Add SSL configuration section
Change-Id: I763e2e7f1aabae84a0542e1fdcc640c0eb99c295
@@ -527,4 +527,143 @@ service murano-api start
</programlisting>
</section>
</section>
<section id="ssl">
<title>SSL configuration</title>
<section>
<title>HTTPS for Murano API</title>
<para>
SSL for Murano API service
can be enabled in <emphasis>ssl</emphasis> section in
<emphasis>/etc/murano-api.conf</emphasis>. The use of SSL is
automatically implemented by using a URL starting with HTTPS instead of HTTP.
SSL configuration example using the included sample certificates:
</para>
<programlisting>
<![CDATA[
[ssl]
enable = True
certfile = <path to keystone.pem>
keyfile = <path to keystone.pem>
ca_certs = <path to ca.pem>
cert_required = True
]]>
</programlisting>
<itemizedlist>
<listitem>
<para>
<emphasis>enable:</emphasis> True enables SSL. Defaults to False.
</para>
</listitem>
<listitem>
<para>
<emphasis>certfile:</emphasis> Path to Keystone public certificate file.
</para>
</listitem>
<listitem>
<para>
<emphasis>keyfile:</emphasis> Path to Keystone private certificate file.
If the private key is included in the certfile, the keyfile maybe omitted.
</para>
</listitem>
<listitem>
<para>
<emphasis>ca_certs:</emphasis> Path to CA trust chain.
</para>
</listitem>
<listitem>
<para>
<emphasis>cert_required:</emphasis>
Requires client certificate. Defaults to False.
</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>SSL for RabbitMQ</title>
<para>
All Murano components communicate with each other
by RabbitMQ. This interaction can be encrypted with SSL. By
default all messages in Rabbit MQ are not encrypted.
Each RabbitMQ Exchange should be configured separately.
</para>
<section>
<title>Murano API -> Rabbit MQ exchange</title>
<para>
Edit <emphasis>rabbitmq</emphasis> section in <emphasis>/etc/murano-api.conf</emphasis>
and set ssl option to True to enable SSL. Specify the path to the
SSL CA certificate in regular format: /path/to/file without quotes or leave it empty to allow
self-signed certificates.
</para>
<programlisting>
<![CDATA[
[rabbitmq]

# Use SSL for RabbitMQ connections (True or False)
ssl = True

# Path to SSL CA certificate or empty to allow self signed server certificate
ca_certs =
]]>
</programlisting>
</section>
<section>
<title>Rabbit MQ -> Murano Conductor exchange</title>
<para>
Open <emphasis>/etc/murano-conductor/conductor.conf</emphasis>
and configure <emphasis>rabbitmq</emphasis> section in the same way:
Enable ssl option to True and set CA certificate path or leave it empty to allow
self-signed certificates.
</para>
<programlisting>
<![CDATA[
[rabbitmq]

# Use SSL for RabbitMQ connections (True or False)
ssl = True

# Path to SSL CA certificate or empty to allow self signed server certificate
ca_certs = /home/user/certificates/example.crt
]]>
</programlisting>
</section>
<section>
<title>Murano Agent -> Rabbit MQ exchange</title>
<para>
By default all Murano Conductor configuration settings apply to Murano Agent.
If you want to configure Murano Agent in a different way change the default template. It can be found
here:<emphasis>/murano-conductor/data/templates/agent-config/Default.template.</emphasis>
Take a look at appSettings section:
</para>
<programlisting>
<![CDATA[
<appSettings>
<add key="rabbitmq.host" value="%RABBITMQ_HOST%"/>
<add key="rabbitmq.port" value="%RABBITMQ_PORT%"/>
<add key="rabbitmq.user" value="%RABBITMQ_USER%"/>
<add key="rabbitmq.password"
value="%RABBITMQ_PASSWORD%"/>
<add key="rabbitmq.vhost" value="%RABBITMQ_VHOST%"/>
<add key="rabbitmq.inputQueue"
value="%RABBITMQ_INPUT_QUEUE%"/>
<add key="rabbitmq.resultExchange" value=""/>
<add key="rabbitmq.resultRoutingKey"
value="%RESULT_QUEUE%"/>
<add key="rabbitmq.durableMessages" value="true"/>

<add key="rabbitmq.ssl" value="%RABBITMQ_SSL%"/>
<add key="rabbitmq.allowInvalidCA" value="true"/>
<add key="rabbitmq.sslServerName" value=""/>
</appSettings>
]]>
</programlisting>
<para>
Desired parameter should be set directly to the value of the key
that you want to change. Quotes are need to be kept.
Thus you can change "rabbitmq.ssl" and "rabbitmq.port" values to
make Rabbit MQ work with this exchange in a different from
Murano-Conductor way.
</para>
</section>
</section>
</section>
</chapter>
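Review bot: the two `[rabbitmq]` examples and the agent template present `ca_certs =` left empty and `<add key="rabbitmq.allowInvalidCA" value="true"/>` only as a way "to allow self-signed certificates", without saying that these settings skip verification of the broker's certificate, so the connection is encrypted but the peer is not authenticated; the surrounding `<para>` text should state this, point to the `ca_certs = /home/user/certificates/example.crt` form as the one to use outside test setups, and the closing `<para>` that names `"rabbitmq.ssl"` and `"rabbitmq.port"` should also list `rabbitmq.allowInvalidCA` and `rabbitmq.sslServerName` as the keys to change once a trusted CA is configured. In the `[ssl]` item list, `certfile` and `keyfile` are described as "Path to Keystone public certificate file" and "Path to Keystone private certificate file" although this section configures the Murano API server, so the wording should name the Murano API certificate and say that the `keystone.pem` name comes from the sample certificates mentioned above; the example also sets `cert_required = True` while the list says it "Defaults to False", so the text should note that with this setting clients must present a certificate. Minor wording in the same hunk: "the keyfile maybe omitted" should read "may be omitted", and "Quotes are need to be kept" should read "Quotes need to be kept".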