From: Jiffin Tony Thottan Date: Fri, 4 Dec 2020 10:54:07 +0000 (+0530) Subject: doc/radosgw/vault: add documentation for ssl authentication X-Git-Tag: v17.1.0~2207^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=c2af1cdc132da6b56e7f902e009dfda3ec0e2066;p=ceph.git doc/radosgw/vault: add documentation for ssl authentication Now RGW server can use custom ssl certs to authenticate with vault server, adding steps for the same Signed-off-by: Jiffin Tony Thottan --- diff --git a/doc/radosgw/vault.rst b/doc/radosgw/vault.rst index 840bc5a09b59a..0f3cb8fd12105 100644 --- a/doc/radosgw/vault.rst +++ b/doc/radosgw/vault.rst @@ -400,6 +400,19 @@ Or, when using the transit secret engine:: In the example above, the Gateway would only fetch transit encryption keys under ``https://vault-server:8200/v1/transit``. +You can use custom ssl certs to authenticate with vault with help of +following options:: + + rgw crypt vault verify ssl = true + rgw crypt vault ssl cacert = /etc/ceph/vault.ca + rgw crypt vault ssl clientcert = /etc/ceph/vault.crt + rgw crypt vault ssl clientkey = /etc/ceph/vault.key + +where vault.ca is CA certificate and vault.key/vault.crt are private key and ssl +ceritificate generated for RGW to access the vault server. It highly recommended to +set this option true, setting false is very dangerous and need to avoid since this +runs in very secured enviroments. + Transit engine compatibility support ------------------------------------ The transit engine has compatibility support for previous
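
Review bot: In the closing paragraph of the added text, "set this option true" does not say which of the four options it refers to; name ``rgw crypt vault verify ssl`` explicitly, since it is the only boolean in the list and the warning about setting it to false applies to it alone. The same paragraph has wording to fix before merge: "ceritificate", "enviroments", "It highly recommended" (missing "is"), and "need to avoid", which would read better as "should be avoided". The lead-in sentence also puts two different things under "authenticate with vault": ``ssl cacert`` together with ``verify ssl`` is how the Gateway checks the Vault server's certificate, while ``ssl clientcert`` and ``ssl clientkey`` are what the Gateway presents to Vault. One sentence per purpose would make clear which settings are needed for which direction.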