[openstack-dev] [Neutron][LBaaS][SSL] Interim SSL API implementation for LBaaS

Vijay Bhamidipati os.vbvs at gmail.com
Thu Oct 16 00:09:35 UTC 2014


Hi,


A few months ago, as part of moving from legacy systems to Openstack, there
arose a requirement to support SSL APIs in our Openstack cloud
infrastructure at Ebay/Paypal. While the new v2 LBaaS API with its
considerable design improvements is in the process of addressing the SSL
requirements of LBaaS deployments, it is still under development and we had
to deploy a solution to address our immediate needs more quickly.


There was a previous effort upstream [1] towards this, but that was
abandoned. Consequently, we came up with a different design for the LBaaS
SSL API that best suited our current requirements, and developed an interim
implementation that we currently have deployed on havana, but which can be
ported to later releases (icehouse/juno) with minimal changes since it’s
designed to be independent modularly and intersects existing code paths at
relatively few points.


We think that this API will be useful to the Openstack community and to
companies that are currently running Openstack clouds with LBaaS and need
SSL API support until LBaaS v2 comes out in Kilo or later, hence this mail
containing pointers to the code and instructions.


We have put up the code on github at:


Neutron:

——————

https://github.com/vijayendrabvs/ssl-python-neutronclient.git

branch: stable/havana


LBaaS Driver:

——————

https://github.com/vijayendrabvs/ssl-f5-neutron-lbaas.git

branch: havana


CLI:

——————

https://github.com/vijayendrabvs/ssl-neutron.git

branch: master



The CLI and API documentation is at:


https://github.com/vijayendrabvs/ssl-neutron/blob/stable/havana/SSL-API-README



We worked with the F5 Openstack team who provided their F5 LBaaS driver to
work with our deployment of F5 LBs. We added the necessary modules in their
driver to plumb SSL entities on the LB, in the F5 plugin and agent driver.


F5 has currently released its drivers under the Mozilla license, and is in
the process of releasing the same under Apache License to align with the
rest of Openstack code.


We do not currently intend to commit this code to upstream stable havana,
unless the community thinks that doing so can be useful and pushes for it.


At the time we developed this solution, HAProxy hadn’t come out with
version 1.5 yet and thus didn’t support SSL, and lack of cycles meant we
weren’t able to implement a reference implementation for HAProxy as well.
That said, doing so would build on the same approach we use with F5, in
reconfiguring HAProxy from the HAProxy driver to set up SSL termination on
VIPs.


A point to note is that we have relied on using the neutron db to store our
certs/cert chains/cert keys. While this meets our current requirements, we
wish to emphasize that this may not suit all deployments. The new LBaaS v2
API is designed to integrate with Barbican and thus address such
requirements.


Finally, going forward, we will need to write migration scripts once the
LBaaS v2 API is ready, and deploying v1’s SSL API will get us started
towards that goal.


Please let us know if you have any questions regarding the code or
deploying it - we would be happy to help!


Thanks,

Regards,

Vijay B


[1] https://review.openstack.org/#/c/74031/5