Description of problem: Openshift-Router [1] allows external users and client applications access to HTTP/HTTPS services. For the shiftstack (Openshift on Openstack) case, Kuryr-Kubernetes supports Openshift-Router based on Octavia L7 capabilities. The design of the Kuryr-Kubernetes Openshift-Router/Ingress controller is covered at [2].

One of the secured routes [3] supported by Openshift-Router is HTTPS pass-through. In SSL/TLS pass-through mode, HAProxy doesn't have a certificate because it is not going to decrypt the traffic, which means it never sees the Host header. Instead, it needs to be told to wait for the SSL/TLS hello packets (a dump of a Client Hello packet can be found at [4]) so it can sniff the SNI extension and take the routing/LB decision based on the host_name field in SNI.

Octavia L7 LB should be extended to support routing based on the SNI host name for HTTPS pass-through.

[1] - https://docs.openshift.com/container-platform/3.9/install_config/router/index.html
[2] - https://docs.openstack.org/kuryr-kubernetes/latest/devref/kuryr_kubernetes_ingress_design.html
[3] - https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html#secured-routes
[4] - https://www.cloudshark.org/captures/a9718e5fdb28

Version-Release number of selected component (if applicable):
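To make the pass-through routing step concrete, here is an added example (not code from the bug, from Kuryr-Kubernetes or from Octavia) that parses the SNI host_name out of a raw TLS ClientHello record without decrypting anything, and picks a backend pool from it; `build_client_hello`, `extract_sni` and `route_by_sni` are hypothetical helper names, and the ClientHello bytes are constructed inline as test input.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with one SNI host_name (constructed test input)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + b"\x00" * 32                              # client_version, random
            + b"\x00"                                               # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                    # one cipher suite
            + b"\x01\x00"                                           # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)            # extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes):
    """Return the SNI host_name from a raw TLS ClientHello record, or None if absent/incomplete."""
    if len(data) < 5 or data[0] != 0x16:            # not a TLS handshake record (e.g. plain HTTP)
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                  # partial record: the LB must buffer more bytes
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                 # not a ClientHello
        return None
    pos = 4 + 2 + 32                                 # handshake header, version, random
    if pos >= len(hs): return None
    pos += 1 + hs[pos]                               # session_id
    if pos + 2 > len(hs): return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs): return None
    pos += 1 + hs[pos]                               # compression_methods
    if pos + 2 > len(hs):
        return None                                  # no extensions at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        ext = hs[pos:pos + elen]; pos += elen
        if etype == 0x0000 and len(ext) >= 5:        # server_name extension: 2-byte list length, entries
            p = 2
            while p + 3 <= len(ext):
                ntype, nlen = ext[p], struct.unpack("!H", ext[p + 1:p + 3])[0]
                if ntype == 0 and p + 3 + nlen <= len(ext):
                    return ext[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
    return None

def route_by_sni(data: bytes, rules: dict, default=None):
    """Choose a backend pool from the sniffed host_name; fall back when no SNI is present or matched."""
    name = extract_sni(data)
    return rules.get(name, default) if name else default
```

Routing on the unencrypted SNI means the selector is client-controlled, so the L7 rule set should be exact-match per route and anything unmatched should land on an explicit default pool (or be rejected) rather than on the first pool.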
And here's the upstream story [1]: https://storyboard.openstack.org/#!/story/2003109
Hi Assaf, This looks like a feature request for Octavia. Should we move it to OSP15?
Michael mentioned the implementation of this feature is available in Stein -- https://review.opendev.org/#/c/624267/. Nir will work on adding Tempest tests.