Enable SSL for an OpenContrail API internal endpoint

Note

This feature is available starting from the MCP 2019.2.5 maintenance update. Before enabling the feature, follow the steps described in Apply maintenance updates.

This section describes how to manually enable SSL for an internal endpoint of the OpenContrail API.

To enable SSL for an OpenContrail API internal endpoint:

  1. Open your Git project repository with the Reclass model on the cluster level.

  2. In cluster/<cluster_name>/opencontrail/init.yml, add the following parameters:

    parameters:
      _param:
    ...
        opencontrail_api_ssl_enabled: True
        opencontrail_api_protocol: https
    ...
    
  3. In cluster/<cluster_name>/opencontrail/analytics.yml, cluster/<cluster_name>/opencontrail/control.yml, and cluster/<cluster_name>/opencontrail/compute.yml, add the following class:

    classes:
    ...
      - system.salt.minion.cert.opencontrail.api
    ...
    
  4. Log in to the Salt Master node.

  5. Create certificates on the OpenContrail nodes:

    salt -C "I@opencontrail:database or I@opencontrail:compute" state.sls salt.minion.cert
    
  6. Configure the HAProxy services:

    salt -C "I@opencontrail:control" state.apply haproxy
    
  7. Configure the OpenContrail services:

    salt -C "I@opencontrail:database" state.apply opencontrail exclude=opencontrail.compute
    salt -C "I@opencontrail:compute" state.apply opencontrail.client
    
  8. Configure the nodes that run neutron-server:

    salt -C "I@neutron:server" state.apply neutron.server
    
  9. Restart the neutron-server service so that it uses SSL to connect to the contrail-api VIP:

    salt -C "I@neutron:server" service.restart neutron-server
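
The Reclass edits from steps 2 and 3 can be checked for consistency before the Salt states are applied. The following script is an added example, not part of the original procedure or of MCP; the function names `check_contrail_ssl_model` and `build_sample_model` and the sample model files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not MCP code): check the Reclass edits from steps 2 and 3.
# Function names and the sample model below are constructed for illustration.

# Usage: check_contrail_ssl_model cluster/<cluster_name>/opencontrail
# Prints each problem and returns the number of problems (0 = consistent).
check_contrail_ssl_model() {
    local dir="$1" problems=0 f
    # Step 2: both parameters must be present and uncommented in init.yml.
    if ! grep -Eq '^[[:space:]]+opencontrail_api_ssl_enabled:[[:space:]]*[Tt]rue[[:space:]]*$' "$dir/init.yml" 2>/dev/null; then
        echo "init.yml: opencontrail_api_ssl_enabled is not True"
        problems=$((problems + 1))
    fi
    if ! grep -Eq '^[[:space:]]+opencontrail_api_protocol:[[:space:]]*https[[:space:]]*$' "$dir/init.yml" 2>/dev/null; then
        echo "init.yml: opencontrail_api_protocol is not https"
        problems=$((problems + 1))
    fi
    # Step 3: the certificate class must be listed in all three role files.
    for f in analytics.yml control.yml compute.yml; do
        if ! grep -Eq '^[[:space:]]*-[[:space:]]+system\.salt\.minion\.cert\.opencontrail\.api[[:space:]]*$' "$dir/$f" 2>/dev/null; then
            echo "$f: class system.salt.minion.cert.opencontrail.api is missing"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample model: the class is commented out in compute.yml.
build_sample_model() {
    local dir="$1"
    mkdir -p "$dir"
    printf 'parameters:\n  _param:\n    opencontrail_api_ssl_enabled: True\n    opencontrail_api_protocol: https\n' > "$dir/init.yml"
    printf 'classes:\n  - system.salt.minion.cert.opencontrail.api\n' > "$dir/analytics.yml"
    cp "$dir/analytics.yml" "$dir/control.yml"
    printf 'classes:\n  # - system.salt.minion.cert.opencontrail.api\n' > "$dir/compute.yml"
}

sample=$(mktemp -d)
build_sample_model "$sample"
check_contrail_ssl_model "$sample" || echo "problems found: $?"
rm -rf "$sample"
```

Against a real model, run the function on the `cluster/<cluster_name>/opencontrail` directory before committing; a nonzero return status means one of the edits from steps 2 and 3 is missing or commented out.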