Make amphora cert validity time configurable

This affects only the internal certificates that we generate and install on Amphorae for use with the amphora-agent. Change-Id: I8c3eb71246d339bd2d43092cce4e6122a49e9534
2019-04-29 14:12:52 -07:00 · 2019-04-29 14:12:52 -07:00 · 57d653cc63
commit 57d653cc63
parent 0cadb9adf9
5 changed files with 21 additions and 4 deletions
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@ -132,6 +132,7 @@
 # ca_private_key_passphrase =
 # server_certs_key_passphrase = insecure-key-do-not-use-this-key
 # signing_digest = sha256
+# cert_validity_time = 2592000  # 30 days = 30d * 24h * 60m * 60s = 2592000s
 # storage_path = /var/lib/octavia/certificates/

 # For the TLS management
--- a/octavia/certificates/common/local.py
+++ b/octavia/certificates/common/local.py
@ -59,7 +59,11 @@ certgen_opts = [
    cfg.StrOpt('signing_digest',
               default=TLS_DIGEST_DEFAULT,
               help='Certificate signing digest. Defaults'
-                    ' to env[OS_OCTAVIA_CA_SIGNING_DIGEST] or "sha256".')
+                    ' to env[OS_OCTAVIA_CA_SIGNING_DIGEST] or "sha256".'),
+    cfg.IntOpt('cert_validity_time',
+               default=30 * 24 * 60 * 60,
+               help="The validity time for the Amphora Certificates "
+                    "(in seconds)."),
 ]

 certmgr_opts = [
--- a/octavia/controller/worker/tasks/cert_task.py
+++ b/octavia/controller/worker/tasks/cert_task.py
@ -21,7 +21,6 @@ from taskflow import task
 from octavia.common import utils

 CONF = cfg.CONF
-CERT_VALIDITY = 2 * 365 * 24 * 60 * 60


 class BaseCertTask(task.Task):
@ -45,7 +44,7 @@ class GenerateServerPEMTask(BaseCertTask):
    def execute(self, amphora_id):
        cert = self.cert_generator.generate_cert_key_pair(
            cn=amphora_id,
-            validity=CERT_VALIDITY)
+            validity=CONF.certificates.cert_validity_time)
        key = utils.get_six_compatible_server_certs_key_passphrase()
        fer = fernet.Fernet(key)

--- a/octavia/tests/unit/controller/worker/tasks/test_cert_task.py
+++ b/octavia/tests/unit/controller/worker/tasks/test_cert_task.py
@ -16,11 +16,15 @@
 from cryptography import fernet
 import mock

+from oslo_config import cfg
+
 from octavia.certificates.common import local
 from octavia.common import utils
 from octavia.controller.worker.tasks import cert_task
 import octavia.tests.unit.base as base

+CONF = cfg.CONF
+

 class TestCertTasks(base.TestCase):

@ -40,4 +44,4 @@ class TestCertTasks(base.TestCase):
            dummy_cert.get_private_key()
        )
        mock_driver.generate_cert_key_pair.assert_called_once_with(
-            cn='123', validity=cert_task.CERT_VALIDITY)
+            cn='123', validity=CONF.certificates.cert_validity_time)
--- a/releasenotes/notes/make-amphora-cert-validity-configurable-7defc508b1174f89.yaml
+++ b/releasenotes/notes/make-amphora-cert-validity-configurable-7defc508b1174f89.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The validity period for locally generated certificates used inside Amphora
+    is now configurable. See ``[certificates] cert_validity_time``.
+security:
+  - |
+    The default validity time for Amphora certificates has been reduced from
+    two years to 30 days.