Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1779141

Summary: Support TLS-terminated HTTPS load balancer
Product: Red Hat OpenStack Reporter: Carlos Goncalves <cgoncalves>
Component: openstack-octaviaAssignee: Carlos Goncalves <cgoncalves>
Status: CLOSED CURRENTRELEASE QA Contact: Bruna Bonguardo <bbonguar>
Severity: high Docs Contact:
Priority: high    
Version: 16.0 (Train)CC: astillma, bbonguar, gregraka, ihrachys, lpeer, majopela, sclewis, scohen, shrjoshi, tfreger
Target Milestone: z2Keywords: FutureFeature, TestOnly, Triaged
Target Release: 16.0 (Train on RHEL 8.1)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-11 21:01:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1737457    

Description Carlos Goncalves 2019-12-03 11:57:26 UTC 
With a TLS-terminated HTTPS load balancer, web clients communicate with the load balancer over TLS protocols. The load balancer terminates the TLS session and forwards the decrypted requests to the back-end servers. By terminating the TLS session on the load balancer, we offload the CPU-intensive encryption work to the load balancer, and enable the possibility of using advanced load balancer features, like Layer 7 features and header manipulation.

- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer
- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer-with-sni
- https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-http-and-tls-terminated-https-load-balancing-on-the-same-ip-and-backend

Presently, TLS-terminated HTTPS load balancers are not supported in any released OSP version. This is a much-needed feature required in production environments.
Comment 5 Carlos Goncalves 2019-12-10 10:46:56 UTC 
All tempest tests now merged upstream and available in OSP 16.
Comment 6 Toni Freger 2019-12-26 07:42:03 UTC 
After OSP16 regression cycle we will write a test plan for TLS termination, in order to insure all corner cases and user experience suit our support level quality. 
Anita please prioritize it for next release, once we will test it we will verify the RFE. Thanks.
Comment 8 Toni Freger 2020-01-05 08:36:34 UTC 
We haven't done with test plan yet, I'd like to reschedule this RFE to next zstream release, only then I will be able provide an ACK.If we will be able to finish with tests prior to GA and no urgent issue will be found we will change it back to OSP16.
Comment 9 Anita Tragler 2020-01-06 16:11:58 UTC 
moved to 16.0.z1 for now to give QE time to test
Comment 11 shreshtha joshi 2020-02-10 06:02:27 UTC 
Bugs should not move manually to QA. You need to move it to modified with FIV and let errata pick it up and move it to QA.
Comment 12 Carlos Goncalves 2020-02-10 06:38:27 UTC 
This is the description for the TestOnly keyword in Bugzilla:

"Use this when there is no code delivery involved, or for use when code is already upstream and will be incorporated automatically to the next release for testing purposes only"
Comment 14 Bruna Bonguardo 2020-03-10 17:58:48 UTC 
Manual tests were run, moving the RFE to VERIFIED