Update TLS docs

This adds notes about the undercloud's CA being automatically trusted since Rocky. Related-Bug: #1804642 Change-Id: I68d608e34e9ba95a58ada73be459d7b48b1e9c92
2018-11-22 15:06:30 +02:00 · 2018-11-22 15:06:30 +02:00 · 212d08ae6e
commit 212d08ae6e
parent 0137234dea
1 changed files with 19 additions and 7 deletions
--- a/doc/source/install/advanced_deployment/ssl.rst
+++ b/doc/source/install/advanced_deployment/ssl.rst
@ -23,8 +23,11 @@ a file name that follows the following pattern::
 This will be a PEM file in a format that HAProxy can understand (see the
 HAProxy documentation for more information on this).

-.. note:: As of the Rocky release, the default is to have TLS enabled through
-          this option.
+.. admonition:: Stable Branch
+   :class: stable
+
+   As of the Rocky release, the default is to have TLS enabled through
+   this option.

 This option for auto-generating certificates uses Certmonger to request
 and keep track of the certificate. So you will see a certificate with the
@ -42,6 +45,12 @@ located in the following path::
 This certificate will then be added to the trusted CA chain, since this is
 needed to be able to use the undercloud's endpoints with that certificate.

+.. admonition:: Stable Branch
+   :class: stable
+
+   As of the Rocky release, the default is for TripleO pass this CA
+   certificate to overcloud nodes so it'll be trusted.
+
 .. note:: If you need to access the undercloud from outside the node, the
          aforementioned file is the one you need to add to your trust store.
          So for RHEL-based systems you need to copy ``cm-local-ca.pem`` into
@ -342,6 +351,14 @@ of the overcloud and will be added to the trusted certificate chain of each of
 the nodes. You must be careful that the content is a block string in yaml and
 is in PEM format.

+.. admonition:: Stable Branch
+   :class: stable
+
+   As of Rocky, the undercloud now defaults to using TLS through the
+   autogenerated certificate. If you're upgrading your undercloud and
+   had the ``generate_service_certificate``, it also automatically passes
+   the CA certificate via the ``CAMap`` parameter.
+
 .. note:: In some cases, such as when using Ceph, the overcloud needs to trust
          the undercloud's CA certificate. If you're using the default CA in
          the undercloud, and autogenerated your certificates, you'll need to
@ -349,10 +366,5 @@ is in PEM format.
          ``/etc/pki/ca-trust/source/anchors/cm-local-ca.pem`` into the
          aforementioned ``CAMap`` parameter.

-.. note:: As of Rocky, the undercloud now defaults to using TLS through the
-          autogenerated certificate. If you're upgrading your undercloud and
-          had the ``generate_service_certificate`` parameter unset, you might
-          need to update your overcloud as well by adding the undercloud's CA
-          certificate to the ``CAMap`` parameter.

 .. include:: ./tls_everywhere.rst