LBaaS reference implementation TLS support

https://blueprints.launchpad.net/neutron/+spec/lbaas-ref-impl-tls-support

LBaaS reference HAProxy implementation needs improvement to support TLS including SNI.

This blueprint describes the changes that should be made to the HAProxy reference implementation to allow the features provided by the blueprints https://blueprints.launchpad.net/neutron/+spec/lbaas-ssl-termination and https://blueprints.launchpad.net/neutron/+spec/lbaas-refactor-haproxy-namespace-driver-to-new-driver-interface and its successors to be implemented.

Problem Description

The reference driver and its utilities currently do not support ‘advanced’ features, which hinders the forward development of the advanced API features suggested in the ‘lbaas-ssl-termination’ blueprint.

In order to support TLS offloading configurations, the reference driver (HAProxy) must be updated to ensure proper ‘backend’ behavior and capabilities.

Features not currently supported in HAProxy 1.4 (current stable):
  • TLS termination
  • TLS Source IP session persistence
  • X-Forwarded-For headers for TLS connections
  • TLS Source IP load balancing method
  • TLS re-encryption

The following are out of scope for this spec: L7, source_ip session persistence, TLS session ID session persistence, the source_ip load balancing algorithm, TLS re-encryption, X-Forwarded-For, and certificate-based client authentication.

The scope of this spec is TLS support, which includes SNI support.

Proposed Change

The current reference driver, named ‘namespace_driver’, utilizes HAProxy 1.4. It will be updated to use HAProxy 1.5 (dependent on packaging).

In order to implement these features a few things need to be done:

1. Update HAProxy config. The configuration will be built using Jinja as specified in spec “https://blueprints.launchpad.net/neutron/+spec/lbaas-refactor-haproxy-namespace-driver-to-new-driver-interface” and will expand on it to include TLS features.

The configuration utility will configure new directories and files for HAProxy and certificates in the structure below. This will ensure no name collisions.

$state_path/lbaas/$lb_uuid/
$state_path/lbaas/$lb_uuid/$cert1_barbican_id.pem
$state_path/lbaas/$lb_uuid/$cert2_barbican_id.pem
$state_path/lbaas/$lb_uuid/$certN_barbican_id.pem
$state_path/lbaas/$lb_uuid/haproxy.conf
$state_path/lbaas/$lb_uuid/run/
$state_path/lbaas/$lb_uuid/run/haproxy.pid
$state_path/lbaas/$lb_uuid/run/haproxy_stats.sock

2. The pem file containing the private key will be written with permissions such that it is only readable by root, to protect security credentials.

neutron.agent.linux.util#replace_file will be modified to accept an optional ‘file_mode’ argument to specify permissions other than the default ‘0644’. This protects against a race condition where an attacker reads the private key before the file permissions are set.

3. There are also teardown methods, i.e. undeploy_instance, that will need to be updated for proper cleanup (kill pids).
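The race described in step 2, as an added example that is not neutron's code: it shares only the replace_file name and ‘file_mode’ argument with this spec, and replace_file_racy, observe, demo and the placeholder directory and file names are hypothetical.

```python
import os
import stat
import tempfile


def replace_file_racy(file_name, data, file_mode, observe=None):
    """'Before' pattern: create with the default mode, tighten afterwards."""
    with open(file_name, "wb") as f:            # mode is 0666 & ~umask here
        f.write(data)
    if observe:                                 # stands in for a concurrent reader
        observe(file_name)
    os.chmod(file_name, file_mode)


def replace_file(file_name, data, file_mode=0o644):
    """Atomically replace file_name; it never exists with a wider mode."""
    base_dir = os.path.dirname(os.path.abspath(file_name))
    # mkstemp opens with O_EXCL and mode 0600 in the target directory.
    fd, tmp_path = tempfile.mkstemp(dir=base_dir, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as tmp:
            os.fchmod(tmp.fileno(), file_mode)  # set mode before writing data
            tmp.write(data)
            tmp.flush()
            os.fsync(tmp.fileno())
        os.rename(tmp_path, file_name)          # atomic on the same filesystem
    except BaseException:
        os.unlink(tmp_path)                     # leave no partial secret behind
        raise


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return (mode seen inside the racy window, final mode of the safe write)."""
    os.umask(0o022)                             # typical default umask
    state_path = tempfile.mkdtemp()             # constructed stand-in for $state_path
    lb_dir = os.path.join(state_path, "lbaas", "LB-UUID-PLACEHOLDER")
    os.makedirs(lb_dir, mode=0o700)
    pem = b"constructed placeholder, not a real key\n"
    seen = []
    replace_file_racy(os.path.join(lb_dir, "racy.pem"), pem, 0o600,
                      observe=lambda p: seen.append(mode_of(p)))
    safe = os.path.join(lb_dir, "CERT-BARBICAN-ID-PLACEHOLDER.pem")
    replace_file(safe, pem, file_mode=0o600)
    return seen[0], mode_of(safe)
```

The temporary file is created in the destination directory so that the final rename stays on one filesystem and remains atomic.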

Additional Thoughts: Those using devstack will not be able to use this feature unless manually installed or devstack itself is updated. This would need to be updated on that side at some point.

Data Model Impact

None

REST API Impact

None. This blueprint is intended to provide capabilities that can be supported in future versions of the REST API.

Security Impact

The user's private key will be written into a file readable by root on the local file system of the network node.

Notifications Impact

None

Other End User Impact

Devstack will need to be updated to install the new packages (HAProxy 1.5).

Performance Impact

Additional calls will have to be made to spawn additional instances.

TLS offloading increases overhead to the network node.

IPv6 Impact

None

Other Deployer Impact

Deployer will need to ensure new dependencies are installed.

Developer Impact

Developers will need to ensure they are using the additional utilities based on the lb configuration.

Developers will need to create a utility to retrieve Barbican secrets/data.

Community Impact

This change has been in review since Juno. Much discussion has taken place over IRC and the mailing list.

Alternatives

Alternatively, if we would like to support different TLS offloading tools like Stud, we could support plugins or extensions that are loaded in front of HAProxy.

Implementation

Assignee(s)

Primary assignee:
phillip-toohill
Other contributors:
dlundquist

Work Items

  • Update haproxy ‘haproxy.conf’ and jinja templates to handle new configurations.
  • Update namespace_driver methods for new actions.
  • Testing.

Testing

Tempest Tests

  • Add TLS to existing LBaaS tempest tests

Functional Tests

  • Test to verify SSL termination

API Tests

None

Documentation Impact

User Documentation

Document behavior and capabilities of the refactored reference implementation.

Developer Documentation

Document behavior and capabilities of the refactored reference implementation.