This section describes an example of Nova instances working as simple HTTP web servers that return "Hello, world from instance_name!" in response to requests. The example describes how to create a TLS-terminated HTTPS load balancer that is accessible from the Internet with a certificate stored in Barbican. This load balancer distributes requests to the backend servers over the non-encrypted HTTP protocol.
Caution
The load balancer certificate must be uploaded to Barbican under the octavia user so that it can be used later during listener creation. Therefore, make sure that the user who will create the load balancing topology has access to the Octavia service project (tenant).
Workflow:

1. Log in to any OpenStack controller node.

2. Create a load balancer with a VIP in the public subnet:

       openstack loadbalancer create --name lb1 --vip-subnet-id public-subnet

3. Verify the load balancer VIP address:

       openstack loadbalancer list

   Example of system response extract:

       +-----------------+------+--------------+-------------+---------------------+----------+
       | id              | name | project_id   | vip_address | provisioning_status | provider |
       +-----------------+------+--------------+-------------+---------------------+----------+
       | 959b0946-75ba...| lb1  | 070bc4ddda...| 10.0.0.17   | ACTIVE              | octavia  |
       +-----------------+------+--------------+-------------+---------------------+----------+

4. Combine the individual certificate, key, and intermediate certificate into a single PKCS12 file. For example:

       openssl pkcs12 -export -in certificate1.crt -inkey privatekey.key -out \
           test1.p12 -passout pass:

   If you have an intermediate certificate, include it with the -certfile option of openssl pkcs12.

   Note
   Use the load balancer VIP address as the FQDN when generating the certificate.

5. In the Octavia service tenant, create a secret in Barbican from the Octavia user:

       openstack secret store --name='tls_secret1' -t 'application/octet-stream' \
           -e 'base64' --payload="$(base64 < test1.p12)"

6. Add an ACL for the created secret:

       secret_id=$(openstack secret list | awk '/ tls_secret1 / {print $2}')
       openstack acl user add -u $(openstack user show octavia -c id -f value) $secret_id

7. Create a listener that uses the TERMINATED_HTTPS protocol and set the secret that was created in step 5:

       openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS \
           --name listener1 --default-tls-container=$secret_id lb1

8. Create a pool that will be used by listener1:

       openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN \
           --listener listener1 --protocol HTTP

9. Add members to the created pool with addresses 10.0.0.25 and 10.0.0.20:

       openstack loadbalancer member create --subnet-id public-subnet \
           --address 10.0.0.25 --protocol-port 80 pool1
       openstack loadbalancer member create --subnet-id public-subnet \
           --address 10.0.0.20 --protocol-port 80 pool1

10. Obtain the load balancer VIP:

       openstack loadbalancer show lb1 -c vip_address -f value

11. Using the load balancer VIP floating IP address, verify that requests are distributed between the two servers:

       curl --cacert certificate1.crt https://10.0.0.17
       Hello, world from VM1!
       curl --cacert certificate1.crt https://10.0.0.17
       Hello, world from VM2!

   Note
   Make sure that the security group allows traffic on port 443.
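Before the bundle from step 4 is stored in Barbican in step 5, it is worth confirming that it is what the listener will accept. The following POSIX shell script is an added example, not part of this page or of Octavia: it assumes the openssl CLI (1.1.1 or later) and checks that the PKCS12 bundle opens with the empty password that "-passout pass:" produced, that the private key matches the certificate, that the VIP is present as a Subject Alternative Name, and that the certificate has not expired; make_test_bundle builds a constructed self-signed bundle so the check can be tried offline.

```shell
#!/bin/sh
# Pre-flight check of the PKCS12 bundle from step 4 before step 5 stores it in
# Barbican. Requires the openssl CLI (1.1.1 or later); added example, not page code.
# check_p12_bundle BUNDLE VIP  -> exit status 0 when the bundle is usable
check_p12_bundle() {
    bundle=$1 vip=$2
    tmp=$(mktemp -d) || return 1
    # 1. The bundle must open with an empty password: that is what
    #    '-passout pass:' produced and what the listener will be handed.
    if ! openssl pkcs12 -in "$bundle" -passin pass: -nokeys -clcerts \
            -out "$tmp/cert.pem" 2>/dev/null ||
       ! openssl pkcs12 -in "$bundle" -passin pass: -nocerts -nodes \
            -out "$tmp/key.pem" 2>/dev/null; then
        echo "FAIL: bundle does not open with an empty password" >&2
        rm -rf "$tmp"; return 1
    fi
    # 2. The private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate" >&2
        rm -rf "$tmp"; return 1
    fi
    # 3. The VIP must be a Subject Alternative Name, otherwise clients such as
    #    'curl --cacert ...' reject the name even though the chain verifies.
    if ! openssl x509 -in "$tmp/cert.pem" -noout -text |
            grep -A1 'Subject Alternative Name' | grep -qw "IP Address:$vip"; then
        echo "FAIL: VIP $vip is not in the certificate SAN" >&2
        rm -rf "$tmp"; return 1
    fi
    # 4. The certificate must not already be expired.
    if ! openssl x509 -in "$tmp/cert.pem" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    echo "OK: $bundle is ready to be stored in Barbican for VIP $vip"
}

# make_test_bundle OUT VIP [PASSWORD]: constructed self-signed bundle for trying the
# check offline (never use it for a real listener). PASSWORD defaults to empty as in
# step 4; a non-empty value reproduces the wrong-password failure.
make_test_bundle() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=IP:$2" -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
        -out "$1" -passout "pass:${3:-}" 2>/dev/null
    rm -rf "$d"
}
```

Run it as `check_p12_bundle test1.p12 10.0.0.17` against the real bundle; a non-zero exit status means the listener in step 7 would not serve the certificate you expect.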