From c05020adeb2487897e374099372865de7b9cbdf5 Mon Sep 17 00:00:00 2001 From: Stig Telfer Date: Wed, 7 Sep 2022 17:44:33 +0100 Subject: [PATCH 1/3] Add useful details on ordering for cert rotation --- source/operations_and_monitoring.rst | 29 +++++++++++++++++++++++----- source/vars.rst | 1 + 2 files changed, 25 insertions(+), 5 deletions(-) diff --git a/source/operations_and_monitoring.rst b/source/operations_and_monitoring.rst index 596d8c3..eaa077e 100644 --- a/source/operations_and_monitoring.rst +++ b/source/operations_and_monitoring.rst @@ -113,8 +113,8 @@ On each controller: Some services may store data in a dedicated Docker volume, which can be removed with ``docker volume rm``. -Installing and Updating TLS Certificates ----------------------------------------- +Installing TLS Certificates +--------------------------- |tls_setup| @@ -127,7 +127,12 @@ file as ``secrets_kolla_external_tls_cert``. Use a command of this form: kayobe# ansible-vault edit ${KAYOBE_CONFIG_PATH}/secrets.yml --vault-password-file=|vault_password_file_path| Concatenate the contents of the certificate and key files to create -``secrets_kolla_external_tls_cert``. +``secrets_kolla_external_tls_cert``. The certificates should be installed in +this order: + +* TLS certificate for the |project_name| OpenStack endpoint |public_endpoint_fqdn| +* Any intermediate certificates +* The TLS certificate private key In ``${KAYOBE_CONFIG_PATH}/kolla.yml``, set the following: 
@@ -143,9 +148,23 @@ be updated in Keystone: kayobe# kayobe overcloud service reconfigure +Updating TLS Certificates +------------------------- + +Check the expiry date on an installed TLS certificate from a host that can +reach the |project_name| OpenStack APIs: + +.. code-block:: console + :substitutions: + + openstack# openssl s_client -connect |public_endpoint_fqdn|:443 2> /dev/null | openssl x509 -noout -dates + +*NOTE*: Blackbox monitoring can check certificates automatically +and alert when expiry is approaching. + To update an existing certificate, for example when it has reached expiration, -change the value of ``secrets_kolla_external_tls_cert`` and run the following -command: +change the value of ``secrets_kolla_external_tls_cert``, in the same order as +above. Run the following command: .. code-block:: console diff --git a/source/vars.rst b/source/vars.rst index b95f4ce..cb5aa96 100644 --- a/source/vars.rst +++ b/source/vars.rst @@ -35,6 +35,7 @@ .. |project_name| replace:: Acme .. |provisioning_net_cidr| replace:: 192.168.0.0/24 .. |public_api_access_host| replace:: |control_host| +.. |public_endpoint_fqdn| replace:: openstack.acme.example .. |public_network| replace:: public .. |public_subnet| replace:: 10.0.0.0/8 .. |public_vip| replace:: 10.0.0.1 From bfeac9a87e943d773fc6dbfd6c0c644c1730f181 Mon Sep 17 00:00:00 2001 From: Stig Telfer Date: Wed, 14 Sep 2022 15:14:37 +0100 Subject: [PATCH 2/3] Feedback from Mark --- source/operations_and_monitoring.rst | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/source/operations_and_monitoring.rst b/source/operations_and_monitoring.rst index eaa077e..cf43c73 100644 --- a/source/operations_and_monitoring.rst +++ b/source/operations_and_monitoring.rst 
@@ -118,8 +118,9 @@ Installing TLS Certificates |tls_setup| -To configure TLS for the first time, we write a PEM file to the ``secrets.yml`` -file as ``secrets_kolla_external_tls_cert``. Use a command of this form: +To configure TLS for the first time, we write the contents of a PEM +file to the ``secrets.yml`` file as ``secrets_kolla_external_tls_cert``. +Use a command of this form: .. code-block:: console :substitutions: @@ -141,13 +142,26 @@ In ``${KAYOBE_CONFIG_PATH}/kolla.yml``, set the following: kolla_enable_tls_external: True kolla_external_tls_cert: "{{ secrets_kolla_external_tls_cert }}" -To configure TLS, we need to reconfigure all services, as endpoint URLs need to +To apply TLS configuration, we need to reconfigure all services, as endpoint URLs need to be updated in Keystone: .. code-block:: console kayobe# kayobe overcloud service reconfigure +Alternative Configuration ++++++++++++++++++++++++++ + +As an alternative to writing the certificates as a variable to +``secrets.yml``, it is also possible to write the same data to a file, +``etc/kayobe/kolla/certificates/haproxy.pem``. The file should be +vault-encrypted in the same manner as secrets.yml. In this instance, +variable ``kolla_enable_tls_cert`` does not need to be defined. + +See `Kolla-Ansible TLS guide +`__ for +further details. + Updating TLS Certificates ------------------------- @@ -159,7 +173,7 @@ reach the |project_name| OpenStack APIs: openstack# openssl s_client -connect |public_endpoint_fqdn|:443 2> /dev/null | openssl x509 -noout -dates -*NOTE*: Blackbox monitoring can check certificates automatically +*NOTE*: Prometheus Blackbox monitoring can check certificates automatically and alert when expiry is approaching. To update an existing certificate, for example when it has reached expiration, From b2c6ed6b91ff1d0afdfd3b4afc5a8c3bfe7a0c78 Mon Sep 17 00:00:00 2001 
From: Stig Telfer Date: Tue, 20 Sep 2022 09:48:59 +0100 Subject: [PATCH 3/3] Feedback from Mark --- source/operations_and_monitoring.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/operations_and_monitoring.rst b/source/operations_and_monitoring.rst index cf43c73..f265d36 100644 --- a/source/operations_and_monitoring.rst +++ b/source/operations_and_monitoring.rst @@ -156,7 +156,7 @@ As an alternative to writing the certificates as a variable to ``secrets.yml``, it is also possible to write the same data to a file, ``etc/kayobe/kolla/certificates/haproxy.pem``. The file should be vault-encrypted in the same manner as secrets.yml. In this instance, -variable ``kolla_enable_tls_cert`` does not need to be defined. +variable ``kolla_external_tls_cert`` does not need to be defined. See `Kolla-Ansible TLS guide `__ for
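Review bot: the ordering list in the first hunk of patch 1 (`+* TLS certificate for the |project_name| OpenStack endpoint |public_endpoint_fqdn|`, `+* Any intermediate certificates`, `+* The TLS certificate private key`) gives the right order but not the reason, so readers may treat it as a preference rather than a requirement. HAProxy takes the first certificate in the PEM as the server certificate and sends the remaining certificates as the chain, so a root or intermediate placed first is served as the endpoint certificate and every client fails validation. State that the order is mandatory and add a pre-flight check before ``kayobe overcloud service reconfigure``: ``openssl x509 -in haproxy.pem -noout -subject -dates`` should print the endpoint's own subject, and the output of ``openssl x509 -in haproxy.pem -noout -pubkey`` should be identical to that of ``openssl pkey -in haproxy.pem -pubout``, which confirms the appended private key belongs to the leaf rather than to an old certificate.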
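Review bot: the expiry check added in the "Updating TLS Certificates" hunk of patch 1, `openstack# openssl s_client -connect |public_endpoint_fqdn|:443 2> /dev/null | openssl x509 -noout -dates`, appears to hang when typed as shown, because ``s_client`` keeps reading stdin after the handshake and the ``x509`` stage only prints once the user sends EOF. Redirect stdin from ``/dev/null`` and pass ``-servername`` so the check exercises SNI the way real clients do: ``openssl s_client -connect |public_endpoint_fqdn|:443 -servername |public_endpoint_fqdn| </dev/null 2>/dev/null | openssl x509 -noout -dates``. For the Blackbox note that follows, it is worth adding that the same pipeline can be scripted with ``openssl x509 -noout -checkend 2592000``, which exits non-zero when the certificate expires within 30 days, for sites without Prometheus.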
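Review bot: the "Alternative Configuration" hunk in patch 2 has three problems. First, ``kolla_enable_tls_cert`` is not the variable set in the section above; the reference should be ``kolla_external_tls_cert`` (patch 3 corrects this, so squash it into this commit). Second, the anonymous hyperlink `See `Kolla-Ansible TLS guide `__ for` has no target URL in the hunk as shown, which docutils reports as an error and renders as dead text; add the link target. Third, ``secrets.yml`` is written as plain ``secrets.yml`` here but with double backticks everywhere else in the section; make the formatting consistent. It would also help to state explicitly that ``kolla_enable_tls_external: True`` is still required in this variant, since the paragraph only says which variable may be omitted.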
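Review bot: patch 3 only corrects a variable name introduced by patch 2 (`-variable ``kolla_enable_tls_cert`` does not need to be defined.` to `+variable ``kolla_external_tls_cert`` does not need to be defined.`), so it should be squashed into patch 2 rather than landing as a separate commit; a fixup commit with the subject "Feedback from Mark" leaves ``git blame`` and ``git log`` readers with no indication that the intermediate version documents a non-existent variable.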