Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / cinder / 1550d6c0bcb79c9423f527a8b92dca218699b9eb^! / . / README.rst
commit1550d6c0bcb79c9423f527a8b92dca218699b9eb[log] [tgz]
authorKirill Bespalov <kbespalov@mirantis.com>Tue Nov 21 12:55:33 2017 +0300
committerVasyl Saienko <vsaienko@mirantis.com>Wed Dec 13 14:51:55 2017 +0000
tree5cd55cf7efc406fd37f2190fc7e0a15f85cb6ac5
parent3ca0cf2458989254f0ea3867d351f6fd4bb013a6 [diff] [blame]
OpenStack HTTPS Endpoints support

Communication between services usually done via internal
endpoints that are located in internal network. In some
cases it is required to encrypt traffic even on internal
network. This patch unhardcode communication protocol between
Cinder and other services. Also adds possibility to specify
ca_file to verify SSL certificates of remote peers.

PROD-15735

Change-Id: Ib441eb4b37f40ed6bf5209b9dcfbcf80480708a1

diff --git a/README.rst b/README.rst
index 1dc3850..9ef35aa 100644
--- a/README.rst
+++ b/README.rst

@@ -166,58 +166,52 @@
         ....
 
 
-**Client-side RabbitMQ TLS configuration.**
+Configuring TLS communications
+------------------------------
 
-|
 
-To enable TLS for oslo.messaging you need to provide the CA certificate.
-By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+**Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
+
+
+- **RabbitMQ TLS**
 
 .. code-block:: yaml
 
-  cinder:
-    controller or volume:
-      ....
+ cinder:
+   controller, volume:
       message_queue:
+        port: 5671
         ssl:
           enabled: True
+          (optional) cacert: cert body if the cacert_file does not exists
+          (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+          (optional) version: TLSv1_2
 
 
-
-Use `cacert_file` option to specify the CA-cert file path explicitly:
+- **MySQL TLS**
 
 .. code-block:: yaml
 
-  cinder:
-    controller or volume:
-      ....
-      message_queue:
+ cinder:
+   controller:
+      database:
         ssl:
           enabled: True
-          cacert_file: /etc/ssl/rabbitmq-ca.pem
+          (optional) cacert: cert body if the cacert_file does not exists
+          (optional) cacert_file: /etc/openstack/mysql-ca.pem
 
-To manage content of the `cacert_file` use the `cacert` option:
+- **Openstack HTTPS API**
 
 .. code-block:: yaml
 
-  cinder:
-    controller or volume:
-      ....
-      message_queue:
-        ssl:
-          enabled: True
-          cacert: |
-
-          -----BEGIN CERTIFICATE-----
-                    ...
-          -----END CERTIFICATE-------
-
-          cacert_file: /etc/openstack/rabbitmq-ca.pem
-
-
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+ cinder:
+  controller, volume:
+      identity:
+         protocol: https
+         (optional) cacert_file: /etc/openstack/proxy.pem
+      glance:
+         protocol: https
+         (optional) cacert_file: /etc/openstack/proxy.pem