The current validity period of the Octavia CA and certificates is one year;
this is too short for cloud deployments: Octavia services can no longer
control a load balancer that has been running for more than one year
(the dataplane still works, but cannot be configured).
This commit defines these values:
- Octavia CA validity period is 50 years.
- Octavia client certificate validity period is 10 years.
For existing deployments, the existing CA private key is fetched from
controllers, is updated using AES256 cipher if needed, then the key is
used to generate a new CA. Using an existing private key for this CA
allows keeping compatibility with existing client certificates.
(cherry picked from commit 0f168dc9ca)
(cherry picked from commit f69dfefd05)
Note-Queens: cherry picked from tripleo-ansible/stein
(cherry picked from commit f09b55266f)
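
The key-reuse step described in the commit message above, as an added example that is not part of the commit or of tripleo-ansible: a client certificate issued under the old CA still verifies against a CA certificate regenerated from the same private key, and fails against one with a fresh key. All file names, subjects and the passphrase are constructed placeholders, and the original key cipher (AES-128) is an assumption.

```shell
#!/bin/sh
# Constructed demo: file names, subjects and the passphrase are placeholders.
set -eu

# Print OK if client cert $2 chains to CA cert $1, FAIL otherwise.
check() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

renew_ca_demo() {
    d=$(mktemp -d)
    pass="pass:example-passphrase"
    subj="/CN=example-octavia-ca"

    # Existing deployment: encrypted CA key (AES-128 assumed here), 1-year CA.
    openssl genrsa -aes128 -passout "$pass" -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -passin "$pass" -days 365 \
        -subj "$subj" -out "$d/ca_old.pem"

    # Client certificate issued by the old CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key" \
        -subj "/CN=example-octavia-client" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca_old.pem" \
        -CAkey "$d/ca.key" -passin "$pass" -CAcreateserial -days 365 \
        -out "$d/client.pem" 2>/dev/null

    # Re-encrypt the same private key with AES-256; the key pair is unchanged.
    openssl rsa -in "$d/ca.key" -passin "$pass" -aes256 -passout "$pass" \
        -out "$d/ca_aes256.key" 2>/dev/null

    # New 50-year CA certificate: same key, same subject.
    openssl req -x509 -new -key "$d/ca_aes256.key" -passin "$pass" \
        -days 18250 -subj "$subj" -out "$d/ca_renewed.pem"

    # Control: same subject but a fresh key pair.
    openssl genrsa -out "$d/fresh.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/fresh.key" -days 18250 \
        -subj "$subj" -out "$d/ca_rekeyed.pem"

    echo "renewed=$(check "$d/ca_renewed.pem" "$d/client.pem")" \
         "rekeyed=$(check "$d/ca_rekeyed.pem" "$d/client.pem")"
    rm -rf "$d"
}

renew_ca_demo
```

Verification succeeds for the renewed CA because the client certificate's signature is checked against the CA public key and issuer name, both of which are unchanged; only the CA certificate's validity dates differ.
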
This patch adds ansible for creating resources required for octavia load
balancers in the overcloud and updating the octavia configuration. While
this can be used directly from the command line, it is intended to be
driven from heat via mistral workflow.