Bug 1812056 - Short CA and client validity period on Director generated Octavia certificates
Summary: Short CA and client validity period on Director generated Octavia certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: tripleo-ansible
Version: 16.0 (Train)
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: z2
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Gregory Thiemonge
QA Contact: Omer Schwartz
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-10 13:02 UTC by Carlos Goncalves
Modified: 2020-10-28 15:37 UTC (History)

Fixed In Version: tripleo-ansible-0.5.1-1.20200821174333.12e90d8.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-28 15:36:49 UTC
Target Upstream Version:
Embargoed:




Links
System                   ID             Private  Priority  Status  Summary                                                   Last Updated
Launchpad                1869203        0        None      None    None                                                      2020-04-27 14:24:36 UTC
OpenStack gerrit         715209         0        None      MERGED  Increase validity period of Octavia CA and certificates   2021-02-04 13:25:42 UTC
OpenStack gerrit         723545         0        None      NEW     Update Octavia certificates in running amphorae           2021-02-04 13:25:42 UTC
OpenStack gerrit         745531         0        None      MERGED  Increase validity period of Octavia CA and certificates   2021-02-04 13:25:42 UTC
Red Hat Product Errata   RHEA-2020:4284 0        None      None    None                                                      2020-10-28 15:37:17 UTC

Description Carlos Goncalves 2020-03-10 13:02:43 UTC
By default, Director automatically creates the required private certificate authorities and issues the necessary certificates. However, the validity period of the generated certificates is limited to 365 days. Deployments with short-validity certificates are expected to start experiencing Octavia control plane problems on create, update and delete actions once past the 365 days.

Comment 7 Gregory Thiemonge 2020-10-05 06:30:34 UTC
Verification steps:

1. Deploy OSP16.1 GA or z1 (before this fix)

Connect to a controller node and verify CA and certificate validity periods (expected duration is 1 year):

[root@controller-1 heat-admin]# openssl x509 -noout -text -in /var/lib/config-data/puppet-generated/octavia/etc/octavia/certs/ca_01.pem  | grep Not
            Not Before: Oct  1 20:23:33 2020 GMT
            Not After : Oct  1 20:23:33 2021 GMT
[root@controller-1 heat-admin]# openssl x509 -noout -text -in /var/lib/config-data/puppet-generated/octavia/etc/octavia/certs/client.pem | grep Not
            Not Before: Oct  1 20:23:34 2020 GMT
            Not After : Oct  1 20:23:34 2021 GMT

From the undercloud, create a simple loadbalancer (a listener is not needed).

2. Update to OSP16.1z2 (or a puddle with the fix)

CA and Certification validity periods should have changed to respectively 50 and 10 years (check with openssl command)

An existing load balancer/amphora should be able to receive requests without requiring a failover:
- add a listener to the load balancer
- it should not go into ERROR or perform a failover

Comment 9 Omer Schwartz 2020-10-15 08:53:24 UTC
After a verification process that involved these steps, I:

1. Deployed OSP16.1 with the RHOS-16.1-RHEL-8-20200903.n.0 puddle (before this fix).

   Connected to a controller node and verified CA and certificate validity periods are for 1 year.

   Created a simple loadbalancer.


2. Updated to OSP16.1 passed_phase2 (currently - 20201007, which is a puddle with the fix).


(overcloud) [stack@undercloud-0 ~]$ cat /var/lib/rhos-release/latest-installed
16.1  -p RHOS-16.1-RHEL-8-20201007.n.0


CA and Certification validity periods have changed to respectively 50 and 10 years:

[root@controller-0 ~]# openssl x509 -noout -text -in /var/lib/config-data/puppet-generated/octavia/etc/octavia/certs/ca_01.pem  | grep Not
            Not Before: Oct 15 08:26:37 2020 GMT
            Not After : Oct  3 08:26:37 2070 GMT
[root@controller-0 ~]# openssl x509 -noout -text -in /var/lib/config-data/puppet-generated/octavia/etc/octavia/certs/client.pem | grep Not
            Not Before: Oct 15 08:26:39 2020 GMT
            Not After : Oct 13 08:26:39 2030 GMT


An existing load balancer/amphora is able to receive requests without requiring a failover:
A listener was added to the load balancer, and as expected, the LB did not go into ERROR or perform a failover:

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener create BZ1812056_lb --protocol HTTP --protocol-port 80
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2020-10-15T08:48:01                  |
| default_pool_id             | None                                 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | c9ec943b-a582-43d5-abdf-10042c96bc45 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | 19613796-c499-4028-b930-699e95807186 |
| name                        |                                      |
| operating_status            | OFFLINE                              |
| project_id                  | 0ba81c7c5abc42d6ab465c10d7bca344     |
| protocol                    | HTTP                                 |
| protocol_port               | 80                                   |
| provisioning_status         | PENDING_CREATE                       |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | None                                 |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | None                                 |
+-----------------------------+--------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer list
+--------------------------------------+--------------+----------------------------------+--------------+---------------------+----------+
| id                                   | name         | project_id                       | vip_address  | provisioning_status | provider |
+--------------------------------------+--------------+----------------------------------+--------------+---------------------+----------+
| 19613796-c499-4028-b930-699e95807186 | BZ1812056_lb | 0ba81c7c5abc42d6ab465c10d7bca344 | 192.168.1.63 | ACTIVE              | amphora  |
+--------------------------------------+--------------+----------------------------------+--------------+---------------------+----------+
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener list
+--------------------------------------+-----------------+------+----------------------------------+----------+---------------+----------------+
| id                                   | default_pool_id | name | project_id                       | protocol | protocol_port | admin_state_up |
+--------------------------------------+-----------------+------+----------------------------------+----------+---------------+----------------+
| c9ec943b-a582-43d5-abdf-10042c96bc45 | None            |      | 0ba81c7c5abc42d6ab465c10d7bca344 | HTTP     |            80 | True           |
+--------------------------------------+-----------------+------+----------------------------------+----------+---------------+----------------+
(overcloud) [stack@undercloud-0 ~]$ 


Looks good to me, I am moving the BZ's status to VERIFIED.
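The validity check performed by hand in comments 7 and 9, as an added Python example (not part of this bug or of the tripleo-ansible fix): it parses the "Not Before"/"Not After" lines that the openssl commands above print, computes each file's total lifetime and days remaining, and flags a 365-day certificate as the old Director default. The sample openssl output and the "today" date are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed samples of `openssl x509 -noout -text -in <file> | grep Not` output,
# shaped like the verification comments: the pre-fix 1-year CA, then the post-fix
# 50-year CA and 10-year client certificate.
SAMPLES = {
    "ca_01.pem (before fix)": "            Not Before: Oct  1 20:23:33 2020 GMT\n"
                              "            Not After : Oct  1 20:23:33 2021 GMT\n",
    "ca_01.pem": "            Not Before: Oct 15 08:26:37 2020 GMT\n"
                 "            Not After : Oct  3 08:26:37 2070 GMT\n",
    "client.pem": "            Not Before: Oct 15 08:26:39 2020 GMT\n"
                  "            Not After : Oct 13 08:26:39 2030 GMT\n",
}

# Minimum total lifetime, in days, expected after the fix (50 years for the CA,
# 10 years for the client certificate). 365 days means the old default.
EXPECTED_MIN_DAYS = {"ca_01.pem": 50 * 365, "client.pem": 10 * 365}

_NOT_LINE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$")


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from openssl's 'Not ...' lines."""
    found = {}
    for line in text.splitlines():
        m = _NOT_LINE.search(line)
        if m:
            stamp = " ".join(m.group(2).split())  # openssl pads single-digit days with two spaces
            found[m.group(1)] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return found["Before"], found["After"]


def check_cert(text, now, expected_min_days, warn_days=30):
    """Compare a certificate's lifetime with the expected minimum and report days left."""
    not_before, not_after = parse_validity(text)
    validity_days = (not_after - not_before).days
    remaining_days = (not_after - now).days
    return {
        "validity_days": validity_days,
        "remaining_days": remaining_days,
        "lifetime_ok": validity_days >= expected_min_days,
        "expiring_soon": remaining_days < warn_days,
    }


def run_checks(now_iso="2021-09-15"):
    """Run check_cert over the constructed samples at a constructed 'today' (UTC)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    # The expected minimum is looked up by file name, ignoring the "(before fix)" tag.
    return {name: check_cert(text, now, EXPECTED_MIN_DAYS[name.split(" ")[0]])
            for name, text in SAMPLES.items()}
```

With the constructed date of 2021-09-15, the pre-fix CA reports 365 days of lifetime and about two weeks left, which is the situation the bug describes; the post-fix files report 18250 and 3650 days.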

Comment 13 errata-xmlrpc 2020-10-28 15:36:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4284

