Increase validity period of Octavia CA and certificates
Current validity period of Octavia CA and certificates is one year, this is too short for cloud deployments: Octavia services can no longer control a load balancer that has been running for more than one year (dataplane still works, but cannot be configured). This commit defines these values: - Octavia CA validity period is 50 years. - Octavia client certificate validity period is 10 years. For existing deployment, the existing CA private key is fetched from controllers, is updated using AES256 cipher if needed, then the key is used to generate a new CA. Using an existing private key for this CA allows to keep compability with existing client certificates. Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040 Related-Bug: #1869203
This commit is contained in:
parent
d3e7a42cda
commit
0f168dc9ca
|
@ -30,6 +30,19 @@
|
|||
- name: Store CA data
|
||||
set_fact:
|
||||
ca_cert: "{{ ca_file_data.content | b64decode }}"
|
||||
|
||||
- name: Get remaining validity period of the CA
|
||||
shell: |
|
||||
now=$(date +%s)
|
||||
enddate=$(date +%s -d "$(openssl x509 -enddate -noout -in {{ octavia_confd_prefix }}/{{ ca_cert_path }} | cut -d= -f2)")
|
||||
echo $((enddate - now))
|
||||
register: validity_period
|
||||
|
||||
- name: Force CA update if remaining validity is less than 1 year
|
||||
set_fact:
|
||||
force_certs_update: true
|
||||
when:
|
||||
- (validity_period.stdout| int) < 31622400 # 31622400 seconds == 366 days
|
||||
when:
|
||||
- ca_file_stat.stat.exists | bool
|
||||
|
||||
|
@ -46,9 +59,20 @@
|
|||
slurp:
|
||||
src: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}"
|
||||
register: key_file_data
|
||||
- name: Store CA data
|
||||
- name: Store CA private key
|
||||
set_fact:
|
||||
ca_private_key: "{{ key_file_data.content | b64decode }}"
|
||||
|
||||
- name: Detect if key is encrypted with AES256
|
||||
shell: grep -q 'AES-256-CBC' {{ octavia_confd_prefix }}/{{ ca_private_key_path }}
|
||||
failed_when: false
|
||||
register: ca_private_key_aes_256
|
||||
- name: Store flag if a private key update is required
|
||||
set_fact:
|
||||
force_private_key_update: true
|
||||
force_certs_update: true
|
||||
when:
|
||||
- ca_private_key_aes_256.rc != 0
|
||||
when:
|
||||
- ca_key_file_stat.stat.exists | bool
|
||||
|
||||
|
|
|
@ -35,7 +35,39 @@
|
|||
- name: Generating certificate authority private key
|
||||
become: true
|
||||
shell: |
|
||||
openssl genrsa -passout pass:{{ ca_passphrase }} -des3 -out {{ openssl_temp_dir }}/private/cakey.pem 2048
|
||||
openssl genrsa -passout pass:{{ ca_passphrase }} -aes256 -out {{ openssl_temp_dir }}/private/cakey.pem 2048
|
||||
when:
|
||||
- not (force_certs_update | default(false) | bool)
|
||||
|
||||
- name: Reuse previous CA private key
|
||||
block:
|
||||
- name: Write previous CA private key
|
||||
copy:
|
||||
content: "{{ private_key_content }}"
|
||||
dest: "{{ openssl_temp_dir }}/private/cakey.pem"
|
||||
no_log: true
|
||||
when:
|
||||
- force_certs_update | default(false) | bool
|
||||
- not (force_private_key_update | default(false) | bool)
|
||||
|
||||
- name: Reuse and update previous CA private key
|
||||
block:
|
||||
- name: Write previous CA private key
|
||||
copy:
|
||||
content: "{{ private_key_content }}"
|
||||
dest: "{{ openssl_temp_dir }}/private/cakey.old.pem"
|
||||
no_log: true
|
||||
|
||||
- name: Update CA private key
|
||||
shell: |
|
||||
openssl rsa -aes256 \
|
||||
-passin pass:{{ ca_passphrase }} \
|
||||
-passout pass:{{ ca_passphrase }} \
|
||||
-in {{ openssl_temp_dir }}/private/cakey.old.pem \
|
||||
-out {{ openssl_temp_dir }}/private/cakey.pem
|
||||
when:
|
||||
- force_certs_update | default(false) | bool
|
||||
- force_private_key_update | default(false) | bool
|
||||
|
||||
- name: Reading private key
|
||||
become: true
|
||||
|
@ -51,7 +83,7 @@
|
|||
shell: |
|
||||
openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \
|
||||
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
|
||||
-days 365 -config {{ openssl_temp_dir }}/openssl.cnf \
|
||||
-days 18250 -config {{ openssl_temp_dir }}/openssl.cnf \
|
||||
-out {{ openssl_temp_dir }}/ca_01.pem
|
||||
|
||||
- name: Reading CA certificate
|
||||
|
@ -74,7 +106,7 @@
|
|||
become: true
|
||||
shell: |
|
||||
openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \
|
||||
-days 365 -out {{ openssl_temp_dir }}/client-.pem -batch
|
||||
-days 3650 -out {{ openssl_temp_dir }}/client-.pem -batch
|
||||
|
||||
- name: Read service private key and public certifcate
|
||||
become: true
|
||||
|
|
|
@ -65,5 +65,6 @@
|
|||
update_certs: false
|
||||
when:
|
||||
- (octavia_node_count | int) == (ca_certs | length)
|
||||
- not (force_certs_update | default(false))
|
||||
when:
|
||||
- (ca_certs | length) > 0
|
||||
|
|
|
@ -13,4 +13,4 @@
|
|||
- include_tasks: certs_gen.yml
|
||||
when:
|
||||
- generate_certs | bool
|
||||
- (generate_ca | default(true)) | bool
|
||||
- (generate_ca | default(true)) | bool or (force_certs_update | default(false) | bool)
|
||||
|
|
Loading…
Reference in New Issue