OpenStack Octavia with SSL

Octavia is the OpenStack load balancing service. It creates and manages load balancers as Nova instances (called amphorae) that distribute traffic across backend pools. This guide covers deploying Octavia on OpenStack 2024.2 Dalmatian and configuring HTTPS termination with SSL certificates.

Architecture Overview

Octavia creates dedicated VMs (amphorae) that run HAProxy. Traffic flows through these amphorae to reach backend application servers.

Component               Role
octavia-api             REST API endpoint
octavia-worker          Creates and manages amphorae
octavia-health-manager  Monitors amphora health
octavia-housekeeping    Cleans up stale resources
Amphora                 HAProxy VM that processes traffic

Prerequisites

Requirement   Details
OpenStack     2024.2 Dalmatian with Nova, Neutron, Glance, Keystone and Barbican (stores the listener certificates used in Step 7)
Network       A dedicated management network for amphora control
Image         Amphora image (Ubuntu-based HAProxy VM)
Certificates  CA cert/key for amphora TLS communication

Step 1: Install Octavia Packages

On the controller node:

sudo apt install -y octavia-api octavia-worker \
  octavia-health-manager octavia-housekeeping \
  python3-octaviaclient

Step 2: Build the Amphora Image

sudo apt install -y diskimage-builder
git clone https://opendev.org/openstack/octavia -b stable/2024.2
cd octavia/diskimage-create
./diskimage-create.sh -i ubuntu-minimal -s 3

Upload the image to Glance as the octavia service user (the Keystone user the Step 5 configuration references). The worker looks the image up by tag with those service credentials, so a --private image uploaded by another project is invisible to it:

openstack image create --disk-format qcow2 \
  --container-format bare --private \
  --tag amphora \
  --file amphora-x64-haproxy.qcow2 amphora-image

Step 3: Generate Octavia Certificates

Octavia uses TLS for controller-to-amphora communication. The dual-CA script that ships with Octavia writes its output below dual_ca/etc/octavia/certs/; copy the files flat into /etc/octavia/certs so the paths in Step 5 resolve, and keep the private keys readable by the octavia user only:

cd octavia/bin
bash create_dual_intermediate_CA.sh      # writes dual_ca/etc/octavia/certs/
sudo mkdir -p /etc/octavia/certs
sudo cp -r dual_ca/etc/octavia/certs/. /etc/octavia/certs/
sudo chown -R octavia:octavia /etc/octavia/certs
sudo chmod 700 /etc/octavia/certs && sudo chmod 600 /etc/octavia/certs/*.pem

The ca_private_key_passphrase set in Step 5 must match the passphrase the script placed on the server CA key.

Step 4: Create the Management Network

openstack network create lb-mgmt-net --provider-network-type flat \
  --provider-physical-network physnet-mgmt
openstack subnet create --network lb-mgmt-net \
  --subnet-range 172.16.0.0/24 \
  --allocation-pool start=172.16.0.100,end=172.16.0.254 \
  --gateway 172.16.0.1 lb-mgmt-subnet

Create the security group that will be attached to each amphora's management port (the controller reaches the amphora agent on TCP 9443; heartbeats leave the amphora as UDP and need no ingress rule):

openstack security group create lb-mgmt-sg
openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sg
openstack security group rule create --protocol icmp lb-mgmt-sg

Step 5: Configure Octavia

Edit /etc/octavia/octavia.conf:

[DEFAULT]
transport_url = rabbit://openstack:RABBIT_PASS@controller

[database]
connection = mysql+pymysql://octavia:OCTAVIA_PASS@controller/octavia

[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = octavia
password = OCTAVIA_PASS

# Credentials the worker and health manager use when calling Nova, Neutron and Glance
[service_auth]
auth_url = http://controller:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = octavia
password = OCTAVIA_PASS

[certificates]
ca_certificate = /etc/octavia/certs/server_ca.cert.pem
ca_private_key = /etc/octavia/certs/server_ca.key.pem
# Must match the passphrase on the server CA key generated in Step 3
ca_private_key_passphrase = not-secure-passphrase
# Encrypts the per-amphora certificates; must be exactly 32 characters.
# This is the upstream sample value: replace it before deploying.
server_certs_key_passphrase = insecure-key-do-not-use-this-key

[haproxy_amphora]
server_ca = /etc/octavia/certs/server_ca.cert.pem
client_cert = /etc/octavia/certs/client.cert-and-key.pem

[controller_worker]
amp_image_tag = amphora
amp_flavor_id = <amphora-flavor-id>
amp_boot_network_list = <lb-mgmt-net-id>
amp_secgroup_list = <lb-mgmt-sg-id>
network_driver = allowed_address_pairs_driver
compute_driver = compute_nova_driver

[health_manager]
# An address on lb-mgmt-net outside the amphora allocation pool from Step 4
bind_ip = 172.16.0.2
bind_port = 5555
# Where amphorae send their heartbeats; must be reachable from lb-mgmt-net
controller_ip_port_list = 172.16.0.2:5555
# Shared secret that authenticates heartbeats; replace the sample value
heartbeat_key = insecure-heartbeat-key

Create the amphora flavor:

openstack flavor create --id auto --ram 1024 --disk 3 --vcpus 1 \
  --private amphora-flavor
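The configuration above has several values that silently break the deployment when left as-is: the <...> placeholders, the sample secrets copied from upstream documentation, a health-manager bind_ip that is not on the management subnet (or that collides with the allocation pool, so an amphora can take the address), and certificate paths that do not exist. The following Python script, an added example that is not part of Octavia, checks a config file for exactly those conditions before the services are started. The function and constant names, the sample UUIDs and replacement secrets, and the subnet and pool defaults (taken from Step 4) are this example's own.

```python
"""Pre-flight checks for octavia.conf (added example; not part of Octavia)."""
import configparser
import ipaddress
import os
import re

# Sample secrets published in upstream documentation and in this guide.
KNOWN_INSECURE = {"not-secure-passphrase", "insecure-heartbeat-key",
                  "insecure-key-do-not-use-this-key"}
# Certificate files Octavia must be able to open, as (section, option).
CERT_FILE_OPTIONS = (("certificates", "ca_certificate"),
                     ("certificates", "ca_private_key"),
                     ("haproxy_amphora", "server_ca"),
                     ("haproxy_amphora", "client_cert"))
SECRET_OPTIONS = (("certificates", "ca_private_key_passphrase"),
                  ("certificates", "server_certs_key_passphrase"),
                  ("health_manager", "heartbeat_key"))
PLACEHOLDER = re.compile(r"<[^<>]+>")

# Constructed sample: the relevant sections of the guide's octavia.conf as
# they appear before an operator fills them in.
GUIDE_CONF = """\
[certificates]
ca_certificate = /etc/octavia/certs/server_ca.cert.pem
ca_private_key = /etc/octavia/certs/server_ca.key.pem
ca_private_key_passphrase = not-secure-passphrase
server_certs_key_passphrase = insecure-key-do-not-use-this-key

[haproxy_amphora]
server_ca = /etc/octavia/certs/server_ca.cert.pem
client_cert = /etc/octavia/certs/client.cert-and-key.pem

[controller_worker]
amp_image_tag = amphora
amp_flavor_id = <amphora-flavor-id>
amp_boot_network_list = <lb-mgmt-net-id>
amp_secgroup_list = <lb-mgmt-sg-id>

[health_manager]
bind_ip = 172.16.0.2
heartbeat_key = insecure-heartbeat-key
"""

# Constructed sample: the same file after filling in values (the UUIDs and
# secrets below are made up for this example).
FIXED_CONF = GUIDE_CONF
for _old, _new in (
        ("<amphora-flavor-id>", "7a0d7d3c-3f7e-4b33-9d7a-0f2b1c9e5b11"),
        ("<lb-mgmt-net-id>", "3c2b1a09-8f7e-4d6c-b5a4-3e2d1c0b9a88"),
        ("<lb-mgmt-sg-id>", "9e8d7c6b-5a49-4837-a6f5-e4d3c2b1a0ff"),
        ("not-secure-passphrase", "8f2c0b7e4a1d9c6e3b5a7f0d2c4e6a8b"),
        ("insecure-key-do-not-use-this-key", "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3"),
        ("insecure-heartbeat-key", "c4e1f0a9d2b3c6e7f8091a2b3c4d5e6f")):
    FIXED_CONF = FIXED_CONF.replace(_old, _new)


def check_octavia_conf(text, mgmt_subnet="172.16.0.0/24", pool_start="172.16.0.100",
                       pool_end="172.16.0.254", check_files=True):
    """Return a list of problems found; an empty list means the checks passed.

    The subnet and pool bounds default to the Step 4 values; check_files=False
    skips the on-disk certificate lookups (used by the demo below).
    """
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    problems = []

    # 1. Any option still holding a <placeholder> from the guide.
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if PLACEHOLDER.search(value):
                problems.append(f"[{section}] {key} still holds placeholder {value}")

    # 2. Secrets that are missing, left at a published sample, or malformed.
    for section, key in SECRET_OPTIONS:
        value = cfg.get(section, key, fallback=None)
        if value is None:
            problems.append(f"[{section}] {key} is not set")
        elif value in KNOWN_INSECURE:
            problems.append(f"[{section}] {key} uses a published sample value")
        elif key == "server_certs_key_passphrase" and len(value) != 32:
            problems.append(f"[{section}] {key} must be exactly 32 characters, "
                            f"got {len(value)}")

    # 3. Certificate and key files must exist where the config points.
    if check_files:
        for section, key in CERT_FILE_OPTIONS:
            path = cfg.get(section, key, fallback="")
            if not os.path.isfile(path):
                problems.append(f"[{section}] {key}: file not found: {path!r}")

    # 4. The health manager must listen on the management subnet, outside the
    #    range Neutron hands out to amphorae.
    net = ipaddress.ip_network(mgmt_subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    bind_ip = cfg.get("health_manager", "bind_ip", fallback=None)
    if bind_ip is None:
        problems.append("[health_manager] bind_ip is not set")
    else:
        ip = ipaddress.ip_address(bind_ip)
        if ip not in net:
            problems.append(f"[health_manager] bind_ip {ip} is not in {net}")
        elif lo <= ip <= hi:
            problems.append(f"[health_manager] bind_ip {ip} lies inside the amphora "
                            f"allocation pool {lo}-{hi}")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # check a real file
        with open(sys.argv[1]) as f:
            found = check_octavia_conf(f.read())
    else:                                      # demonstrate on the sample
        found = check_octavia_conf(GUIDE_CONF, check_files=False)
    for p in found:
        print("PROBLEM:", p)
    print("ok" if not found else f"{len(found)} problem(s)")
```

Run it as `python3 check_octavia_conf.py /etc/octavia/octavia.conf` on the controller; with no argument it reports the six problems present in the guide's unfilled configuration. Passing check_files=True (the default for a real file) also verifies that the Step 3 certificate files are in place.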

Step 6: Sync Database and Start Services

sudo octavia-db-manage upgrade head
sudo systemctl enable --now octavia-api octavia-worker \
  octavia-health-manager octavia-housekeeping

Step 7: Create an HTTPS Load Balancer

Upload your TLS certificate and its private key to Barbican (the OpenStack secret store). They are stored as two separate secrets and tied together by a certificate container:

# PEM is text, so use text/plain; application/octet-stream would require a
# base64-encoded payload
openstack secret store --name my-tls-cert \
  --payload-content-type 'text/plain' \
  --secret-type certificate \
  --payload "$(cat server.crt)"

# The private key must be unencrypted; HAProxy on the amphora cannot prompt
# for a passphrase
openstack secret store --name my-tls-key \
  --payload-content-type 'text/plain' \
  --secret-type private \
  --payload "$(cat server.key)"

# Reference both secrets by the hrefs printed above
openstack secret container create --name my-tls-container \
  --type certificate \
  --secret "certificate=<cert-secret-id>" \
  --secret "private_key=<key-secret-id>"

# Unless you uploaded as the octavia service user, grant it read access to
# all three objects; missing ACLs surface as certificate errors when the
# listener is created
openstack acl user add --user <octavia-user-id> <cert-secret-id>
openstack acl user add --user <octavia-user-id> <key-secret-id>
openstack acl user add --user <octavia-user-id> <container-ref>
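A bundle that Barbican accepts is not necessarily one HAProxy can use: the key may belong to a different certificate, or it may be passphrase-protected. The following Python script, an added example that is not Octavia or Barbican code, checks a PEM certificate/key pair for those problems before the secrets are stored. It relies only on the standard library; the self-check generates throwaway test pairs with the openssl command-line tool, which is assumed to be installed. All function names are this example's own.

```python
"""Check a PEM certificate/key pair before uploading it to Barbican.

Added example, not Octavia or Barbican code. HAProxy on the amphora needs the
leaf certificate and an unencrypted private key that belong together; a bad
bundle only surfaces later as a listener error, so validate it first.
The self-check generates throwaway pairs with the openssl CLI (assumed present).
"""
import os
import re
import ssl
import subprocess
import tempfile

# One PEM block: the label between the BEGIN/END markers and the body between them.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(text):
    """Return the labels of the PEM blocks in text, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_pem_pair(cert_path, key_path):
    """Return (ok, message); ok is True only when the pair is usable as-is."""
    with open(cert_path) as f:
        cert_text = f.read()
    with open(key_path) as f:
        key_text = f.read()

    n_certs = pem_block_types(cert_text).count("CERTIFICATE")
    if n_certs == 0:
        return False, "certificate file contains no CERTIFICATE block"

    keys = [t for t in pem_block_types(key_text) if t.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return False, f"expected exactly one private key block, found {len(keys)}"
    # Encrypted PKCS#8 keys carry an ENCRYPTED label; legacy PEM keys carry a
    # Proc-Type header. Neither can be used without a passphrase prompt.
    if keys[0].startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in key_text:
        return False, "private key is passphrase-protected; export it unencrypted"

    # Loading the pair into a server context makes OpenSSL confirm that the
    # certificate's public key matches the private key.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except ssl.SSLError as exc:
        return False, f"certificate and key do not match: {exc}"
    return True, f"ok: {n_certs} certificate(s) with a {keys[0]}"


def make_selfsigned_pair(directory, name):
    """Create a throwaway self-signed cert/key with the openssl CLI (test data only)."""
    cert = os.path.join(directory, f"{name}.crt")
    key = os.path.join(directory, f"{name}.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", f"/CN={name}.example.test",
                    "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key


def self_check():
    """Exercise the checks on constructed inputs; returns {case: (ok, message)}."""
    with tempfile.TemporaryDirectory() as d:
        cert_a, key_a = make_selfsigned_pair(d, "a")
        cert_b, key_b = make_selfsigned_pair(d, "b")
        enc = os.path.join(d, "enc.key")
        with open(enc, "w") as f:  # constructed stand-in for an encrypted PKCS#8 key
            f.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nAA==\n"
                    "-----END ENCRYPTED PRIVATE KEY-----\n")
        return {
            "matching": check_pem_pair(cert_a, key_a),
            "mismatched": check_pem_pair(cert_a, key_b),
            "encrypted": check_pem_pair(cert_a, enc),
            "no_cert": check_pem_pair(key_a, key_a),
        }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(*check_pem_pair(sys.argv[1], sys.argv[2]))
    else:
        for case, (ok, msg) in self_check().items():
            print(f"{case:10} {'PASS' if ok else 'FAIL'}: {msg}")
```

Run `python3 check_pem_pair.py server.crt server.key` before the two `openstack secret store` commands; only a result starting with `ok` is worth uploading. The mismatch detection comes from OpenSSL itself, which refuses to load a certificate and key whose public keys differ.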

Create the load balancer with HTTPS listener:

# Create LB
openstack loadbalancer create --name web-lb \
  --vip-subnet-id <subnet-id>

# Wait for ACTIVE
openstack loadbalancer show web-lb

# HTTPS listener with TLS termination
openstack loadbalancer listener create --name https-listener \
  --protocol TERMINATED_HTTPS \
  --protocol-port 443 \
  --default-tls-container-ref <container-ref> \
  web-lb

# Backend pool
openstack loadbalancer pool create --name web-pool \
  --protocol HTTP \
  --lb-algorithm ROUND_ROBIN \
  --listener https-listener

# Add members
openstack loadbalancer member create --name web1 \
  --address 192.168.1.10 --protocol-port 80 web-pool
openstack loadbalancer member create --name web2 \
  --address 192.168.1.11 --protocol-port 80 web-pool

# Health monitor
openstack loadbalancer healthmonitor create \
  --type HTTP --delay 5 --timeout 3 --max-retries 3 web-pool

Verify

openstack loadbalancer list
openstack loadbalancer show web-lb

# Quick reachability test: -k skips certificate verification, so this only
# proves that the listener answers
curl -k https://<vip-address>/

# Confirm the listener presents the certificate you uploaded
openssl s_client -connect <vip-address>:443 -servername <hostname> </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

Troubleshooting

Issue                                    Fix
Amphora stuck in PENDING                 Check octavia-worker logs; verify image and flavor
Health manager not receiving heartbeats  Ensure bind_ip matches mgmt network
HTTPS 502 error                          Verify backend members are healthy and reachable
Certificate errors                       Check Barbican secret permissions and container format

Summary

Octavia provides production-grade load balancing for OpenStack. TERMINATED_HTTPS listeners handle SSL offloading at the amphora, reducing backend server load and centralizing certificate management.