diff options
author | Alex Shatov <alexs@att.com> | 2018-09-14 16:54:05 -0400 |
---|---|---|
committer | Alex Shatov <alexs@att.com> | 2018-09-14 16:54:05 -0400 |
commit | 6556fd79eb177d8ed7c390d56410b42afb4a0c70 (patch) | |
tree | a45f57fbdd4ba1468390868371484d299d23ed8c /etc_customize | |
parent | 1d693376205c66af93283d04e8e9740c947a7d02 (diff) |
4.3.0 policy-handler - tls to policy-engine
- tls to policy-engine
- tls on web-socket to policy-engine
- tls to deployment-handler
- no tls on the web-server side
= that is internal API
= will add TLS in R4
- policy-handler expecting the deployment process
to mount certs at /opt/app/policy_handler/etc/tls/certs/
- blueprint for policy-handler will be updated to contain
cert_directory : /opt/app/policy_handler/etc/tls/certs/
- the matching local etc/config.json has new part tls with:
= cert_directory : etc/tls/certs/
= cacert : cacert.pem
- new optional fields tls_ca_mode in config on consul that
specify where to find the cacert.pem for tls per each https/web-socket
values are:
"cert_directory" - use the cacert.pem stored locally in cert_directory
this is the default if cacert.pem file is found
"os_ca_bundle" - use the public ca_bundle provided by linux system.
this is the default if cacert.pem file not found
"do_not_verify" - special hack to turn off the verification by cacert
and hostname
- config on consul now has 2 new fields for policy_engine
= "tls_ca_mode" : "cert_directory"
= "tls_wss_ca_mode" : "cert_directory"
- config on consul now has 1 new field for deploy_handler
= "tls_ca_mode" : "cert_directory"
- removed customization for verify -- it is now a built-in feature
Change-Id: Ibe9120504ed6036d1ed4c84ff4cd8ad1d9e80f17
Signed-off-by: Alex Shatov <alexs@att.com>
Issue-ID: DCAEGEN2-611
Diffstat (limited to 'etc_customize')
0 files changed, 0 insertions, 0 deletions