Using TLS protects the communications within your cloud environment from tampering and eavesdropping. This section explains how to configure the RabbitMQ and MySQL (Galera) back ends used by OpenStack to require TLS.
Caution
TLS for MySQL is supported starting from the Pike OpenStack release.
Note
The procedures included in this section apply to new MCP OpenStack deployments only, unless specified otherwise.
To encrypt RabbitMQ and MySQL communications:
Add the following classes to the cluster model of the nodes that run the corresponding server:
For the RabbitMQ server:
classes:
  ### Enable TLS; contains paths to certs/keys
  - service.rabbitmq.server.ssl
  ### Definition of cert/key
  - system.salt.minion.cert.rabbitmq_server
For the MySQL server (Galera cluster):
classes:
  ### Enable TLS; contains paths to certs/keys
  - service.galera.ssl
  ### Definition of cert/key
  - system.salt.minion.cert.mysql.server
Verify that the cluster model makes every node trust the CA certificate issued by the Salt Master node (cfg01), that is, it contains the following parameters:
_param:
  salt_minion_ca_host: cfg01.${_param:cluster_domain}
salt:
  minion:
    trusted_ca_minions:
      - cfg01.${_param:cluster_domain}
Deploy RabbitMQ and MySQL as described in Install support services.
Apply the changes by running the salt.minion state from the Salt Master node, so that the certificates defined above are created and the trusted CA is distributed to all minions:
salt -I salt:minion:enabled state.apply salt.minion
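Once the services have been redeployed, it is worth confirming that they really negotiate TLS with a certificate chaining to the Salt Master CA and that no plaintext listener is left open. The following POSIX shell script is an added example and is not part of the MCP documentation or the Salt formulas. The hostnames (msg01, dbs01), the CA bundle path, RabbitMQ listening on 5671 (the AMQPS default) and MySQL on 3306, and the availability of the openssl, mysql and ss tools are assumptions; adjust them to your deployment. The parsing functions read command transcripts from stdin, so they can be exercised on captured output without a live server.

```shell
#!/bin/sh
# Added example, not part of the MCP documentation or the Salt formulas.
# Run from a node that trusts the Salt Master CA after RabbitMQ and MySQL
# have been deployed with the TLS classes.
#
# Assumptions (adjust to your deployment): CA bundle path, hostnames,
# RabbitMQ on 5671 (AMQPS default), MySQL on 3306, openssl/mysql/ss present.

CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# --- Parsers: read a command transcript on stdin so they can be tested offline.

# 0 if an `openssl s_client -CAfile ...` transcript shows a handshake whose
# chain verified; codes such as 18 (self signed) or 21 (unable to verify
# the first certificate) mean the server is not presenting the CA-signed cert.
handshake_verified() {
  grep -q 'Verify return code: 0 (ok)'
}

# Negotiated TLS version from the SSL-Session block of an s_client transcript.
negotiated_protocol() {
  sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# 0 if `mysql -N -B -e "SHOW STATUS LIKE 'Ssl_cipher'"` output (tab separated)
# shows a non-empty cipher, i.e. the session we are in is actually encrypted.
mysql_session_encrypted() {
  awk -F '\t' '$1 == "Ssl_cipher" && $2 != "" { found = 1 }
               END { exit (found ? 0 : 1) }'
}

# 0 if `ss -ltn` output (taken on the server node) still shows a listener on
# the plaintext port given as $1. "Require TLS" also means this should fail.
plaintext_listener_present() {
  awk -v port="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
                    END { exit (found ? 0 : 1) }'
}

# --- Live checks, run only with RUN_LIVE=1 so the parsers can be tested alone.

check_tls_port() {  # check_tls_port HOST PORT
  out=$(openssl s_client -connect "$1:$2" -CAfile "$CA_BUNDLE" </dev/null 2>&1)
  if printf '%s\n' "$out" | handshake_verified; then
    echo "OK   $1:$2 $(printf '%s\n' "$out" | negotiated_protocol)"
  else
    echo "FAIL $1:$2"
    printf '%s\n' "$out" | grep -i -e 'verify return' -e error | head -n 3
    return 1
  fi
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  check_tls_port "${RABBIT_HOST:-msg01}" 5671
  # Galera negotiates TLS inside the MySQL protocol, so ask the server itself
  # whether the session it sees is encrypted.
  mysql -h "${MYSQL_HOST:-dbs01}" -u "${MYSQL_USER:-root}" --ssl-ca="$CA_BUNDLE" -N -B \
        -e "SHOW STATUS LIKE 'Ssl_cipher'" | mysql_session_encrypted \
    && echo "OK   mysql session encrypted" || echo "FAIL mysql session not encrypted"
  # On the RabbitMQ node itself: the plaintext AMQP listener should be gone.
  ss -ltn | plaintext_listener_present 5672 \
    && echo "WARN plaintext AMQP listener on 5672 still open" || echo "OK   no plaintext AMQP listener"
fi
```

Run it with `RUN_LIVE=1 sh check-tls.sh` from a node that has the Salt Master CA in its trust store; a `FAIL` for the RabbitMQ port usually means the server presents a certificate not signed by that CA, while a non-empty `Ssl_cipher` proves the MySQL session, not merely the server's capability, is encrypted.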