Disabling encryption in-transit after deployment in external mode

Learn how to disable encryption in-transit after the deployment of a cluster in external mode.

1. Remove and check encryption in-transit configurations.

   [root@ceph-client ~]# ceph config rm global ms_client_mode
   [root@ceph-client ~]# ceph config rm global ms_cluster_mode
   [root@ceph-client ~]# ceph config rm global ms_service_mode
   [root@ceph-client ~]# ceph config rm global rbd_default_map_options
   
   [root@ceph-client ~]# ceph config dump | grep ms_
   [root@ceph-client ~]#

2. Restart all Ceph daemons.

   [root@ceph-client ~]# ceph orch ls --format plain | tail -n +2 | awk '{print $1}' | xargs -I {} ceph orch restart {}
   Scheduled to restart alertmanager.osd-0 on host 'osd-0'
   Scheduled to restart ceph-exporter.osd-0 on host 'osd-0'
   Scheduled to restart ceph-exporter.osd-2 on host 'osd-2'
   Scheduled to restart ceph-exporter.osd-3 on host 'osd-3'
   Scheduled to restart ceph-exporter.osd-1 on host 'osd-1'
   Scheduled to restart crash.osd-0 on host 'osd-0'
   Scheduled to restart crash.osd-2 on host 'osd-2'
   Scheduled to restart crash.osd-3 on host 'osd-3'
   Scheduled to restart crash.osd-1 on host 'osd-1'
   Scheduled to restart grafana.osd-0 on host 'osd-0'
   Scheduled to restart mds.fsvol001.osd-0.lpciqk on host 'osd-0'
   Scheduled to restart mds.fsvol001.osd-2.wocnxz on host 'osd-2'
   Scheduled to restart mgr.osd-0.dtkyni on host 'osd-0'
   Scheduled to restart mgr.osd-2.kqcxwu on host 'osd-2'
   Scheduled to restart mon.osd-2 on host 'osd-2'
   Scheduled to restart mon.osd-3 on host 'osd-3'
   Scheduled to restart mon.osd-1 on host 'osd-1'
   Scheduled to restart node-exporter.osd-0 on host 'osd-0'
   Scheduled to restart node-exporter.osd-2 on host 'osd-2'
   Scheduled to restart node-exporter.osd-3 on host 'osd-3'
   Scheduled to restart node-exporter.osd-1 on host 'osd-1'
   Scheduled to restart osd.1 on host 'osd-0'
   Scheduled to restart osd.4 on host 'osd-0'
   Scheduled to restart osd.0 on host 'osd-2'
   Scheduled to restart osd.5 on host 'osd-2'
   Scheduled to restart osd.2 on host 'osd-3'
   Scheduled to restart osd.6 on host 'osd-3'
   Scheduled to restart osd.3 on host 'osd-1'
   Scheduled to restart osd.7 on host 'osd-1'
   Scheduled to restart prometheus.osd-0 on host 'osd-0'
   Scheduled to restart rgw.rgw.ssl.osd-1.smzpfj on host 'osd-1'

   [root@ceph-client ~]# ceph orch ps
   NAME                       HOST   PORTS             STATUS          REFRESHED  AGE  MEM USE  MEM LIM  VERSION           IMAGE ID      CONTAINER ID
   alertmanager.osd-0         osd-0  *:9093,9094       running (116s)     9s ago  10h    19.5M        -  0.26.0            7dbf12091920  4694a72d4bbd
   ceph-exporter.osd-0        osd-0                    running (19s)      9s ago  10h    7310k        -  18.2.1-229.el9cp  3fd804e38f5b  49bdc7d99471
   ceph-exporter.osd-1        osd-1                    running (97s)     26s ago  10h    7285k        -  18.2.1-229.el9cp  3fd804e38f5b  7000d59d23b4
   ceph-exporter.osd-2        osd-2                    running (76s)     26s ago  10h    7306k        -  18.2.1-229.el9cp  3fd804e38f5b  3907515cc352
   ceph-exporter.osd-3        osd-3                    running (49s)     26s ago  10h    6971k        -  18.2.1-229.el9cp  3fd804e38f5b  3f3952490780
   crash.osd-0                osd-0                    running (17s)      9s ago  10h    6878k        -  18.2.1-229.el9cp  3fd804e38f5b  38e041fb86e3
   crash.osd-1                osd-1                    running (96s)     26s ago  10h    6895k        -  18.2.1-229.el9cp  3fd804e38f5b  21ce3ef7d896
   crash.osd-2                osd-2                    running (74s)     26s ago  10h    6899k        -  18.2.1-229.el9cp  3fd804e38f5b  210ca9c8d928
   crash.osd-3                osd-3                    running (47s)     26s ago  10h    6899k        -  18.2.1-229.el9cp  3fd804e38f5b  710d42d9d138
   grafana.osd-0              osd-0  *:3000            running (114s)     9s ago  10h    72.9M        -  10.4.0-pre        f142b583a1b1  3dc5e2248e95
   mds.fsvol001.osd-0.qjntcu  osd-0                    running (99s)      9s ago  10h    17.5M        -  18.2.1-229.el9cp  3fd804e38f5b  50efa881c04b
   mds.fsvol001.osd-2.qneujv  osd-2                    running (51s)     26s ago  10h    15.3M        -  18.2.1-229.el9cp  3fd804e38f5b  a306f2d2d676
   mgr.osd-0.zukgyq           osd-0  *:9283,8765,8443  running (21s)      9s ago  10h     442M        -  18.2.1-229.el9cp  3fd804e38f5b  8ef9b728675e
   mgr.osd-1.jqfyal           osd-1  *:8443,9283,8765  running (92s)     26s ago  10h     480M        -  18.2.1-229.el9cp  3fd804e38f5b  1ab52db89bfd
   mon.osd-1                  osd-1                    running (90s)     26s ago  10h    41.7M    2048M  18.2.1-229.el9cp  3fd804e38f5b  88d1fe1e10ac
   mon.osd-2                  osd-2                    running (72s)     26s ago  10h    31.1M    2048M  18.2.1-229.el9cp  3fd804e38f5b  02f57d3bb44f
   mon.osd-3                  osd-3                    running (45s)     26s ago  10h    24.0M    2048M  18.2.1-229.el9cp  3fd804e38f5b  5e3783f2b4fa
   node-exporter.osd-0        osd-0  *:9100            running (15s)      9s ago  10h    7843k        -  1.7.0             8c904aa522d0  2dae2127349b
   node-exporter.osd-1        osd-1  *:9100            running (94s)     26s ago  10h    11.2M        -  1.7.0             8c904aa522d0  010c3fcd55cd
   node-exporter.osd-2        osd-2  *:9100            running (69s)     26s ago  10h    17.2M        -  1.7.0             8c904aa522d0  436f2d513f31
   node-exporter.osd-3        osd-3  *:9100            running (41s)     26s ago  10h    12.4M        -  1.7.0             8c904aa522d0  5579f0d494b8
   osd.0                      osd-0                    running (109s)     9s ago  10h     126M    4096M  18.2.1-229.el9cp  3fd804e38f5b  997076cd39d4
   osd.1                      osd-1                    running (85s)     26s ago  10h     139M    4096M  18.2.1-229.el9cp  3fd804e38f5b  08b720f0587d
   osd.2                      osd-2                    running (65s)     26s ago  10h     143M    4096M  18.2.1-229.el9cp  3fd804e38f5b  104ad4227163
   osd.3                      osd-3                    running (36s)     26s ago  10h    94.5M    1435M  18.2.1-229.el9cp  3fd804e38f5b  db8b265d9f43
   osd.4                      osd-0                    running (104s)     9s ago  10h     164M    4096M  18.2.1-229.el9cp  3fd804e38f5b  50dcbbf7e012
   osd.5                      osd-1                    running (80s)     26s ago  10h     131M    4096M  18.2.1-229.el9cp  3fd804e38f5b  63b21fe970b5
   osd.6                      osd-3                    running (32s)     26s ago  10h     243M    1435M  18.2.1-229.el9cp  3fd804e38f5b  26c7ba208489
   osd.7                      osd-2                    running (61s)     26s ago  10h     130M    4096M  18.2.1-229.el9cp  3fd804e38f5b  871a2b75e64f
   prometheus.osd-0           osd-0  *:9095            running (12s)      9s ago  10h    44.6M        -  2.48.0            58069186198d  e49a064d2478
   rgw.rgw.ssl.osd-1.bsmbgd   osd-1  *:80              running (78s)     26s ago  10h    75.4M        -  18.2.1-229.el9cp  3fd804e38f5b  d03c9f7ae4a4

3. Patch the storagecluster to update encryption enabled as false in the storage cluster specification.

   oc patch storagecluster ocs-external-storagecluster -n openshift-storage --type json --patch  '[{ "op": "replace", "path": "/spec/network", "value": {"connections": {"encryption": {"enabled": false}}} }]'
   storagecluster.ocs.openshift.io/ocs-external-storagecluster patched

4. Check the configurations.

   oc get storagecluster
   NAME                          AGE   PHASE   EXTERNAL   CREATED AT             VERSION
   ocs-external-storagecluster   12h   Ready   true       2024-11-06T20:48:03Z   4.18.0

   oc get storagecluster ocs-external-storagecluster -o yaml | yq '.spec.network.connections'
   encryption:
     enabled: false

5. Remount existing volumes.
   Depending on your best practices for application maintenance, you can choose the best approach for your environment to remount or remap volumes. One way to remount is to delete the existing application pod and bring up another application pod to use the volume. Another option is to drain the nodes where the applications are running. This ensures that the volume is unmounted from the current pod and then mounted to a new pod, allowing for remapping or remounting of the volume.