Support and document persisting the Octavia CA

MoteHue · MoteHue · commit 4362c8ed24d8 · 2025-11-18T15:17:53.000Z
diff --git a/doc/source/operations/octavia.rst b/doc/source/operations/octavia.rst
@@ -65,6 +65,151 @@ The default image path is ``/tmp/amphora-x64-haproxy.qcow2``.
 
   kayobe playbook run ${KAYOBE_CONFIG_PATH}/ansible/maintenance/octavia-amphora-image-register.yml -e image_path="<path-to-amphora-image>"
 
+Handling TLS certificates
+=========================
+
+Octavia uses mutual TLS to secure communication between the amphorae and
+Octavia services. It uses a private CA to sign both client and server
+certificates. We use the kolla-ansible built-in support for generating these
+certificates:
+
+.. code-block:: console
+
+   kayobe kolla ansible run octavia-certificates
+
+This command will output certificates and keys in ``${KOLLA_CONFIG_PATH}/octavia-certificates``
+
+Copy the relevant certificates into your kayobe-config:
+
+.. code-block:: console
+
+   cd ${KAYOBE_CONFIG_PATH}/environments/$KAYOBE_ENVIRONMENT/kolla/config/octavia
+   cp $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/client_ca.cert.pem .
+   cp $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/client.cert-and-key.pem .
+   cp $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/server_ca.cert.pem .
+   cp $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/server_ca.key.pem .
+
+Encrypt any files containing the keys:
+
+.. code-block:: console
+
+   ansible-vault encrypt client.cert-and-key.pem --vault-password-file ~/vault
+   ansible-vault encrypt server_ca.key.pem --vault-password-file ~/vault
+
+Checking certificate expiry
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. code-block:: console
+
+   ansible-vault decrypt client.cert-and-key.pem --vault-password-file  ~/vault
+   openssl x509 -enddate -noout -in client.cert-and-key.pem 
+   notAfter=Aug 12 10:45:35 2022 GMT
+
+Backing up the octavia-certificates directory
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In the root of your kayobe-config checkout:
+
+.. code-block:: console
+
+   tools/backup-octavia-certificates.sh
+
+This will output an encrypted backup to ``$KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/octavia-certificates-backup.tar``
+Commit this file to store the backup.
+
+Restoring octavia-certificates directory when regenerating certificates
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In the root of your kayobe-config checkout:
+
+.. code-block:: console
+
+   tools/restore-octavia-certificates.sh
+
+This will use the encrypted backup in ``$KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/octavia-certificates-backup.tar``
+to restore ``${KOLLA_CONFIG_PATH}/octavia-certificates``. This will allow you
+to reuse the client CA.
+
+Rotating client.cert-and-key.pem
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This has a life time of 1 year. 
+
+1) Follow the steps to restore octavia-certificates so you can reuse the client
+   CA.
+
+3) Make sure your config allows you to regenerate a certificate with the same
+   common name.
+
+   .. code-block:: console
+      :caption: $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/index.txt.attr
+
+      unique_subject = no
+
+5) Remove the old files relating to the client certificate:
+
+   .. code-block:: console
+
+      kayobe# rm $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/{client.cert-and-key.pem,client.csr.pem,client.cert.pem}
+
+6) Regenerate the certificates
+
+   .. code-block:: console
+
+      kayobe# kayobe kolla ansible run octavia-certificates
+
+7) Backup your octavia-certificates directory (see previous section).
+
+8) Copy your new certificate to the correct location:
+
+   .. code-block:: console
+
+      cd ${KAYOBE_CONFIG_PATH}/environments/$KAYOBE_ENVIRONMENT/kolla/config/octavia
+      kayobe# cp  $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/client_ca.cert.pem .
+      kayobe# cp  $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/client.cert-and-key.pem .
+      kayobe# ansible-vault encrypt client.cert-and-key.pem --vault-password-file ~/vault
+      Encryption successful
+
+9) Reconfigure octavia
+
+   .. code-block:: console
+
+      kayobe# kayobe overcloud service reconfigure -kt octavia
+
+10) Run tempest with the `octavia` test list to check it is working.
+
+11) Commit and push any changes.
+
+Rotating the CAs
+~~~~~~~~~~~~~~~~
+
+The CAs have a 10 year lifetime. Simply delete the relevant directory under
+``$KOLLA_CONFIG_PATH/octavia-certificates/`` and regenerate it with:
+
+   .. code-block:: console
+
+      kayobe# kayobe kolla ansible run octavia-certificates
+
+Copy the relevant certificates into your kayobe-config.
+
+.. code-block:: console
+
+   kayobe# cd ${KAYOBE_CONFIG_PATH}/environments/$KAYOBE_ENVIRONMENT/kolla/config/octavia
+   kayobe# cp $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/client_ca.cert.pem .
+   kayobe# cp $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/client.cert-and-key.pem .
+   kayobe# cp $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/server_ca.cert.pem .
+   kayobe# cp $KOLLA_CONFIG_PATH/octavia-certificates/client_ca/server_ca.key.pem .
+
+Encrypt any files containing the keys.
+
+.. code-block:: console
+
+   kayobe# ansible-vault encrypt client.cert-and-key.pem --vault-password-file ~/vault 
+   Encryption successful
+   kayobe# ansible-vault encrypt server_ca.key.pem --vault-password-file ~/vault 
+   Encryption successful
+
+Follow any instructions in the `upstream docs <https://docs.openstack.org/octavia/latest/admin/guides/operator-maintenance.html>`_.
 
 Manually deleting broken load balancers
 =======================================
diff --git a/tools/backup-octavia-certificates.sh b/tools/backup-octavia-certificates.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -eu
+
+if [ -z ${KAYOBE_CONFIG_PATH:+x} ]; then
+    1>&2 echo 'Please source kayobe-env'
+    exit -1
+fi
+
+if [ -z ${KAYOBE_VAULT_PASSWORD:+x} ]; then
+    1>&2 echo 'Please set Kayobe vault password'
+    exit -1
+fi
+
+if [ ! -d $KOLLA_CONFIG_PATH/octavia-certificates ]; then
+    1>&2 echo 'Certificates missing'
+    exit -1
+fi
+
+pushd $KOLLA_CONFIG_PATH
+ls octavia-certificates
+tar -c -f - octavia-certificates | ansible-vault encrypt --vault-password-file $KAYOBE_CONFIG_PATH/../../tools/vault-helper > $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/octavia-certificates-backup.tar 2>/dev/null
+popd
diff --git a/tools/restore-octavia-certificates.sh b/tools/restore-octavia-certificates.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -eu
+
+if [ -z ${KAYOBE_CONFIG_PATH:+x} ]; then
+    1>&2 echo 'Please source kayobe-env'
+    exit -1
+fi
+
+if [ -z ${KAYOBE_VAULT_PASSWORD:+x} ]; then
+    1>&2 echo 'Please set Kayobe vault password'
+    exit -1
+fi
+
+if [ -d $KOLLA_CONFIG_PATH/octavia-certificates ]; then
+    1>&2 echo 'Certificates exists. Please remove if you wish to restore.'
+    exit -1
+fi
+
+cat $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/octavia-certificates-backup.tar | ansible-vault decrypt --vault-password-file $KAYOBE_CONFIG_PATH/../../tools/vault-helper 2>/dev/null | tar -xvf - -C $KOLLA_CONFIG_PATH
