Move the Octavia certificates from the gtw01 to the Salt Master node

Starting from the Q4’18 MCP release, the certificates for connection to amphora are created on the Salt Master node and then loaded on the gtw nodes. Previously, they were created and stored on the gtw01 node. Therefore, if you have an existing OpenStack environment with Octavia where certificates were initially created on the gtw01 node, you can move these certificates to the Salt Master node to update your previously created load balancers.

To move certificates from the gtw01 to the Salt Master node:

  1. Log in to the Salt Master node.

  2. In /etc/salt/master.d/master.conf, verify that the file_recv parameter is set to True.

  3. Update the Octavia Salt formula:

    apt install --upgrade salt-formula-octavia
    
  4. Update the Reclass model:

    1. Remove the following classes from cluster/<cluster_name>/openstack/octavia_manager.yml:

      - system.salt.minion.ca.octavia_ca
      - system.salt.minion.cert.octavia.amphora_client
      
    2. Add the following classes to cluster/<cluster_name>/infra/config.yml:

      - system.salt.minion.ca.octavia_amphora_ca
      - system.salt.minion.cert.octavia.amphora_cluster_client
      
    3. TECHNICAL PREVIEW: If you want to add the Octavia Cluster Manager to your OpenStack environment, change the following class:

      - system.reclass.storage.system.openstack_gateway_single_octavia
      

      to

      - system.reclass.storage.system.openstack_gateway_cluster_octavia
      
  5. Load the certificates from the gtw01 to the Salt Master node:

    salt 'gtw01*' cp.push_dir /etc/octavia/certs upload_path=octavia_certs
    salt 'gtw01*' cp.push_dir /etc/pki/ca/octavia_ca upload_path=octavia_certs
    mkdir -p /srv/salt/env/prd/_certs
    cp -R /var/cache/salt/master/minions/gtw01.<cluster_name>/files/octavia_certs/* \
    /srv/salt/env/prd/_certs/octavia
    
  6. Refresh the pillars:

    salt-call state.sls reclass.storage
    salt '*' saltutil.refresh_pillar
    salt '*' saltutil.sync_all
    
  7. TECHNICAL PREVIEW: If you are going to use the Octavia Cluster Manager:

    1. Rename the existing port on the gtw01 node:

      salt -C 'I@neutron:client' state.sls octavia._rename_hm_neutron_port
      
    2. Update monitor ports:

      salt -C 'I@neutron:client' state.sls neutron.client
      salt '*' mine.update
      
  8. Apply the changes:

    salt -C 'I@octavia:manager' state.sls octavia
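
The checks below are an added example, not part of the MCP documentation or the Octavia formula: they confirm the file_recv setting from step 2, confirm that every file pushed in step 5 reached the destination byte-for-byte, and list copied files that group or others can read. The function names are hypothetical and all paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not MCP or formula code). Function names are hypothetical;
# every path is an argument. File names containing newlines are not handled.

# Step 2: succeed only if an uncommented "file_recv: True" line is present.
file_recv_enabled() {
  grep -Eiq '^[[:space:]]*file_recv:[[:space:]]*true[[:space:]]*(#.*)?$' "$1"
}

# Step 5: each file under the push cache ($1) must exist under the
# destination ($2) with identical bytes. Prints one line per problem.
verify_copy() {
  vc_rc=0
  while IFS= read -r vc_rel; do
    [ -n "$vc_rel" ] || continue
    vc_rel=${vc_rel#./}
    if [ ! -f "$2/$vc_rel" ]; then
      echo "MISSING  $vc_rel"; vc_rc=1
    elif ! cmp -s "$1/$vc_rel" "$2/$vc_rel"; then
      echo "DIFFERS  $vc_rel"; vc_rc=1
    fi
  done <<EOF
$(cd "$1" && find . -type f)
EOF
  return "$vc_rc"
}

# The copied tree can include private keys: list files that group or
# others are able to read.
loose_perms() {
  find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Usage: sh check_octavia_certs.sh <master.conf> <push_cache_dir> <dest_dir>
if [ "$#" -eq 3 ]; then
  file_recv_enabled "$1" || echo "file_recv is not set to True in $1"
  verify_copy "$2" "$3" && echo "all pushed files present and identical"
  loose_perms "$3" | sed 's|^|readable by group/others: |'
fi
```

Run it on the Salt Master node after step 5, passing the octavia_certs directory in the push cache as the source and /srv/salt/env/prd/_certs/octavia as the destination.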