Rotate OpenStack credentials

The credential rotation procedure is designed to minimize the impact on service availability and workload downtime. It depends on the credential type and is based on the following principles:

- Credentials for the OpenStack admin database and messaging are changed immediately, during one rotation cycle, without a transition period.
- Credentials for OpenStack admin identity are rotated with a transition period of one extra rotation cycle. This means that the credentials become invalid after two rotations. MOSK exposes the latest valid credentials to the openstack-external namespace. For details, refer to Access OpenStack through CLI from your local machine.
- Credentials for OpenStack service users, including those for messaging, identity, and database, undergo a transition period of one extra rotation cycle during rotation.

Note

If immediate inactivation of credentials is required, initiate the rotation procedure twice.
Impact on workloads availability

The restarts of the Networking service may cause workload downtime. The exact length of the downtime depends on the cloud density and scale.
Impact on APIs availability

Rotating both administrator and service credentials can potentially result in certain API operations failing.
Rotation prerequisites

1. Verify that the current state of the LCM action in OpenStackDeploymentStatus is APPLIED:

       kubectl -n openstack get osdplst -o yaml

   Example of an expected system response:

       kind: OpenStackDeploymentStatus
       metadata:
         name: osh-dev
         namespace: openstack
       spec: {}
       status:
         ...
         osdpl:
           cause: update
           changes: '((''add'', (''status'',), None, {''watched'': {''ceph'': {''secret'':
             {''hash'': ''0fc01c5e2593bc6569562b451b28e300517ec670809f72016ff29b8cbaf3e729''}}}}),)'
           controller_version: 0.5.3.dev12
           fingerprint: a112a4a7d00c0b5b79e69a2c78c3b50b0caca76a15fe7d79a6ad1305b19ee5ec
           openstack_version: ussuri
           state: APPLIED
           timestamp: "2021-09-08 17:01:45.633143"

2. Verify that there are no other LCM operations running on the OpenStack cluster.

3. Thoroughly plan the maintenance window, taking into account the following considerations:

   - All OpenStack control plane services, the components of the Networking service (OpenStack Neutron) responsible for the data plane, and the messaging services are restarted during service credentials rotation.
   - The OpenStack database and OpenStack messaging services are restarted during administrator credentials rotation, as well as some of the OpenStack control plane services, including the Instance High Availability service (OpenStack Masakari), Dashboard (OpenStack Horizon), and Identity service (OpenStack Keystone).

   For the approximate maintenance window duration, refer to Calculate a maintenance window duration for update.
Rotate the credentials

1. Log in to the osdpl container in the openstack-controller pod:

       kubectl -n osh-system exec -it <openstack-controller-pod> -c osdpl -- bash

2. Use the osctl utility to trigger credentials rotation:

       osctl credentials rotate --osdpl <osdpl-object-name> --type <credentials-type>

   Where the <credentials-type> value is either admin or service.

   Note

   Mirantis recommends rotating both admin and service credentials simultaneously to decrease the duration of the maintenance window and the number of service restarts. You can do this by passing the --type argument twice:

       osctl credentials rotate --osdpl <osdpl-object-name> --type service --type admin

3. Wait until the OpenStackDeploymentStatus object has the state APPLIED and all OpenStack components in the health group of the OpenStackDeploymentStatus custom resource are in the Ready state. Alternatively, you can launch the rotation command with the --wait flag.
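As an added example (not part of the MOSK documentation or the osctl tool), the wait condition of the last step expressed as a readiness check over the OpenStackDeploymentStatus object fetched as JSON, so that the end of the maintenance window can be decided from both conditions at once. The field layout status.osdpl.state and status.health.<service>.<component>.status is assumed, and the sample objects are constructed.

```python
import json
import subprocess
import time

# Assumed layout (not confirmed by the page): status.osdpl.state holds the
# LCM state and status.health.<service>.<component>.status holds "Ready".

def rotation_settled(osdplst):
    """Return (ok, problems). ok is True only when the LCM state is APPLIED
    and every component under the health group reports Ready."""
    status = osdplst.get("status", {})
    problems = []
    state = status.get("osdpl", {}).get("state")
    if state != "APPLIED":
        problems.append("osdpl state is %r, expected 'APPLIED'" % state)
    for service, components in status.get("health", {}).items():
        for component, info in components.items():
            comp_state = info.get("status") if isinstance(info, dict) else None
            if comp_state != "Ready":
                problems.append("%s/%s is %r" % (service, component, comp_state))
    return not problems, problems

def wait_for_rotation(osdpl_name, namespace="openstack", timeout=3600, interval=30):
    """Poll the osdplst object with kubectl until rotation_settled() passes
    or the timeout expires; raises TimeoutError listing what is still not ready."""
    deadline = time.monotonic() + timeout
    while True:
        raw = subprocess.check_output(
            ["kubectl", "-n", namespace, "get", "osdplst", osdpl_name, "-o", "json"])
        ok, problems = rotation_settled(json.loads(raw))
        if ok:
            return True
        if time.monotonic() >= deadline:
            raise TimeoutError("rotation not settled: " + "; ".join(problems))
        time.sleep(interval)

# Constructed samples (not real cluster output): one mid-rotation, one settled.
SAMPLE_MID_ROTATION = {
    "status": {
        "osdpl": {"state": "APPLYING"},
        "health": {"keystone": {"api": {"status": "Ready"}},
                   "neutron": {"ovs-agent": {"status": "Progressing"}}},
    }
}
SAMPLE_SETTLED = {
    "status": {
        "osdpl": {"state": "APPLIED"},
        "health": {"keystone": {"api": {"status": "Ready"}},
                   "neutron": {"ovs-agent": {"status": "Ready"}}},
    }
}
```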
Now, the latest admin password for your OpenStack environment is available in the openstack-identity-credentials secret in the openstack-external namespace.