Enable TLS for RabbitMQ and MySQL backends

Using TLS protects the communications within your cloud environment from tampering and eavesdropping. This section explains how to configure the OpenStack database backends to require TLS.

Caution

TLS for MySQL is supported starting from the Pike OpenStack release.

Note

The procedures included in this section apply to new MCP OpenStack deployments only, unless specified otherwise.

To encrypt RabbitMQ and MySQL communications:

  1. Add the following classes to the cluster model of the nodes where the server is located:

    • For the RabbitMQ server:

      classes:
        ### Enable TLS, contains paths to certs/keys
        - service.rabbitmq.server.ssl
        ### Definition of cert/key
        - system.salt.minion.cert.rabbitmq_server
      
    • For the MySQL server (Galera cluster):

      classes:
        ### Enable TLS, contains paths to certs/keys
        - service.galera.ssl
        ### Definition of cert/key
        - system.salt.minion.cert.mysql.server
      
  2. Verify that each node trusts the CA certificates that come from the Salt Master node:

    _param:
       salt_minion_ca_host: cfg01.${_param:cluster_domain}
    salt:
       minion:
          trusted_ca_minions:
            -  cfg01.${_param:cluster_domain}
    
  3. Deploy RabbitMQ and MySQL as described in Install support services.

  4. Apply the changes by executing the salt.minion state:

    salt -I salt:minion:enabled state.apply salt.minion
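
A pre-deployment check of steps 1 and 2, as an added example that is not part of the original documentation or of MCP tooling: it scans a node's model fragment and reports a TLS class listed without its cert/key class (or the reverse) and a `salt_minion_ca_host` that is absent from `trusted_ca_minions`. The function names, the line scanner and the sample fragment are constructed for illustration; the scanner assumes flat fragments like the ones shown above and is not a full YAML parser.

```python
import re

PAIRS = {  # step 1: TLS-enabling class -> its cert/key definition class
    "service.rabbitmq.server.ssl": "system.salt.minion.cert.rabbitmq_server",
    "service.galera.ssl": "system.salt.minion.cert.mysql.server",
}

def parse_model(text):
    """Line scanner for flat fragments like those above (not a YAML parser)."""
    lists, scalars, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        item = re.match(r"-\s+(\S+)$", line)
        key, _, value = line.partition(":")
        if item:
            lists.setdefault(current, []).append(item.group(1))
        elif value.strip():
            scalars[key.strip()] = value.strip()     # "key: value"
        elif key:
            current = key.strip()                    # "key:" opens a list/block
    return lists, scalars

def lint_tls_model(text):
    """Return findings for steps 1 and 2; an empty list means consistent."""
    lists, scalars = parse_model(text)
    classes = set(lists.get("classes", []))
    findings = []
    for tls_cls, cert_cls in PAIRS.items():
        if (tls_cls in classes) != (cert_cls in classes):
            missing = cert_cls if tls_cls in classes else tls_cls
            findings.append(f"class {missing} is missing")
    if classes & (set(PAIRS) | set(PAIRS.values())):  # node uses TLS classes
        ca_host = scalars.get("salt_minion_ca_host")
        if ca_host not in lists.get("trusted_ca_minions", []):
            findings.append(f"CA host {ca_host} is not in trusted_ca_minions")
    return findings

# Constructed sample: cert class forgotten, CA host not trusted by the minion.
BROKEN = """
classes:
  - service.rabbitmq.server.ssl
_param:
  salt_minion_ca_host: cfg01.${_param:cluster_domain}
salt:
  minion:
    trusted_ca_minions:
      - ctl01.${_param:cluster_domain}
"""
if __name__ == "__main__":
    for finding in lint_tls_model(BROKEN):
        print("FINDING:", finding)
```
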
    
