LbaaS v2 support

Registered by Ashish Ranjan

Add support for LBAASv2 in OpenContrail.

Currently OpenContrail supports LBAASv1 Openstack APIs. This blueprint is to add support for LBAASv2 Openstack APIs in OpenContrail which are available starting Liberty release of Openstack.

Summary
-------------
In LBAASv1 virtual-ip was tied to the port as well. This prevented the users from listening only
multiple ports for the same virtual-ip. Users would have had to create multiple load balancers
to achieve the same.
LBAASv2 handles this by decoupling the virtual ip address from the port. The object model has
the following resource:

- Loadbalancer (holds the virtual ip address)
- Listeners (one or many listeners with different ports, protocols etc)
- Pools
- Members
- Health monitors

In addition support for multiple certificates per listener has been added in conjunction with barbican
as the secure storage for certificates.

Controller changes
-------------------------
Controller now aggregates the configuration based on the provider. If haproxy is the provider then
the controller generates the configuration for haproxy and hence eliminates the need to send all
the loadbalancer resources down to the vrouter-agent. Only the generated config is sent to the
vrouter-agent as part of the service-instance.

Agent
---------

Agent receives the config information in the service-instance object from ifmap-server and writes
all the config in a file /var/lib/contrail/loadbalancer/<loadbalancer-uuid>.conf and spawns the
netns script.

For Example if the loadbalancer uuid is 84901e8e-753a-4427-a091-c785b115c7c3, then
agent would create the conf file /var/lib/contrail/loadbalancer/84901e8e-753a-4427-a091-c785b115c7c3.conf and spawns the netns script

Netns
--------

Netns finds the loadbalancer type from <loadbalancer-uuid>.conf and creates the conf file /var/lib/conrail/loadbalancer/<loadbalancer-type>/<loadbalancer-uuid>/<loadbalancer-type>.conf for the specified type and launches the specified type loadbalancer with the conf.

For Example if the loadbalacer type is haproxy and loadbalancer uuid is 84901e8e-753a-4427-a091-c785b115c7c3, then netns would create the conf file /var/lib/contrail/loadbalancer/haproxy/84901e8e-753a-4427-a091-c785b115c7c3/haproxy.conf and launches the haproxy with the conf.

SSL with Barbican
-------------------------
Barbican Server and Client are used for loadbalaning https traffic.

SSL certificate and private-key are stored in barbican server. Container will be created in barbican server using the certificate and private-key.

netns script gets the certificate and private-key from the specified container from barbican server through barbican client and stores in a pem file and updates the loadbalacer conf. loadbalnacer uses the pem file for the SSL handshake.

CLI to store certificate and private-key in barbican
------------------------------------------------------------------
- barbican secret store --payload-content-type='text/plain' --name='certificate' --payload="$(cat server.crt)" --os-identity-api-version 2.0

- barbican secret store --payload-content-type='text/plain' --name='private_key' --payload="$(cat server.key)" --os-identity-api-version 2.0

CLI to store certificate and private-key in container in barbican
----------------------------------------------------------------------------------
barbican container create --name='tls_container' --type='certificate' --secret="certificate=$(barbican secret list --os-identity-api-version 2.0 | awk '/ certificate / {print $2}')" --secret="private_key=$(barbican secret list --os-identity-api-version 2.0 | awk '/ private_key / {print $2}')" --os-identity-api-version 2.0

Example LB creation
----------------------------
- neutron net-create private-net

- neutron subnet-create --name private-subnet private-net 30.30.30.0/24

- neutron lbaas-loadbalancer-create $(neutron subnet-list | awk '/ private-subnet / {print $2}') --name lb1

- neutron lbaas-listener-create --loadbalancer lb1 --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(barbican container list --os-identity-api-version 2.0 | awk '/ tls_container / {print $2}')

- neutron lbaas-pool-create --name pool1 --protocol HTTP --listener listener1 --lb-algorithm ROUND_ROBIN

- neutron lbaas-member-create --subnet private-subnet --address 30.30.30.10 --protocol-port 80 mypool

- neutron lbaas-member-create --subnet private-subnet --address 30.30.30.11 --protocol-port 80 mypool

Blueprint information

Status:
Complete
Approver:
Ashish Ranjan
Priority:
Medium
Drafter:
Ashish Ranjan
Direction:
Needs approval
Assignee:
Rudra Rugge
Definition:
Approved
Series goal:
Accepted for r3.1
Implementation:
Implemented
Milestone target:
milestone icon r3.1.0.0-fcs
Started by
Rudra Rugge
Completed by
Ashish Ranjan

Related branches

Sprints

Whiteboard

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.