Currently, murano does not have an official murano install guide located at [0], which affects murano maturity at [1]. This patch creates the official murano install guide following the tutorial here: [2]. Also adds tox entry for generating the install guide. [0] https://docs.openstack.org/project-install-guide/ocata/ubuntu-services.html [1] https://www.openstack.org/software/releases/ocata/components/murano [2] https://docs.openstack.org/contributor-guide/project-install-guide.html Change-Id: I98052b646f3b1e97915aa7382dd2e60eaa4a6137
5.2 KiB
SSL configuration
Murano components are able to work with SSL. This section will help you to configure proper settings for SSL configuration.
HTTPS for Murano API
SSL for the Murano API service can be configured in the ssl
section in /etc/murano/murano.conf
. Just point to a valid
SSL certificate. See the example below:
:
[ssl]
cert_file = PATH
key_file = PATH
ca_file = PATH
- cert_file Path to the certificate file the server should use when binding to an SSL-wrapped socket.
- key_file Path to the private key file the server should use when binding to an SSL-wrapped socket.
- ca_file Path to the CA certificate file the server should use to validate client certificates provided during an SSL handshake. This is ignored if cert_file and "key_file" are not set.
Note
The use of SSL is automatically started after pointing to an HTTPS protocol instead of HTTP, during the registration of the Murano API service endpoints (Change publicurl argument to start with https://).
SSL for Murano API is implemented like in any other OpenStack component. This is because Murano uses the ssl python module; more information about it can be found here.
SSL for RabbitMQ
All Murano components communicate with each other via RabbitMQ. This interaction can be encrypted with SSL. By default, all messages in Rabbit MQ are not encrypted. Each RabbitMQ Exchange should be configured separately.
Murano API <-> Rabbit MQ exchange <-> Murano Engine
Edit ssl parameters in default section of
/etc/murano/murano.conf
. Set the
rabbit_use_ssl
option to true and configure the
ssl kombu parameters. Specify the path to the SSL keyfile and SSL CA
certificate in a regular format: /path/to/file without quotes or leave
it empty to allow for self-signed certificates.
# connect over SSL for RabbitMQ (boolean value)
#rabbit_use_ssl=false
# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions (string value)
#kombu_ssl_version=
# SSL key file (valid only if SSL enabled) (string value)
#kombu_ssl_keyfile=
# SSL cert file (valid only if SSL enabled) (string value)
#kombu_ssl_certfile=
# SSL certification authority file (valid only if SSL enabled)
# (string value)
#kombu_ssl_ca_certs=
Murano Agent -> Rabbit MQ exchange
In the main murano configuration file, there is a section named rabbitmq, which is responsible for setting up communication between Murano Agent and Rabbit MQ. Just set the ssl parameter to True to enable ssl.
[rabbitmq]
host = localhost
port = 5672
login = guest
password = guest
virtual_host = /
ssl = True
If you want to configure Murano Agent in a different way, change the default template. It can be found in the Murano Core Library, located at http://git.openstack.org/cgit/openstack/murano/tree/meta/io.murano/Resources/Agent-v1.template. Take a look at the appSettings section:
<appSettings>
<add key="rabbitmq.host" value="%RABBITMQ_HOST%"/>
<add key="rabbitmq.port" value="%RABBITMQ_PORT%"/>
<add key="rabbitmq.user" value="%RABBITMQ_USER%"/>
<add key="rabbitmq.password" value="%RABBITMQ_PASSWORD%"/>
<add key="rabbitmq.vhost" value="%RABBITMQ_VHOST%"/>
<add key="rabbitmq.inputQueue" value="%RABBITMQ_INPUT_QUEUE%"/>
<add key="rabbitmq.resultExchange" value=""/>
<add key="rabbitmq.resultRoutingKey" value="%RESULT_QUEUE%"/>
<add key="rabbitmq.durableMessages" value="true"/>
<add key="rabbitmq.ssl" value="%RABBITMQ_SSL%"/>
<add key="rabbitmq.allowInvalidCA" value="true"/>
<add key="rabbitmq.sslServerName" value=""/>
</appSettings>
The desired parameter should be set directly to the value of the key that you want to change. Quotes need to be kept. Thus you can change "rabbitmq.ssl" and "rabbitmq.port" values to make Rabbit MQ work with this exchange differently than the default Murano Engine way.
Note
After modification, don't forget to zip and re-upload the core library.
SSL for Murano Dashboard
If you are not going to use self-signed certificates, additional
configuration does not need to be done. Just prefix https in the URL.
Otherwise, set MURANO_API_INSECURE = True in Horizon's config
file. You can find it in
/etc/openstack-dashboard/local_settings.py.
.