commit 365d2439746115b02330155c2f98a4fe929e7293
author Kirill Bespalov <kbespalov@mirantis.com> Fri Jul 28 09:01:04 2017 +0300
committer Kirill Bespalov <kbespalov@mirantis.com> Fri Sep 15 07:04:04 2017 +0300
tree 20b861624532d5b260985addbf3617d0850fe831
parent 1b83901bbb0b485342f08a223b4d59979fd8f23c

RabbitMQ TLS support

OSCORE-380
Change-Id: I93ead9105820fe7462b7bd9b76d51f89ce5950c6
Releases: Mitaka, Newton, Ocata
Usage: see README.rst

README.rst

diff --git a/README.rst b/README.rst
index 04f22eb..af03680 100644
--- a/README.rst
+++ b/README.rst
@@ -125,6 +125,60 @@
           virtual_host: '/openstack'
         ....
 
+Client-side RabbitMQ TLS configuration:
+---------------------------------------
+
+To enable TLS for oslo.messaging you need to provide the CA certificate.
+
+By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+
+.. code-block:: yaml
+
+  glance:
+    server:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+
+
+
+Use `cacert_file` option to specify the CA-cert file path explicitly:
+
+.. code-block:: yaml
+
+  glance:
+    server:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert_file: /etc/ssl/rabbitmq-ca.pem
+
+To manage content of the `cacert_file` use the `cacert` option:
+
+.. code-block:: yaml
+
+  glance:
+    server:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert: |
+
+          -----BEGIN CERTIFICATE-----
+                    ...
+          -----END CERTIFICATE-------
+
+          cacert_file: /etc/openstack/rabbitmq-ca.pem
+
+
+Notice:
+ * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
+ * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+
+
 Enable Glance Image Cache:
 
 .. code-block:: yaml