Add docs on handling Octavia certs #50

Open: wants to merge 4 commits into master

Conversation

MoteHue

@MoteHue MoteHue commented Apr 25, 2024

No description provided.

@MoteHue MoteHue requested a review from a team as a code owner April 25, 2024 14:02

@markgoddard markgoddard left a comment

FWIW, here is what we have in the Leafcloud docs. Note the override of kolla-ansible variables to ensure certs are written to the correct place.

Octavia client certificates expire after a year, and should be rotated before they expire.

Note: only the client certificate needs to be rotated annually. The server CA and client CA both have 10 year expiries, and should not be rotated before this since it would break the trust chain.

Note to Mark: don't try to be clever with git here, just follow the procedure...

This can be done as follows:

We ensure that duplicate subject names are allowed, by setting unique_subject=no in etc/kayobe/kolla/octavia-certificates/client_ca/index.txt.attr. This should already be set.

Decrypt all certificate files:

git grep -l VAULT etc/kayobe/kolla/octavia-certificates | xargs ansible-vault decrypt --vault-password-file

Remove the existing client certificate and keys to ensure they are regenerated:

rm etc/kayobe/kolla/octavia-certificates/client_ca/client.*

Generate new certificates:

kayobe kolla ansible run octavia-certificates -ke node_custom_config=$KAYOBE_CONFIG_PATH/kolla/config -ke node_config=$KAYOBE_CONFIG_PATH/kolla

This is likely to modify several files, and possibly add some new ones. Add the new files:

git add etc/kayobe/kolla/octavia-certificates/client_ca/

Encrypt the changed files that we are interested in:

git grep -L VAULT etc/kayobe/kolla/octavia-certificates/client_ca | xargs ansible-vault encrypt --vault-password-file
git grep -L VAULT etc/kayobe/kolla/config/octavia/*.pem | xargs ansible-vault encrypt --vault-password-file

Add and commit:

git add etc/kayobe/kolla/octavia-certificates/client_ca/
git add etc/kayobe/kolla/config/octavia/client.cert-and-key.pem etc/kayobe/kolla/config/octavia/client_ca.cert.pem
git commit -m "octavia certs: rotate client certs"

Discard other unnecessary changes:

git status # check for anything unexpected!
git checkout etc/kayobe/kolla/octavia-certificates/ etc/kayobe/kolla/config/octavia

Deploy the new client certs:

kayobe overcloud service deploy --kolla-tags octavia

MoteHue commented May 13, 2024

I've taken the instructions from Leafcloud; overriding the kolla-ansible variables makes it a smoother process. I'm a bit hazy on how the CAs are handled, as I haven't needed to rotate these myself yet, and would appreciate a close look at this section :)
