Octavia CA and client certs validity period are too short

Bug #1869203 reported by Gregory Thiemonge
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Gregory Thiemonge

Bug Description

Reported in https://bugzilla.redhat.com/show_bug.cgi?id=1812056

By default, Director automatically creates the required private certificate authorities and issues the necessary certificates. However, the validity period of the generated certificates is limited to 365 days. Deployments with such short-lived certificates are expected to start experiencing Octavia control plane problems on create, update and delete actions once past the 365 days.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/715209

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/723545

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/715209
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=0f168dc9ca5b01fe616f196c2f49001d7882a2c8
Submitter: Zuul
Branch: master

commit 0f168dc9ca5b01fe616f196c2f49001d7882a2c8
Author: Gregory Thiemonge <email address hidden>
Date: Thu Mar 26 10:01:21 2020 +0100

    Increase validity period of Octavia CA and certificates

    The current validity period of the Octavia CA and certificates is one year;
    this is too short for cloud deployments: Octavia services can no longer
    control a load balancer that has been running for more than one year
    (the dataplane still works, but cannot be configured).

    This commit defines these values:
    - Octavia CA validity period is 50 years.
    - Octavia client certificate validity period is 10 years.

    For existing deployments, the existing CA private key is fetched from the
    controllers, is updated using the AES256 cipher if needed, then the key is
    used to generate a new CA. Using an existing private key for this CA
    keeps compatibility with existing client certificates.

    Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040
    Related-Bug: #1869203
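
To make the key-reuse step described in this commit message concrete, here is an added shell demo (not code from tripleo-ansible or the change above): it builds a one-year CA and a client cert it signed, re-encrypts the CA key with AES-256, issues a 50-year CA certificate from the same key, and checks that the old client cert still chains to it. It assumes openssl is on PATH; all names, paths and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not code from tripleo-ansible): reproduce the commit's key-reuse
# step with openssl. All names, paths and the passphrase are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
OLD_CA_DAYS=365      # pre-fix default that broke control-plane actions
CA_DAYS=18250        # 50 years, the value the fix sets for the CA
CLIENT_DAYS=3650     # 10 years, the value the fix sets for client certs
# 1. The situation before the fix: a one-year CA and a client cert it signed.
make_old_pki() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -key "$WORK/ca.key" -days "$OLD_CA_DAYS" \
    -subj "/CN=Octavia CA" -out "$WORK/ca_old.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
    -subj "/CN=Octavia client" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca_old.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days "$CLIENT_DAYS" \
    -out "$WORK/client.crt" 2>/dev/null
}

# 2. Re-encrypt the fetched CA key with AES-256 ("updated using AES256 cipher
#    if needed"); $1 is the passphrase.
encrypt_ca_key() {
  openssl pkey -in "$WORK/ca.key" -aes256 -passout "pass:$1" \
    -out "$WORK/ca_aes.key"
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$WORK/ca_aes.key"
}

# 3. Issue a new 50-year CA certificate from the SAME private key.
renew_ca() {
  openssl req -x509 -key "$WORK/ca_aes.key" -passin "pass:$1" \
    -days "$CA_DAYS" -subj "/CN=Octavia CA" -out "$WORK/ca_new.crt" 2>/dev/null
}

# Existing client certs must still chain to the renewed CA (same key => same
# issuer name and authority key identifier). Exit 0 means yes.
client_still_valid() {
  openssl verify -CAfile "$WORK/ca_new.crt" "$WORK/client.crt" >/dev/null
}

# Operator check: is certificate $1 still valid $2 days from now? Exit 0 = yes.
valid_for_days() {
  openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null
}
if [ "${1:-}" = run ]; then   # usage: sh demo.sh run
  make_old_pki && encrypt_ca_key demo-pass && renew_ca demo-pass
  client_still_valid && echo "existing client cert still trusted by renewed CA"
  valid_for_days "$WORK/ca_new.crt" 18000 && echo "new CA valid for >= 18000 days"
fi
```

The same `valid_for_days` check run against a deployment's real Octavia CA and client certificates is the quickest way to tell whether an installation is still on the one-year defaults.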

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/744185

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/745531

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/744185
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=f69dfefd055642f0fddfdf5e4bf910dbf98dea40
Submitter: Zuul
Branch: stable/ussuri

commit f69dfefd055642f0fddfdf5e4bf910dbf98dea40
Author: Gregory Thiemonge <email address hidden>
Date: Thu Mar 26 10:01:21 2020 +0100

    Increase validity period of Octavia CA and certificates

    The current validity period of the Octavia CA and certificates is one year;
    this is too short for cloud deployments: Octavia services can no longer
    control a load balancer that has been running for more than one year
    (the dataplane still works, but cannot be configured).

    This commit defines these values:
    - Octavia CA validity period is 50 years.
    - Octavia client certificate validity period is 10 years.

    For existing deployments, the existing CA private key is fetched from the
    controllers, is updated using the AES256 cipher if needed, then the key is
    used to generate a new CA. Using an existing private key for this CA
    keeps compatibility with existing client certificates.

    Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040
    Related-Bug: #1869203
    (cherry picked from commit 0f168dc9ca5b01fe616f196c2f49001d7882a2c8)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/746913

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/745531
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=f09b55266feffc4b25dd386575e7a78be4d15f42
Submitter: Zuul
Branch: stable/train

commit f09b55266feffc4b25dd386575e7a78be4d15f42
Author: Gregory Thiemonge <email address hidden>
Date: Thu Mar 26 10:01:21 2020 +0100

    Increase validity period of Octavia CA and certificates

    The current validity period of the Octavia CA and certificates is one year;
    this is too short for cloud deployments: Octavia services can no longer
    control a load balancer that has been running for more than one year
    (the dataplane still works, but cannot be configured).

    This commit defines these values:
    - Octavia CA validity period is 50 years.
    - Octavia client certificate validity period is 10 years.

    For existing deployments, the existing CA private key is fetched from the
    controllers, is updated using the AES256 cipher if needed, then the key is
    used to generate a new CA. Using an existing private key for this CA
    keeps compatibility with existing client certificates.

    Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040
    Related-Bug: #1869203
    (cherry picked from commit 0f168dc9ca5b01fe616f196c2f49001d7882a2c8)
    (cherry picked from commit f69dfefd055642f0fddfdf5e4bf910dbf98dea40)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/queens)

Reviewed: https://review.opendev.org/746913
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=734315ed7cca281ffa36d978f1db34df5fb8ec94
Submitter: Zuul
Branch: stable/queens

commit 734315ed7cca281ffa36d978f1db34df5fb8ec94
Author: Gregory Thiemonge <email address hidden>
Date: Tue Aug 18 14:34:00 2020 +0200

    Increase validity period of Octavia CA and certificates

    The current validity period of the Octavia CA and certificates is one year;
    this is too short for cloud deployments: Octavia services can no longer
    control a load balancer that has been running for more than one year
    (the dataplane still works, but cannot be configured).

    This commit defines these values:
    - Octavia CA validity period is 50 years.
    - Octavia client certificate validity period is 10 years.

    For existing deployments, the existing CA private key is fetched from the
    controllers, is updated using the AES256 cipher if needed, then the key is
    used to generate a new CA. Using an existing private key for this CA
    keeps compatibility with existing client certificates.

    Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040
    Related-Bug: #1869203
    (cherry picked from commit 0f168dc9ca5b01fe616f196c2f49001d7882a2c8)
    (cherry picked from commit f69dfefd055642f0fddfdf5e4bf910dbf98dea40)
    Note-Queens: cherry picked from tripleo-ansible/stein
    (cherry picked from commit f09b55266feffc4b25dd386575e7a78be4d15f42)

tags: added: in-stable-queens
Brent Eagles (beagles)
Changed in tripleo:
status: New → Fix Released
assignee: nobody → Gregory Thiemonge (gthiemonge)
Brent Eagles (beagles)
Changed in tripleo:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-ansible (master)

Change abandoned by "James Slagle <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/723545
Reason: Abandoning this patch per the TripleO Patch Abandonment guidelines
(https://specs.openstack.org/openstack/tripleo-specs/specs/policy/patch-abandonment.html).
If you wish to have this restored and cannot do so yourself, please reach out
via #tripleo on OFTC or the OpenStack Dev mailing list.
