Bug 1737457

Summary: Support TLS-terminated HTTPS load balancer
Product: Red Hat OpenStack
Component: openstack-octavia
Version: 13.0 (Queens)
Status: CLOSED EOL
Severity: high
Priority: urgent
Type: Bug
Reporter: Carlos Goncalves <cgoncalves>
Assignee: Carlos Goncalves <cgoncalves>
QA Contact: Bruna Bonguardo <bbonguar>
CC: ealcaniz, gregraka, gthiemon, ihrachys, lpeer, majopela, scohen, tfreger
Keywords: FutureFeature, TestOnly, Triaged, ZStream
Target Milestone: z11
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2023-07-10 17:19:22 UTC
Bug Depends On: 1759476, 1779141
Bug Blocks: 1855005, 1907440

Description Carlos Goncalves 2019-08-05 12:08:31 UTC
With a TLS-terminated HTTPS load balancer, web clients communicate with the load balancer over TLS protocols. The load balancer terminates the TLS session and forwards the decrypted requests to the back-end servers. By terminating the TLS session on the load balancer, we offload the CPU-intensive encryption work to the load balancer, and enable the possibility of using advanced load balancer features, like Layer 7 features and header manipulation.

- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer
- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer-with-sni
- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-http-and-tls-terminated-https-load-balancing-on-the-same-ip-and-backend

Presently, TLS-terminated HTTPS load balancers are not supported in any released OSP version. This is a much-needed feature required in production environments.

Comment 11 Carlos Goncalves 2019-11-19 11:38:22 UTC
TLS SNI scenario tests: https://review.opendev.org/#/c/690778/
Upstream CI jobs that run these tests are named octavia-v2-dsvm-tls-barbican.

Comment 12 Carlos Goncalves 2019-11-27 17:05:11 UTC
HTTP and TLS-terminated HTTPS load balancing on the same IP and backend scenario test: https://review.opendev.org/#/c/696358/

Comment 13 Carlos Goncalves 2019-12-03 12:04:21 UTC
RFE for OSP 16: https://bugzilla.redhat.com/show_bug.cgi?id=1779141

Comment 22 Lon Hohberger 2023-07-10 17:19:22 UTC
OSP13 support officially ended on 27 June 2023