Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / cinder / 01614c073a4ccc9a7ab0f028f94faea5a0a9d526^! / . / README.rst
commit01614c073a4ccc9a7ab0f028f94faea5a0a9d526[log] [tgz]
authorKirill Bespalov <kbespalov@mirantis.com>Mon Jul 31 17:06:09 2017 +0300
committerKirill Bespalov <kbespalov@mirantis.com>Thu Sep 14 17:48:34 2017 +0300
treed6368f88bfc48c2f28cd82831ce6ee6de476e29e
parentef4c7d0b92f1fc5a74e3b942bca264b5412e35f7 [diff] [blame]
RabbitMQ TLS support

OSCORE-381
Change-Id: I93ead9105820fe7462b7bd9b76d51f89ce5950c6
Releases: Mitaka, Newton, Ocata
Usage: see README.rst

diff --git a/README.rst b/README.rst
index 72f353d..59e3fcc 100644
--- a/README.rst
+++ b/README.rst

@@ -57,7 +57,7 @@
             multihost: true
             multipath: true
             pool: SAS7K2
-        audit: 
+        audit:
           enabled: false
         osapi_max_limit: 500
 
@@ -157,6 +157,62 @@
           virtual_host: '/openstack'
         ....
 
+
+**Client-side RabbitMQ TLS configuration.**
+
+|
+
+To enable TLS for oslo.messaging you need to provide the CA certificate.
+By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+
+.. code-block:: yaml
+
+  cinder:
+    controller or volume:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+
+
+
+Use `cacert_file` option to specify the CA-cert file path explicitly:
+
+.. code-block:: yaml
+
+  cinder:
+    controller or volume:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert_file: /etc/ssl/rabbitmq-ca.pem
+
+To manage content of the `cacert_file` use the `cacert` option:
+
+.. code-block:: yaml
+
+  cinder:
+    controller or volume:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert: |
+
+          -----BEGIN CERTIFICATE-----
+                    ...
+          -----END CERTIFICATE-------
+
+          cacert_file: /etc/openstack/rabbitmq-ca.pem
+
+
+Notice:
+ * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
+ * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+
+
+
 Cinder setup with zeroing deleted volumes
 
 .. code-block:: yaml
@@ -434,7 +490,7 @@
             type_name: GPFS-SILVER
             engine: gpfs
             mount_point: '/mnt/gpfs-openstack/cinder/silver'
-  
+
 Cinder setup with HP LeftHand
 
 .. code-block:: yaml
@@ -456,7 +512,7 @@
 
 .. code-block:: yaml
 
-    cinder type-key normal-storage set hplh:data_pl=r-10-2 hplh:provisioning=full 
+    cinder type-key normal-storage set hplh:data_pl=r-10-2 hplh:provisioning=full
 
 Cinder setup with Solidfire
 
@@ -521,7 +577,7 @@
           ceph_user: cinder
           ceph_chunk_size: 134217728
           restore_discard_excess_bytes: false
-          
+
 Enable auditing filter, ie: CADF
 
 .. code-block:: yaml