Bug 1326705

Summary: [RFE] Provide alternative for SSL termination of lbaas vip without barbican
Product: Red Hat OpenStack
Reporter: Jaison Raju <jraju>
Component: openstack-neutron-lbaas
Assignee: Assaf Muller <amuller>
Status: CLOSED WONTFIX
QA Contact: Toni Freger <tfreger>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.0 (Kilo)
CC: amuller, apevec, cgoncalves, cshastri, jraju, lhh, nyechiel
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-26 17:59:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Jaison Raju 2016-04-13 10:41:27 UTC
1. Proposed title of this feature request  
  Provide alternative for SSL termination of lbaas vip without barbican

3. What is the nature and description of the request?  
  Neutron lbaas vips should have a configurable means for ssl termination without barbican.
4. Why does the customer need this? (List the business requirements here)  
  Upstream doc provides steps to configure ssl termination with barbican only:
https://wiki.openstack.org/wiki/Network/LBaaS/docs/how-to-create-tls-loadbalancer
Although we do not provide barbican & there is no fixed timeline to include the same with our OpenStack release.
ssl/tls termination is a mostly sought use case in neutron-lbaas.
We need to provide some solution until barbican is available.
5. How would the customer like to achieve this? (List the functional requirements here)  
  
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  
  
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
No.
* Feature to get barbican to fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1190269

Comment 3 Assaf Muller 2016-06-04 02:18:35 UTC
@Nir, can you confirm that Barbican is the way forward for TLS termination when using Octavia? If so, it makes sense to pursue the inclusion of Barbican in to OSP.

Comment 4 Nir Magnezi 2016-06-06 08:43:03 UTC
(In reply to Assaf Muller from comment #3)
> @Nir, can you confirm that Barbican is the way forward for TLS termination
> when using Octavia? If so, it makes sense to pursue the inclusion of
> Barbican in to OSP.

"The initial supported implementation for TLS related functions will be Barbican, but the interface will be generic such that other implementations could be created later."

Source: http://octavia.io/review/master/specs/version0.5/tls-data-security.html

We should incorporate Barbican in OSP.

Comment 12 Assaf Muller 2018-06-26 17:59:06 UTC
The focus is on Octavia now, which offers SSL termination using Barbican. There are no plans to offer an alternative at this time.