OpenStack HTTPS Endpoints support
Communication between services is usually done via internal
endpoints that are located in the internal network. In some
cases it is required to encrypt traffic even on the internal
network. This patch unhardcodes the communication protocol between
Heat and other services. It also adds the possibility to specify
ca_file to verify SSL certificates of remote peers.
Related-Prod: PROD-16162
Change-Id: I1cbad13b7cef9f6f8d9ab73a0689e76b94ebef05
diff --git a/README.rst b/README.rst
index 41b793b..6e703b8 100644
--- a/README.rst
+++ b/README.rst
@@ -178,45 +178,55 @@
virtual_host: '/openstack'
....
-Client-side RabbitMQ TLS configuration:
-|
-To enable TLS for oslo.messaging you need to provide the CA certificate.
+Configuring TLS communications
+-------------------------------
-By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
-.. code-block:: yaml
+ **Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
- ....
- message_queue:
- ssl:
- enabled: True
-Use `cacert_file` param to specify the CA-cert file location explicitly:
+ - **RabbitMQ TLS**
-.. code-block:: yaml
+ .. code-block:: yaml
- ....
- message_queue:
- ssl:
- enabled: True
- cacert_file: /etc/ssl/rabbitmq-ca.pem
+ heat:
+ server:
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+ (optional) version: TLSv1_2
-To manage content of the `cacert_file` use the `cacert` param:
-.. code-block:: yaml
+ - **MySQL TLS**
- ....
- message_queue:
- ssl:
- enabled: True
- cacert: { file content here }
- cacert_file: /etc/openstack/rabbitmq-ca.pem
+ .. code-block:: yaml
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+ heat:
+ server:
+ database:
+ ssl:
+ enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/mysql-ca.pem
+
+ - **Openstack HTTPS API**
+
+ .. code-block:: yaml
+
+ heat:
+ server:
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ clients:
+ keystone:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
Documentation and Bugs
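Review bot: the three new ``.. code-block:: yaml`` examples are not valid YAML as written, because the ``(optional) cacert: cert body if the cacert_file does not exists`` and ``(optional) cacert_file: ...`` lines mix prose annotations into the mapping; a reader who copies the block into pillar data gets a parse error. Drop the ``(optional)`` prefixes and the free-text value, show the keys as real keys (e.g. ``cacert_file: /etc/openstack/rabbitmq-ca.pem``) and state in the sentence above the block which keys are optional and that ``cacert`` holds the certificate body used to write ``cacert_file`` when that file does not exist (also "does not exists" should read "does not exist"). The removed "Notice" paragraph is the only place that explained that ``message_queue.port`` defaults to 5671 (AMQPS) when ``ssl.enabled`` is True and that ``ssl.version`` defaults to TLSv1 on python < 2.7.9 and TLSv1_2 above; the new RabbitMQ block still shows ``port: 5671`` and ``version: TLSv1_2`` without saying either is a default, so keep those two sentences. The new "Openstack HTTPS API" block documents ``identity.protocol``/``clients.keystone.protocol`` and ``cacert_file`` but does not say what verification happens when ``cacert_file`` is omitted (the note at the top of the section covers the system CA store for RabbitMQ/MySQL, so one sentence saying the same applies to the HTTPS endpoints would close the gap). Minor: the commit message refers to a ``ca_file`` parameter while the README consistently documents ``cacert_file``.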