Increase validity period of Octavia CA and certificates

Current validity period of Octavia CA and certificates is one year; this
is too short for cloud deployments: Octavia services can no longer
control a load balancer that has been running for more than one year
(dataplane still works, but cannot be configured).

This commit defines these values:
- Octavia CA validity period is 50 years.
- Octavia client certificate validity period is 10 years.

For existing deployments, the existing CA private key is fetched from
controllers, is updated using the AES256 cipher if needed, then the key is
used to generate a new CA. Using an existing private key for this CA
allows keeping compatibility with existing client certificates.

Change-Id: I435c86306ecd5e0cafeda9d8d468483b7a34f040
Related-Bug: #1869203
(cherry picked from commit 0f168dc9ca5b01fe616f196c2f49001d7882a2c8)
(cherry picked from commit f69dfefd055642f0fddfdf5e4bf910dbf98dea40)
Note-Queens: cherry picked from tripleo-ansible/stein
(cherry picked from commit f09b55266feffc4b25dd386575e7a78be4d15f42)
Reviewed: https://review.opendev.org/746913
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=734315ed7cca281ffa36d978f1db34df5fb8ec94
Submitter: Zuul
Branch: stable/queens
commit 734315ed7cca281ffa36d978f1db34df5fb8ec94
Author: Gregory Thiemonge <email address hidden>
Date: Tue Aug 18 14:34:00 2020 +0200
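
The re-issue step described in the commit message, as an added example using the openssl CLI (not code from the commit or from tripleo-common): a new 50-year CA certificate is generated from the existing CA key after re-encrypting it with AES-256, and a client certificate issued under the old CA certificate is verified against the new one. File names, subjects, the passphrase and the function name are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration. Names, subjects and the passphrase are constructed.
demo_reissue_ca() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Minimal config so the result does not depend on the system openssl.cnf.
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
        # Stand-in for the existing deployment: unencrypted CA key, one-year CA certificate.
        openssl genrsa -out ca.key 2048 2>/dev/null &&
        openssl req -x509 -new -config ca.cnf -key ca.key -subj "/CN=example-octavia-ca" \
            -days 365 -out ca_old.pem &&
        # Client certificate issued under the old CA certificate.
        openssl genrsa -out client.key 2048 2>/dev/null &&
        openssl req -new -config ca.cnf -key client.key -subj "/CN=example-client" \
            -out client.csr &&
        openssl x509 -req -in client.csr -CA ca_old.pem -CAkey ca.key -CAcreateserial \
            -days 365 -out client.pem 2>/dev/null &&
        # Re-encrypt the existing CA key with AES-256 (the key material is unchanged).
        openssl rsa -in ca.key -aes256 -passout pass:example-passphrase \
            -out ca_enc.key 2>/dev/null &&
        # New CA certificate: same key, same subject, 50-year validity.
        openssl req -x509 -new -config ca.cnf -key ca_enc.key \
            -passin pass:example-passphrase -subj "/CN=example-octavia-ca" \
            -days 18250 -out ca_new.pem &&
        # The old client certificate must chain to the new CA certificate.
        openssl verify -CAfile ca_new.pem client.pem
    )
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Verification succeeds because chain building matches the client certificate's issuer name and signature against the CA's subject and public key, and both are unchanged when the key and subject are reused.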