Bug 1326705 - [RFE] Provide alternative for SSL termination of lbaas vip without barbican
Summary: [RFE] Provide alternative for SSL termination of lbaas vip without barbican
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron-lbaas
Version: 7.0 (Kilo)
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
: ---
Assignee: Assaf Muller
QA Contact: Toni Freger
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-13 10:41 UTC by Jaison Raju
Modified: 2022-08-16 14:05 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-26 17:59:06 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-4550 0 None None None 2022-08-16 14:05:13 UTC
Red Hat Knowledge Base (Solution) 2256331 0 None None None 2016-04-13 11:15:04 UTC

Description Jaison Raju 2016-04-13 10:41:27 UTC
1. Proposed title of this feature request  
  Provide alternative for SSL termination of lbaas vip without barbican

3. What is the nature and description of the request?  
  Neutron lbaas vips should have a configurable means for ssl termination without barbican.
4. Why does the customer need this? (List the business requirements here)  
  Upstream doc provides steps to configure ssl termination with barbican only
https://wiki.openstack.org/wiki/Network/LBaaS/docs/how-to-create-tls-loadbalancer
Although we do not provide barbican & there is not fixed timeline to include the same with our OpenStack release .
ssl/tls termination is mostly sought use case in neutron-lbaas .
We need to provide some solution until barbican is available .
5. How would the customer like to achieve this? (List the functional requirements here)  
  
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  
  
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
No .
* Feature to get barbican to fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1190269

Comment 3 Assaf Muller 2016-06-04 02:18:35 UTC
@Nir, can you confirm that Barbican is the way forward for TLS termination when using Octavia? If so, it makes sense to pursue the inclusion of Barbican in to OSP.

Comment 4 Nir Magnezi 2016-06-06 08:43:03 UTC
(In reply to Assaf Muller from comment #3)
> @Nir, can you confirm that Barbican is the way forward for TLS termination
> when using Octavia? If so, it makes sense to pursue the inclusion of
> Barbican in to OSP.

"The initial supported implementation for TLS related functions will be Barbican, but the interface will be generic such that other implementations could be created later."

Source: http://octavia.io/review/master/specs/version0.5/tls-data-security.html

We should incorporate Barbican in OSP.

Comment 12 Assaf Muller 2018-06-26 17:59:06 UTC
The focus is on Octavia now, which offers SSL termination using Barbican. There are no plans to offer an alternative at this time.


Note You need to log in before you can comment on or make changes to this bug.