OpenStack HTTPS Endpoints support
Communication between services is usually done via internal
endpoints that are located in the internal network. In some
cases it is required to encrypt traffic even on the internal
network. This patch unhardcodes the communication protocol between
Glance and other services. It also adds the possibility to specify
ca_file to verify SSL certificates of remote peers.
This change is fully backward compatible.
Related-Prod: PROD-15737
Change-Id: I7aefbad5101acf68a045aa1595b99b1ab8947d6d
diff --git a/README.rst b/README.rst
index 02da35d..415c31f 100644
--- a/README.rst
+++ b/README.rst
@@ -127,58 +127,64 @@
virtual_host: '/openstack'
....
-Client-side RabbitMQ TLS configuration:
----------------------------------------
+Configuring TLS communications
+------------------------------
-To enable TLS for oslo.messaging you need to provide the CA certificate.
-By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+**Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
+
+
+- **RabbitMQ TLS**
.. code-block:: yaml
- glance:
- server:
- ....
+ glance:
+ server:
message_queue:
+ port: 5671
ssl:
enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+ (optional) version: TLSv1_2
-
-Use `cacert_file` option to specify the CA-cert file path explicitly:
+- **MySQL TLS**
.. code-block:: yaml
- glance:
- server:
- ....
- message_queue:
+ glance:
+ server:
+ database:
ssl:
enabled: True
- cacert_file: /etc/ssl/rabbitmq-ca.pem
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/mysql-ca.pem
-To manage content of the `cacert_file` use the `cacert` option:
+- **Openstack HTTPS API**
+
+
+Set the ``https`` as protocol at ``glance:server`` sections:
.. code-block:: yaml
- glance:
- server:
- ....
- message_queue:
- ssl:
- enabled: True
- cacert: |
+ glance:
+ server:
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ registry:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ storage:
+ engine: cinder, swift
+ cinder:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ swift:
+ store:
+ (optional) cafile: /etc/openstack/proxy.pem
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-------
-
- cacert_file: /etc/openstack/rabbitmq-ca.pem
-
-
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
Enable Glance Image Cache:
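Review bot: the removed "Notice" block documented two behaviours that the new text no longer states anywhere: that ``message_queue.port`` defaults to 5671 when ``ssl.enabled=True``, and the default ``ssl.version`` (TLSv1 below Python 2.7.9, TLSv1_2 above). The new RabbitMQ snippet shows ``port: 5671`` and ``version: TLSv1_2`` only as example values, so a reader can no longer tell what happens when they are omitted; please carry both sentences over under the new "Configuring TLS communications" heading. Two smaller points in the same hunk: the key name is ``cacert_file`` in the ``message_queue``, ``database``, ``identity``, ``registry`` and ``cinder`` sections but ``cafile`` in ``swift: store``, which the text should either call out as intentional or make consistent; and the repeated line ``(optional) cacert: cert body if the cacert_file does not exists`` should read ``does not exist``. The ``(optional)`` prefixes inside ``.. code-block:: yaml`` also make the snippets invalid YAML if copied verbatim; consider moving "optional" into a comment (``# optional``) so the blocks remain pasteable.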