Murano components can work with SSL. This section provides information on how to set SSL properly.
Configure SSL for Murano API¶
To configure SSL for the Murano API service, modify the
[ssl] section in
[ssl] cert_file = <PATH> key_file = <PATH> ca_file = <PATH>
A path to the certificate file the server should use when binding to an SSL-wrapped socket.
A path to the private key file the server should use when binding to an SSL-wrapped socket.
A path to the CA certificate file the server should use to validate client certificates provided during an SSL handshake. This parameter is ignored if the
Murano API starts using SSL automatically after you point to the HTTPS protocol
instead of HTTP during the registration of the Murano API service
in endpoints, modifying the
publicurl argument to start with
SSL for Murano API is implemented the same way as in any other OpenStack component. See ssl python module for details.
Configure SSL for RabbitMQ¶
All murano components communicate with each other using RabbitMQ. By default, all messages in RabbitMQ are not encrypted. You can encrypt this interaction with SSL. Configure each RabbitMQ exchange separately.
Murano API <-> RabbitMQ <-> Murano engine¶
[default] section in the
Enable SSL for RabbitMQ:
# connect over SSL for RabbitMQ (boolean value) rabbit_use_ssl = true
Specify the paths to the SSL key file and SSL CA certificate in a regular
</PATH/TO/FILE>format without quotes or leave them empty to enable self-signed certificates:
# SSL version to use (valid only if SSL enabled). valid values # are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some # distributions (string value) kombu_ssl_version = # SSL key file (valid only if SSL enabled) (string value) kombu_ssl_keyfile = # SSL cert file (valid only if SSL enabled) (string value) kombu_ssl_certfile = # SSL certification authority file (valid only if SSL enabled) # (string value) kombu_ssl_ca_certs =
Murano agent -> RabbitMQ¶
To encrypt the communication between the murano agent and RabbitMQ,
ssl = True in the
[rabbitmq] section of
[rabbitmq] ... ssl = True insecure = False
If you want to configure the murano agent differently, you need to change the default template located in the murano core library. After you finish with the template modification, verify that you zip and re-upload the murano core library.
Configure SSL for the Dashboard¶
If you do not plan to use self-signed certificates, no additional
configurations are required. Just point your web browser to the URL
Otherwise, set the
MURANO_API_INSECURE parameter to