This section explains how to encrypt the communication paths between the OpenStack services and the message queue service (RabbitMQ) as well as the MySQL database.
Note: The procedures included in this section apply to new MCP OpenStack deployments only, unless specified otherwise.
To enable TLS for client-server communications:
For each of the OpenStack services, enable TLS for messaging and database communications by changing the cluster model as shown in the examples below:
For a controller node:
The database server configuration example:

    classes:
    - system.salt.minion.cert.mysql.server
    - service.galera.ssl
    parameters:
      barbican:
        server:
          database:
            ssl:
              enabled: True
      heat:
        server:
          database:
            ssl:
              enabled: True
      designate:
        server:
          database:
            ssl:
              enabled: True
      glance:
        server:
          database:
            ssl:
              enabled: True
      neutron:
        server:
          database:
            ssl:
              enabled: True
      nova:
        controller:
          database:
            ssl:
              enabled: True
      cinder:
        controller:
          database:
            ssl:
              enabled: True
        volume:
          database:
            ssl:
              enabled: True
      keystone:
        server:
          database:
            ssl:
              enabled: True
The messaging server configuration example:

    classes:
    - service.rabbitmq.server.ssl
    - system.salt.minion.cert.rabbitmq_server
    parameters:
      designate:
        server:
          message_queue:
            port: 5671
            ssl:
              enabled: True
      barbican:
        server:
          message_queue:
            port: 5671
            ssl:
              enabled: True
      heat:
        server:
          message_queue:
            port: 5671
            ssl:
              enabled: True
      glance:
        server:
          message_queue:
            port: 5671
            ssl:
              enabled: True
      neutron:
        server:
          message_queue:
            port: 5671
            ssl:
              enabled: True
      nova:
        controller:
          message_queue:
            port: 5671
            ssl:
              enabled: True
      cinder:
        controller:
          message_queue:
            port: 5671
            ssl:
              enabled: True
        volume:
          message_queue:
            port: 5671
            ssl:
              enabled: True
      keystone:
        server:
          message_queue:
            port: 5671
            ssl:
              enabled: True
For a compute node, the messaging server configuration example:

    parameters:
      neutron:
        compute:
          message_queue:
            port: 5671
            ssl:
              enabled: True
      nova:
        compute:
          message_queue:
            port: 5671
            ssl:
              enabled: True
For a gateway node, the messaging configuration example:

    parameters:
      neutron:
        gateway:
          message_queue:
            port: 5671
            ssl:
              enabled: True
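A model change that misses one service role leaves that role talking to RabbitMQ or MySQL in plaintext while everything else looks encrypted. The following audit script is an added example, not part of the MCP documentation or the salt formulas: it walks a node's rendered pillar (for instance the dictionary under the `local` key of `salt-call pillar.items --out=json`, an assumption about how you obtain it) and reports every service role from the examples above whose database or message_queue section is not set up for TLS. The sample pillar at the bottom is constructed.

```python
import json

# Service -> roles whose pillar carries a database section (per the examples above).
DB_ROLES = {
    "barbican": ("server",), "heat": ("server",), "designate": ("server",),
    "glance": ("server",), "neutron": ("server",), "nova": ("controller",),
    "cinder": ("controller", "volume"), "keystone": ("server",),
}
# Service -> roles whose pillar carries a message_queue section (controller, compute, gateway).
MQ_ROLES = {
    "designate": ("server",), "barbican": ("server",), "heat": ("server",),
    "glance": ("server",), "neutron": ("server", "compute", "gateway"),
    "nova": ("controller", "compute"), "cinder": ("controller", "volume"),
    "keystone": ("server",),
}
RABBITMQ_TLS_PORT = 5671  # AMQP over TLS; 5672 is the plaintext AMQP port

def _ssl_enabled(section):
    # Pillar normally yields a boolean, but accept the string forms reclass may pass through.
    return section.get("ssl", {}).get("enabled") in (True, "True", "true")

def audit_pillar(pillar):
    """Return findings for every service role present in `pillar` whose database or
    message_queue section is not configured for TLS. Roles absent from the node's
    pillar are skipped, so one check serves controller, compute and gateway nodes."""
    findings = []
    for service, roles in DB_ROLES.items():
        for role in roles:
            section = pillar.get(service, {}).get(role)
            if section is not None and not _ssl_enabled(section.get("database", {})):
                findings.append(f"{service}:{role}: database ssl.enabled is not True")
    for service, roles in MQ_ROLES.items():
        for role in roles:
            section = pillar.get(service, {}).get(role)
            if section is None:
                continue
            mq = section.get("message_queue", {})
            if not _ssl_enabled(mq):
                findings.append(f"{service}:{role}: message_queue ssl.enabled is not True")
            if mq.get("port") != RABBITMQ_TLS_PORT:
                findings.append(f"{service}:{role}: message_queue port {mq.get('port')} != {RABBITMQ_TLS_PORT}")
    return findings

# Constructed sample: a compute node where nova is correct but neutron still
# points at the plaintext port and has no ssl section.
SAMPLE_COMPUTE_PILLAR = json.loads("""
{"nova": {"compute": {"message_queue": {"port": 5671, "ssl": {"enabled": true}}}},
 "neutron": {"compute": {"message_queue": {"port": 5672}}}}
""")

if __name__ == "__main__":
    for finding in audit_pillar(SAMPLE_COMPUTE_PILLAR):
        print(finding)
```

Run it against each node type before the pillar refresh below; an empty result means every role the page lists is on port 5671 with `ssl.enabled: True`.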
Refresh the pillar data to synchronize the model update on all nodes:

    salt '*' saltutil.refresh_pillar
    salt '*' saltutil.sync_all
Proceed to Install OpenStack services.