To provide for confidentiality and integrity of network traffic inside your OpenStack deployment, Mirantis recommends using cryptographic protective measures, such as the Transport Layer Security (TLS) protocol. MCP provides solutions for various TLS encryption use cases. The most common ones are described below.
By default, only the traffic that is transmitted over public networks is encrypted. However, cryptography support, TLS encryption, and, optionally, X.509-based certificate authentication are also available for MCP management plane services such as MySQL, RabbitMQ, the libvirt control channel and live migration data channel, and the libvirt NoVNC proxy.
When deploying an MCP OpenStack environment, consider enabling cryptographic measures to better protect the MCP cluster from eavesdropping and public-to-control-plane attacks:
MCP Deployment Guide: Enable TLS for cluster internal API HTTP transport
MCP Deployment Guide: Enable TLS for RabbitMQ and MySQL server-server communications
MCP Deployment Guide: Enable TLS for RabbitMQ and MySQL client-server communications
MCP Deployment Guide: Enable TLS for Libvirt control channel and live migration data
MCP Deployment Guide: Enable TLS for Libvirt VNC to NoVNC clients (since Queens release)