blueprint and inputs for 4.3.0 policy-handler
- set up tls on policy-handler
- policy-handler expecting the deployment process
to mount certs at /opt/app/policy_handler/etc/tls/certs/
= cert_directory : /opt/app/policy_handler/etc/tls/certs/
= cacert : cacert.pem
- new optional fields tls_ca_mode in config on consul that
specify where to find the cacert.pem for tls per each https/web-socket
values are:
"cert_directory" - use the cacert.pem stored locally in cert_directory
this is the default if cacert.pem file is found
"os_ca_bundle" - use the public ca_bundle provided by linux system.
this is the default if cacert.pem file not found
"do_not_verify" - special hack to turn off the verification by cacert
and hostname
- config on consul now has 2 new fields for policy_engine
= "tls_ca_mode" : "cert_directory"
= "tls_wss_ca_mode" : "cert_directory"
- config on consul now has 1 new field for deploy_handler
= "tls_ca_mode" : "cert_directory"
Change-Id: Ida2d058cad93ddd1a583e1922bc5dc33c145fcba
Signed-off-by: Alex Shatov <alexs@att.com>
Issue-ID: DCAEGEN2-611