From 734315ed7cca281ffa36d978f1db34df5fb8ec94 Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Tue, 18 Aug 2020 14:34:00 +0200
Subject: [PATCH] Increase validity period of Octavia CA and certificates

Current validity period of Octavia CA and certificates is one year, this is too short for cloud deployments: Octavia services can no longer control a load balancer that has been running for more than one year (dataplane still works, but cannot be configured).

This commit defines these values:
- Octavia CA validity period is 50 years.
- Octavia client certificate validity period is 10 years.

For existing deployment, the existing CA private key is fetched from controllers, is updated using AES256 cipher if needed, then the key is used to generate a new CA. Using an existing private key for this CA allows to keep compability with existing client certificates.

Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040
Related-Bug: #1869203
(cherry picked from commit 0f168dc9ca5b01fe616f196c2f49001d7882a2c8)
(cherry picked from commit f69dfefd055642f0fddfdf5e4bf910dbf98dea40)
Note-Queens: cherry picked from tripleo-ansible/stein
(cherry picked from commit f09b55266feffc4b25dd386575e7a78be4d15f42)
---
 .../octavia-controller-check/tasks/main.yml | 26 ++++++++++++-
 .../tasks/certs_gen.yml | 39 +++++++++++++++++--
 .../tasks/check_existing_certs.yml | 1 +
 .../octavia-overcloud-config/tasks/main.yml | 2 +-
 4 files changed, 63 insertions(+), 5 deletions(-)
diff --git a/playbooks/roles/octavia-controller-check/tasks/main.yml b/playbooks/roles/octavia-controller-check/tasks/main.yml
index c86e29421..b4b541293 100644
--- a/playbooks/roles/octavia-controller-check/tasks/main.yml
+++ b/playbooks/roles/octavia-controller-check/tasks/main.yml
@@ -30,6 +30,19 @@ - name: Store CA data set_fact: ca_cert: "{{ ca_file_data.content | b64decode }}" + + - name: Get remaining validity period of the CA + shell: | + now=$(date +%s) + enddate=$(date +%s -d "$(openssl x509 -enddate -noout -in {{ octavia_confd_prefix }}/{{ ca_cert_path }} | cut -d= -f2)") + echo $((enddate - now)) + register: validity_period + + - name: Force CA update if remaining validity is less than 1 year + set_fact: + force_certs_update: true + when: + - (validity_period.stdout| int) < 31622400 # 31622400 seconds == 366 days when: - ca_file_stat.stat.exists | bool @@ -46,9 +59,20 @@ slurp: src: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}" register: key_file_data - - name: Store CA data + - name: Store CA private key set_fact: ca_private_key: "{{ key_file_data.content | b64decode }}" + + - name: Detect if key is encrypted with AES256 + shell: grep -q 'AES-256-CBC' {{ octavia_confd_prefix }}/{{ ca_private_key_path }} + failed_when: false + register: ca_private_key_aes_256 + - name: Store flag if a private key update is required + set_fact: + force_private_key_update: true + force_certs_update: true + when: + - ca_private_key_aes_256.rc != 0 when: - ca_key_file_stat.stat.exists | bool diff --git a/playbooks/roles/octavia-overcloud-config/tasks/certs_gen.yml b/playbooks/roles/octavia-overcloud-config/tasks/certs_gen.yml index 2ebe02a4b..84fb5d4ad 100644 --- a/playbooks/roles/octavia-overcloud-config/tasks/certs_gen.yml +++ b/playbooks/roles/octavia-overcloud-config/tasks/certs_gen.yml 
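Review bot: The "Get remaining validity period of the CA" shell task always exits 0 because the script's status is that of the final `echo`, so if `openssl x509` cannot read the CA file the inner substitution is empty and `date -d ""` produces a timestamp unrelated to the certificate, which is then silently compared against 31622400. `openssl x509 -checkend 31622400 -noout` performs the same "expires within 366 days" test natively (non-zero exit when it does), removes the GNU-specific `date -d` parsing, and lets the following `set_fact` key on `validity_period.rc != 0` with `failed_when: false` so an unreadable certificate takes the update path explicitly rather than through an accidental negative number. Both tasks only read state, so `changed_when: false` also belongs on the command task. The enclosing block (`when: ca_file_stat.stat.exists`) starts before this hunk.
```yaml
  - name: Get remaining validity period of the CA
    command: >-
      openssl x509 -checkend 31622400 -noout
      -in {{ octavia_confd_prefix }}/{{ ca_cert_path }}
    register: validity_period
    failed_when: false
    changed_when: false

  - name: Force CA update if remaining validity is less than 1 year
    set_fact:
      force_certs_update: true
    when:
      - validity_period.rc != 0  # 31622400 seconds == 366 days
```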
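Review bot: The "Detect if key is encrypted with AES256" task decides whether to re-encrypt by `grep -q 'AES-256-CBC'`, which only matches the `DEK-Info` header of a traditional (PKCS#1) PEM key. If the key is ever stored in PKCS#8 form (`BEGIN ENCRYPTED PRIVATE KEY`, which newer OpenSSL releases emit by default from `genrsa`/`rsa` as far as I know), that string is absent even when the cipher is AES-256, so `force_private_key_update` and `force_certs_update` would be set on every run and the CA regenerated each time. Consider also accepting the PKCS#8 header, `shell: grep -qE 'AES-256-CBC|BEGIN ENCRYPTED PRIVATE KEY' {{ octavia_confd_prefix }}/{{ ca_private_key_path }}`, and adding `changed_when: false` to this read-only task. The enclosing block (`when: ca_key_file_stat.stat.exists`) starts before this hunk.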
@@ -27,7 +27,40 @@ - name: Generating certificate authority private key become: true shell: | - openssl genrsa -passout pass:{{ ca_passphrase }} -des3 -out {{ openssl_temp_dir }}/private/cakey.pem 2048 + openssl genrsa -passout pass:{{ ca_passphrase }} -aes256 -out {{ openssl_temp_dir }}/private/cakey.pem 2048 + when: + - not (force_certs_update | default(false) | bool) + + - name: Reuse previous CA private key + block: + - name: Write previous CA private key + copy: + content: "{{ private_key_content }}" + dest: "{{ openssl_temp_dir }}/private/cakey.pem" + no_log: true + when: + - force_certs_update | default(false) | bool + - not (force_private_key_update | default(false) | bool) + + - name: Reuse and update previous CA private key + block: + - name: Write previous CA private key + copy: + content: "{{ private_key_content }}" + dest: "{{ openssl_temp_dir }}/private/cakey.old.pem" + no_log: true + + - name: Update CA private key + shell: | + openssl rsa -aes256 \ + -passin pass:{{ ca_passphrase }} \ + -passout pass:{{ ca_passphrase }} \ + -in {{ openssl_temp_dir }}/private/cakey.old.pem \ + -out {{ openssl_temp_dir }}/private/cakey.pem + when: + - force_certs_update | default(false) | bool + - force_private_key_update | default(false) | bool + - name: Reading private key become: true shell: cat {{ openssl_temp_dir }}/private/cakey.pem @@ -41,7 +74,7 @@ shell: | openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \ -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \ - -days 365 -config {{ openssl_temp_dir }}/openssl.cnf \ + -days 18250 -config {{ openssl_temp_dir }}/openssl.cnf \ -out {{ openssl_temp_dir }}/ca_01.pem - name: Reading CA certificate become: true 
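Review bot: Both "Write previous CA private key" `copy` tasks place the CA private key under `{{ openssl_temp_dir }}/private/` without a `mode:`, so the file gets the module's default (umask-derived, typically 0644) permissions rather than the owner-only mode a private key should have; they also lack the `become: true` that the neighbouring openssl tasks carry, which may matter if the temp dir is root-owned. Add `mode: "0600"` (and `become: true`) to both `copy` tasks. The new "Update CA private key" shell task passes `pass:{{ ca_passphrase }}` twice on the command line with no `no_log: true`, so the passphrase shows up in task output on failure or with `-v`; `no_log: true` on that task (as the adjacent `copy` tasks already have), or an `env:`/`file:` source for `-passin`/`-passout`, keeps it out of logs. After the conversion `cakey.old.pem` stays behind in the temp dir and could be removed with a `file:` task using `state: absent`. The variable `private_key_content` is not defined anywhere in this patch, so I assume it is populated from `ca_private_key` elsewhere.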
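Review bot: The new `-days 18250` for the CA certificate here, and `-days 3650` for the client certificate in the next hunk (@@ -61,7 +94,7), are bare numbers whose meaning lives only in the commit message; an inline comment on each, `# 18250 days == 50 years` and `# 3650 days == 10 years`, would keep the intent next to the code the way `# 31622400 seconds == 366 days` does in octavia-controller-check. Since the CA may now be regenerated from the reused private key, that key's effective lifetime becomes 50 years with no rotation path in this change, which is worth recording in the same comment. The `shell:` block and its task header start before this hunk.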
@@ -61,7 +94,7 @@ become: true shell: | openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \ - -days 365 -out {{ openssl_temp_dir }}/client-.pem -batch + -days 3650 -out {{ openssl_temp_dir }}/client-.pem -batch - name: Read service private key and public certifcate become: true shell: | diff --git a/playbooks/roles/octavia-overcloud-config/tasks/check_existing_certs.yml b/playbooks/roles/octavia-overcloud-config/tasks/check_existing_certs.yml index 93d3bfefc..8ee192c82 100644 --- a/playbooks/roles/octavia-overcloud-config/tasks/check_existing_certs.yml +++ b/playbooks/roles/octavia-overcloud-config/tasks/check_existing_certs.yml @@ -65,5 +65,6 @@ update_certs: false when: - (octavia_node_count | int) == (ca_certs | length) + - not (force_certs_update | default(false)) when: - (ca_certs | length) > 0 diff --git a/playbooks/roles/octavia-overcloud-config/tasks/main.yml b/playbooks/roles/octavia-overcloud-config/tasks/main.yml index 62acf3d14..8d0026364 100644 --- a/playbooks/roles/octavia-overcloud-config/tasks/main.yml +++ b/playbooks/roles/octavia-overcloud-config/tasks/main.yml @@ -11,4 +11,4 @@ - include_tasks: certs_gen.yml when: - generate_certs | bool - - (generate_ca | default(true)) | bool + - (generate_ca | default(true)) | bool or (force_certs_update | default(false) | bool)
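Review bot: The condition added in check_existing_certs.yml, `- not (force_certs_update | default(false))`, omits the `| bool` cast that every other use of this variable in the change applies (certs_gen.yml and octavia-overcloud-config/tasks/main.yml), so a string value such as `"false"` supplied through extra-vars is truthy and would wrongly prevent `update_certs: false` from being set, forcing a certificate update. Make it `- not (force_certs_update | default(false) | bool)` for consistency. The enclosing block (`when: (ca_certs | length) > 0`) starts before this hunk.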
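Review bot: In octavia-overcloud-config/tasks/main.yml the `or` is added only to the second `when` item, and items of a `when` list are AND-ed, so `force_certs_update` has no effect while `generate_certs | bool` is false: a CA the controller check found close to expiry would not be renewed on such a deployment. If that is intended, a comment above the condition stating that forced renewal still requires `generate_certs` would prevent surprise; otherwise the `or` has to span both items, e.g. a single item `- ((generate_certs | bool) and (generate_ca | default(true) | bool)) or (force_certs_update | default(false) | bool)`. The `include_tasks` entry is fully inside the hunk.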