From 804c1cb669756abd512477263269def90ba3e077 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Thu, 9 Jun 2022 15:31:22 +0100
Subject: [PATCH] docs: add information about enabling TLS to automated guide

It only covers the internal API VIP, since we don't have a separate
external API in the development environment.

Change-Id: I28f2b43ddb8bad6097e690e766f0348b1b8a296b
---
 doc/source/contributor/automated.rst | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/doc/source/contributor/automated.rst b/doc/source/contributor/automated.rst
index c0e7cc657..4383f0556 100644
--- a/doc/source/contributor/automated.rst
+++ b/doc/source/contributor/automated.rst
@@ -81,6 +81,30 @@ This can be added using the following commands::
     sudo ip l set eth1 up
     sudo ip l set eth1 master breth1
 
+Configuration
+-------------
+
+Enable TLS
+^^^^^^^^^^
+
+Apply the following configuration if you wish to enable TLS for the OpenStack
+API:
+
+Set the following option in ``config/src/kayobe-config/etc/kayobe/kolla.yml``:
+
+.. code-block:: yaml
+
+   kolla_enable_tls_internal: "yes"
+
+Set the following options in
+``config/src/kayobe-config/etc/kayobe/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   kolla_copy_ca_into_containers: "yes"
+   openstack_cacert: "{% if os_distribution == 'ubuntu' %}/etc/ssl/certs/ca-certificates.crt{% else %}/etc/pki/tls/certs/ca-bundle.crt{% endif %}"
+   kolla_admin_openrc_cacert: "{% if os_distribution == 'ubuntu' %}/etc/ssl/certs/ca-certificates.crt{% else %}/etc/pki/tls/certs/ca-bundle.crt{% endif %}"
+
 Usage
 -----
 
@@ -101,6 +125,10 @@ its dependencies in a Python virtual environment::
    changes will not been seen until you reinstall the package. To do this you
    can run ``./dev/install.sh``.
 
+If you are using TLS and wish to generate self-signed certificates::
+
+    export KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES=1
+
 Run the ``dev/overcloud-deploy.sh`` script to deploy the OpenStack control
 plane::