octavia #2

  • By james-page
  • Latest version (#2)
  • bionic, cosmic
  • Stable

Description

Octavia is an open source, operator-scale load balancing solution designed to
work with OpenStack.

Octavia was borne out of the Neutron LBaaS project. Octavia has become the
reference implementation for Neutron LBaaS version 2.

Octavia accomplishes its delivery of load balancing services by managing a
fleet of virtual machines, containers, or bare metal servers collectively
known as amphorae which it spins up on demand. This on-demand, horizontal
scaling feature differentiates Octavia from other load balancing solutions,
thereby making Octavia truly suited "for the cloud."

OpenStack Rocky or later is required.


Overview

This charm provides the Octavia load balancer service for an OpenStack Cloud.

Usage

Octavia and the Octavia charm rely on services from a fully functional OpenStack Cloud and expect to be able to consume images from Glance, create networks in Neutron, consume certificate secrets from Barbican (preferably utilizing a Vault backend) and spin up instances with Nova.

There is an overlay bundle to be used in conjunction with the OpenStack Base bundle.

Please refer to the Octavia LBaaS section of the OpenStack Charms Deployment Guide.

Required configuration

After the deployment is complete and has settled, you must run the configure-resources action on the lead unit.

This will prompt it to configure required resources in the deployed cloud for Octavia to operate.

You must also configure certificates for internal communication between the controller and its load balancer instances.

Excerpt from the upstream operator maintenance guide:

Octavia secures the communication between the amphora agent and the control plane with two-way SSL encryption. To accomplish that, several certificates are distributed in the system:

  • Control plane:
      • Amphora certificate authority (CA) certificate: Used to validate amphora certificates if Octavia acts as a Certificate Authority to issue new amphora certificates
      • Client certificate: Used to authenticate with the amphora
  • Amphora:
      • Client CA certificate: Used to validate control plane client certificate
      • Amphora certificate: Presented to control plane processes to prove amphora identity.

The charm represents this with the following mandatory configuration options:

  • lb-mgmt-issuing-cacert
  • lb-mgmt-issuing-ca-private-key
  • lb-mgmt-issuing-ca-key-passphrase
  • lb-mgmt-controller-cacert
  • lb-mgmt-controller-cert

You must issue/request certificates that meet your organization's requirements.

NOTE It is important not to use the same CA certificate for both lb-mgmt-issuing-cacert and lb-mgmt-controller-cacert configuration options. Failing to keep them separate may lead to abuse of certificate data to gain access to other Amphora instances in the event one of them is compromised.

To get you started we include an example of generating your own certificates:

# Working directory layout expected by `openssl ca` with the stock openssl.cnf
mkdir -p demoCA/newcerts
touch demoCA/index.txt
touch demoCA/index.txt.attr

# Issuing CA: signs the certificates Octavia hands to each amphora.
# Octavia requires its private key to be passphrase protected (here: foobar).
openssl genrsa -passout pass:foobar -des3 -out issuing_ca_key.pem 2048
openssl req -x509 -passin pass:foobar -new -nodes -key issuing_ca_key.pem \
    -config /etc/ssl/openssl.cnf \
    -subj "/C=US/ST=Somestate/O=Org/CN=www.example.com" \
    -days 30 \
    -out issuing_ca.pem

# Controller CA: a separate CA that the amphorae trust when the controller connects.
openssl genrsa -passout pass:foobar -des3 -out controller_ca_key.pem 2048
openssl req -x509 -passin pass:foobar -new -nodes \
    -key controller_ca_key.pem \
    -config /etc/ssl/openssl.cnf \
    -subj "/C=US/ST=Somestate/O=Org/CN=www.example.com" \
    -days 30 \
    -out controller_ca.pem

# Controller client certificate, signed by the controller CA, then bundled with its key.
openssl req \
    -newkey rsa:2048 -nodes -keyout controller_key.pem \
    -subj "/C=US/ST=Somestate/O=Org/CN=www.example.com" \
    -out controller.csr
openssl ca -passin pass:foobar -config /etc/ssl/openssl.cnf \
    -cert controller_ca.pem -keyfile controller_ca_key.pem \
    -create_serial -batch \
    -in controller.csr -days 30 -out controller_cert.pem
cat controller_cert.pem controller_key.pem > controller_cert_bundle.pem

To apply the configuration execute:

juju config octavia \
    lb-mgmt-issuing-cacert="$(base64 issuing_ca.pem)" \
    lb-mgmt-issuing-ca-private-key="$(base64 issuing_ca_key.pem)" \
    lb-mgmt-issuing-ca-key-passphrase=foobar \
    lb-mgmt-controller-cacert="$(base64 controller_ca.pem)" \
    lb-mgmt-controller-cert="$(base64 controller_cert_bundle.pem)"

Optional resource configuration

When you execute the configure-resources action, the charm creates the resources required for operation of the Octavia service. If you want to manage these resources yourself, you must set the create-mgmt-network configuration option to False.

You can at any time use the configure-resources action to prompt immediate resource discovery.

To let the charm discover the resources and apply the appropriate configuration
to Octavia, you must use Neutron resource tags.

The UUID of the Nova flavor you want to use must be set with the
custom-amp-flavor-id configuration option.

Resource type              Tag                   Description
Neutron Network            charm-octavia         Management network
Neutron Subnet             charm-octavia         Management network subnet
Neutron Router             charm-octavia         (Optional) Router for IPv6 RA or north/south mgmt traffic
Amphora Security Group     charm-octavia         Security group for Amphora ports
Controller Security Group  charm-octavia-health  Security group for Controller ports

Bugs

Please report bugs on Launchpad.

For general questions please refer to the OpenStack Charm Guide.

Configuration

ssl_key
(string) SSL key to use with certificate specified as ssl_cert.
vip_iface
(string) Default network interface to use for HA vip when it cannot be automatically determined.
eth0
amp-image-tag
(string) Glance image tag for selection of Amphorae image to boot load balancer instances.
octavia-amphora
haproxy-server-timeout
(int) Server timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 90000ms is used.
lb-mgmt-issuing-ca-private-key
(string) Note that setting this configuration option is mandatory. Private key for the Certificate Authority set in ``lb-mgmt-issuing-cacert``. Note that these certificates are not used for any load balancer payload data.
loadbalancer-topology
(string) Load balancer topology configuration. Supported values are 'SINGLE' and 'ACTIVE_STANDBY'.
SINGLE
worker-multiplier
(float) The CPU core multiplier to use when configuring worker processes. By default, the number of workers for each daemon is set to twice the number of CPU cores a service unit has. When deployed in a LXD container, this default value will be capped to 4 workers unless this configuration option is set.
use-syslog
(boolean) Setting this to True will allow supporting services to log to syslog.
haproxy-queue-timeout
(int) Queue timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 9000ms is used.
ssl_cert
(string) SSL certificate to install and use for API ports. Setting this value and ssl_key will enable reverse proxying, point Glance's entry in the Keystone catalog to use https, and override any certificate and key issued by Keystone (if it is configured to do so).
spare-pool-size
(int) Number of Amphora instances to hold in the spare pool to reduce spin-up time for new load balancers. The default behaviour is to not maintain any spare servers.
lb-mgmt-issuing-cacert
(string) Note that setting this configuration option is mandatory. Certificate Authority certificate used to issue new certificates stored on the ``Amphora`` load balancer instances. The ``Amphorae`` use them to authenticate themselves to the ``Octavia`` controller services. Note that due to security concerns it is important not to use the same CA certificate for both the ``lb-mgmt-issuing-cacert`` and ``lb-mgmt-controller-cacert`` configuration options. Failing to keep them separate may lead to abuse of certificate data to gain access to other ``Amphora`` instances in the event one of them is compromised. Note that these certificates are not used for any load balancer payload data.
os-public-network
(string) The IP address and netmask of the OpenStack Public network (e.g., 192.168.0.0/24). This network will be used for public endpoints.
lb-mgmt-issuing-ca-key-passphrase
(string) Note that setting this configuration option is mandatory. Passphrase for the key set in ``lb-mgmt-issuing-ca-private-key``. NOTE: As of this writing Octavia requires the private key to be protected with a passphrase. Note that these certificates are not used for any load balancer payload data.
os-admin-network
(string) The IP address and netmask of the OpenStack Admin network (e.g., 192.168.0.0/24). This network will be used for admin endpoints.
haproxy-client-timeout
(int) Client timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 90000ms is used.
os-public-hostname
(string) The hostname or address of the public endpoints created in the keystone identity provider. This value will be used for public endpoints. For example, an os-public-hostname set to 'api-public.example.com' with ssl enabled will create the following endpoint for neutron-api: https://api-public.example.com:9696/
custom-amp-flavor-id
(string) ID of Nova flavor Octavia should use when launching ``Amphorae`` instances. The default behaviour is to let the charm create and maintain the flavor.
action-managed-upgrade
(boolean) If True enables openstack upgrades for this charm via juju actions. You will still need to set openstack-origin to the new repository but instead of an upgrade running automatically across all units, it will wait for you to execute the openstack-upgrade action for this charm on each unit. If False it will revert to existing behavior of upgrading all units on config change.
os-admin-hostname
(string) The hostname or address of the admin endpoints created in the keystone identity provider. This value will be used for admin endpoints. For example, an os-admin-hostname set to 'api-admin.example.com' with ssl enabled will create the following endpoint for neutron-api: https://api-admin.example.com:9696/
use-internal-endpoints
(boolean) Openstack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.
create-mgmt-network
(boolean) The ``octavia`` charm utilizes Neutron Resource tags to locate networks, security groups and ports for use with the service. If none are found, the default behaviour is to create the resources required for management of the load balancer instances. Set this to False if you want to be in control of creation and management of these resources yourself. Please note that the service will not be fully operational until they are available. Refer to the documentation on https://jujucharms.com/octavia/ for a complete list of resources required and how they should be tagged.
True
dns-ha
(boolean) Use DNS HA with MAAS 2.0. Note if this is set do not set vip settings below.
lb-mgmt-controller-cert
(string) Note that setting this configuration option is mandatory. Certificate used by the ``Octavia`` controller to authenticate itself to its ``Amphorae``. Note that these certificates are not used for any load balancer payload data.
vip_cidr
(int) Default CIDR netmask to use for HA vip when it cannot be automatically determined.
24
openstack-origin
(string) Repository from which to install OpenStack. May be one of the following: distro (default), ppa:somecustom/ppa (PPA name must include OpenStack Release), a deb url sources entry|key id, or a supported Ubuntu Cloud Archive pocket. Supported Ubuntu Cloud Archive pockets include: cloud:trusty-liberty cloud:trusty-juno cloud:trusty-kilo cloud:trusty-liberty cloud:trusty-mitaka. Note that updating this setting to a source that is known to provide a later version of OpenStack will trigger a software upgrade.
distro
os-internal-network
(string) The IP address and netmask of the OpenStack Internal network (e.g., 192.168.0.0/24). This network will be used for internal endpoints.
region
(string) OpenStack Region
RegionOne
vip
(string) Virtual IP(s) to use to front API services in HA configuration. If multiple networks are being used, a VIP should be provided for each network, separated by spaces.
ssl_ca
(string) SSL CA to use with the certificate and key provided - this is only required if you are providing a privately signed ssl_cert and ssl_key.
debug
(boolean) Enable debug logging
os-internal-hostname
(string) The hostname or address of the internal endpoints created in the keystone identity provider. This value will be used for internal endpoints. For example, an os-internal-hostname set to 'api-internal.example.com' with ssl enabled will create the following endpoint for neutron-api: https://api-internal.example.com:9696/
haproxy-connect-timeout
(int) Connect timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 9000ms is used.
amp-image-owner-id
(string) Restrict glance image selection to a specific owner ID. This is a recommended security setting.
lb-mgmt-controller-cacert
(string) Note that setting this configuration option is mandatory. Certificate Authority certificate installed on ``Amphorae`` so that the ``Amphora`` agent can use it to authenticate connections from ``Octavia`` controller services. Note that due to security concerns it is important not to use the same CA certificate for both the ``lb-mgmt-issuing-cacert`` and ``lb-mgmt-controller-cacert`` configuration options. Failing to keep them separate may lead to abuse of certificate data to gain access to other ``Amphora`` instances in the event one of them is compromised. Note that these certificates are not used for any load balancer payload data.