From b434781224397b6f5f77bf16665e0f239d7498ec Mon Sep 17 00:00:00 2001
From: rigazilla
Date: Tue, 23 Jan 2024 11:08:27 +0100
Subject: [PATCH] moved to realm emcryption

---
 .../assembly_configuring_encryption.adoc | 3 +-
 .../topics/proc_enabling_encryption.adoc | 46 +++++++++++++++++++
 .../proc_enabling_endpoint_encryption.adoc | 31 -------------
 .../proc_enabling_transport_encryption.adoc | 33 -------------
 ...cryption.yaml => endpoint_encryption.yaml} | 2 +-
 .../topics/yaml/ssl_endpoint_secretname.yaml | 3 --
 .../topics/yaml/ssl_transport_secretname.yaml | 3 --
 .../asciidoc/topics/yaml/tls_secretname.yaml | 4 ++
 .../topics/yaml/transport_encryption.yaml | 34 +++++++-------
 test/tls_values.snippet.yaml | 39 ++++++++--------
 10 files changed, 89 insertions(+), 109 deletions(-)
 create mode 100644 documentation/asciidoc/topics/proc_enabling_encryption.adoc
 delete mode 100644 documentation/asciidoc/topics/proc_enabling_endpoint_encryption.adoc
 delete mode 100644 documentation/asciidoc/topics/proc_enabling_transport_encryption.adoc
 rename documentation/asciidoc/topics/yaml/{realm_encryption.yaml => endpoint_encryption.yaml} (87%)
 delete mode 100644 documentation/asciidoc/topics/yaml/ssl_endpoint_secretname.yaml
 delete mode 100644 documentation/asciidoc/topics/yaml/ssl_transport_secretname.yaml
 create mode 100644 documentation/asciidoc/topics/yaml/tls_secretname.yaml

diff --git a/documentation/asciidoc/stories/assembly_configuring_encryption.adoc b/documentation/asciidoc/stories/assembly_configuring_encryption.adoc
index 15b99a0..f9cd7ab 100644
--- a/documentation/asciidoc/stories/assembly_configuring_encryption.adoc
+++ b/documentation/asciidoc/stories/assembly_configuring_encryption.adoc
@@ -5,8 +5,7 @@ ifdef::context[:parent-context: {context}] [role="_abstract"] Configure encryption for your {brandname}. -include::{topics}/proc_enabling_endpoint_encryption.adoc[leveloffset=+1] -include::{topics}/proc_enabling_transport_encryption.adoc[leveloffset=+1] +include::{topics}/proc_enabling_encryption.adoc[leveloffset=+1] // Restore the parent context. ifdef::parent-context[:context: {parent-context}] diff --git a/documentation/asciidoc/topics/proc_enabling_encryption.adoc b/documentation/asciidoc/topics/proc_enabling_encryption.adoc new file mode 100644 index 0000000..a93511a --- /dev/null +++ b/documentation/asciidoc/topics/proc_enabling_encryption.adoc 
@@ -0,0 +1,46 @@ +[id='enabling-endpoint-encryption_{context}'] += Enabling TLS encryption + +[role="_abstract"] +Encryption can be independently enabled for endpoint and cluster transport. + +.Prerequisites +* A secret containing a certificate or a keystore. Endpoint and cluster should use +different secrets. + +.Procedure + +.Set the secret name in the deploy configuration + +Provide the name of the secret containing the certificates. +[source,yaml,options="nowrap",subs=attributes+] +---- +include::yaml/tls_secretname.yaml[] +---- + +.Enable cluster transport TLS + +- Configure the keystore path in the transport realm; secret is mounted at `/etc/encrypt/transport`. Additionaly in the cluster transport realm the truststore must be configured +with the same certificates, this allow the nodes to authenticate each other. +Alias and password must be provided in case the secret contains a keystore. +- Configure the transport stack to use the realm. + +[source,yaml,options="nowrap",subs=attributes+] +---- +include::yaml/transport_encryption.yaml[] +---- + + +.Enable endpoint TLS + +Configure the keystore path in the endpoint realm, secret is mounted at `/etc/encrypt/endpoint`. +Alias and password must be provided in case the secret contains a keystore. + +[source,yaml,options="nowrap",subs=attributes+] +---- +include::yaml/endpoint_encryption.yaml[] +---- + +[role="_additional-resources"] +.Additional resources +* link:{security_docs}[{brandname} Security Guide] diff --git a/documentation/asciidoc/topics/proc_enabling_endpoint_encryption.adoc b/documentation/asciidoc/topics/proc_enabling_endpoint_encryption.adoc deleted file mode 100644 index 2d07de6..0000000 --- a/documentation/asciidoc/topics/proc_enabling_endpoint_encryption.adoc +++ /dev/null 
@@ -1,31 +0,0 @@ -[id='enabling-endpoint-encryption_{context}'] -= Enabling endpoint encryption - -[role="_abstract"] -Enable TLS encryption on the endpoint. - -.Prerequisites -* A secret containing the keystore - -.Procedure - - -+ -.Set the secret name in the deploy configuration -[source,yaml,options="nowrap",subs=attributes+] ----- -include::yaml/ssl_endpoint_secretname.yaml[] ----- -+ -.Enable TLS in the Realm - -Configure the keystore path in the endpoint realm. Secret is mounted at `/etc/encrypt/endpoint`. Alias and password for the keystore must be provided. - -[source,yaml,options="nowrap",subs=attributes+] ----- -include::yaml/realm_encryption.yaml[] ----- - -[role="_additional-resources"] -.Additional resources -* link:{security_docs}[{brandname} Security Guide] diff --git a/documentation/asciidoc/topics/proc_enabling_transport_encryption.adoc b/documentation/asciidoc/topics/proc_enabling_transport_encryption.adoc deleted file mode 100644 index adf6813..0000000 --- a/documentation/asciidoc/topics/proc_enabling_transport_encryption.adoc +++ /dev/null @@ -1,33 +0,0 @@ -[id='enabling-transport-encryption_{context}'] -= Enabling endpoint encryption - -[role="_abstract"] -Enable TLS encryption for the cluster transport. - -.Prerequisites -* A secret containing the certificates - -.Procedure - - -+ -.Set the secret name in the deploy configuration. -Secret is mounted at `/etc/encrypt/transport`. -[source,yaml,options="nowrap",subs=attributes+] ----- -include::yaml/ssl_transport_secretname.yaml[] ----- -+ -.Enable TLS in the JGroups stack - -Configure JGroups with the desired encryption, extending the `kubernetes` stack. If needed, name and password for the keystore must be provided. - - -[source,yaml,options="nowrap",subs=attributes+] ----- -include::yaml/transport_encryption.yaml[] ----- - -[role="_additional-resources"] -.Additional resources -* link:{security_docs}[{brandname} Security Guide] 
diff --git a/documentation/asciidoc/topics/yaml/realm_encryption.yaml b/documentation/asciidoc/topics/yaml/endpoint_encryption.yaml similarity index 87% rename from documentation/asciidoc/topics/yaml/realm_encryption.yaml rename to documentation/asciidoc/topics/yaml/endpoint_encryption.yaml index eae222d..5542e33 100644 --- a/documentation/asciidoc/topics/yaml/realm_encryption.yaml +++ b/documentation/asciidoc/topics/yaml/endpoint_encryption.yaml @@ -9,4 +9,4 @@ deploy: keystore: alias: "server" path: "/etc/encrypt/endpoint/keystore.p12" - password: "password" \ No newline at end of file + password: "password" diff --git a/documentation/asciidoc/topics/yaml/ssl_endpoint_secretname.yaml b/documentation/asciidoc/topics/yaml/ssl_endpoint_secretname.yaml deleted file mode 100644 index 1f1f679..0000000 --- a/documentation/asciidoc/topics/yaml/ssl_endpoint_secretname.yaml +++ /dev/null @@ -1,3 +0,0 @@ -deploy: - ssl: - endpointSecretName: "tls-secret" \ No newline at end of file diff --git a/documentation/asciidoc/topics/yaml/ssl_transport_secretname.yaml b/documentation/asciidoc/topics/yaml/ssl_transport_secretname.yaml deleted file mode 100644 index b11913b..0000000 --- a/documentation/asciidoc/topics/yaml/ssl_transport_secretname.yaml +++ /dev/null @@ -1,3 +0,0 @@ -deploy: - ssl: - transportSecretName: "tls-secret" \ No newline at end of file diff --git a/documentation/asciidoc/topics/yaml/tls_secretname.yaml b/documentation/asciidoc/topics/yaml/tls_secretname.yaml new file mode 100644 index 0000000..11f27d1 --- /dev/null +++ b/documentation/asciidoc/topics/yaml/tls_secretname.yaml @@ -0,0 +1,4 @@ +deploy: + ssl: + endpointSecretName: "tls-secret" + transportSecretName: "tls-transport-secret" \ No newline at end of file diff --git a/documentation/asciidoc/topics/yaml/transport_encryption.yaml b/documentation/asciidoc/topics/yaml/transport_encryption.yaml index 7fed62e..86bde1f 100644 --- a/documentation/asciidoc/topics/yaml/transport_encryption.yaml 
+++ b/documentation/asciidoc/topics/yaml/transport_encryption.yaml @@ -1,21 +1,19 @@ +deploy: infinispan: - jgroups: - stack: - name: "encryption" - extends: "kubernetes" - SSL_KEY_EXCHANGE: - "keystore_name": "/etc/encrypt/transport/cert.p12" - "keystore_password": "password" - "stack.combine": "INSERT_AFTER" - "stack.position": "VERIFY_SUSPECT2" - ASYM_ENCRYPT: - "asym_algorithm": "RSA" - "asym_keylength": 3072 - "change_key_on_coord_leave": "false" - "change_key_on_leave": "false" - "use_external_key_exchange": "true" - "stack.combine": "INSERT_BEFORE" - "stack.position": "pbcast.NAKACK2" cacheContainer: transport: - stack: encryption \ No newline at end of file + stack: "kubernetes" + urn:infinispan:server:14.0:securityRealm: "cluster-transport" + server: + security: + securityRealms: + - name: cluster-transport + serverIdentities: + ssl: + keystore: + alias: "server" + path: "/etc/encrypt/endpoint/cert.p12" + password: "password" + truststore: + alias: "server" + path: "/etc/encrypt/endpoint/cert.p12" diff --git a/test/tls_values.snippet.yaml b/test/tls_values.snippet.yaml index d0dba1a..8df6d8e 100644 --- a/test/tls_values.snippet.yaml +++ b/test/tls_values.snippet.yaml @@ -3,26 +3,10 @@ deploy: endpointSecretName: "tls-secret" transportSecretName: "transport-tls-secret" infinispan: - jgroups: - stack: - name: "encryption" - extends: "kubernetes" - SSL_KEY_EXCHANGE: - "keystore_name": "/etc/encrypt/transport/cert.p12" - "keystore_password": "password" - "stack.combine": "INSERT_AFTER" - "stack.position": "VERIFY_SUSPECT2" - ASYM_ENCRYPT: - "asym_algorithm": "RSA" - "asym_keylength": 3072 - "change_key_on_coord_leave": "false" - "change_key_on_leave": "false" - "use_external_key_exchange": "true" - "stack.combine": "INSERT_BEFORE" - "stack.position": "pbcast.NAKACK2" cacheContainer: transport: - stack: encryption + stack: "kubernetes" + urn:infinispan:server:14.0:securityRealm: "cluster-transport" server: security: securityRealms: 
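Review bot: The `cluster-transport` realm added at the end of this hunk points both `keystore` and `truststore` at `/etc/encrypt/endpoint/cert.p12`, which is the endpoint secret's mount, while the procedure added in this same commit says the transport secret is mounted at `/etc/encrypt/transport` and the test snippet uses `/etc/encrypt/transport/cert.p12`. As written, the documented example would reuse the endpoint certificate for inter-node TLS and the separate `transportSecretName` would never be read, contradicting the new prerequisite that endpoint and cluster use different secrets. The truststore entry also lacks the `password` that the test snippet supplies and carries an `alias`, which does not appear to be meaningful for a truststore; I would change both entries to `path: "/etc/encrypt/transport/cert.p12"`, add `password: "password"` under `truststore:`, and drop the truststore `alias`. The `urn:infinispan:server:14.0:securityRealm` key also pins the example to the 14.0 schema namespace, which may be intended but deserves a comment saying it must track the server version in use.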
@@ -41,7 +25,26 @@ deploy: path: "/etc/encrypt/endpoint/keystore.p12" password: "password" # [METRICS] Security realm for the metrics endpoint. + - name: "cluster-transport" + # Security realm for cluster transport. This setup is for encryption only, no authentication. + # All the cluster server will use the same certificate both for key and trust store. + propertiesRealm: + groupProperties: + path: groups.properties + groupsAttribute: Roles + userProperties: + path: users.properties + serverIdentities: + ssl: + keystore: + alias: "server" + path: "/etc/encrypt/transport/cert.p12" + password: "password" + truststore: + path: "/etc/encrypt/transport/cert.p12" + password: "password" - name: metrics + # [METRICS] Security realm for the metrics endpoint. propertiesRealm: groupProperties: path: metrics-groups.properties
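Review bot: The comment on the new `cluster-transport` realm says the setup is "encryption only, no authentication", but the procedure added in this commit states that configuring the truststore lets the nodes authenticate each other; one of the two is wrong and the comment should state what actually holds. With the same `cert.p12` serving as keystore and truststore, a peer is presumably accepted exactly when it presents the certificate from the transport secret, so the effective guarantee is that only pods mounting that secret can join the cluster, and I would phrase the comment that way: `# Nodes present and trust the same certificate: any peer holding the transport secret is accepted; there is no per-node identity.` The `propertiesRealm` block with `users.properties`/`groups.properties` looks copied from the default realm and is not obviously needed for a transport-only realm; if the server does not require it here, dropping it avoids tying cluster transport to the user database. The hard-coded `password: "password"` is acceptable in a test fixture, but the same literal is mirrored into the documented example, which should at least carry a comment that it is a placeholder.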