RabbitMQ TLS support
OSCORE-385
Change-Id: I93ead9105820fe7462b7bd9b76d51f89ce5950c6
Releases: Mitaka, Newton, Ocata
Usage: see README.rst
diff --git a/README.rst b/README.rst
index e8ef14c..2047af9 100644
--- a/README.rst
+++ b/README.rst
@@ -736,6 +736,61 @@
virtual_host: '/openstack'
....
+Client-side RabbitMQ TLS configuration:
+
+|
+
+To enable TLS for oslo.messaging you need to provide the CA certificate.
+
+By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+
+.. code-block:: yaml
+
+ neutron:
+ server, gateway, compute:
+ ....
+ message_queue:
+ ssl:
+ enabled: True
+
+
+
+Use `cacert_file` option to specify the CA-cert file path explicitly:
+
+.. code-block:: yaml
+
+ neutron:
+ server, gateway, compute:
+ ....
+ message_queue:
+ ssl:
+ enabled: True
+ cacert_file: /etc/ssl/rabbitmq-ca.pem
+
+To manage content of the `cacert_file` use the `cacert` option:
+
+.. code-block:: yaml
+
+ neutron:
+ server, gateway, compute:
+ ....
+ message_queue:
+ ssl:
+ enabled: True
+ cacert: |
+
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-------
+
+ cacert_file: /etc/openstack/rabbitmq-ca.pem
+
+
+Notice:
+ * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
+ * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+
+
Enable auditing filter, ie: CADF
.. code-block:: yaml
diff --git a/neutron/compute.sls b/neutron/compute.sls
index a4faa97..bb80f21 100644
--- a/neutron/compute.sls
+++ b/neutron/compute.sls
@@ -1,4 +1,4 @@
-{% from "neutron/map.jinja" import compute, fwaas with context %}
+{% from "neutron/map.jinja" import compute, fwaas, system_cacerts_file with context %}
{%- if compute.enabled %}
neutron_compute_packages:
@@ -41,6 +41,9 @@
- file: /etc/neutron/neutron.conf
- file: /etc/neutron/plugins/ml2/openvswitch_agent.ini
- file: /etc/neutron/plugins/ml2/sriov_agent.ini
+ {%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
+ - file: rabbitmq_ca
+ {%- endif %}
{% endif %}
@@ -69,6 +72,9 @@
- file: /etc/neutron/metadata_agent.ini
{%- if fwaas.get('enabled', False) %}
- file: /etc/neutron/fwaas_driver.ini
+ {% endif %}
+ {%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
+ - file: rabbitmq_ca
{%- endif %}
- require:
- pkg: neutron_dvr_packages
@@ -107,5 +113,23 @@
- watch:
- file: /etc/neutron/neutron.conf
- file: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ {%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
+ - file: rabbitmq_ca
+ {%- endif %}
+
+
+{%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if compute.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ compute.message_queue.ssl.cacert_file }}
+ - contents_pillar: neutron:compute:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ compute.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
{%- endif %}
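Review bot: In the `file.managed` branch of `rabbitmq_ca`, `name` is taken from `compute.message_queue.ssl.cacert_file` with no fallback, so a pillar that sets `cacert` but omits `cacert_file` renders a state with no usable target path. Falling back to `system_cacerts_file` there would overwrite the distribution CA bundle with pillar content, so the safer fix is to enter that branch only when both keys exist, `{%- if compute.message_queue.ssl.cacert is defined and compute.message_queue.ssl.cacert_file is defined %}`, and to state in the README that `cacert` requires `cacert_file`. The same block is added to gateway.sls and server.sls under the same state ID `rabbitmq_ca`; if two of these roles can land on one minion the IDs would presumably collide, so role-specific IDs such as `neutron_compute_rabbitmq_ca` are worth considering. The enclosing `{%- if compute.enabled %}` opens outside this hunk.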
diff --git a/neutron/files/mitaka/neutron-generic.conf.Debian b/neutron/files/mitaka/neutron-generic.conf.Debian
index 6956e60..36c7fc4 100644
--- a/neutron/files/mitaka/neutron-generic.conf.Debian
+++ b/neutron/files/mitaka/neutron-generic.conf.Debian
@@ -1,7 +1,7 @@
{%- if pillar.neutron.gateway is defined %}
-{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, gateway as neutron with context %}
{%- else %}
-{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, compute as neutron with context %}
{%- endif %}
[DEFAULT]
@@ -1269,14 +1269,31 @@
# Deprecated group/name - [DEFAULT]/rabbit_hosts
#rabbit_hosts = $rabbit_host:$rabbit_port
#
+{%- set rabbit_port = neutron.message_queue.get('port', 5671 if neutron.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if neutron.message_queue.members is defined %}
rabbit_hosts = {% for member in neutron.message_queue.members -%}
- {{ member.host }}:{{ member.get('port', 5672) }}
+ {{ member.host }}:{{ member.get('port',rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
{%- else %}
rabbit_host = {{ neutron.message_queue.host }}
-rabbit_port = {{ neutron.message_queue.port }}
+rabbit_port = {{ rabbit_port }}
+{%- endif %}
+
+{%- if neutron.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if neutron.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ neutron.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if neutron.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
{%- endif %}
rabbit_userid = {{ neutron.message_queue.user }}
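Review bot: `kombu_ssl_version` is written only when `ssl.version` is set or the `pythonversion` grain compares above `[2,7,8]`, so on older interpreters the protocol is left to the library default, which the README in this commit gives as TLSv1. `ssl.version` is also rendered verbatim, so a typo or a legacy protocol name in pillar reaches neutron.conf unchecked. Consider gating the value on an allow-list, e.g. `{%- if neutron.message_queue.ssl.version in ['TLSv1_1', 'TLSv1_2'] %}` adjusted to what the deployment accepts, and adding a template comment such as `# kombu_ssl_version is not set on python < 2.7.9; the library default applies`. The same block is repeated in the mitaka server template and in the newton and ocata generic and server templates.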
diff --git a/neutron/files/mitaka/neutron-server.conf.Debian b/neutron/files/mitaka/neutron-server.conf.Debian
index 62d1a48..ad90ee9 100644
--- a/neutron/files/mitaka/neutron-server.conf.Debian
+++ b/neutron/files/mitaka/neutron-server.conf.Debian
@@ -1,4 +1,5 @@
-{%- from "neutron/map.jinja" import fwaas, server with context %}
+{%- from "neutron/map.jinja" import fwaas, server, system_cacerts_file with context %}
+
[DEFAULT]
#
@@ -844,7 +845,7 @@
auth_protocol=http
revocation_cache_time = 10
{% if server.backend.engine == "contrail" %}
-# LBaaS contrail neutron plugin for versions 3.x expects auth_type to be
+# LBaaS contrail neutron plugin for versions 3.x expects auth_type to be
# 'keystone' or 'noauth'
# This behaviour is fixed after the release MCP1.0 by using auth_strategy
# instead of auth_type, until this is backported to MCP1.0 auth_type must be
@@ -1365,14 +1366,31 @@
# Deprecated group/name - [DEFAULT]/rabbit_hosts
#rabbit_hosts = $rabbit_host:$rabbit_port
#
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if server.message_queue.members is defined %}
rabbit_hosts = {% for member in server.message_queue.members -%}
- {{ member.host }}:{{ member.get('port', 5672) }}
+ {{ member.host }}:{{ member.get('port',rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
{%- else %}
rabbit_host = {{ server.message_queue.host }}
-rabbit_port = {{ server.message_queue.port }}
+rabbit_port = {{ rabbit_port }}
+{%- endif %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
{%- endif %}
rabbit_userid = {{ server.message_queue.user }}
diff --git a/neutron/files/newton/neutron-generic.conf.Debian b/neutron/files/newton/neutron-generic.conf.Debian
index d901533..3d8c5fb 100644
--- a/neutron/files/newton/neutron-generic.conf.Debian
+++ b/neutron/files/newton/neutron-generic.conf.Debian
@@ -1,7 +1,7 @@
{%- if pillar.neutron.gateway is defined %}
-{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, gateway as neutron with context %}
{%- else %}
-{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, compute as neutron with context %}
{%- endif %}
[DEFAULT]
@@ -525,14 +525,16 @@
# not set, we fall back to the rpc_backend option and driver specific
# configuration. (string value)
#transport_url = <None>
+
+{%- set rabbit_port = neutron.message_queue.get('port', 5671 if neutron.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if neutron.message_queue.members is defined %}
transport_url = rabbit://{% for member in neutron.message_queue.members -%}
- {{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+ {{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
/{{ neutron.message_queue.virtual_host }}
{%- else %}
-transport_url = rabbit://{{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ neutron.message_queue.host }}:{{ neutron.message_queue.port }}/{{ neutron.message_queue.virtual_host }}
+transport_url = rabbit://{{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ neutron.message_queue.host }}:{{ rabbit_port }}/{{ neutron.message_queue.virtual_host }}
{%- endif %}
# The messaging driver to use, defaults to rabbit. Other drivers include amqp
@@ -1216,6 +1218,22 @@
# From oslo.messaging
#
+{%- if neutron.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if neutron.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ neutron.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if neutron.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
diff --git a/neutron/files/newton/neutron-server.conf.Debian b/neutron/files/newton/neutron-server.conf.Debian
index 2aacbe3..76768ae 100644
--- a/neutron/files/newton/neutron-server.conf.Debian
+++ b/neutron/files/newton/neutron-server.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "neutron/map.jinja" import server with context %}
+{%- from "neutron/map.jinja" import server, system_cacerts_file with context %}
[DEFAULT]
#
@@ -551,14 +551,16 @@
# not set, we fall back to the rpc_backend option and driver specific
# configuration. (string value)
#transport_url = <None>
+
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if server.message_queue.members is defined %}
transport_url = rabbit://{% for member in server.message_queue.members -%}
- {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+ {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
/{{ server.message_queue.virtual_host }}
{%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
{%- endif %}
# The messaging driver to use, defaults to rabbit. Other drivers include amqp
@@ -1301,6 +1303,22 @@
# From oslo.messaging
#
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
diff --git a/neutron/files/ocata/neutron-generic.conf.Debian b/neutron/files/ocata/neutron-generic.conf.Debian
index 8115aea..123386d 100644
--- a/neutron/files/ocata/neutron-generic.conf.Debian
+++ b/neutron/files/ocata/neutron-generic.conf.Debian
@@ -1,7 +1,7 @@
{%- if pillar.neutron.gateway is defined %}
-{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, gateway as neutron with context %}
{%- else %}
-{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, compute as neutron with context %}
{%- endif %}
[DEFAULT]
@@ -590,14 +590,16 @@
# A URL representing the messaging driver to use and its full configuration.
# (string value)
#transport_url = <None>
+
+{%- set rabbit_port = neutron.message_queue.get('port', 5671 if neutron.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if neutron.message_queue.members is defined %}
transport_url = rabbit://{% for member in neutron.message_queue.members -%}
- {{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+ {{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
/{{ neutron.message_queue.virtual_host }}
{%- else %}
-transport_url = rabbit://{{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ neutron.message_queue.host }}:{{ neutron.message_queue.port }}/{{ neutron.message_queue.virtual_host }}
+transport_url = rabbit://{{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ neutron.message_queue.host }}:{{ rabbit_port }}/{{ neutron.message_queue.virtual_host }}
{%- endif %}
# DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
@@ -1524,6 +1526,22 @@
# From oslo.messaging
#
+{%- if neutron.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if neutron.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ neutron.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if neutron.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
diff --git a/neutron/files/ocata/neutron-server.conf.Debian b/neutron/files/ocata/neutron-server.conf.Debian
index 1b9d28c..049544b 100644
--- a/neutron/files/ocata/neutron-server.conf.Debian
+++ b/neutron/files/ocata/neutron-server.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "neutron/map.jinja" import fwaas, server with context %}
+{%- from "neutron/map.jinja" import fwaas, server, system_cacerts_file with context %}
[DEFAULT]
#
@@ -614,14 +614,16 @@
# A URL representing the messaging driver to use and its full configuration.
# (string value)
#transport_url = <None>
+
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if server.message_queue.members is defined %}
transport_url = rabbit://{% for member in server.message_queue.members -%}
- {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+ {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
/{{ server.message_queue.virtual_host }}
{%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
{%- endif %}
# DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
@@ -1604,6 +1606,22 @@
# From oslo.messaging
#
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
diff --git a/neutron/gateway.sls b/neutron/gateway.sls
index 7871c9f..96d7e9f 100644
--- a/neutron/gateway.sls
+++ b/neutron/gateway.sls
@@ -1,11 +1,11 @@
-{% from "neutron/map.jinja" import gateway, fwaas with context %}
+{% from "neutron/map.jinja" import gateway, fwaas, system_cacerts_file with context %}
+
{%- if fwaas.get('enabled', False) %}
include:
- neutron.fwaas
{%- endif %}
{%- if gateway.enabled %}
-
neutron_gateway_packages:
pkg.installed:
- names: {{ gateway.pkgs }}
@@ -62,5 +62,23 @@
{%- if fwaas.get('enabled', False) %}
- file: /etc/neutron/fwaas_driver.ini
{%- endif %}
+ {%- if gateway.message_queue.get('ssl',{}).get('enabled', False) %}
+ - file: rabbitmq_ca
+ {%- endif %}
+
+
+{%- if gateway.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if gateway.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ gateway.message_queue.ssl.cacert_file }}
+ - contents_pillar: neutron:gateway:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ gateway.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
{%- endif %}
diff --git a/neutron/map.jinja b/neutron/map.jinja
index a4133d1..80aa94d 100644
--- a/neutron/map.jinja
+++ b/neutron/map.jinja
@@ -1,3 +1,7 @@
+{%- set system_cacerts_file = salt['grains.filter_by']({
+ 'Debian': '/etc/ssl/certs/ca-certificates.crt',
+ 'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+})%}
{% set compute = salt['grains.filter_by']({
'Debian': {
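Review bot: `system_cacerts_file` has entries only for the Debian and RedHat families and no documented behaviour for anything else, so on another `os_family` the lookup presumably yields no value and the templates would render `kombu_ssl_ca_certs=` without a usable path. A short comment above the map would record the intent, e.g. `{#- Distribution CA bundle, used when message_queue.ssl.cacert_file is not set; Debian and RedHat only -#}`. The `compute` map that follows continues outside this hunk.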
diff --git a/neutron/server.sls b/neutron/server.sls
index 904a18c..eff9fb8 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -1,11 +1,11 @@
-{%- from "neutron/map.jinja" import server, fwaas with context %}
+{%- from "neutron/map.jinja" import server, fwaas, system_cacerts_file with context %}
+
{%- if fwaas.get('enabled', False) %}
include:
- neutron.fwaas
{%- endif %}
{%- if server.get('enabled', False) %}
-
{% if grains.os_family == 'Debian' %}
# This is here to avoid starting up wrongly configured service and to avoid
# issue with restart limits on systemd.
@@ -66,6 +66,9 @@
{%- endif %}
- watch:
- file: /etc/neutron/neutron.conf
+ {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+ - file: rabbitmq_ca
+ {%- endif %}
{%- endif %}
@@ -214,6 +217,9 @@
{%- endif %}
- watch:
- file: /etc/neutron/neutron.conf
+ {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+ - file: rabbitmq_ca
+ {%- endif %}
{%- if grains.get('virtual_subtype', None) == "Docker" %}
@@ -226,4 +232,19 @@
{%- endif %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if server.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.message_queue.ssl.cacert_file }}
+ - contents_pillar: neutron:server:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
{%- endif %}
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
new file mode 100644
index 0000000..3e79d83
--- /dev/null
+++ b/tests/pillar/ssl.sls
@@ -0,0 +1,9 @@
+include:
+ - .control_cluster
+
+neutron:
+ server:
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
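Review bot: This pillar exercises only the server role with the system CA bundle and an explicit port, so the `cacert`/`cacert_file` `file.managed` branch, the 5671 default and the compute and gateway states added in this commit are not rendered by any test. Dropping `port: 5671` here would cover the port default. A second test pillar that sets `cacert_file: /etc/openstack/rabbitmq-ca.pem` together with a `cacert` block, applied to the compute and gateway roles as well, would cover the managed-certificate path.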