Support for OpenStack LBaaS Version 2.0 APIs
Starting with Release 3.1, Contrail provides support for the OpenStack Load Balancer as a Service (LBaaS) Version 2.0 APIs in the Liberty release of OpenStack.
Platform Support
Table 1 shows which Contrail with OpenStack release combinations support which version of OpenStack LBaaS APIs.
Contrail OpenStack Platform |
LBaaS Support |
|---|---|
Contrail-3.1-Liberty (and subsequent OS releases) |
Only LBaaS v2 is supported. |
Contrail-3.0-Liberty (and subsequent OS releases) |
LBaaS v1 is default. LBaaS v2 is Beta. |
<Contrail-any-release>-Kilo (and previous OS releases) |
Only LBaaS v1 is supported. |
Using OpenStack LBaaS Version 2.0
The OpenStack LBaaS Version 2.0 extension enables tenants to manage load balancers for VMs, for example, load-balancing client traffic from a network to application services, such as VMs, on the same network. The LBaaS Version 2.0 extension is used to create and manage load balancers, listeners, pools, members of a pool, and health monitors, and to view the status of a resource.
For LBaaS v2.0, the Contrail controller aggregates the configuration
by provider. For example, if haproxy is
the provider, the controller generates the configuration for haproxy and eliminates the need to send all of the
load-balancer resources to the vrouter-agent; only the generated configuration is sent, as part of the service
instance.
For more information about OpenStack v2.0 APIs, refer to the section LBaaS 2.0 (STABLE) (lbaas, loadbalancers, listeners, health_monitors, pools, members), at http://developer.openstack.org/api-ref-networking-v2-ext.html.
LBaaS v2.0 also allows users to listen to multiple ports for the same virtual IP, by decoupling the virtual IP address from the port.
The object model has the following resources:
Load balancer—Holds the virtual IP address
Listeners—One or many listeners with different ports, protocols, and so on
Pools
Members
Health monitors
Support for Multiple Certificates per Listener
Multiple certificates per listener are supported, with OpenStack Barbican as the storage for certificates. OpenStack Barbican is a REST API designed for the secure storage, provisioning, and management of secrets such as passwords, encryption keys, and X.509 certificates.
The following is an example CLI to store certificates in Barbican:
- barbican --os-identity-api-version 2.0 secret
store --payload-content-type='text/plain' --name='certificate' --payload="$(cat
server.crt)"
For more information about OpenStack Barbican, see: https://wiki.openstack.org/wiki/Barbican.
Neutron Load-Balancer Creation
The following is an example of Neutron load-balancer creation:
- neutron net-create private-net
- neutron subnet-create --name private-subnet private-net 10.30.30.0/24
- neutron lbaas-loadbalancer-create $(neutron subnet-list | awk '/ private-subnet / {print $2}') --name lb1
- neutron lbaas-listener-create --loadbalancer lb1 --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(barbican --os-identity-api-version 2.0 container list | awk '/ tls_container / {print $2}')
- neutron lbaas-pool-create --name pool1 --protocol HTTP --listener listener1 --lb-algorithm ROUND_ROBIN
- neutron lbaas-member-create --subnet private-subnet --address 30.30.30.10 --protocol-port 80 mypool
- neutron lbaas-member-create --subnet private-subnet --address 30.30.30.11 --protocol-port 80 mypool