From 57d653cc63d409b8670961e2a6a2556ce9231498 Mon Sep 17 00:00:00 2001
From: Adam Harwell
Date: Mon, 29 Apr 2019 14:12:52 -0700
Subject: [PATCH] Make amphora cert validity time configurable

This affects only the internal certificates that we generate and install on Amphorae for use with the amphora-agent.

Change-Id: I8c3eb71246d339bd2d43092cce4e6122a49e9534
---
 etc/octavia.conf | 1 +
 octavia/certificates/common/local.py | 6 +++++-
 octavia/controller/worker/tasks/cert_task.py | 3 +--
 .../tests/unit/controller/worker/tasks/test_cert_task.py | 6 +++++-
 ...hora-cert-validity-configurable-7defc508b1174f89.yaml | 9 +++++++++
 5 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/make-amphora-cert-validity-configurable-7defc508b1174f89.yaml

diff --git a/etc/octavia.conf b/etc/octavia.conf
index d080745ad1..d855ae31b5 100644
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@@ -132,6 +132,7 @@
 # ca_private_key_passphrase =
 # server_certs_key_passphrase = insecure-key-do-not-use-this-key
 # signing_digest = sha256
+# cert_validity_time = 2592000 # 30 days = 30d * 24h * 60m * 60s = 2592000s
 # storage_path = /var/lib/octavia/certificates/
 
 # For the TLS management
diff --git a/octavia/certificates/common/local.py b/octavia/certificates/common/local.py
index 6b211e208a..03ffab7966 100644
--- a/octavia/certificates/common/local.py
+++ b/octavia/certificates/common/local.py
@@ -59,7 +59,11 @@ certgen_opts = [
     cfg.StrOpt('signing_digest',
                default=TLS_DIGEST_DEFAULT,
                help='Certificate signing digest. Defaults'
-               ' to env[OS_OCTAVIA_CA_SIGNING_DIGEST] or "sha256".')
+               ' to env[OS_OCTAVIA_CA_SIGNING_DIGEST] or "sha256".'),
+    cfg.IntOpt('cert_validity_time',
+               default=30 * 24 * 60 * 60,
+               help="The validity time for the Amphora Certificates "
+               "(in seconds)."),
 ]
 
 certmgr_opts = [
diff --git a/octavia/controller/worker/tasks/cert_task.py b/octavia/controller/worker/tasks/cert_task.py
index 64690469b6..dffbfbdf39 100644
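Review bot: The sample line `+# cert_validity_time = 2592000 # 30 days = 30d * 24h * 60m * 60s = 2592000s` keeps its explanation as a trailing comment on the value line, and as far as I recall oslo.config's INI parser only treats a line that starts with `#` as a comment, so an operator who uncomments the line verbatim would hand the IntOpt the string `2592000 # 30 days ...` and fail at startup. Move the explanation onto its own line above the sample, e.g. `# Validity time, in seconds, of the certificates issued to the amphora agent (30 days = 30 * 24 * 60 * 60).` followed by `# cert_validity_time = 2592000`. That also gives the sample file a place to state the unit, which the bare number does not convey.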
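Review bot: The new `cfg.IntOpt('cert_validity_time', default=30 * 24 * 60 * 60, ...)` accepts any integer, so a zero or negative value is only discovered when the task tries to mint a certificate that is already expired (or when the generator rejects it) rather than at config-load time; add `min=1` so oslo.config refuses the value while parsing the file. The help string would also be more useful if it said what the certificates are for, e.g. `help="The validity time, in seconds, of the certificates generated for the amphora agent."`. The certgen_opts list and the place where it is registered (and under which group) lie outside the hunk, so I cannot confirm here that this lands in the `[certificates]` group that cert_task.py reads.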
--- a/octavia/controller/worker/tasks/cert_task.py
+++ b/octavia/controller/worker/tasks/cert_task.py
@@ -21,7 +21,6 @@ from taskflow import task
 from octavia.common import utils
 
 CONF = cfg.CONF
-CERT_VALIDITY = 2 * 365 * 24 * 60 * 60
 
 
 class BaseCertTask(task.Task):
@@ -45,7 +44,7 @@ class GenerateServerPEMTask(BaseCertTask):
     def execute(self, amphora_id):
         cert = self.cert_generator.generate_cert_key_pair(
             cn=amphora_id,
-            validity=CERT_VALIDITY)
+            validity=CONF.certificates.cert_validity_time)
         key = utils.get_six_compatible_server_certs_key_passphrase()
         fer = fernet.Fernet(key)
 
diff --git a/octavia/tests/unit/controller/worker/tasks/test_cert_task.py b/octavia/tests/unit/controller/worker/tasks/test_cert_task.py
index f116c4b8d9..6bb9b184ea 100644
--- a/octavia/tests/unit/controller/worker/tasks/test_cert_task.py
+++ b/octavia/tests/unit/controller/worker/tasks/test_cert_task.py
@@ -16,11 +16,15 @@
 
 from cryptography import fernet
 import mock
+from oslo_config import cfg
+
 from octavia.certificates.common import local
 from octavia.common import utils
 from octavia.controller.worker.tasks import cert_task
 import octavia.tests.unit.base as base
 
+CONF = cfg.CONF
+
 
 class TestCertTasks(base.TestCase):
 
@@ -40,4 +44,4 @@ class TestCertTasks(base.TestCase):
             dummy_cert.get_private_key()
         )
         mock_driver.generate_cert_key_pair.assert_called_once_with(
-            cn='123', validity=cert_task.CERT_VALIDITY)
+            cn='123', validity=CONF.certificates.cert_validity_time)
diff --git a/releasenotes/notes/make-amphora-cert-validity-configurable-7defc508b1174f89.yaml b/releasenotes/notes/make-amphora-cert-validity-configurable-7defc508b1174f89.yaml
new file mode 100644
index 0000000000..d625e3c028
--- /dev/null
+++ b/releasenotes/notes/make-amphora-cert-validity-configurable-7defc508b1174f89.yaml
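Review bot: `execute` in GenerateServerPEMTask now resolves `CONF.certificates.cert_validity_time` at call time, and this module imports nothing from `octavia.certificates.common` where the option is declared, so the lookup presumably relies on the `[certificates]` group having been registered by whichever cert generator driver was loaded; if a driver other than the local one is configured that registration may not have happened, which is worth confirming before merging. Since the module constant is gone, give `execute` a docstring that says where the value now comes from, e.g. `"""Generate the agent cert/key pair for *amphora_id*, valid for [certificates] cert_validity_time seconds, and return it fernet-encrypted."""` (the encryption half is what the visible lines suggest; adjust if the return differs). Dropping the public name `CERT_VALIDITY` also breaks any out-of-tree importer; a deprecated alias would keep them working. The body of `execute` continues past the hunk.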
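Review bot: The updated assertion `cn='123', validity=CONF.certificates.cert_validity_time` compares the call against the same expression the task evaluates, so it would still pass if the task silently hard-coded the default, and it never exercises a non-default value. Override the option for the test and assert the literal: `CONF.set_override('cert_validity_time', 12345, group='certificates')` paired with `self.addCleanup(CONF.clear_override, 'cert_validity_time', group='certificates')`, then `cn='123', validity=12345`. The test method starts before the hunk, so the override belongs near its top.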
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The validity period for locally generated certificates used inside Amphora
+    is now configurable. See ``[certificates] cert_validity_time``.
+security:
+  - |
+    The default validity time for Amphora certificates has been reduced from
+    two years to 30 days.