From 894a896361e0304cfa40faef67f25d0bda7c4504 Mon Sep 17 00:00:00 2001 From: Jiffin Tony Thottan Date: Fri, 4 Dec 2020 16:24:07 +0530 Subject: [PATCH] doc/radosgw/vault: add documentation for ssl authentication Now RGW server can use custom ssl certs to authenticate with vault server, adding steps for the same Signed-off-by: Jiffin Tony Thottan (cherry picked from commit c2af1cdc132da6b56e7f902e009dfda3ec0e2066) --- doc/radosgw/vault.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/radosgw/vault.rst b/doc/radosgw/vault.rst index 840bc5a09b59a..0f3cb8fd12105 100644 --- a/doc/radosgw/vault.rst +++ b/doc/radosgw/vault.rst @@ -400,6 +400,19 @@ Or, when using the transit secret engine:: In the example above, the Gateway would only fetch transit encryption keys under ``https://vault-server:8200/v1/transit``. +You can use custom ssl certs to authenticate with vault with help of +following options:: + + rgw crypt vault verify ssl = true + rgw crypt vault ssl cacert = /etc/ceph/vault.ca + rgw crypt vault ssl clientcert = /etc/ceph/vault.crt + rgw crypt vault ssl clientkey = /etc/ceph/vault.key + +where vault.ca is CA certificate and vault.key/vault.crt are private key and ssl +ceritificate generated for RGW to access the vault server. It highly recommended to +set this option true, setting false is very dangerous and need to avoid since this +runs in very secured enviroments. + Transit engine compatibility support ------------------------------------ The transit engine has compatibility support for previous -- 2.39.5
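Review bot: the added paragraph conflates two different things and its safety rationale is inverted. `rgw crypt vault verify ssl = true` together with `rgw crypt vault ssl cacert` controls whether RGW verifies the Vault server's certificate; only `rgw crypt vault ssl clientcert`/`rgw crypt vault ssl clientkey` are about RGW authenticating itself to Vault (mutual TLS). Opening with "You can use custom ssl certs to authenticate with vault" presents all four as client authentication, and "setting false is very dangerous and need to avoid since this runs in very secured enviroments" gives the wrong reason: disabling verification is dangerous because the Vault token and the encryption keys RGW fetches would then travel over a connection whose peer has not been verified, not because of where RGW runs. Suggested wording, plus the typos ("ceritificate", "enviroments", "It highly recommended"):

    where ``vault.ca`` is the CA certificate used to verify the Vault server, and ``vault.crt``/``vault.key`` are the client certificate and private key presented by RGW if Vault requires client (mutual TLS) authentication. Keep ``rgw crypt vault verify ssl`` set to ``true``: with it disabled, RGW cannot verify the Vault server's identity, and the Vault token and encryption keys exchanged over the connection could be intercepted.

It would also help to state explicitly that the cacert option only takes effect when verify ssl is true, and that the clientcert/clientkey options are optional and only needed when the Vault listener is configured to require client certificates.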