OpenContrail

LBAASv2 support in OpenContrail

Registered by Rudra Rugge

Add support for LBAASv2 in OpenContrail.

Currently OpenContrail supports LBAASv1 Openstack APIs. This blueprint is to add support for LBAASv2 Openstack APIs in OpenContrail which are available starting Liberty release of Openstack.

Summary
-------------
In LBAASv1 virtual-ip was tied to the port as well. This prevented the users from listening only
multiple ports for the same virtual-ip. Users would have had to create multiple load balancers
to achieve the same.
LBAASv2 handles this by decoupling the virtual ip address from the port. The object model has
the following resource:

- Loadbalancer (holds the virtual ip address)
- Listeners (one or many listeners with different ports, protocols etc)
- Pools
- Members
- Health monitors

In addition support for multiple certificates per listener has been added in conjunction with barbican
as the secure storage for certificates.

Controller changes
-------------------------
Controller now aggregates the configuration based on the provider. If haproxy is the provider then
the controller generates the configuration for haproxy and hence eliminates the need to send all
the loadbalancer resources down to the vrouter-agent. Only the generated config is sent to the
vrouter-agent as part of the service-instance.

Agent
---------

SSL with Barbican
-------------------------

CLI to store certificates in barbican
----------------------------------------------
- barbican --os-identity-api-version 2.0 secret store --payload-content-type='text/plain' --name='certificate' --payload="$(cat server.crt)"

Example LB creation
----------------------------
- neutron net-create private-net

- neutron subnet-create --name private-subnet private-net 30.30.30.0/24

- neutron lbaas-loadbalancer-create $(neutron subnet-list | awk '/ private-subnet / {print $2}') --name lb1

- neutron lbaas-listener-create --loadbalancer lb1 --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(barbican --os-identity-api-version 2.0 container list | awk '/ tls_container / {print $2}')

- neutron lbaas-pool-create --name pool1 --protocol HTTP --listener listener1 --lb-algorithm ROUND_ROBIN

- neutron lbaas-member-create --subnet private-subnet --address 30.30.30.10 --protocol-port 80 mypool

- neutron lbaas-member-create --subnet private-subnet --address 30.30.30.11 --protocol-port 80 mypool

Blueprint information

Status:
Started
Approver:
Rudra Rugge
Priority:
High
Drafter:
Rudra Rugge
Direction:
Approved
Assignee:
Yuvaraja Mariappan
Definition:
Review
Series goal:
Accepted for trunk
Implementation:
Good progress
Milestone target:
None
Started by
Rudra Rugge

Related branches

Sprints

Whiteboard

(?)

Work Items

Nearby

This blueprint contains Public information 
Everyone can see this information.