Browse Source

Increase validity period of Octavia CA and certificates

Current validity period of Octavia CA and certificates is one year, this
is too short for cloud deployments: Octavia services can no longer
control a load balancer that has been running for more than one year
(dataplane still works, but cannot be configured).

This commit defines these values:
- Octavia CA validity period is 50 years.
- Octavia client certificate validity period is 10 years.

For existing deployment, the existing CA private key is fetched from
controllers, is updated using AES256 cipher if needed, then the key is
used to generate a new CA. Using an existing private key for this CA
allows to keep compability with existing client certificates.

Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040
Related-Bug: #1869203
(cherry picked from commit 0f168dc9ca)
(cherry picked from commit f69dfefd05)
Note-Queens: cherry picked from tripleo-ansible/stein
(cherry picked from commit f09b55266f)
changes/13/746913/1
Gregory Thiemonge 1 month ago
parent
commit
734315ed7c
4 changed files with 63 additions and 5 deletions
  1. +25
    -1
      playbooks/roles/octavia-controller-check/tasks/main.yml
  2. +36
    -3
      playbooks/roles/octavia-overcloud-config/tasks/certs_gen.yml
  3. +1
    -0
      playbooks/roles/octavia-overcloud-config/tasks/check_existing_certs.yml
  4. +1
    -1
      playbooks/roles/octavia-overcloud-config/tasks/main.yml

+ 25
- 1
playbooks/roles/octavia-controller-check/tasks/main.yml View File

@@ -30,6 +30,19 @@
- name: Store CA data
set_fact:
ca_cert: "{{ ca_file_data.content | b64decode }}"

- name: Get remaining validity period of the CA
shell: |
now=$(date +%s)
enddate=$(date +%s -d "$(openssl x509 -enddate -noout -in {{ octavia_confd_prefix }}/{{ ca_cert_path }} | cut -d= -f2)")
echo $((enddate - now))
register: validity_period

- name: Force CA update if remaining validity is less than 1 year
set_fact:
force_certs_update: true
when:
- (validity_period.stdout| int) < 31622400 # 31622400 seconds == 366 days
when:
- ca_file_stat.stat.exists | bool

@@ -46,9 +59,20 @@
slurp:
src: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}"
register: key_file_data
- name: Store CA data
- name: Store CA private key
set_fact:
ca_private_key: "{{ key_file_data.content | b64decode }}"

- name: Detect if key is encrypted with AES256
shell: grep -q 'AES-256-CBC' {{ octavia_confd_prefix }}/{{ ca_private_key_path }}
failed_when: false
register: ca_private_key_aes_256
- name: Store flag if a private key update is required
set_fact:
force_private_key_update: true
force_certs_update: true
when:
- ca_private_key_aes_256.rc != 0
when:
- ca_key_file_stat.stat.exists | bool



+ 36
- 3
playbooks/roles/octavia-overcloud-config/tasks/certs_gen.yml View File

@@ -27,7 +27,40 @@
- name: Generating certificate authority private key
become: true
shell: |
openssl genrsa -passout pass:{{ ca_passphrase }} -des3 -out {{ openssl_temp_dir }}/private/cakey.pem 2048
openssl genrsa -passout pass:{{ ca_passphrase }} -aes256 -out {{ openssl_temp_dir }}/private/cakey.pem 2048
when:
- not (force_certs_update | default(false) | bool)

- name: Reuse previous CA private key
block:
- name: Write previous CA private key
copy:
content: "{{ private_key_content }}"
dest: "{{ openssl_temp_dir }}/private/cakey.pem"
no_log: true
when:
- force_certs_update | default(false) | bool
- not (force_private_key_update | default(false) | bool)

- name: Reuse and update previous CA private key
block:
- name: Write previous CA private key
copy:
content: "{{ private_key_content }}"
dest: "{{ openssl_temp_dir }}/private/cakey.old.pem"
no_log: true

- name: Update CA private key
shell: |
openssl rsa -aes256 \
-passin pass:{{ ca_passphrase }} \
-passout pass:{{ ca_passphrase }} \
-in {{ openssl_temp_dir }}/private/cakey.old.pem \
-out {{ openssl_temp_dir }}/private/cakey.pem
when:
- force_certs_update | default(false) | bool
- force_private_key_update | default(false) | bool

- name: Reading private key
become: true
shell: cat {{ openssl_temp_dir }}/private/cakey.pem
@@ -41,7 +74,7 @@
shell: |
openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-days 365 -config {{ openssl_temp_dir }}/openssl.cnf \
-days 18250 -config {{ openssl_temp_dir }}/openssl.cnf \
-out {{ openssl_temp_dir }}/ca_01.pem
- name: Reading CA certificate
become: true
@@ -61,7 +94,7 @@
become: true
shell: |
openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \
-days 365 -out {{ openssl_temp_dir }}/client-.pem -batch
-days 3650 -out {{ openssl_temp_dir }}/client-.pem -batch
- name: Read service private key and public certifcate
become: true
shell: |


+ 1
- 0
playbooks/roles/octavia-overcloud-config/tasks/check_existing_certs.yml View File

@@ -65,5 +65,6 @@
update_certs: false
when:
- (octavia_node_count | int) == (ca_certs | length)
- not (force_certs_update | default(false))
when:
- (ca_certs | length) > 0

+ 1
- 1
playbooks/roles/octavia-overcloud-config/tasks/main.yml View File

@@ -11,4 +11,4 @@
- include_tasks: certs_gen.yml
when:
- generate_certs | bool
- (generate_ca | default(true)) | bool
- (generate_ca | default(true)) | bool or (force_certs_update | default(false) | bool)

Loading…
Cancel
Save