Setup Octavia and Babrican in OpenStack for load balancer with SSL 

“big thanks to spatel /  and  johnsom  on freenode.



- ","  ## same range as octavia_management_net_subnet_allocation_pools:   

- network:
container_bridge: "br-lbaas"
container_type: "veth"
container_interface: "eth14"
host_bind_override: "eth14"
ip_from_q: "lbaas"
type: "raw"
net_name: "lbaas"
- neutron_linuxbridge_agent
- octavia-worker
- octavia-housekeeping
- octavia-health-manager

octavia-infra_hosts: *infrastructure_hosts
key-manager_hosts: *infrastructure_hosts


horizon_enable_neutron_lbaas: False
neutron_lbaas_octavia: true
octavia_ssh_enabled: true
octavia_provider_network_name: vlan
octavia_provider_segmentation_id: 555
octavia_provider_network_type: vlan
octavia_container_network_name: lbaas_address
octavia_legacy_policy: true

# Controllers 

in netplan, create an empty bridge

dhcp4: false
dhcp6: false

in /etc/rc.local ( make sure they run at boot)


# This sets up the link
ip link add v-br-vlan type veth peer name v-br-lbaas
ip link add link v-br-lbaas name v-br-lbaas.${VLAN_ID} type vlan id ${VLAN_ID}
ip link set v-br-vlan up
ip link set v-br-lbaas up
ip link set v-br-lbaas.${VLAN_ID} up
brctl addif br-lbaas v-br-lbaas.${VLAN_ID}
brctl addif br-vlan v-br-vlan

#run the playbooks to setup the container and the services. 


After the playbooks finish, get the octavia user password from secrets,  login and upload a ssh key as octavia_key .. without this, your lb instances  will not work.  Or you can use octavia_ssh_enabled: false to not login.


You will be able to create HTTP load balancer using the GUI. 


For creating SSL load balancer endpoint, you need to first have the SSL stored in babrican. 

First, we need to add the proper roles

So if your user is called testuser and project is testproj, you need to give it a creator role. 

openstack role add --user testuser --project testproj  creator


As the testuser 

openssl pkcs12 -export -inkey ssl.key -in ssl.crt -certfile -passout pass: -out ssl.p12

openstack secret store --name='domain.ssl' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < ssl.p12)"

After this, you can to back to Horizon >> Network >> Load Balancers 
and then add TERMINATED_SSL endpoint and able to select domain.ssl certificate. 

About The Author