Bug 1737457 - Support TLS-terminated HTTPS load balancer
Summary: Support TLS-terminated HTTPS load balancer
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: z11
Target Release: 13.0 (Queens)
Assignee: Carlos Goncalves
QA Contact: Bruna Bonguardo
URL:
Whiteboard:
Depends On: 1759476 1779141
Blocks: 1855005 1907440
Reported: 2019-08-05 12:08 UTC by Carlos Goncalves
Modified: 2023-07-10 17:19 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-10 17:19:22 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 690778 | 0 | 'None' | MERGED | Add TLS SNI scenario tests | 2020-12-18 14:02:48 UTC
OpenStack gerrit | 696358 | 0 | 'None' | MERGED | Add a mixed HTTP and HTTPS scenario test | 2020-12-18 14:03:20 UTC
Red Hat Bugzilla | 1779141 | 0 | high | CLOSED | Support TLS-terminated HTTPS load balancer | 2023-07-11 21:05:20 UTC
Red Hat Issue Tracker | OSP-7364 | 0 | None | None | None | 2022-02-22 06:02:03 UTC

Internal Links: 1752110 1779141

Description Carlos Goncalves 2019-08-05 12:08:31 UTC
With a TLS-terminated HTTPS load balancer, web clients communicate with the load balancer over TLS protocols. The load balancer terminates the TLS session and forwards the decrypted requests to the back-end servers. By terminating the TLS session on the load balancer, we offload the CPU-intensive encryption work to the load balancer, and enable the possibility of using advanced load balancer features, like Layer 7 features and header manipulation.

- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer
- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer-with-sni
- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-http-and-tls-terminated-https-load-balancing-on-the-same-ip-and-backend

Presently, TLS-terminated HTTPS load balancers are not supported in any released OSP version. This is a much-needed feature required in production environments.

Comment 11 Carlos Goncalves 2019-11-19 11:38:22 UTC
TLS SNI scenario tests: https://review.opendev.org/#/c/690778/
Upstream CI jobs that run these tests are named octavia-v2-dsvm-tls-barbican.

Comment 12 Carlos Goncalves 2019-11-27 17:05:11 UTC
HTTP and TLS-terminated HTTPS load balancing on the same IP and backend scenario test: https://review.opendev.org/#/c/696358/

Comment 13 Carlos Goncalves 2019-12-03 12:04:21 UTC
RFE for OSP 16: https://bugzilla.redhat.com/show_bug.cgi?id=1779141

Comment 22 Lon Hohberger 2023-07-10 17:19:22 UTC
OSP13 support officially ended on 27 June 2023
