From 212d08ae6ef6db4cb0096170b24ecf6dd5d21bc1 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Thu, 22 Nov 2018 15:06:30 +0200 Subject: [PATCH] Update TLS docs This adds notes about the undercloud's CA being automatically trusted since Rocky. Related-Bug: #1804642 Change-Id: I68d608e34e9ba95a58ada73be459d7b48b1e9c92 --- .../install/advanced_deployment/ssl.rst | 26 ++++++++++++++----- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/doc/source/install/advanced_deployment/ssl.rst b/doc/source/install/advanced_deployment/ssl.rst index 1be7cfca..81500378 100644 --- a/doc/source/install/advanced_deployment/ssl.rst +++ b/doc/source/install/advanced_deployment/ssl.rst @@ -23,8 +23,11 @@ a file name that follows the following pattern:: This will be a PEM file in a format that HAProxy can understand (see the HAProxy documentation for more information on this). -.. note:: As of the Rocky release, the default is to have TLS enabled through - this option. +.. admonition:: Stable Branch + :class: stable + + As of the Rocky release, the default is to have TLS enabled through + this option. This option for auto-generating certificates uses Certmonger to request and keep track of the certificate. So you will see a certificate with the @@ -42,6 +45,12 @@ located in the following path:: This certificate will then be added to the trusted CA chain, since this is needed to be able to use the undercloud's endpoints with that certificate. +.. admonition:: Stable Branch + :class: stable + + As of the Rocky release, the default is for TripleO pass this CA + certificate to overcloud nodes so it'll be trusted. + .. note:: If you need to access the undercloud from outside the node, the aforementioned file is the one you need to add to your trust store. So for RHEL-based systems you need to copy ``cm-local-ca.pem`` into 
@@ -342,6 +351,14 @@ of the overcloud and will be added to the trusted certificate chain of each of the nodes. You must be careful that the content is a block string in yaml and is in PEM format. +.. admonition:: Stable Branch + :class: stable + + As of Rocky, the undercloud now defaults to using TLS through the + autogenerated certificate. If you're upgrading your undercloud and + had the ``generate_service_certificate``, it also automatically passes + the CA certificate via the ``CAMap`` parameter. + .. note:: In some cases, such as when using Ceph, the overcloud needs to trust the undercloud's CA certificate. If you're using the default CA in the undercloud, and autogenerated your certificates, you'll need to @@ -349,10 +366,5 @@ is in PEM format. ``/etc/pki/ca-trust/source/anchors/cm-local-ca.pem`` into the aforementioned ``CAMap`` parameter. -.. note:: As of Rocky, the undercloud now defaults to using TLS through the - autogenerated certificate. If you're upgrading your undercloud and - had the ``generate_service_certificate`` parameter unset, you might - need to update your overcloud as well by adding the undercloud's CA - certificate to the ``CAMap`` parameter. .. include:: ./tls_everywhere.rst
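Review bot: in the first hunk (`@@ -23,8 +23,11 @@`), "this option" in the new Stable Branch admonition has no antecedent inside the admonition now that the text is set apart from the surrounding paragraph; name the option explicitly, e.g. "the default is to have TLS enabled through ``generate_service_certificate``" (presumably the parameter the third hunk refers to), so the admonition reads correctly when the reader's eye lands on it first.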
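Review bot: grammar in the second hunk (`@@ -42,6 +45,12 @@`): "the default is for TripleO pass this CA certificate to overcloud nodes so it'll be trusted" is missing "to" and the pronoun is loose; suggest "the default is for TripleO to pass this CA certificate to the overcloud nodes so that they trust it."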
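Review bot: the third hunk (`@@ -342,6 +351,14 @@`) carries an incomplete sentence: "If you're upgrading your undercloud and had the ``generate_service_certificate``, it also automatically passes" never says what state the parameter was in, and "it" has no clear subject. Suggest "If you are upgrading an undercloud that already had ``generate_service_certificate`` enabled, the CA certificate is also passed automatically via the ``CAMap`` parameter." Separately, the existing ``.. note::`` that follows in the context lines still tells Ceph users to copy ``cm-local-ca.pem`` into ``CAMap`` by hand; now that the new admonition says this happens automatically, that note should be qualified (pre-Rocky, or only when the certificate was not autogenerated) so the two do not contradict each other.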
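Review bot: the fourth hunk (`@@ -349,10 +366,5 @@`) removes the note covering the case where ``generate_service_certificate`` was unset before the upgrade ("you might need to update your overcloud as well by adding the undercloud's CA certificate to the ``CAMap`` parameter"), and nothing in the added admonition carries that case over. Consider keeping that sentence in the new Stable Branch admonition so operators upgrading with the parameter unset still learn that they must add the undercloud's CA to ``CAMap`` themselves.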