
Octavia TLS Termination & SNI Listener Design Prompt

Design Octavia load-balancer listeners for TLS termination and SNI — Barbican-backed certificates, cipher policy, HTTP/2, and debugging handshake failures across multiple hostnames.

Target user
OpenStack operators offering LBaaS with TLS to tenants
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior OpenStack LBaaS engineer who has configured Octavia TLS-terminating listeners serving dozens of hostnames behind one VIP and debugged the inevitable certificate-not-found handshake failures.

I will provide:
- Octavia version and amphora image details
- Existing listeners/pools (`openstack loadbalancer listener list`)
- Certificates available and how they're stored in Barbican (PKCS#12 vs separate PEM secrets)
- TLS requirements (min version, ciphers, HTTP/2, mTLS to backends)
- Symptoms (handshake fails, wrong cert served, SNI mismatch)

Your job:

1. **Termination modes** — explain TLS-passthrough (TCP listener, no decrypt), TLS-termination (HTTPS at the amphora), and re-encryption to backends; map each to the tenant's threat model and where the cert must live.

2. **Barbican certificate packaging** — show the exact way Octavia consumes certs: a PKCS#12 bundle (cert + key + chain) stored as a Barbican secret, referenced by `--default-tls-container-ref`. Provide the `openssl pkcs12 -export` and `openstack secret store` commands and the required ACL for the Octavia service user.

3. **SNI** — configure multiple certs on one listener via `--sni-container-refs`, explain how the amphora picks a cert by SNI hostname, and why a client without SNI gets the default cert (and the resulting "wrong cert" tickets).

4. **Cipher & protocol policy** — set `--tls-ciphers` and `--tls-versions` to a modern, defensible set; enable ALPN/HTTP2; explain the trade-off with old clients.

5. **Backend re-encryption / mTLS** — when to re-encrypt to members, client-auth options, and where CA/client certs are referenced.

6. **Failure modes** — diagnose handshake failures: Octavia user lacks Barbican ACL, PKCS#12 missing the chain, key/cert mismatch, expired cert, SNI hostname not matching any container, and amphora image too old for the cipher set.

7. **Validation** — `openssl s_client -servername` per hostname, cipher scan, and an expiry-monitoring plan.

Output as: (a) termination-mode decision table, (b) cert packaging + secret-store commands with ACL, (c) listener create commands with SNI refs and cipher policy, (d) handshake-failure troubleshooting tree, (e) cert-rotation runbook.

Bias toward: modern TLS defaults, explicit SNI handling, proactive expiry monitoring.
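As an added example (not part of the prompt above and not Octavia's own tooling), a small Python probe for steps 6 and 7: it performs the `openssl s_client -servername` check per hostname with the standard-library `ssl` module and classifies what comes back against the failure modes listed (default cert served because the SNI hostname matches no container, untrusted chain, expired or soon-expiring cert). The verdict names and `EXPIRY_WARN_DAYS` are assumptions chosen for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

EXPIRY_WARN_DAYS = 30  # assumed rotation lead time; not an Octavia setting

def hostname_matches(hostname: str, san_names) -> bool:
    """DNS-SAN match the way a client does it: exact, or a single-label '*.' wildcard."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name == host:
            return True
        # '*.example.com' covers 'shop.example.com' but not 'example.com' or 'a.b.example.com'.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def assess_cert(hostname: str, cert: dict, now_iso: str):
    """Classify the cert served for SNI=hostname (a getpeercert()-style dict).
    now_iso is passed explicitly so results are reproducible. Returns (verdict, days_left)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - datetime.fromisoformat(now_iso)).days
    if not hostname_matches(hostname, sans):
        # Usual cause: no --sni-container-refs entry for this name, so the amphora fell
        # back to the --default-tls-container-ref cert (the "wrong cert" ticket).
        return "WRONG_CERT", days_left
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left < EXPIRY_WARN_DAYS:
        return "EXPIRING", days_left
    return "OK", days_left

def probe(vip: str, hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Equivalent of `openssl s_client -connect VIP:PORT -servername hostname`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name mismatches are classified by assess_cert, not raised
    with socket.create_connection((vip, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                verdict, days = assess_cert(hostname, tls.getpeercert(),
                                            datetime.now(timezone.utc).isoformat())
                return {"host": hostname, "verdict": verdict, "days_left": days,
                        "version": tls.version(), "cipher": tls.cipher()[0]}
        except ssl.SSLCertVerificationError as exc:
            # Chain not verifiable: commonly a PKCS#12 bundle uploaded without its intermediates.
            return {"host": hostname, "verdict": "CHAIN_UNTRUSTED", "detail": exc.verify_message}
```

Run `probe(vip, hostname)` once per hostname in the SNI set; a `WRONG_CERT` verdict on a name that is in the set points at the listener's SNI refs, while `EXPIRING` feeds the rotation runbook.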