Setup Octavia and Barbican in OpenStack for a load balancer with SSL

Big thanks to spatel / and johnsom on freenode.

openstack_user_config.yml

cidr_networks:
  lbaas: 172.29.232.0/22

used_ips:
  - "172.29.232.100,172.29.235.250"   # same range as octavia_management_net_subnet_allocation_pools

# under global_overrides: provider_networks:
  - network:
      container_bridge: "br-lbaas"
      container_type: "veth"
      container_interface: "eth14"
      host_bind_override: "eth14"
      ip_from_q: "lbaas"
      type: "raw"
      net_name: "lbaas"
      group_binds:
        - neutron_linuxbridge_agent
        - octavia-worker
        - octavia-housekeeping
        - octavia-health-manager

# *infrastructure_hosts is the YAML anchor already used for the other *_hosts groups
octavia-infra_hosts: *infrastructure_hosts
key-manager_hosts: *infrastructure_hosts

user_variables.yml

horizon_enable_neutron_lbaas: False
neutron_lbaas_octavia: true
octavia_ssh_enabled: true
octavia_management_net_subnet_allocation_pools: 172.29.232.100-172.29.235.250
octavia_management_net_subnet_cidr: 172.29.232.0/22
octavia_provider_network_name: vlan
octavia_provider_segmentation_id: 555
octavia_provider_network_type: vlan
octavia_container_network_name: lbaas_address
octavia_legacy_policy: true
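The comment on used_ips above is the one thing in these two files that is easy to get wrong: OSA gives container addresses from cidr_networks minus used_ips, while Octavia gives amphora addresses from the Neutron allocation pool, so the pool must sit inside the management CIDR and be fully reserved in used_ips. The check below is an added example, not part of this post or of OpenStack-Ansible; it works on Python dicts constructed from the values above instead of parsing the YAML files, and it handles used_ips entries that are single addresses as well as ranges.

```python
import ipaddress

# Constructed from the openstack_user_config.yml / user_variables.yml values above.
OSA_CONFIG = {
    "cidr_networks": {"lbaas": "172.29.232.0/22"},
    "used_ips": ["172.29.232.100,172.29.235.250"],
}
OCTAVIA_VARS = {
    "octavia_management_net_subnet_cidr": "172.29.232.0/22",
    "octavia_management_net_subnet_allocation_pools": "172.29.232.100-172.29.235.250",
}


def parse_range(text, sep):
    """Parse 'first<sep>last' into a (first, last) pair of IP addresses."""
    first, last = (ipaddress.ip_address(p.strip()) for p in text.split(sep))
    if last < first:
        raise ValueError(f"range end before start: {text}")
    return first, last


def check_lbaas_ranges(osa, octavia):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    osa_net = ipaddress.ip_network(osa["cidr_networks"]["lbaas"])
    mgmt_net = ipaddress.ip_network(octavia["octavia_management_net_subnet_cidr"])
    if osa_net != mgmt_net:
        problems.append(f"cidr mismatch: {osa_net} vs {mgmt_net}")

    # Octavia's allocation pool is written as first-last.
    pool_first, pool_last = parse_range(
        octavia["octavia_management_net_subnet_allocation_pools"], "-")
    if pool_first not in mgmt_net or pool_last not in mgmt_net:
        problems.append("allocation pool is not inside the management CIDR")

    # OSA used_ips entries are either "first,last" ranges or single addresses.
    reserved = []
    for entry in osa["used_ips"]:
        if "," in entry:
            reserved.append(parse_range(entry, ","))
        else:
            addr = ipaddress.ip_address(entry)
            reserved.append((addr, addr))

    # Every amphora address must be excluded from container allocation.
    covered = any(r_first <= pool_first and pool_last <= r_last
                  for r_first, r_last in reserved)
    if not covered:
        problems.append("allocation pool is not fully listed in used_ips")
    return problems
```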


# Controllers 

In netplan, create an empty bridge (under network: bridges:):

br-lbaas:
  dhcp4: false
  dhcp6: false

In /etc/rc.local (make sure it runs at boot):

#!/bin/bash
VLAN_ID=555

# Create a veth pair: one end joins br-vlan (the provider bridge),
# the other carries the tagged lbaas traffic into br-lbaas
ip link add v-br-vlan type veth peer name v-br-lbaas
# VLAN sub-interface on the lbaas end, tagged with octavia_provider_segmentation_id
ip link add link v-br-lbaas name v-br-lbaas.${VLAN_ID} type vlan id ${VLAN_ID}
ip link set v-br-vlan up
ip link set v-br-lbaas up
ip link set v-br-lbaas.${VLAN_ID} up
# Plug the VLAN sub-interface into br-lbaas and the untagged end into br-vlan
brctl addif br-lbaas v-br-lbaas.${VLAN_ID}
brctl addif br-vlan v-br-vlan


# Run the playbooks to set up the containers and the services.

 

After the playbooks finish, get the octavia user's password from /etc/openstack_deploy/user_secrets.yml, log in as that user and upload an SSH keypair named octavia_key. Without it, your load balancer instances will not work. Alternatively, set octavia_ssh_enabled: false if you do not need to log in to them.

 

You will now be able to create an HTTP load balancer from the Horizon GUI.


——————————–

To create an SSL load balancer endpoint (a TLS-terminated listener), you first need the certificate stored in Barbican.

First, add the proper role. Barbican's default policy only lets users with the creator role store secrets, so if your user is called testuser and the project is testproj, grant it creator:

openstack role add --user testuser --project testproj  creator

 

As testuser, bundle the key, certificate and CA chain into a PKCS12 file (Octavia expects an unencrypted bundle, hence the empty password) and store it in Barbican as a base64-encoded octet stream:

openssl pkcs12 -export -inkey ssl.key -in ssl.crt -certfile ssl.ca -passout pass: -out ssl.p12

openstack secret store --name='domain.ssl' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < ssl.p12)"

After this, go back to Horizon >> Network >> Load Balancers, add a TERMINATED_SSL endpoint and select the domain.ssl certificate.
