OpenStack HTTPS Endpoints support
Communication between services is usually done via internal
endpoints that are located on the internal network. In some
cases it is required to encrypt traffic even on the internal
network. This patch unhardcodes the communication protocol between
Nova and other services. It also adds the possibility to specify
ca_file to verify SSL certificates of remote peers.
This change is fully backward compatible.
Related-Prod: PROD-15737
Change-Id: Ic2f07c9dc064150b0c5721104550623778844114
diff --git a/README.rst b/README.rst
index c3a67f1..7aaedd9 100644
--- a/README.rst
+++ b/README.rst
@@ -159,58 +159,80 @@
enabled: true
-Client-side RabbitMQ TLS configuration:
----------------------------------------
+Configuring TLS communications
+------------------------------
-To enable TLS for oslo.messaging you need to provide the CA certificate.
-By default system-wide CA certs is used. Nothing should be specified except `ssl.enabled`.
+**Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
+
+
+
+- **RabbitMQ TLS**
.. code-block:: yaml
- nova:
- controller:
- ....
+ nova:
+ compute:
message_queue:
+ port: 5671
ssl:
enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+ (optional) version: TLSv1_2
-
-Use `cacert_file` option to specify the CA-cert file path explicitly:
+- **MySQL TLS**
.. code-block:: yaml
- nova:
- controller:
- ....
- message_queue:
+ nova:
+ controller:
+ database:
ssl:
enabled: True
- cacert_file: /etc/ssl/rabbitmq-ca.pem
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/mysql-ca.pem
-To manage content of the `cacert_file` use the `cacert` option:
+- **Openstack HTTPS API**
+
+
+Set the ``https`` as protocol at ``nova:compute`` and ``nova:controller`` sections :
.. code-block:: yaml
- nova:
- controller:
- ....
- message_queue:
- ssl:
- enabled: True
- cacert: |
-
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-------
-
- cacert_file: /etc/openstack/rabbitmq-ca.pem
+ nova:
+ controller :
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ network:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ glance:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+.. code-block:: yaml
+
+ nova:
+ compute:
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ network:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ image:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ ironic:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+
+
+**Note:** the barbican, cinder and placement url endpoints are discovering using service catalog.
Compute nodes
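Review bot: the ``(optional) cacert: ...`` / ``(optional) cacert_file: ...`` / ``(optional) version: ...`` lines inside the ``.. code-block:: yaml`` sections are not valid YAML, so none of the three examples can be copied into a pillar as written; move the "optional" remarks into prose or into YAML comments (``# optional``) and show the keys with real example values, e.g. ``cacert_file: /etc/openstack/rabbitmq-ca.pem`` and ``version: TLSv1_2``. While at it, fix ``does not exists`` to ``does not exist``, the stray space in ``controller :``, and ``are discovering using service catalog`` to ``are discovered using the service catalog``. The removed ``Notice:`` block carried two facts that no longer appear anywhere in the new text: that ``message_queue.port`` defaults to 5671 (AMQPS) when ``ssl.enabled=True``, and the default ``ssl.version`` (TLSv1 for python < 2.7.9, TLSv1_2 above); please keep them, since the new RabbitMQ example shows ``port: 5671`` and ``version`` without explaining when either must be set. Finally, the note that system-wide CA certs are used when ``cacert``/``cacert_file`` is omitted should say explicitly that peer certificate verification still happens against the system bundle, so readers do not read "optional" as "verification is optional".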