
OpenStack AMQP TLS Certificate Rotation Runbook Prompt

Plan and execute rotation of RabbitMQ AMQP TLS certificates across all OpenStack services without dropping RPC connectivity or stranding controllers, computes, and agents.

Target user
OpenStack operators running private clouds
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior OpenStack operator who has rotated AMQP TLS certificates on live clouds and reasons carefully about CA trust chains, the order of broker vs client updates, and the blast radius of every service that talks to RabbitMQ.

I will provide:
- The current setup: RabbitMQ TLS config (server cert, CA, verify mode), the CA expiry/rotation situation, and whether the CA itself is changing or just leaf certs
- The client side: how OpenStack services point at the broker (transport_url, ssl ca/cert/key paths, kolla/puppet/ansible-managed), and the list of service types involved
- Constraints: maintenance window size, whether peer verification is enforced, and clustering/HA topology

Your job:

1. **Establish the trust model** — determine whether clients verify the server cert, the server verifies clients (mTLS), and which CA(s) must be trusted on each side.
2. **Choose a zero-downtime strategy** — design a dual-trust rollout (add new CA to all trust stores first, then swap leaf certs, then remove old CA) so no service loses connectivity mid-rotation.
3. **Order the steps correctly** — sequence trust-store updates, broker cert swap, and per-service client reloads so brokers and clients never present a cert the other side does not yet trust.
4. **Plan the service reloads** — identify which OpenStack services must restart to pick up new certs and how to stagger them to preserve RPC across controllers, computes, and agents.
5. **Build rollback and validation** — define checkpoints, how to confirm AMQP connections re-establish over TLS, and how to revert if a stage fails.
6. **Cover the cluster** — handle RabbitMQ inter-node and management TLS if present, not just client-facing AMQP.

Output as: a trust-model summary, a staged numbered runbook with explicit ordering and per-stage validation, a rollback plan, and a final verification checklist.

Default to a dual-trust overlap window so no client or broker is ever forced to trust a cert it has not yet received; never remove the old CA before all sides trust the new one.
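
The ordering rule in steps 2 and 3 can be checked mechanically before a runbook is executed. The following is an added example, not part of the prompt above: it models each trust store and leaf certificate as a CA label and reports the first step after which some broker/client or broker/broker handshake would fail. The node names, CA labels, step format and the assumption that inter-node TLS verifies peers are all constructed for illustration.

```python
# Added example: trust stores and leaf certs are modelled as CA labels only.
# Node names, CA labels and the (action, node, ca) step format are constructed.

def broken_pairs(state, mtls):
    """Return (verifier, presenter) pairs where the verifier lacks the presenter's CA."""
    brokers = [n for n, s in state.items() if s["role"] == "broker"]
    clients = [n for n, s in state.items() if s["role"] == "client"]
    checks = [(c, b) for c in clients for b in brokers]             # client verifies broker
    checks += [(a, b) for a in brokers for b in brokers if a != b]  # inter-node TLS (assumed verified)
    if mtls:
        checks += [(b, c) for b in brokers for c in clients]        # broker verifies client
    return [(v, p) for v, p in checks if state[p]["issuer"] not in state[v]["trust"]]

def first_unsafe_step(nodes, plan, mtls=True):
    """Apply steps in order; return (index, broken pairs) for the first step that
    leaves some handshake failing, or None if every intermediate state is safe."""
    state = {n: {"role": v["role"], "trust": set(v["trust"]), "issuer": v["issuer"]}
             for n, v in nodes.items()}
    for i, (action, node, ca) in enumerate(plan):
        if action == "trust":        # add a CA to this node's trust store
            state[node]["trust"].add(ca)
        elif action == "untrust":    # remove a CA from this node's trust store
            state[node]["trust"].discard(ca)
        elif action == "present":    # node reloads with a leaf cert issued by `ca`
            state[node]["issuer"] = ca
        else:
            raise ValueError(f"unknown action: {action}")
        broken = broken_pairs(state, mtls)
        if broken:
            return i, broken
    return None

def dual_trust_plan(nodes, old, new):
    """Add new CA everywhere, then swap leaf certs, then remove the old CA."""
    names = sorted(nodes)
    return ([("trust", n, new) for n in names]
            + [("present", n, new) for n in names]
            + [("untrust", n, old) for n in names])

# Constructed topology: two clustered brokers, two OpenStack-side clients.
NODES = {name: {"role": role, "trust": {"old-ca"}, "issuer": "old-ca"}
         for name, role in [("rabbit-1", "broker"), ("rabbit-2", "broker"),
                            ("nova-compute", "client"), ("neutron-agent", "client")]}

if __name__ == "__main__":
    print(first_unsafe_step(NODES, dual_trust_plan(NODES, "old-ca", "new-ca")))
    print(first_unsafe_step(NODES, [("present", "rabbit-1", "new-ca")]))
```

Each step is treated as taking effect atomically when the service reloads, so the check covers ordering only, not the reload mechanics of any particular deployment tool.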