Make amphora cert validity time configurable

This affects only the internal certificates that we generate and install
on Amphorae for use with the amphora-agent.

Change-Id: I8c3eb71246d339bd2d43092cce4e6122a49e9534
Adam Harwell 2019-04-29 14:12:52 -07:00
parent 0cadb9adf9
commit 57d653cc63
5 changed files with 21 additions and 4 deletions


@ -132,6 +132,7 @@
# ca_private_key_passphrase =
# server_certs_key_passphrase = insecure-key-do-not-use-this-key
# signing_digest = sha256
# cert_validity_time = 2592000 # 30 days = 30d * 24h * 60m * 60s = 2592000s
# storage_path = /var/lib/octavia/certificates/
# For the TLS management


@ -59,7 +59,11 @@ certgen_opts = [
cfg.StrOpt('signing_digest',
default=TLS_DIGEST_DEFAULT,
help='Certificate signing digest. Defaults'
' to env[OS_OCTAVIA_CA_SIGNING_DIGEST] or "sha256".')
' to env[OS_OCTAVIA_CA_SIGNING_DIGEST] or "sha256".'),
cfg.IntOpt('cert_validity_time',
default=30 * 24 * 60 * 60,
help="The validity time for the Amphora Certificates "
"(in seconds)."),
]
certmgr_opts = [
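Review bot: The new `cert_validity_time` option at the end of `certgen_opts` has no lower bound, so a value of 0 or a negative number passes config loading and is handed to the certificate generator as the validity, yielding an amphora certificate that is expired (or invalid) the moment it is issued. `cfg.IntOpt` takes a `min=` argument, so `cfg.IntOpt('cert_validity_time', default=30 * 24 * 60 * 60, min=1, help=...)` rejects that at startup instead. It would also help to say in the help text that the value must stay above the housekeeping certificate-rotation buffer (`[house_keeping] cert_expiry_buffer`, if I have the option name right), since a validity shorter than that buffer would make every freshly issued certificate immediately due for rotation. The `certgen_opts` list opens before the hunk.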


@ -21,7 +21,6 @@ from taskflow import task
from octavia.common import utils
CONF = cfg.CONF
CERT_VALIDITY = 2 * 365 * 24 * 60 * 60
class BaseCertTask(task.Task):
@ -45,7 +44,7 @@ class GenerateServerPEMTask(BaseCertTask):
def execute(self, amphora_id):
cert = self.cert_generator.generate_cert_key_pair(
cn=amphora_id,
validity=CERT_VALIDITY)
validity=CONF.certificates.cert_validity_time)
key = utils.get_six_compatible_server_certs_key_passphrase()
fer = fernet.Fernet(key)
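Review bot: `execute` now reads the validity from `CONF.certificates.cert_validity_time` at call time, but nothing in the method says what unit the generator expects or where the value comes from; a one-line docstring such as `"""Generate the amphora's server cert/key pair; validity comes from [certificates] cert_validity_time (seconds)."""` would save the next reader a trip to the config module. Dropping the module-level `CERT_VALIDITY` in the first hunk also removes a name other modules could have imported; the in-tree test is updated in this commit, so only out-of-tree code would notice, which the release note could mention. `execute` continues past the end of the hunk.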


@ -16,11 +16,15 @@
from cryptography import fernet
import mock
from oslo_config import cfg
from octavia.certificates.common import local
from octavia.common import utils
from octavia.controller.worker.tasks import cert_task
import octavia.tests.unit.base as base
CONF = cfg.CONF
class TestCertTasks(base.TestCase):
@ -40,4 +44,4 @@ class TestCertTasks(base.TestCase):
dummy_cert.get_private_key()
)
mock_driver.generate_cert_key_pair.assert_called_once_with(
cn='123', validity=cert_task.CERT_VALIDITY)
cn='123', validity=CONF.certificates.cert_validity_time)
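Review bot: The updated assertion at the end of the second hunk compares against `CONF.certificates.cert_validity_time`, the same live value the task reads, so it passes whether or not the option is actually wired through (a hard-coded default of the same size would pass too). Overriding the option with an explicit value and asserting that literal proves the plumbing: `self.conf.config(group='certificates', cert_validity_time=4242)` before the call, then `cn='123', validity=4242)` in the assertion — assuming `base.TestCase` exposes an oslo_config fixture as `self.conf`; otherwise `self.useFixture(oslo_fixture.Config(cfg.CONF))` provides one. With that, the `CONF = cfg.CONF` alias added in the first hunk is no longer needed by this test. The test method begins outside the hunk.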


@ -0,0 +1,9 @@
---
features:
- |
The validity period for locally generated certificates used inside Amphora
is now configurable. See ``[certificates] cert_validity_time``.
security:
- |
The default validity time for Amphora certificates has been reduced from
two years to 30 days.