Comment 3 for bug 1869203

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/715209
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=0f168dc9ca5b01fe616f196c2f49001d7882a2c8
Submitter: Zuul
Branch: master

commit 0f168dc9ca5b01fe616f196c2f49001d7882a2c8
Author: Gregory Thiemonge <email address hidden>
Date: Thu Mar 26 10:01:21 2020 +0100

    Increase validity period of Octavia CA and certificates

    Current validity period of Octavia CA and certificates is one year; this
    is too short for cloud deployments: Octavia services can no longer
    control a load balancer that has been running for more than one year
    (dataplane still works, but cannot be configured).

    This commit defines these values:
    - Octavia CA validity period is 50 years.
    - Octavia client certificate validity period is 10 years.

    For existing deployments, the existing CA private key is fetched from
    controllers, is updated using AES256 cipher if needed, then the key is
    used to generate a new CA. Using an existing private key for this CA
    allows keeping compatibility with existing client certificates.

    Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040
    Related-Bug: #1869203
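
The key-reuse behaviour described in the commit message, as an added example that is not part of the commit or of tripleo-ansible: a CA certificate reissued from the same private key still validates client certificates signed under the old one, while a CA with a fresh key does not. It assumes the `openssl` CLI and an RSA key; every file name, subject and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: file names, subjects and the passphrase are made up.
# Assumes an RSA CA key; the commit message does not state the key type.
set -eu

q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

renew_ca_demo() {
    d=$(mktemp -d)
    p="pass:demo-only"   # demo only; use a file: or env: source for real keys

    # 1. Old CA: key under a legacy cipher (3DES), certificate valid 1 year.
    q openssl genrsa -des3 -passout "$p" -out "$d/ca.key" 2048
    q openssl req -x509 -new -key "$d/ca.key" -passin "$p" -days 365 \
        -subj "/CN=demo-octavia-ca" -out "$d/ca_old.pem"

    # 2. Client certificate issued by the old CA.
    q openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key" \
        -subj "/CN=demo-client" -out "$d/client.csr"
    q openssl x509 -req -in "$d/client.csr" -CA "$d/ca_old.pem" \
        -CAkey "$d/ca.key" -passin "$p" -CAcreateserial -days 365 \
        -out "$d/client.pem"

    # 3. Re-encrypt the same CA key with AES-256, then issue a 50-year CA
    #    certificate from it, keeping the subject unchanged.
    q openssl rsa -in "$d/ca.key" -passin "$p" -aes256 -passout "$p" \
        -out "$d/ca_aes.key"
    q openssl req -x509 -new -key "$d/ca_aes.key" -passin "$p" -days 18250 \
        -subj "/CN=demo-octavia-ca" -out "$d/ca_new.pem"

    # 4. Negative control: same subject, but a freshly generated key.
    q openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/fresh.key" \
        -days 18250 -subj "/CN=demo-octavia-ca" -out "$d/ca_fresh.pem"

    # 5. The existing client certificate should verify only under the CA
    #    that reuses the original key.
    same=rejected; fresh=rejected
    if q openssl verify -CAfile "$d/ca_new.pem" "$d/client.pem"; then same=valid; fi
    if q openssl verify -CAfile "$d/ca_fresh.pem" "$d/client.pem"; then fresh=valid; fi
    rm -rf "$d"
    echo "same-key=$same fresh-key=$fresh"
}

renew_ca_demo
```

The client certificate's own expiry is untouched by the CA renewal, so certificates issued with the old one-year period still need reissuing before they lapse.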