
Bug 1517470

Summary: setup and suggestions related to etcd tls auth is not described in installation guide
Product: Red Hat Gluster Storage
Reporter: Martin Bukatovic <mbukatov>
Component: doc-RHGS_Web_Administration
Assignee: storage-doc
Status: CLOSED CURRENTRELEASE
QA Contact: Filip Balák <fbalak>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rhgs-3.3
CC: asriram, fbalak, rghatvis, rhs-bugs, sanandpa
Target Milestone: ---
Keywords: Security, ZStream
Target Release: RHGS 3.3.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-30 17:59:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Martin Bukatovic 2017-11-25 18:33:56 UTC
Document URL

Describe the issue

Setup and suggestions related to TLS etcd client-server authentication (between
etcd and tendrl components) are not described in the installation guide.

To enable etcd client-server TLS-based authentication, one needs to create and
distribute TLS cert files himself, and then configure tendrl-ansible via ansible
variables accordingly.

Authentication based on TLS is not configured by tendrl-ansible by default. If
unconfigured, etcd will be deployed without any authentication, allowing anyone
to access it.

Comment 2 Martin Bukatovic 2017-11-25 18:40:31 UTC
Upstream documentation

Installation guide[1] notes:

> To run secure ETCD (SSL/TLS based client server encryption and auth), please
> refer to:
> Note: this is covered by tendrl-ansible, but it's disabled by default, as the
> issuing and deployment of tls certificates on all machines is out of scope of
> tendrl-ansible and you need to do it yourself first.

tendrl-ansible then describes ansible variables related to tls auth in readme
of tendrl-server role[2], see description of etcd_tls_client_auth,
etcd_cert_file, etcd_key_file, etcd_trusted_ca_file variables.
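
An added example, not part of the bug report or of tendrl-ansible: a pre-deployment check that flags an inventory which would leave etcd without authentication, using the four variable names listed in Comment 2. Treating `etcd_tls_client_auth` as a boolean, the flat `key: value` parsing, the key-file permission check and the sample paths are assumptions.

```python
import os
import stat

# Names as listed in the tendrl-server role readme (per this bug).
FILE_VARS = ("etcd_cert_file", "etcd_key_file", "etcd_trusted_ca_file")
TRUE_WORDS = {"true", "yes", "on"}  # assumption: the switch is a boolean


def parse_flat_vars(text):
    """Parse a flat 'key: value' vars file (a small YAML subset, no nesting)."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            result[key.strip()] = value.strip().strip("'\"")
    return result


def audit_etcd_tls(variables, check_files=True):
    """Return a list of findings; an empty list means TLS auth is fully set."""
    findings = []
    if str(variables.get("etcd_tls_client_auth", "")).lower() not in TRUE_WORDS:
        findings.append("etcd_tls_client_auth is not enabled: etcd would be "
                        "deployed without authentication")
    for name in FILE_VARS:
        path = variables.get(name, "")
        if not path:
            findings.append(f"{name} is not set")
        elif not os.path.isabs(path):
            findings.append(f"{name} is not an absolute path: {path}")
        elif check_files and not os.path.isfile(path):
            findings.append(f"{name} points to a missing file: {path}")
        elif (check_files and name == "etcd_key_file"
              and stat.S_IMODE(os.stat(path).st_mode) & 0o077):
            findings.append(f"{name} is readable by group or others: {path}")
    return findings


# Constructed sample inputs: no TLS variables set, and a TLS-enabled set.
DEFAULT_VARS = parse_flat_vars("# no etcd TLS variables set\n")
TLS_VARS = parse_flat_vars("""
etcd_tls_client_auth: True        # constructed example values
etcd_cert_file: /etc/pki/tls/certs/etcd.crt
etcd_key_file: /etc/pki/tls/private/etcd.key
etcd_trusted_ca_file: /etc/pki/tls/certs/ca-etcd.crt
""")
print(audit_etcd_tls(DEFAULT_VARS, check_files=False))
```

Run with `check_files=True` on the host where the certificates were distributed, so that missing files and an over-permissive private key are reported as well.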


Comment 4 Filip Balák 2017-12-11 15:10:44 UTC
Looks ok. Checked content with current implementation and also all issues from gdoc are fixed.