/ceph-ansible/ceph-ansible.yaml @@ -16,3 +16,10 @@ parameter_defaults: GlanceBackend: rbd ## Uncomment below if enabling legacy telemetry # GnocchiBackend: rbd + + ## Set to enable on-wire encryption + ## Using secure mode can cause a performance degradation with the storage cluster. + ## The severity of the performance degradation can vary depending on several + ## environmental factors. + ## Test the performance impact in a non-production environment before implementing. + # CephMsgrSecureMode: true