moved to realm emcryption

documentation/asciidoc/stories/assembly_configuring_encryption.adoc

@@ -5,8 +5,7 @@ ifdef::context[:parent-context: {context}]
 [role="_abstract"]
 Configure encryption for your {brandname}.
 
-include::{topics}/proc_enabling_endpoint_encryption.adoc[leveloffset=+1]
-include::{topics}/proc_enabling_transport_encryption.adoc[leveloffset=+1]
+include::{topics}/proc_enabling_encryption.adoc[leveloffset=+1]
 
 // Restore the parent context.
 ifdef::parent-context[:context: {parent-context}]

documentation/asciidoc/topics/proc_enabling_encryption.adoc

@@ -0,0 +1,46 @@
+[id='enabling-endpoint-encryption_{context}']
+= Enabling TLS encryption
+
+[role="_abstract"]
+Encryption can be independently enabled for endpoint and cluster transport.
+
+.Prerequisites
+* A secret containing a certificate or a keystore. Endpoint and cluster should use
+different secrets.
+
+.Procedure
+
+.Set the secret name in the deploy configuration
+
+Provide the name of the secret containing the certificate.
+[source,yaml,options="nowrap",subs=attributes+]
+----
+include::yaml/tls_secretname.yaml[]
+----
+
+.Enable cluster transport TLS
+
+- Configure the keystore path in the transport realm; secret is mounted at `/etc/encrypt/transport`. The truststore must be configured
+with the same certificates, this allow the nodes to authenticate each other.
+Alias and password must be provided in case the secret contains a keystore.
+- Configure the transport stack to use the realm.
+
+[source,yaml,options="nowrap",subs=attributes+]
+----
+include::yaml/transport_encryption.yaml[]
+----
+
+
+.Enable endpoint TLS
+
+Configure the keystore path in the endpoint realm, secret is mounted at `/etc/encrypt/endpoint`.
+Alias and password must be provided in case the secret contains a keystore.
+
+[source,yaml,options="nowrap",subs=attributes+]
+----
+include::yaml/endpoint_encryption.yaml[]
+----
+
+[role="_additional-resources"]
+.Additional resources
+* link:{security_docs}[{brandname} Security Guide]

documentation/asciidoc/topics/yaml/realm_encryption.yaml → documentation/asciidoc/topics/yaml/endpoint_encryption.yaml

@@ -9,4 +9,4 @@ deploy:
                 keystore:
                   alias: "server"
                   path: "/etc/encrypt/endpoint/keystore.p12"
-                  password: "password"
+                  password: "password"

documentation/asciidoc/topics/yaml/tls_secretname.yaml

@@ -0,0 +1,4 @@
+deploy:
+  ssl:
+    endpointSecretName: "tls-secret"
+    transportSecretName: "tls-transport-secret"

documentation/asciidoc/topics/yaml/transport_encryption.yaml

@@ -1,21 +1,19 @@
+deploy:
   infinispan:
-    jgroups:
-      stack:
-        name: "encryption"
-        extends: "kubernetes"
-        SSL_KEY_EXCHANGE:
-          "keystore_name": "/etc/encrypt/transport/cert.p12"
-          "keystore_password": "password"
-          "stack.combine": "INSERT_AFTER"
-          "stack.position": "VERIFY_SUSPECT2"
-        ASYM_ENCRYPT:
-          "asym_algorithm": "RSA"
-          "asym_keylength": 3072
-          "change_key_on_coord_leave": "false"
-          "change_key_on_leave": "false"
-          "use_external_key_exchange": "true"
-          "stack.combine": "INSERT_BEFORE"
-          "stack.position": "pbcast.NAKACK2"
     cacheContainer:
       transport:
-         stack: encryption
+         stack: "kubernetes"
+         urn:infinispan:server:14.0:securityRealm: "cluster-transport"
+    server:
+      security:
+        securityRealms:
+          - name: cluster-transport
+            serverIdentities:
+              ssl:
+                keystore:
+                  alias: "server"
+                  path: "/etc/encrypt/endpoint/cert.p12"
+                  password: "password"
+                truststore:
+                  alias: "server"
+                  path: "/etc/encrypt/endpoint/cert.p12"

test/tls_values.snippet.yaml

@@ -3,26 +3,10 @@ deploy:
     endpointSecretName: "tls-secret"
     transportSecretName: "transport-tls-secret"
   infinispan:
-    jgroups:
-      stack:
-        name: "encryption"
-        extends: "kubernetes"
-        SSL_KEY_EXCHANGE:
-          "keystore_name": "/etc/encrypt/transport/cert.p12"
-          "keystore_password": "password"
-          "stack.combine": "INSERT_AFTER"
-          "stack.position": "VERIFY_SUSPECT2"
-        ASYM_ENCRYPT:
-          "asym_algorithm": "RSA"
-          "asym_keylength": 3072
-          "change_key_on_coord_leave": "false"
-          "change_key_on_leave": "false"
-          "use_external_key_exchange": "true"
-          "stack.combine": "INSERT_BEFORE"
-          "stack.position": "pbcast.NAKACK2"
     cacheContainer:
       transport:
-         stack: encryption
+         stack: "kubernetes"
+         urn:infinispan:server:14.0:securityRealm: "cluster-transport"
     server:
       security:
         securityRealms:
@@ -41,7 +25,26 @@ deploy:
                 path: "/etc/encrypt/endpoint/keystore.p12"
                 password: "password"
                           # [METRICS] Security realm for the metrics endpoint.
+        - name: "cluster-transport"
+         # Security realm for cluster transport. This setup is for encryption only, no authentication.
+         # All the cluster server will use the same certificate both for key and trust store.
+          propertiesRealm:
+            groupProperties:
+              path: groups.properties
+            groupsAttribute: Roles
+            userProperties:
+              path: users.properties
+          serverIdentities:
+            ssl:
+              keystore:
+                alias: "server"
+                path: "/etc/encrypt/transport/cert.p12"
+                password: "password"
+              truststore:
+                path: "/etc/encrypt/transport/cert.p12"
+                password: "password"
         - name: metrics
+        # [METRICS] Security realm for the metrics endpoint.
           propertiesRealm:
             groupProperties:
               path: metrics-groups.properties