Bug 1610197 - Octavia L7 LB - doesn't support HTTPS pass-through (TLS-SNI)
Summary: Octavia L7 LB - doesn't support HTTPS pass-through (TLS-SNI)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 16.0 (Train)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Carlos Goncalves
QA Contact: Bruna Bonguardo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-31 07:48 UTC by Yossi Boaron
Modified: 2020-03-11 08:05 UTC
6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-11 08:04:59 UTC
Target Upstream Version:
Embargoed:




Links
System               | ID      | Private | Priority | Status | Summary                                                       | Last Updated
OpenStack Storyboard | 2003858 | 0       | None     | None   | None                                                          | 2019-06-06 14:57:52 UTC
OpenStack gerrit     | 624267  | 0       | None     | MERGED | Amp driver support sni option to send the hostname to backend | 2020-05-13 17:30:24 UTC

Description Yossi Boaron 2018-07-31 07:48:53 UTC
Description of problem:

Openshift-Router [1] allows external users and client applications access to HTTP/HTTPS services. 

For the shiftstack (Openshift on Openstack) case, Kuryr-Kubernetes supports Openshift-Router based on Octavia L7 capabilities.
The design of the Kuryr-Kubernetes Openshift-Router/Ingress controller is covered at [2].

One of the secured routes [3] supported by Openshift-Router is HTTPS-pass-through.

In SSL/TLS pass-through mode, HAProxy doesn't have a certificate because it's not going to decrypt the traffic, and that means it's never going to see the Host header. Instead, it needs to be told to wait for the SSL/TLS hello packets (a dump of a client Hello packet can be found at [4]) so it can sniff the SNI request and take a routing/LB decision based on the host_name field in SNI.

Octavia L7 LB should be extended to support routing based on SNI host name for HTTPS pass-through.


[1] - https://docs.openshift.com/container-platform/3.9/install_config/router/index.html

[2] - https://docs.openstack.org/kuryr-kubernetes/latest/devref/kuryr_kubernetes_ingress_design.html

[3] - https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html#secured-routes

[4] https://www.cloudshark.org/captures/a9718e5fdb28
Version-Release number of selected component (if applicable):

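The routing decision the description asks for, as an added example that is not code from Octavia, Kuryr-Kubernetes or HAProxy: the balancer never decrypts, so the only routable field is the server_name extension the client sends in the clear in its ClientHello. The code parses a buffered TLS record, pulls out the SNI host_name, and maps it to a pool; it also handles the two cases a pass-through balancer must get right, an incomplete ClientHello (wait for more bytes, which is what HAProxy's `tcp-request inspect-delay` does before `req.ssl_sni` can match) and a hello with no SNI at all (fall back to a default pool). The `ROUTES` table, pool names and the `build_client_hello` sample input are constructed for this example.

```python
"""Pass-through routing on the TLS SNI host_name (added example, not project code)."""
import struct

# Constructed routing table (assumption for this example): SNI host_name -> pool.
ROUTES = {
    "app1.example.com": "pool-app1",
    "app2.example.com": "pool-app2",
}
DEFAULT_POOL = "pool-default"   # where a ClientHello without SNI goes (assumption)

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST = 0x00


class NeedMoreData(Exception):
    """The buffer does not yet hold a complete ClientHello; keep reading."""


def extract_sni(data: bytes):
    """Return the SNI host_name from a buffered TLS record, or None if absent.

    Raises NeedMoreData when the record is still incomplete and ValueError when
    the bytes are not a TLS handshake or the ClientHello is malformed.
    """
    if len(data) < 5:
        raise NeedMoreData
    content_type, _version, rec_len = struct.unpack("!BHH", data[:5])
    if content_type != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record (plaintext on the TLS port?)")
    if len(data) < 5 + rec_len:
        raise NeedMoreData
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise NeedMoreData   # ClientHello continues in the next record; ask for more
    try:
        pos = 2 + 32                                             # client_version + random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos >= len(body):
            return None                                          # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", ext[:2])[0]
            lpos = 2
            while lpos + 3 <= list_end:                          # ServerNameList entries
                name_type = ext[lpos]
                name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == NAME_TYPE_HOST:
                    return name.decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


def choose_pool(data: bytes):
    """Return (sni, pool) for the buffered bytes; host matching is case-insensitive."""
    sni = extract_sni(data)
    if sni is None:
        return None, DEFAULT_POOL
    return sni, ROUTES.get(sni.lower(), DEFAULT_POOL)


def build_client_hello(host_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture)."""
    exts = b""
    if host_name is not None:
        name = host_name.encode("ascii")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    body = (b"\x03\x03" + b"\x11" * 32                        # version + random
            + b"\x00"                                          # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"       # two cipher suites
            + b"\x01\x00")                                     # null compression only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(choose_pool(build_client_hello("app1.example.com")))
    print(choose_pool(build_client_hello()))
    try:
        choose_pool(build_client_hello("app2.example.com")[:20])
    except NeedMoreData:
        print("incomplete ClientHello, keep reading before deciding")
```

The split between `NeedMoreData` and `ValueError` matters in practice: the first means the balancer must keep buffering up to its inspect delay, the second means a client spoke plaintext or garbage on the TLS port and should be dropped rather than routed to the default pool.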
Comment 1 Yossi Boaron 2018-07-31 12:22:01 UTC
And here's [1] the upstream story


[1] : https://storyboard.openstack.org/#!/story/2003109

Comment 2 Nir Magnezi 2018-08-01 14:05:02 UTC
Hi Assaf,

This looks like a feature request for Octavia.
Should we move it to OSP15?

Comment 7 Carlos Goncalves 2019-06-06 14:57:53 UTC
Michael mentioned the implementation of this feature is available in Stein -- https://review.opendev.org/#/c/624267/.
Nir will work on adding Tempest tests.

