Note
This feature is available starting from the MCP 2019.2.5 maintenance update. Before enabling the feature, follow the steps described in Apply maintenance updates.
This section describes how to manually enable SSL for an internal endpoint of the OpenContrail API.
To enable SSL for an OpenContrail API internal endpoint:
Open your Git project repository with Reclass model on the cluster level.
In cluster/<cluster_name>/opencontrail/init.yml, add the following
parameters:
parameters:
_param:
...
opencontrail_api_ssl_enabled: True
opencontrail_api_protocol: https
...
In cluster/<cluster_name>/opencontrail/analytics.yml,
cluster/<cluster_name>/opencontrail/control.yml, and
cluster/<cluster_name>/opencontrail/compute.yml, add the following
class:
classes:
...
- system.salt.minion.cert.opencontrail.api
...
Log in to the Salt Master node.
Create certificates on the OpenContrail nodes:
salt -C "I@opencontrail:database or I@opencontrail:compute" state.sls salt.minion.cert
Configure the HAProxy services:
salt -C "I@opencontrail:control" state.apply haproxy
Configure the OpenContrail services:
salt -C "I@opencontrail:database" state.apply opencontrail exclude=opencontrail.compute
salt -C "I@opencontrail:compute" state.apply opencontrail.client
Configure the nodes that run neutron-server:
salt -C "I@neutron:server" state.apply neutron.server
Restart the neutron-server service to use SSL to connect to
contrail-api VIP:
salt -C "I@neutron:server" service.restart neutron-server