Bug 1779141 - Support TLS-terminated HTTPS load balancer
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 16.0 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z2
Target Release: 16.0 (Train on RHEL 8.1)
Assignee: Carlos Goncalves
QA Contact: Bruna Bonguardo
Blocks: 1737457
Reported: 2019-12-03 11:57 UTC by Carlos Goncalves
Modified: 2023-07-11 21:01 UTC (History)
Last Closed: 2023-07-11 21:01:56 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 690778 | 0 | 'None' | MERGED | Add TLS SNI scenario tests | 2020-12-11 06:21:59 UTC
OpenStack gerrit | 696358 | 0 | 'None' | MERGED | Add a mixed HTTP and HTTPS scenario test | 2020-12-11 06:21:29 UTC
Red Hat Bugzilla | 1737457 | 0 | urgent | CLOSED | Support TLS-terminated HTTPS load balancer | 2023-07-10 17:25:43 UTC
Red Hat Issue Tracker | OSP-5218 | 0 | None | None | None | 2022-02-22 05:45:43 UTC

Internal Links: 1737457

Description Carlos Goncalves 2019-12-03 11:57:26 UTC
With a TLS-terminated HTTPS load balancer, web clients communicate with the load balancer over TLS protocols. The load balancer terminates the TLS session and forwards the decrypted requests to the back-end servers. By terminating the TLS session on the load balancer, we offload the CPU-intensive encryption work to the load balancer, and enable the possibility of using advanced load balancer features, like Layer 7 features and header manipulation.

- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer
- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer-with-sni
- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-http-and-tls-terminated-https-load-balancing-on-the-same-ip-and-backend

Presently, TLS-terminated HTTPS load balancers are not supported in any released OSP version. This is a much-needed feature required in production environments.

Comment 5 Carlos Goncalves 2019-12-10 10:46:56 UTC
All tempest tests now merged upstream and available in OSP 16.

Comment 6 Toni Freger 2019-12-26 07:42:03 UTC
After the OSP16 regression cycle, we will write a test plan for TLS termination in order to ensure all corner cases and user experience suit our support level quality.
Anita, please prioritize it for the next release; once we test it, we will verify the RFE. Thanks.

Comment 8 Toni Freger 2020-01-05 08:36:34 UTC
We aren't done with the test plan yet. I'd like to reschedule this RFE to the next zstream release; only then will I be able to provide an ACK. If we are able to finish the tests prior to GA and no urgent issue is found, we will change it back to OSP16.

Comment 9 Anita Tragler 2020-01-06 16:11:58 UTC
moved to 16.0.z1 for now to give QE time to test

Comment 11 shreshtha joshi 2020-02-10 06:02:27 UTC
Bugs should not move manually to QA. You need to move it to modified with FIV and let errata pick it up and move it to QA.

Comment 12 Carlos Goncalves 2020-02-10 06:38:27 UTC
This is the description for the TestOnly keyword in Bugzilla:

"Use this when there is no code delivery involved, or for use when code is already upstream and will be incorporated automatically to the next release for testing purposes only"

Comment 14 Bruna Bonguardo 2020-03-10 17:58:48 UTC
Manual tests were run, moving the RFE to VERIFIED

