1. Home
  2. MCP Deployment Guide
  3. Deploy an MCP cluster manually
  4. Deploy an OpenStack environment manually
  5. Enable TLS support
  6. Enable TLS for client-server communications

Enable TLS for client-server communications

Enable TLS for client-server communicationsΒΆ

This section explains how to encrypt the communication paths between the OpenStack services and the message queue service (RabbitMQ) as well as the MySQL database.

Note

The procedures included in this section apply to new MCP OpenStack deployments only, unless specified otherwise.

To enable TLS for client-server communications:

  1. For each of the OpenStack services, enable the TLS protocol usage for messaging and database communications by changing the cluster model as shown in the examples below:

    • For a controller node:

      • The database server configuration example:

        classes:
- system.salt.minion.cert.mysql.server
- service.galera.ssl

parameters:
  barbican:
    server:
      database:
        ssl:
          enabled: True
  heat:
    server:
      database:
        ssl:
          enabled: True
  designate:
    server:
      database:
        ssl:
          enabled: True
  glance:
    server:
      database:
        ssl:
          enabled: True
  neutron:
    server:
      database:
        ssl:
          enabled: True
  nova:
    controller:
      database:
        ssl:
          enabled: True
  cinder:
    controller:
      database:
        ssl:
          enabled: True
    volume:
      database:
        ssl:
          enabled: True
  keystone:
    server:
      database:
        ssl:
          enabled: True

      • The messaging server configuration example:

        classes:
- service.rabbitmq.server.ssl
- system.salt.minion.cert.rabbitmq_server

parameters:

  designate:
    server:
      message_queue:
        port: 5671
        ssl:
          enabled: True

  barbican:
    server:
      message_queue:
        port: 5671
        ssl:
          enabled: True

  heat:
    server:
      message_queue:
        port: 5671
        ssl:
          enabled: True

  glance:
    server:
      message_queue:
        port: 5671
        ssl:
          enabled: True

  neutron:
    server:
      message_queue:
        port: 5671
        ssl:
          enabled: True
  nova:
    controller:
      message_queue:
        port: 5671
        ssl:
          enabled: True


  cinder:
    controller:
      message_queue:
        port: 5671
        ssl:
          enabled: True
    volume:
      message_queue:
        port: 5671
        ssl:
          enabled: True

  keystone:
    server:
      message_queue:
        port: 5671
        ssl:
          enabled: True

    • For a compute node, the messaging server configuration example:

      parameters:
  neutron:
    compute:
      message_queue:
        port: 5671
        ssl:
          enabled: True
  nova:
    compute:
      message_queue:
        port: 5671
        ssl:
          enabled: True

    • For a gateway node, the messaging configuration example:

      parameters:
  neutron:
    gateway:
      message_queue:
        port: 5671
        ssl:
          enabled: True

  2. Refresh the pillar data to synchronize the model update at all nodes:

    salt '*' saltutil.refresh_pillar
salt '*' saltutil.sync_all

  3. Proceed to Install OpenStack services.

updated: 2024-01-04 11:44