Clarify TLS
* Make TLS simpler and more accurate. * Apply README template. * Adjust config.yaml re use of Vault. Related-Bug: #1871442 Change-Id: Ia819cb03d30f6b4e0a04cc388e7243849800455a
This commit is contained in:
Peter Matulis
parent
612eb5cedc
commit
a00ecabe67
49
README.md
49
README.md
|
|
@ -14,8 +14,10 @@ charms officially supported by the OpenStack Charms project are published by
|
|||
|
||||
## Configuration
|
||||
|
||||
This section covers common configuration options. See file `config.yaml` for
|
||||
the full list of options, along with their descriptions and default values.
|
||||
This section covers common and/or important configuration options. See file
|
||||
`config.yaml` for the full list of options, along with their descriptions and
|
||||
default values. See the [Juju documentation][juju-docs-config-apps] for details
|
||||
on configuring applications.
|
||||
|
||||
#### `min-cluster-size`
|
||||
|
||||
|
|
@ -36,15 +38,6 @@ there is no guarantee that a candidate will be found in the stated UCA pocket.
|
|||
software upgrade. See [OpenStack upgrade][cdg-upgrade-openstack] in the
|
||||
[OpenStack Charms Deployment Guide][cdg].
|
||||
|
||||
#### `ssl`
|
||||
|
||||
The `ssl` option enables encryption for client-server communication. It can
|
||||
take on several values:
|
||||
|
||||
* 'off': disables SSL (the default)
|
||||
* 'on': enables SSL for compatible clients
|
||||
* 'only': enforces SSL
|
||||
|
||||
## Deployment
|
||||
|
||||
To deploy a single rabbitmq-server unit:
|
||||
|
|
@ -62,18 +55,17 @@ When more than one unit is deployed the charm will bring up a native RabbitMQ
|
|||
HA active/active cluster. The ``min-cluster-size`` option should be used (see
|
||||
description above).
|
||||
|
||||
To deploy a three-node cluster:
|
||||
See [Infrastructure high availability][cdg-ha-rabbitmq] in the [OpenStack Charms
|
||||
Deployment Guide][cdg] for details.
|
||||
|
||||
juju deploy -n 3 --config min-cluster-size=3 rabbitmq-server
|
||||
|
||||
### SSL
|
||||
### TLS
|
||||
|
||||
Communication between the AMQP message queue and client services (OpenStack
|
||||
applications) can be encrypted with SSL. There are two methods for managing
|
||||
keys and certificates:
|
||||
applications) can be TLS-encrypted. There are two methods for managing keys and
|
||||
certificates:
|
||||
|
||||
1. with Vault
|
||||
1. manually (via `openssl` commands and charm options)
|
||||
1. manually (via charm options)
|
||||
|
||||
Vault can set up private keys and server certificates for an application. It
|
||||
also stores a central CA certificate for the cloud. See the
|
||||
|
|
@ -81,11 +73,6 @@ also stores a central CA certificate for the cloud. See the
|
|||
|
||||
Vault is the recommended method and is what will be covered here.
|
||||
|
||||
Enable SSL by passing the `ssl` option (see description above) to the deployed
|
||||
rabbitmq-server application:
|
||||
|
||||
juju config rabbitmq-server ssl=only
|
||||
|
||||
The private key and server certificate (and its signing) are managed via a
|
||||
relation made to the vault application:
|
||||
|
||||
|
|
@ -103,13 +90,19 @@ Actions allow specific operations to be performed on a per-unit basis.
|
|||
* `pause`
|
||||
* `resume`
|
||||
|
||||
To display action descriptions run `juju actions rabbitmq-server`. If the charm
|
||||
is not deployed then see file ``actions.yaml``.
|
||||
To display action descriptions run `juju actions --schema rabbitmq-server`. If
|
||||
the charm is not deployed then see file ``actions.yaml``.
|
||||
|
||||
# Documentation
|
||||
|
||||
The OpenStack Charms project maintains two documentation guides:
|
||||
|
||||
* [OpenStack Charm Guide][cg]: for project information, including development
|
||||
and support notes
|
||||
* [OpenStack Charms Deployment Guide][cdg]: for charm usage information
|
||||
|
||||
# Bugs
|
||||
|
||||
Please report bugs on [Launchpad][lp-bugs-charm-rabbitmq-server].
|
||||
|
||||
For general charm questions refer to the [OpenStack Charm Guide][cg].
|
||||
|
||||
<!-- LINKS -->
|
||||
|
|
@ -122,3 +115,5 @@ For general charm questions refer to the [OpenStack Charm Guide][cg].
|
|||
[charms-requires-rabbitmq]: https://jaas.ai/search?requires=rabbitmq
|
||||
[vault-charm]: https://jaas.ai/vault
|
||||
[uca]: https://wiki.ubuntu.com/OpenStack/CloudArchive
|
||||
[cdg-ha-rabbitmq]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-ha.html#rabbitmq
|
||||
[juju-docs-config-apps]: https://juju.is/docs/configuring-applications
|
||||
|
|
|
|||
|
|
@ -148,8 +148,11 @@ options:
|
|||
Enable SSL for client communication. Valid values are 'off', 'on', and
|
||||
'only'. If ssl_key, ssl_cert, ssl_ca are provided then those values will
|
||||
be used. Otherwise the service will act as its own certificate authority
|
||||
and pass its CA cert to clients. For clustered RabbitMQ, ssl_key and
|
||||
ssl_cert must be provided.
|
||||
and pass its CA certificate to clients. For clustered RabbitMQ, ssl_key
|
||||
and ssl_cert must be provided.
|
||||
.
|
||||
Vault can be used instead of the ssl_* config values and works for
|
||||
clustered and non-clustered cases.
|
||||
ssl_enabled:
|
||||
type: boolean
|
||||
default: False
|
||||
|
|
|
|||
Loading…
Reference in New Issue