You need to mount a certificate file in the NCP Pod to configure certificate-based authentication with the NSX-T API, or to configure a default certificate for SSL offloading on the NSX-T load balancer.
In both cases, do the following:
- Create a secret with a certificate and a private key.
- Attach a secret volume to the NCP pod and mount the volume (see the ConfigMap sample below).
For certificate-based authentication with the NSX-T API, specify the options nsx_api_cert_file and nsx_api_private_key_file under [nsx_v3] in the nsx-ncp-config ConfigMap, set to the mount paths of the certificate and key.
For NSX-T load balancer SSL offloading, specify the options lb_default_cert_path and lb_priv_key_path under [nsx_v3] in the nsx-ncp-config ConfigMap, set to the mount paths of the certificate and key.
ConfigMap section where you specify the paths to the certificate and key:
volumes:
  - name: projected-volume
    projected:
      sources:
        # ConfigMap nsx-ncp-config is expected to supply ncp.ini
        - configMap:
            name: nsx-ncp-config
            items:
              - key: ncp.ini
                path: ncp.ini
        # To use cert based auth, uncomment and update the secretName,
        # then update ncp.ini with the mounted cert and key file paths
        #- secret:
        #    name: nsx-secret
        #    items:
        #      - key: tls.crt
        #        path: nsx-cert/tls.crt
        #      - key: tls.key
        #        path: nsx-cert/tls.key
        #- secret:
        #    name: lb-secret
        #    items:
        #      - key: tls.crt
        #        path: lb-cert/tls.crt
        #      - key: tls.key
        #        path: lb-cert/tls.key
        # To use JWT based auth, uncomment and update the secretName.
        #- secret:
        #    name: wcp-cluster-credentials
        #    items:
        #      - key: username
        #        path: vc/username
        #      - key: password
        #        path: vc/password
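
A pre-deployment consistency check, as an added example that is not part of the original documentation or of NCP: it compares the certificate and key options under [nsx_v3] in ncp.ini with the item paths projected by the volume above. The mount path /etc/nsx-ujo, the function name and the sample inputs are assumptions constructed for illustration.

```python
import configparser
import posixpath

# Assumption: where projected-volume is mounted in the NCP container
# (the page does not state the mount path).
MOUNT_PATH = "/etc/nsx-ujo"

# Option pairs named on the page: (certificate, private key) under [nsx_v3].
PAIRS = [
    ("nsx_api_cert_file", "nsx_api_private_key_file"),
    ("lb_default_cert_path", "lb_priv_key_path"),
]

# Constructed sample: nsx-secret is uncommented, lb-secret is still commented out.
SAMPLE_PROJECTED = ["ncp.ini", "nsx-cert/tls.crt", "nsx-cert/tls.key"]
SAMPLE_INI = """
[nsx_v3]
nsx_api_cert_file = /etc/nsx-ujo/nsx-cert/tls.crt
nsx_api_private_key_file = /etc/nsx-ujo/nsx-cert/tls.key
lb_default_cert_path = /etc/nsx-ujo/lb-cert/tls.crt
lb_priv_key_path = /etc/nsx-ujo/lb-cert/tls.key
"""

def check_ncp_cert_paths(ncp_ini_text, projected_paths, mount_path=MOUNT_PATH):
    """Return a list of problems; an empty list means ncp.ini matches the volume."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ncp_ini_text)
    if not cfg.has_section("nsx_v3"):
        return ["missing [nsx_v3] section"]
    mounted = {posixpath.join(mount_path, p) for p in projected_paths}
    problems = []
    for cert_opt, key_opt in PAIRS:
        cert = cfg.get("nsx_v3", cert_opt, fallback=None)
        key = cfg.get("nsx_v3", key_opt, fallback=None)
        if cert is None and key is None:
            continue  # feature not configured, nothing to verify
        if cert is None or key is None:
            problems.append(f"{cert_opt} and {key_opt} must be set together")
            continue
        for opt, value in ((cert_opt, cert), (key_opt, key)):
            if posixpath.normpath(value) not in mounted:
                problems.append(f"{opt} = {value} is not projected by the volume")
    return problems

if __name__ == "__main__":
    for line in check_ncp_cert_paths(SAMPLE_INI, SAMPLE_PROJECTED):
        print("ERROR:", line)
```

With the sample input, the two lb_* options are reported because the lb-secret source is still commented out in the volume definition.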