Document client TLS properties for HTTP[S]-based peer discovery mechanisms

[michaelklishin]

Several peer discovery plugins use HTTP to communicate with their services and there is currently no clear explanation in the docs as to how to configure client TLS options (certificate, private key, verification depth, SNI target and so on) for HTTPS, which leads to questions such as rabbitmq/rabbitmq-peer-discovery-consul#14.

Even before https://github.com/rabbitmq/rabbitmq-peer-discovery-common/issues/6 is addressed a doc example can be provided since it is possible to configure httpc via the advanced.config file.

[haiyangu]

If we use rabbitmq-peer-discovery-k8s, and want to configure the default cipher suites, can this be configured in asvanced.config?

[michaelklishin]

@haiyangu this is not a support forum.

As the issue states, it comes down to Erlang HTTP client (httpc) configuration which supports all the same options as other TLS clients (and servers) in Erlang.

[lukebakken]

it is possible to configure httpc via the advanced.config file

This doesn't appear to be the case, see rabbitmq/rabbitmq-peer-discovery-common#9

[michaelklishin]

This is done for etcd (which no longer is HTTP1.1-based) but we have found out that some code changes may be necessary to make this easy for other mechanisms.

[lukebakken]

These settings need to be documented as well:

rabbitmq/rabbitmq-server#5155

A user ran into an issue with a CA cert in this discussion: docker-library/rabbitmq#709