documentation for encryption

CONTRIBUTING.md

@@ -4,7 +4,6 @@ All PRs that require modifications to the `README.md` or `values.schema.json` fi
 The `brand.sh` script should then be executed using the upstream properties, i.e. `./brand.sh infinispan.conf`, and all
 modified `*.tpl`, `*.md` and `*.json` files added to the commit.
 
-All PRs that require modifications to the `values.yaml` or `test/tls_values.yaml.yq` must run `./build_examples.sh` to rebuild all the examples.
 
 # Creating a Release
 1. Update `Chart.yaml`

documentation/asciidoc/stories/assembly_configuring_encryption.adoc

@@ -0,0 +1,13 @@
+ifdef::context[:parent-context: {context}]
+[id='encryption']
+:context: network-access
+= Configuring encryption
+[role="_abstract"]
+Configure encryption for your {brandname}.
+
+include::{topics}/proc_enabling_endpoint_encryption.adoc[leveloffset=+1]
+include::{topics}/proc_enabling_transport_encryption.adoc[leveloffset=+1]
+
+// Restore the parent context.
+ifdef::parent-context[:context: {parent-context}]
+ifndef::parent-context[:!context:]

documentation/asciidoc/titles/stories.adoc

@@ -1,5 +1,6 @@
 include::{stories}/assembly_installing_helm_chart.adoc[leveloffset=+1]
 include::{stories}/assembly_configuring_servers.adoc[leveloffset=+1]
 include::{stories}/assembly_configuring_authentication.adoc[leveloffset=+1]
+include::{stories}/assembly_configuring_encryption.adoc[leveloffset=+1]
 include::{stories}/assembly_network_access.adoc[leveloffset=+1]
 include::{stories}/assembly_connecting_clusters.adoc[leveloffset=+1]

documentation/asciidoc/topics/proc_configuring_servers.adoc

@@ -27,8 +27,3 @@ For example, you can create caches at startup with any {brandname} configuration
 * Configure {brandname} Server endpoints with the `deploy.infinispan.server.endpoints` fields.
 * Configure {brandname} Server network interfaces and ports with the `deploy.infinispan.server.interfaces` and `deploy.infinispan.server.socketBindings` fields.
 * Configure {brandname} Server security mechanisms with the `deploy.infinispan.server.security` fields.
-+
-[NOTE]
-====
-The {brandname} chart does not currently support TLS/SSL security realms and encrypted client connections.
-====

documentation/asciidoc/topics/proc_enabling_endpoint_encryption.adoc

@@ -0,0 +1,31 @@
+[id='enabling-endpoint-encryption_{context}']
+= Enabling endpoint encryption
+
+[role="_abstract"]
+Enable TLS encryption on the endpoint.
+
+.Prerequisites
+* A secret containing the keystore
+
+.Procedure
+
+
++
+.Set the secret name in the deploy configuration
+[source,yaml,options="nowrap",subs=attributes+]
+----
+include::yaml/ssl_endpoint_secretname.yaml[]
+----
++
+.Enable TLS in the Realm
+
+Configure the keystore path in the endpoint realm. Secret is mounted at `/etc/encrypt/endpoint`. Alias and password for the keystore must be provided.
+
+[source,yaml,options="nowrap",subs=attributes+]
+----
+include::yaml/realm_encryption.yaml[]
+----
+
+[role="_additional-resources"]
+.Additional resources
+* link:{security_docs}[{brandname} Security Guide]

documentation/asciidoc/topics/proc_enabling_transport_encryption.adoc

@@ -0,0 +1,33 @@
+[id='enabling-transport-encryption_{context}']
+= Enabling endpoint encryption
+
+[role="_abstract"]
+Enable TLS encryption for the cluster transport.
+
+.Prerequisites
+* A secret containing the certificates
+
+.Procedure
+
+
++
+.Set the secret name in the deploy configuration.
+Secret is mounted at `/etc/encrypt/transport`.
+[source,yaml,options="nowrap",subs=attributes+]
+----
+include::yaml/ssl_transport_secretname.yaml[]
+----
++
+.Enable TLS in the JGroups stack
+
+Configure JGroups with the desired encryption, extending the `kubernetes` stack.  If needed, name and password for the keystore must be provided.
+
+
+[source,yaml,options="nowrap",subs=attributes+]
+----
+include::yaml/transport_encryption.yaml[]
+----
+
+[role="_additional-resources"]
+.Additional resources
+* link:{security_docs}[{brandname} Security Guide]

documentation/asciidoc/topics/yaml/realm_encryption.yaml

@@ -0,0 +1,12 @@
+deploy:
+  infinispan:
+    server:
+      security:
+        securityRealms:
+          - name: default
+            serverIdentities:
+              ssl:
+                keystore:
+                  alias: "server"
+                  path: "/etc/encrypt/endpoint/keystore.p12"
+                  password: "password"

documentation/asciidoc/topics/yaml/ssl_endpoint_secretname.yaml

@@ -0,0 +1,3 @@
+deploy:
+  ssl:
+    endpointSecretName: "tls-secret"

documentation/asciidoc/topics/yaml/ssl_transport_secretname.yaml

@@ -0,0 +1,3 @@
+deploy:
+  ssl:
+    transportSecretName: "tls-secret"

documentation/asciidoc/topics/yaml/transport_encryption.yaml

@@ -0,0 +1,21 @@
+  infinispan:
+    jgroups:
+      stack:
+        name: "encryption"
+        extends: "kubernetes"
+        SSL_KEY_EXCHANGE:
+          "keystore_name": "/etc/encrypt/transport/cert.p12"
+          "keystore_password": "password"
+          "stack.combine": "INSERT_AFTER"
+          "stack.position": "VERIFY_SUSPECT2"
+        ASYM_ENCRYPT:
+          "asym_algorithm": "RSA"
+          "asym_keylength": 3072
+          "change_key_on_coord_leave": "false"
+          "change_key_on_leave": "false"
+          "use_external_key_exchange": "true"
+          "stack.combine": "INSERT_BEFORE"
+          "stack.position": "pbcast.NAKACK2"
+    cacheContainer:
+      transport:
+         stack: encryption