doc/radosgw/vault: add documentation for ssl authentication

author Jiffin Tony Thottan <jthottan@redhat.com>

Fri, 4 Dec 2020 10:54:07 +0000 (16:24 +0530)

committer Jiffin Tony Thottan <jthottan@redhat.com>

Fri, 16 Apr 2021 17:37:59 +0000 (23:07 +0530)
author Jiffin Tony Thottan <jthottan@redhat.com>
Fri, 4 Dec 2020 10:54:07 +0000 (16:24 +0530)
committer Jiffin Tony Thottan <jthottan@redhat.com>
Fri, 16 Apr 2021 17:37:59 +0000 (23:07 +0530)
diff --git a/doc/radosgw/vault.rst b/doc/radosgw/vault.rst

index 840bc5a09b59aed32e671e3a1afcc3138c5ee950..0f3cb8fd12105ff7883e3493f973a310ccb015c7 100644 (file)
--- a/doc/radosgw/vault.rst
+++ b/doc/radosgw/vault.rst
@@ -400,6 +400,19 @@ Or, when using the transit secret engine::
  In the example above, the Gateway would only fetch transit encryption keys under
  ``https://vault-server:8200/v1/transit``.
  
+You can use custom ssl certs to authenticate with vault with help of
+following options::
+
+  rgw crypt vault verify ssl = true
+  rgw crypt vault ssl cacert = /etc/ceph/vault.ca
+  rgw crypt vault ssl clientcert = /etc/ceph/vault.crt
+  rgw crypt vault ssl clientkey = /etc/ceph/vault.key
+
+where vault.ca is CA certificate and vault.key/vault.crt are private key and ssl
+ceritificate generated for RGW to access the vault server. It highly recommended to
+set this option true, setting false is very dangerous and need to avoid since this
+runs in very secured enviroments.
+
  Transit engine compatibility support
  ------------------------------------
  The transit engine has compatibility support for previous
author	Jiffin Tony Thottan <jthottan@redhat.com>
	Fri, 4 Dec 2020 10:54:07 +0000 (16:24 +0530)
committer	Jiffin Tony Thottan <jthottan@redhat.com>
	Fri, 16 Apr 2021 17:37:59 +0000 (23:07 +0530)