gateway: Final documentation update for initial PR

Signed-off-by: David Galloway <dgallowa@redhat.com>

diff --git a/roles/gateway/README.rst b/roles/gateway/README.rst
index 039046b4cc81958d75a4138763d2446d4f9db6e2..2a9821b166cef42360d6f21f81f8a92fa000d7b7 100644 (file)
--- a/roles/gateway/README.rst
+++ b/roles/gateway/README.rst
@@ -4,7 +4,7 @@ gateway
 This role can be used to set up a new OpenVPN gateway for a Ceph test lab 
 as well as maintain user access provided a secrets repo is configured.
 
-This role supports CentOS 7.2 only at this time.  It's current intended use
+This role supports CentOS 7.2 only at this time.  Its current intended use
 is to maintain the existing OpenVPN gateway in our Sepia_ lab.
 
 It does the following:
@@ -19,10 +19,41 @@ Prerequisites
 Variables
 +++++++++
 
-A list of packages to install that is specific to the role.  These lists are defined in the var files in ``vars/``::
+A list of packages to install that is specific to the role.  The list is defined in ``roles/gateway/vars/packages.yml``::
 
     packages: []
 
+The directory in which the OpenVPN server CA, keys, certs, and user file should be saved.  Defined in the secrets repo::
+
+    openvpn_data_dir: []
+
+Contains paths, file permission (modes), and data to store and maintain OpenVPN CA, cert, key, and main server config.  Consult your server.conf on what you should define here.  For reference, we have dh1024.pem, server.crt, server.key, and server.conf defined.  Defined in the secrets repo::
+
+    gateway_secrets: []
+
+    # Example:
+    gateway_secrets:
+      - path: "{{ openvpn_data_dir }}/server.crt"
+        mode: 0644
+        data: |
+          -----BEGIN CERTIFICATE-----
+          ...
+          -----END CERTIFICATE-----
+      - path: /etc/openvpn/server.conf
+        mode: 0644
+        data: |
+          script-security 2
+          ...
+          cert {{ openvpn_data_dir }}/server.crt
+
+A list of users that don't have their ssh pubkey added to the ``teuthology_user`` authorized_keys but still need VPN access::
+
+    openvpn_users: []
+
+    # Example:
+    openvpn_users:
+      - ovpn: user@host etc...
+
 Tags
 ++++
 
@@ -32,11 +63,19 @@ packages
 users
     Update OpenVPN users list
 
+Dependencies
+++++++++++++
+
+This role depends on the following roles:
+
+secrets
+    Provides a var, ``secrets_path``, containing the path of the secrets repository, a tree of ansible variable files.
+
 To Do
 +++++
 
 - Support installation of new OpenVPN gateway from scratch
-- Upload and maintain CA, keys, and certificates
+- Generate and pull (to secrets?) CA, keys, and certificates
 - Configure networking
 - Configure firewall
 - Configure fail2ban