Example of a load balancing topology with TLS support

This section describes an example in which Nova instances act as simple HTTP web servers that answer requests with Hello, world from instance_name!. The example shows how to create a TLS-terminated HTTPS load balancer that is reachable from the Internet and uses a certificate stored in Barbican. The load balancer terminates TLS itself and forwards requests to the back-end servers over plain, unencrypted HTTP.

Caution

The load balancer certificate must be uploaded to Barbican under the octavia user so that it can be used later during listener creation. Therefore, make sure that the user who creates the load balancing topology has access to the Octavia service project (tenant).

Workflow:

  1. Log in to any OpenStack controller node.

  2. Create a load balancer with a VIP in the public subnet:

    openstack loadbalancer create --name lb1 --vip-subnet-id public-subnet
    
  3. Verify the load balancer VIP address:

    openstack loadbalancer list
    

    Example of system response extract:

    +-----------------+------+--------------+-------------+---------------------+----------+
    | id              | name | project_id   | vip_address | provisioning_status | provider |
    +-----------------+------+--------------+-------------+---------------------+----------+
    | 959b0946-75ba...| lb1  | 070bc4ddda...| 10.0.0.17   | ACTIVE              | octavia  |
    +-----------------+------+--------------+-------------+---------------------+----------+
    
  4. Combine the individual certificate, key, and intermediate certificate into a single PKCS12 file (pass the intermediate certificate with the -certfile option if you have one). For example:

    openssl pkcs12 -export -in certificate1.crt -inkey privatekey.key -out \
    test1.p12 -passout pass:
    

    Note

    Use the load balancer VIP address as the FQDN (subject name) when generating the certificate, because clients connect to the VIP and validate the certificate against it.

  5. In the Octavia service tenant, create a secret in Barbican as the octavia user:

    openstack secret store --name='tls_secret1' -t 'application/octet-stream' \
    -e 'base64' --payload="$(base64 < test1.p12)"
    
  6. Add an ACL for the created secret so that the octavia user can read it:

    secret_id=$(openstack secret list | awk '/ tls_secret1 / {print $2}')
    openstack acl user add -u $(openstack user show octavia -c id -f value) $secret_id
    
  7. Create a listener that uses the TERMINATED_HTTPS protocol and reference the secret created in step 5:

    openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS \
    --name listener1 --default-tls-container=$secret_id lb1
    
  8. Create a pool that will be used by listener1:

    openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN \
    --listener listener1 --protocol HTTP
    
  9. Add members to the created pool with addresses 10.0.0.25 and 10.0.0.20:

    openstack loadbalancer member create --subnet-id public-subnet \
    --address 10.0.0.25 --protocol-port 80 pool1
    
    openstack loadbalancer member create --subnet-id public-subnet \
    --address 10.0.0.20 --protocol-port 80 pool1
    
  10. Obtain the load balancer VIP:

    openstack loadbalancer show lb1 -c vip_address -f value
    
  11. Using the load balancer VIP (floating IP) address, verify that requests are distributed between the two servers:

    curl --cacert certificate1.crt https://10.0.0.17
    Hello, world from VM1!
    curl --cacert certificate1.crt https://10.0.0.17
    Hello, world from VM2!
    

    Note

    Make sure that the security group allows traffic on port 443.
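As an added example that is not part of this guide, the following POSIX shell functions wrap steps 4 and 5 with the checks that catch the usual causes of a TERMINATED_HTTPS listener that never reaches ACTIVE: a certificate that does not belong to the private key, a certificate that does not name the VIP, and a PKCS12 bundle that does not parse. File names follow the guide; the optional chain-file argument for intermediate certificates is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original guide): build and sanity-check the
# PKCS12 bundle from step 4 and emit the payload used in step 5.
set -eu

# Return 0 when the certificate and private key belong together.
# Comparing the PEM public keys works for RSA and EC keys alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate names the VIP, either as an IP SAN entry or as
# the subject CN, which the guide's note requires (clients validate the VIP).
cert_names_vip() {
    vip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -Eq "IP Address:$vip_re(,|\$)" ||
        printf '%s\n' "$text" | grep -Eq "CN *= *$vip_re( |,|\$)"
}

# build_bundle CERT KEY OUT [CHAIN]: refuse a mismatched key, export the bundle
# with an empty password as in step 4, then read it back to prove it parses.
build_bundle() {
    cert="$1"; key="$2"; out="$3"; chain="${4:-}"
    cert_matches_key "$cert" "$key" ||
        { echo "certificate $cert and key $key do not match" >&2; return 1; }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -out "$out" -passout pass:
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout pass:
    fi
    openssl pkcs12 -in "$out" -passin pass: -noout
}

# Print the base64 payload on one line, as passed to openstack secret store.
bundle_payload() { base64 < "$1" | tr -d '\n'; }
```

Call `build_bundle certificate1.crt privatekey.key test1.p12` before step 5 and `cert_names_vip certificate1.crt 10.0.0.17` after generating the certificate; a non-zero exit tells you which precondition is broken before the secret reaches Barbican.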