e047fc42c6
This combines the client and server certificate options to make typical deployments simpler. The same certificate will be used by a fingergw acting as a client or a server. A new option is added to tell fingergw to use the cert only for client use; that way a fingergw can act as an unencrypted end-user gateway while still able to connect to encrypted servers. The options are renamed to tls_* to match zookeeper; once gearman is removed, we will have no ssl_* options. Documentation and a release note for TLS fingergw support are added.

Change-Id: If3e445336de4644a5303f2ecc7c4a27e4320d042
23 lines
909 B
YAML
---
features:
  - |
    The finger gateway and executor log streaming system now supports TLS
    connections.

    Normally zuul-web makes a direct connection to an executor in
    order to stream logs. With this new option, that connection can
    be encrypted if it crosses an untrusted network.

    The ability to route log streaming connections through finger
    gateway servers was recently added; these will also use TLS if
    required.

    The finger gateway server can also be used by end-users; in that
    case it may need a TLS certificate to use if it is required to
    connect to an encrypted executor or finger gateway to stream logs.
    An option to disable using TLS when acting as a server is provided
    for this case, since there are no TLS-enabled finger clients.

    See :attr:`fingergw.tls_cert` and related options to enable
    encrypted connections for all three components.