RabbitMQ TLS support
Releases: Mitaka, Newton, Ocata
Usage: see README.rst
OSCORE-140
Change-Id: I56dca7b8741c04700d8b283dc31196fae5fcc535
diff --git a/README.rst b/README.rst
index 5b601e4..05ec88a 100644
--- a/README.rst
+++ b/README.rst
@@ -145,6 +145,61 @@
# Add key without value to remove line from policy.json
'compute:create:attach_network':
+
+Client-side RabbitMQ TLS configuration:
+---------------------------------------
+
+To enable TLS for oslo.messaging you need to provide the CA certificate.
+
+By default system-wide CA certs is used. Nothing should be specified except `ssl.enabled`.
+
+.. code-block:: yaml
+
+ nova:
+ controller:
+ ....
+ message_queue:
+ ssl:
+ enabled: True
+
+
+
+Use `cacert_file` option to specify the CA-cert file path explicitly:
+
+.. code-block:: yaml
+
+ nova:
+ controller:
+ ....
+ message_queue:
+ ssl:
+ enabled: True
+ cacert_file: /etc/ssl/rabbitmq-ca.pem
+
+To manage content of the `cacert_file` use the `cacert` option:
+
+.. code-block:: yaml
+
+ nova:
+ controller:
+ ....
+ message_queue:
+ ssl:
+ enabled: True
+ cacert: |
+
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-------
+
+ cacert_file: /etc/openstack/rabbitmq-ca.pem
+
+
+Notice:
+ * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
+ * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+
+
Compute nodes
-------------
@@ -241,7 +296,7 @@
.. code-block:: yaml
nova:
- controller:
+ compute:
....
message_queue:
engine: rabbitmq
@@ -254,7 +309,6 @@
virtual_host: '/openstack'
....
-
Nova with ephemeral configured with Ceph
.. code-block:: yaml