Murano components are able to work with SSL. This chapter will help you to make proper settings with SSL configuration.
SSL for Murano API service can be configured in ssl section in /etc/murano/murano.conf. Just point to a valid SSL certificate. See the example below:
[ssl]
cert_file = PATH
key_file = PATH
ca_file = PATH
The use of SSL is automatically started after point to HTTPS protocol instead of HTTP during registration Murano API service in endpoints (Change publicurl argument to start with https://). SSL for Murano API is implemented like in any other OpenStack component. This realization is based on ssl python module so more information about it can be found here.
All Murano components communicate with each other by RabbitMQ. This interaction can be encrypted with SSL. By default all messages in Rabbit MQ are not encrypted. Each RabbitMQ Exchange should be configured separately.
Murano API <-> Rabbit MQ exchange <-> Murano Engine
Edit ssl parameters in default section of /etc/murano/murano.conf. Set rabbit_use_ssl option to true and configure ssl kombu parameters. Specify the path to the SSL keyfile and SSL CA certificate in a regular format: /path/to/file without quotes or leave it empty to allow self-signed certificates.
# connect over SSL for RabbitMQ (boolean value)
#rabbit_use_ssl=false
# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions (string value)
#kombu_ssl_version=
# SSL key file (valid only if SSL enabled) (string value)
#kombu_ssl_keyfile=
# SSL cert file (valid only if SSL enabled) (string value)
#kombu_ssl_certfile=
# SSL certification authority file (valid only if SSL enabled)
# (string value)
#kombu_ssl_ca_certs=
Murano Agent -> Rabbit MQ exchange
In main murano configuration file there is a section ,named rabbitmq, that is responsible for set up communication between Murano Agent and Rabbit MQ. Just set ssl parameter to True to enable ssl.
[rabbitmq]
host = localhost
port = 5672
login = guest
password = guest
virtual_host = /
ssl = True
insecure = False
If you want to configure Murano Agent in a different way change the default template. It can be found in Murano Core Library, located at http://git.openstack.org/cgit/openstack/murano/tree/meta/io.murano/Resources/Agent-v1.template. Take a look at appSettings section:
<appSettings>
<add key="rabbitmq.host" value="%RABBITMQ_HOST%"/>
<add key="rabbitmq.port" value="%RABBITMQ_PORT%"/>
<add key="rabbitmq.user" value="%RABBITMQ_USER%"/>
<add key="rabbitmq.password" value="%RABBITMQ_PASSWORD%"/>
<add key="rabbitmq.vhost" value="%RABBITMQ_VHOST%"/>
<add key="rabbitmq.inputQueue" value="%RABBITMQ_INPUT_QUEUE%"/>
<add key="rabbitmq.resultExchange" value=""/>
<add key="rabbitmq.resultRoutingKey" value="%RESULT_QUEUE%"/>
<add key="rabbitmq.durableMessages" value="true"/>
<add key="rabbitmq.ssl" value="%RABBITMQ_SSL%"/>
<add key="rabbitmq.allowInvalidCA" value="true"/>
<add key="rabbitmq.sslServerName" value=""/>
</appSettings>
Desired parameter should be set directly to the value of the key that you want to change. Quotes are need to be kept. Thus you can change “rabbitmq.ssl” and “rabbitmq.port” values to make Rabbit MQ work with this exchange in a different from Murano-Engine way. After modification, don’t forget to zip and re-upload core library.
If you are going not to use self-signed certificates additional configuration do not need to be done. Just point https in the URL. Otherwise, set MURANO_API_INSECURE = True on horizon config. You can find it in /etc/openstack-dashboard/local_settings.py..