Difference between revisions of "Neutron/LBaaS/SSL"
(→Data model change) |
(→Resources change) |
||
| Line 17: | Line 17: | ||
Database persistent | Database persistent | ||
| − | + | * front_end_termination | |
| − | + | Boolean default=False | |
| − | + | Not Mandatory | |
| − | + | Visible | |
| − | + | * front_end_protocols | |
| − | + | String - allowed values: ssl3, tls10, tls11 | |
| − | + | Mandatory if termination enabled | |
| − | + | visible if termination enabled | |
| − | + | * front_end_cipher_suite: | |
| − | + | String | |
| − | + | Mandatory if termination enabled | |
| − | + | Visible if termination enabled | |
| − | + | * back_end_encryption | |
| − | + | Boolean default=False | |
| − | + | Not Mandatory | |
| − | + | Visible | |
| − | + | * back_end_protocols | |
| − | + | String - allowed values: ssl3, tls10, tls11 | |
| − | + | Mandatory if termination enabled | |
| − | + | Visible if termination enabled | |
| − | + | * back_end_cipher_suite: | |
| − | + | String | |
| − | + | Mandatory if termination enabled | |
| − | + | visible if termination enabled | |
Transient | Transient | ||
| − | + | * passphrase | |
| − | + | * public_key (PEM Formatted) | |
| − | + | * private_key (PEM Formatted) | |
=== Data model change === | === Data model change === | ||
Revision as of 08:59, 19 November 2013
Contents
Description
Terminating SSL connection on the load balancer and encrypting traffic back to the back end nodes, is a capabilities expected from modern load balancers and incorporated into many applications. This capability enables better certificate management and improved application based load balancing (ex: cookie based persistency, L7 Policies, etc.)
Rationale
Giving user the ability to use SSL on LBaaS.
User should be able to apply SSL certificates on LBaaS and configure SSL on vip, front-end and back-end.
API change
No API change
Resources change
LBaaS extension's resource attributes map should be extended with new parameters on the VIP object:
Database persistent
* front_end_termination
Boolean default=False
Not Mandatory
Visible
* front_end_protocols
String - allowed values: ssl3, tls10, tls11
Mandatory if termination enabled
visible if termination enabled
* front_end_cipher_suite:
String
Mandatory if termination enabled
Visible if termination enabled
* back_end_encryption
Boolean default=False
Not Mandatory
Visible
* back_end_protocols
String - allowed values: ssl3, tls10, tls11
Mandatory if termination enabled
Visible if termination enabled
* back_end_cipher_suite:
String
Mandatory if termination enabled
visible if termination enabled
Transient
* passphrase * public_key (PEM Formatted) * private_key (PEM Formatted)
Data model change
Vip database entity should be extended with new columns:
front_end_termination - Boolean front_end_protocols - String front_end_cipher_type: ENUM back_end_encryption - Boolean back_end_protocols - String back_end_cipher_type: ENUM
DB Migration
Vip table should be altered with new columns.
New columns of each existing Vip row should be populated with default values:
front_end_termination - False front_end_protocols - None front_end_cipher_type: None back_end_termination - False back_end_protocols - None back_end_cipher_type: None
Implementation Plan
- Modifying LBaaS Vip resources' attribute map with new parameters
- Modifying LBaaS Vip DB Model with new parameters
- Modifying LBaaS Vip DB Model tests to account new parameters if needed
- Modifying LBaaS HA-Proxy driver to support SSL
- Update HA-Proxy to version 1.5 {TBD}
