
Commit ca37c7d

Merge pull request #1438 from stackhpc/document-vault-cert-rotation
Document rotation of the overcloud vault cert
2 parents 11a5827 + 2052be9 commit ca37c7d

File tree

1 file changed: +57 -0 lines changed


doc/source/configuration/vault.rst

Lines changed: 57 additions & 0 deletions
@@ -105,6 +105,63 @@ Setup Vault HA on the overcloud hosts
ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud-vault-keys.json
Rotating Vault certificate on the overcloud hosts
-------------------------------------------------
The certificate for the overcloud vaults has an expiry time of one year. While
the cloud won't break if this expires, it will need rotating before new
certificates can be generated for internal PKI. If a vault becomes sealed, it
cannot be unsealed with an expired certificate.
1. Delete the old certificate:
.. code-block::
rm $KAYOBE_CONFIG_PATH/vault/overcloud.crt
Or if environments are being used
.. code-block::
rm $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud.crt
2. Generate a new certificate (and key):
.. code-block::
kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-seed.yml
3. Encrypt generated key with ansible-vault (use proper location of vault password file)
.. code-block::
ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/vault/overcloud.key
Or if environments are being used
.. code-block::
ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud.key
4. Copy the new certificate to the overcloud hosts. Note, if the old
certificate has expired this will fail on the unseal step.
.. code-block::
kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-overcloud.yml
5. Restart the containers to use the new certificate:
.. code-block::
kayobe overcloud host command run --command "docker restart vault" -l controllers
6. If sealed, unseal the vault:
.. code-block::
kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-unseal-overcloud.yml
Certificates generation
=======================
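Review bot: step 4 warns that `vault-deploy-overcloud.yml` "will fail on the unseal step" when the old certificate has already expired, but the procedure never says how to recover from that failure, and since the introduction states that a sealed vault "cannot be unsealed with an expired certificate", the expired case is exactly the one an operator following this page will be in. Suggest spelling the recovery path out after step 4, for example: "If the playbook fails at the unseal task, continue with steps 5 and 6 (restart the vault containers so they load the new certificate, then run vault-unseal-overcloud.yml) and re-run vault-deploy-overcloud.yml so its remaining tasks complete." Two smaller points on the same hunk: step 2 says it generates "a new certificate (and key)", so step 1 should tell the reader that `overcloud.key` is replaced as well as `overcloud.crt` and recommend backing up the old pair before the `rm`; and the opening sentence "the cloud won't break if this expires" is vaguer than the two concrete consequences the same paragraph then lists (no new internal PKI certificates can be issued, and a sealed vault cannot be unsealed), so it would read better stated as those consequences. The bare `.. code-block::` directives would also benefit from a language argument such as `console` so the commands render highlighted.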
