OpenStack Octavia with SSL

Deploy OpenStack Octavia with SSL termination using Barbican for certificate management and HTTPS load balancing.

Deploy Octavia on OpenStack 2024.2 with HTTPS termination using Barbican.

Step 1: Install Octavia Packages

sudo apt update
sudo apt install -y octavia-api octavia-worker octavia-health-manager octavia-housekeeping python3-octaviaclient

Step 2: Build and Upload Amphora Image

sudo apt install -y diskimage-builder
git clone https://opendev.org/openstack/octavia -b stable/2024.2
cd octavia/diskimage-create
./diskimage-create.sh -i ubuntu-minimal -s 3
openstack image create --disk-format qcow2 --container-format bare --private --tag amphora --file amphora-x64-haproxy.qcow2 amphora-image

Step 3: Generate Certificates

cd ../bin   # Step 2 left the shell in octavia/diskimage-create; the CA scripts live in octavia/bin
source create_dual_intermediate_CA.sh
sudo mkdir -p /etc/octavia/certs
sudo cp -r dual_ca/etc/octavia/certs/* /etc/octavia/certs/   # the script writes its output under dual_ca/etc/octavia/certs
sudo chown -R octavia:octavia /etc/octavia/certs
sudo chmod 700 /etc/octavia/certs   # the directory holds the CA and client private keys

Step 4: Create Management Network

openstack network create lb-mgmt-net --provider-network-type flat --provider-physical-network physnet-mgmt
openstack subnet create --network lb-mgmt-net --subnet-range 172.16.0.0/24 --allocation-pool start=172.16.0.100,end=172.16.0.254 --gateway 172.16.0.1 lb-mgmt-subnet
openstack security group create lb-mgmt-sg
openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sg
openstack security group rule create --protocol icmp lb-mgmt-sg

Step 5: Configure Octavia

Edit /etc/octavia/octavia.conf:

[DEFAULT]
transport_url = rabbit://openstack:RABBIT_PASS@controller
[database]
connection = mysql+pymysql://octavia:OCTAVIA_PASS@controller/octavia
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
auth_type = password
project_name = service
username = octavia
password = OCTAVIA_PASS
[certificates]
# CA used to issue the per-amphora server certificates (generated in Step 3)
ca_certificate = /etc/octavia/certs/server_ca.cert.pem
ca_private_key = /etc/octavia/certs/server_ca.key.pem
# must match the passphrase the CA keys were generated with; replace the script's default in production
ca_private_key_passphrase = not-secure-passphrase
[haproxy_amphora]
# controller-to-amphora mutual TLS: trust the server CA, present the client certificate
server_ca = /etc/octavia/certs/server_ca.cert.pem
client_cert = /etc/octavia/certs/client.cert-and-key.pem
[controller_worker]
amp_image_tag = amphora
amp_flavor_id = <amphora-flavor-id>
amp_boot_network_list = <lb-mgmt-net-id>
amp_secgroup_list = <lb-mgmt-sg-id>
network_driver = allowed_address_pairs_driver
compute_driver = compute_nova_driver
[health_manager]
# address on lb-mgmt-net where this controller listens for amphora heartbeats
bind_ip = 172.16.0.2
bind_port = 5555
# amphorae send their heartbeats to every entry in this list
controller_ip_port_list = 172.16.0.2:5555
# shared HMAC secret for heartbeats; replace with a random value
heartbeat_key = insecure-heartbeat-key
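The heartbeat_key above is the only thing that lets the health manager tell a genuine amphora heartbeat from a stray or forged UDP packet on the management network. The following added example (not Octavia's own code, but modelled on the envelope format its amphora agent and health manager exchange: zlib-compressed JSON followed by an HMAC-SHA256 digest, which is an assumption about the exact layout) shows why the key has to be kept secret and identical on every controller: a heartbeat signed with a different key, or modified in transit, fails the constant-time digest comparison and is dropped. The sample heartbeat fields and amphora id are constructed.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample heartbeat; field names are illustrative, not a real amphora report.
SAMPLE_HEARTBEAT = {
    "id": "amphora-0000-example",  # hypothetical amphora id
    "seq": 42,
    "listeners": {"https-listener": {"status": "OPEN", "pools": {}}},
}


def encode_obj(obj):
    """JSON-encode then zlib-compress, as the amphora agent does before signing."""
    return zlib.compress(json.dumps(obj).encode("utf-8"))


def decode_obj(payload):
    """Inverse of encode_obj."""
    return json.loads(zlib.decompress(payload).decode("utf-8"))


def get_hmac(payload, key, hmac_type="sha256"):
    """HMAC over the compressed payload keyed with heartbeat_key."""
    return hmac.new(key.encode("utf-8"), payload, getattr(hashlib, hmac_type)).digest()


def wrap_envelope(obj, key, hmac_type="sha256"):
    """Amphora side: compressed payload followed by its digest."""
    payload = encode_obj(obj)
    return payload + get_hmac(payload, key, hmac_type)


class InvalidHMACError(Exception):
    pass


def unwrap_envelope(envelope, key, hmac_type="sha256"):
    """Health-manager side: split off the digest, recompute it and compare in constant time
    before touching the payload, so an unauthenticated packet is never decompressed or parsed."""
    digest_size = hashlib.new(hmac_type).digest_size
    payload, expected = envelope[:-digest_size], envelope[-digest_size:]
    calculated = get_hmac(payload, key, hmac_type)
    if not hmac.compare_digest(expected, calculated):
        raise InvalidHMACError("heartbeat HMAC mismatch: wrong heartbeat_key or tampered message")
    return decode_obj(payload)


def heartbeat_accepted(envelope, key):
    """True if the health manager would accept this envelope with the given key."""
    try:
        unwrap_envelope(envelope, key)
        return True
    except InvalidHMACError:
        return False


if __name__ == "__main__":
    key = "insecure-heartbeat-key"  # the guide's placeholder value
    env = wrap_envelope(SAMPLE_HEARTBEAT, key)
    print("same key accepted:   ", heartbeat_accepted(env, key))
    print("other key accepted:  ", heartbeat_accepted(env, "some-other-key"))
    # flip one bit of the payload: the digest no longer matches
    tampered = bytes([env[0] ^ 0x01]) + env[1:]
    print("tampered accepted:   ", heartbeat_accepted(tampered, key))
```

Because every controller in the cluster verifies heartbeats with the same key, rotating heartbeat_key means updating octavia.conf on all health managers and, since the key is baked into the amphora agent configuration at boot, failing over or rebuilding the existing amphorae afterwards.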

Create the amphora flavor:

openstack flavor create --id auto --ram 1024 --disk 3 --vcpus 1 --private amphora-flavor

Step 6: Sync Database and Start Services

sudo octavia-db-manage upgrade head
sudo systemctl enable --now octavia-api octavia-worker octavia-health-manager octavia-housekeeping

Step 7: Create HTTPS Load Balancer

Upload TLS certificates to Barbican:

# PEM is text, so store it as text/plain; the container must reference the secrets by href ("Secret href" column)
CERT_REF=$(openstack secret store --name my-tls-cert --payload-content-type 'text/plain' --secret-type certificate --payload "$(cat server.pem)" -f value -c "Secret href")
KEY_REF=$(openstack secret store --name my-tls-key --payload-content-type 'text/plain' --secret-type private_key --payload "$(cat server.key)" -f value -c "Secret href")
CONTAINER_REF=$(openstack secret container create --name my-tls-container --type certificate --secret "certificate=$CERT_REF" --secret "private_key=$KEY_REF" -f value -c "Container href")
# grant the octavia service user read access to both secrets, otherwise listener creation fails with a certificate error
for ref in "$CERT_REF" "$KEY_REF"; do openstack acl user add -u "$(openstack user show octavia -f value -c id)" "$ref"; done

Create the load balancer with HTTPS termination:

openstack loadbalancer create --name web-lb --vip-subnet-id <subnet-id>
openstack loadbalancer listener create --name https-listener --protocol TERMINATED_HTTPS --protocol-port 443 --default-tls-container-ref <container-ref> web-lb
openstack loadbalancer pool create --name web-pool --protocol HTTP --lb-algorithm ROUND_ROBIN --listener https-listener
openstack loadbalancer member create --name web1 --address 192.168.1.10 --protocol-port 80 web-pool
openstack loadbalancer member create --name web2 --address 192.168.1.11 --protocol-port 80 web-pool
openstack loadbalancer healthmonitor create --type HTTP --delay 5 --timeout 3 --max-retries 3 --url-path /health web-pool

Verify

openstack loadbalancer list
openstack loadbalancer show web-lb
curl -k https://<vip-address>/   # -k skips certificate verification; use it only for this first connectivity check

Troubleshooting

  • Amphora stuck in PENDING: Check octavia-worker logs and verify image tag/flavor ID match config.
  • Health manager not receiving heartbeats: Ensure bind_ip matches the management network IP.
  • HTTPS 502 error: Verify backend members are reachable on port 80.
  • Certificate errors: Check Barbican secret permissions and container type.
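Most of the failures listed above trace back to a handful of values in octavia.conf. The following added example (my own script, not part of Octavia or of this guide) reads an octavia.conf and reports the conditions this guide warns about: the placeholder secrets from Step 5 left in place, unfilled <...> values, a health_manager bind_ip outside the management subnet from Step 4, and a missing controller_ip_port_list (the setting that tells amphorae where to send heartbeats, without which the health manager never receives any). The embedded configuration is constructed from the guide's own Step 5 values; the 172.16.0.0/24 subnet is the one created in Step 4.

```python
import configparser
import ipaddress

# Constructed sample: the relevant parts of this guide's Step 5 configuration, unchanged.
SAMPLE_CONF = """
[health_manager]
bind_ip = 172.16.0.2
bind_port = 5555
heartbeat_key = insecure-heartbeat-key
[certificates]
ca_private_key_passphrase = not-secure-passphrase
[controller_worker]
amp_image_tag = amphora
amp_flavor_id = <amphora-flavor-id>
"""

# Placeholder secrets the guide's example config ships with; they must be replaced.
PLACEHOLDER_SECRETS = {
    ("health_manager", "heartbeat_key"): "insecure-heartbeat-key",
    ("certificates", "ca_private_key_passphrase"): "not-secure-passphrase",
}
MGMT_SUBNET = ipaddress.ip_network("172.16.0.0/24")  # lb-mgmt-subnet from Step 4


def lint_octavia_conf(text, mgmt_subnet=MGMT_SUBNET):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    # 1. Well-known placeholder secrets still in use (or absent altogether).
    for (section, option), placeholder in PLACEHOLDER_SECRETS.items():
        value = cfg.get(section, option, fallback=None)
        if value is None:
            findings.append(f"{section}.{option} missing")
        elif value == placeholder:
            findings.append(f"{section}.{option} still uses the guide's placeholder value")

    # 2. Any <...> value that was never filled in (flavor id, network id, ...).
    for section in cfg.sections():
        for option, value in cfg.items(section):
            if value.startswith("<") and value.endswith(">"):
                findings.append(f"{section}.{option} is an unfilled placeholder ({value})")

    # 3. The health manager must listen on an address the amphorae can reach over lb-mgmt-net.
    bind_ip = cfg.get("health_manager", "bind_ip", fallback=None)
    if bind_ip is None:
        findings.append("health_manager.bind_ip missing")
    else:
        try:
            if ipaddress.ip_address(bind_ip) not in mgmt_subnet:
                findings.append(
                    f"health_manager.bind_ip {bind_ip} is outside {mgmt_subnet}; amphorae cannot reach it"
                )
        except ValueError:
            findings.append(f"health_manager.bind_ip {bind_ip!r} is not a valid IP address")

    # 4. Amphorae learn the heartbeat destination from this list; without it nothing is sent.
    if not cfg.has_option("health_manager", "controller_ip_port_list"):
        findings.append(
            "health_manager.controller_ip_port_list missing; amphorae will not know where to send heartbeats"
        )
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in lint_octavia_conf(text):
        print("FINDING:", finding)
```

Run it as `python3 lint_octavia_conf.py /etc/octavia/octavia.conf` on the controller (the file name is my choice); run with no argument, it lints the embedded Step 5 sample and flags both placeholder secrets, the unfilled flavor id and the absent controller_ip_port_list, while the bind_ip of 172.16.0.2 passes because it lies inside 172.16.0.0/24.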