Add parameter and CI config to enable Ceph OTW encryption

Starting with Ceph Nautilus it is possible to enable on-wire encryption between daemons and clients. This change adds a setting to optionally configure Ceph with OTW encryption and a setting in scenario001-standalone to test it. Change-Id: I5d046b814a211aec9051f5278f98a3e81580057c
2020-09-01 18:57:25 +02:00 · 2020-09-01 18:57:25 +02:00 · 89e35393db
commit 89e35393db
parent 01c72fbb99
3 changed files with 35 additions and 1 deletions
--- a/ci/environments/scenario001-standalone.yaml
+++ b/ci/environments/scenario001-standalone.yaml
@ -185,3 +185,4 @@ parameter_defaults:
      osdkey: osdvalue
    foo: bar
  NfsUrl: 127.0.0.1
+  CephMsgrSecureMode: true
--- a/deployment/ceph-ansible/ceph-base.yaml
+++ b/deployment/ceph-ansible/ceph-base.yaml
@ -97,6 +97,12 @@ parameters:
      description: >
        The Ceph cluster name must be at least 1 character and contain only
        letters and numbers.
+  CephMsgrSecureMode:
+    type: boolean
+    default: false
+    description: >
+      Enable Ceph msgr2 secure mode to enable on-wire encryption between Ceph
+      daemons and also between Ceph clients and daemons.
  CephPoolDefaultPgNum:
    description: default pg_num to use for the RBD pools
    type: number
@ -332,6 +338,7 @@ parameter_groups:

 conditions:
  dashboard_is_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
+  msgr_secure_mode: {equals: [{get_param: CephMsgrSecureMode}, true]}
  custom_registry_host:
    yaql:
      data: {get_param: ContainerCephDaemonImage}
@ -395,6 +402,17 @@ resources:
            expression: $.data.rightSplit(':', 1)[1]
            data: {get_param: ContainerCephDaemonImage}

+  MsgrSecureModeOverrides:
+    type: OS::Heat::Value
+    properties:
+      type: json
+      value:
+        vars:
+          global:
+            ms_cluster_mode: secure
+            ms_service_mode: secure
+            ms_client_mode: secure
+
  DefaultCephConfigOverrides:
    type: OS::Heat::Value
    properties:
@ -581,7 +599,15 @@ outputs:
                ceph_pools: {get_attr: [CephBasePoolVars, value, vars]}
                manila_pools: {get_attr: [CephManilaPoolVars, value, vars]}
                ceph_keys: {get_attr: [CephKeyVars, value, vars]}
-                ceph_default_overrides: {get_attr: [DefaultCephConfigOverrides, value, vars]}
+                ceph_default_overrides:
+                  if:
+                  - msgr_secure_mode
+                  - yaql:
+                      expression: ($.data.default).mergeWith($.data.secure)
+                      data:
+                        default: {get_attr: [DefaultCephConfigOverrides, value, vars]}
+                        secure: {get_attr: [MsgrSecureModeOverrides, value, vars]}
+                  - {get_attr: [DefaultCephConfigOverrides, value, vars]}
                ceph_config_overrides: {get_param: CephConfigOverrides}
            - name: set ceph-ansible facts
              set_fact:
--- a/environments/ceph-ansible/ceph-ansible.yaml
+++ b/environments/ceph-ansible/ceph-ansible.yaml
@ -16,3 +16,10 @@ parameter_defaults:
  GlanceBackend: rbd
  ## Uncomment below if enabling legacy telemetry
  # GnocchiBackend: rbd
+
+  ## Set to enable on-wire encryption
+  ## Using secure mode can cause a performance degradation with the storage cluster.
+  ## The severity of the performance degradation can vary depending on several
+  ## environmental factors.
+  ## Test the performance impact in a non-production environment before implementing.
+  # CephMsgrSecureMode: true