You need to mount a certificate file in the NCP Pod to configure certificate-based authentication with the NSX API, or to configure a default certificate for SSL offloading for the NSX load balancer.

For both cases, do the following:
  • Create a secret with a certificate and a private key.
  • Attach a secret volume to the NCP pod and mount the volume (see the sample below).

For certificate-based authentication with NSX API, specify the options nsx_api_cert_file and nsx_api_private_key_file under [nsx_v3] in the nsx-ncp-config ConfigMap with the mount path for the certificate and key.

For NSX load balancer SSL offloading, specify the options lb_default_cert_path and lb_priv_key_path under [nsx_v3] in the nsx-ncp-config ConfigMap with the mount path for the certificate and key.

Sample volumes section in which the nsx-ncp-config ConfigMap and the secrets are projected, and where you specify the paths to the certificate and key:
      volumes:
        - name: projected-volume
          projected:
            sources:
              # ConfigMap nsx-ncp-config is expected to supply ncp.ini
              - configMap:
                  name: nsx-ncp-config
                  items:
                    - key: ncp.ini
                      path: ncp.ini
              # To use cert based auth, uncomment and update the secretName,
              # then update ncp.ini with the mounted cert and key file paths
              #- secret:
              #    name: nsx-secret
              #    items:
              #      - key: tls.crt
              #        path: nsx-cert/tls.crt
              #      - key: tls.key
              #        path: nsx-cert/tls.key
              #- secret:
              #    name: lb-secret
              #    items:
              #      - key: tls.crt
              #        path: lb-cert/tls.crt
              #      - key: tls.key
              #        path: lb-cert/tls.key
              # To use JWT based auth, uncomment and update the secretName.
              #- secret:
              #    name: wcp-cluster-credentials
              #    items:
              #      - key: username
              #        path: vc/username
              #      - key: password
              #        path: vc/password
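
The check below is an added example, not part of the original documentation or of NCP itself. It verifies that each certificate option set under [nsx_v3] resolves to a file that the projected volume actually provides. The mount path /etc/nsx-ujo, the function name and the sample ncp.ini are assumptions made for illustration; substitute the mountPath from your own NCP Deployment.

```python
import configparser
import posixpath

# Assumption: the NCP container mounts "projected-volume" here; take the real
# value from the volumeMounts entry in your NCP Deployment.
MOUNT_PATH = "/etc/nsx-ujo"

# Item paths from the projected volume above, with the nsx-secret and
# lb-secret sources uncommented.
PROJECTED_ITEMS = [
    "ncp.ini",
    "nsx-cert/tls.crt", "nsx-cert/tls.key",
    "lb-cert/tls.crt", "lb-cert/tls.key",
]

# The four [nsx_v3] options named on this page.
CERT_OPTIONS = (
    "nsx_api_cert_file", "nsx_api_private_key_file",
    "lb_default_cert_path", "lb_priv_key_path",
)

# Constructed ncp.ini fragment; lb_priv_key_path deliberately points at a
# file that no secret item provides.
SAMPLE_NCP_INI = """
[nsx_v3]
nsx_api_cert_file = /etc/nsx-ujo/nsx-cert/tls.crt
nsx_api_private_key_file = /etc/nsx-ujo/nsx-cert/tls.key
lb_default_cert_path = /etc/nsx-ujo/lb-cert/tls.crt
lb_priv_key_path = /etc/nsx-ujo/nsx-cert/lb.key
"""

def unresolved_cert_paths(ini_text, mount_path=MOUNT_PATH, items=PROJECTED_ITEMS):
    """Return {option: path} for configured options that match no mounted file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    # Absolute path of every file the projected volume places in the container.
    mounted = {posixpath.normpath(posixpath.join(mount_path, i)) for i in items}
    problems = {}
    if not parser.has_section("nsx_v3"):
        return problems
    for option in CERT_OPTIONS:
        value = parser.get("nsx_v3", option, fallback="").strip()
        if value and posixpath.normpath(value) not in mounted:
            problems[option] = value
    return problems

if __name__ == "__main__":
    for option, path in unresolved_cert_paths(SAMPLE_NCP_INI).items():
        print(f"{option}: {path} is not provided by the projected volume")
```

Passing only ncp.ini as the item list reproduces the case where the secret sources are still commented out: every configured certificate option is then reported.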