[AWXMeshIngress] Extend expiration date for the cert for mesh ingress #1722
Comments
F.Y.I., this can be implemented by just adding one line with simple ...

```yaml
spec:
  containers:
    - args:
        - /bin/sh
        - -c
        - |
          internal_hostname=inbound-hop01
          external_hostname=inbound-hop01.ansible.internal
          receptor --cert-makereq bits=2048 \
            commonname=$internal_hostname \
            dnsname=$internal_hostname \
            nodeid=$internal_hostname \
            dnsname=$external_hostname \
            outreq=/etc/receptor/tls/receptor.req \
            outkey=/etc/receptor/tls/receptor.key
          receptor --cert-signreq \
            req=/etc/receptor/tls/receptor.req \
            cacert=/etc/receptor/tls/ca/mesh-CA.crt \
            cakey=/etc/receptor/tls/ca/mesh-CA.key \
            outcert=/etc/receptor/tls/receptor.crt \
            notafter=$(date --iso-8601=seconds --utc --date "10 years") \ ✅
            verify=yes
          exec receptor --config /etc/receptor/receptor.conf
```

... Result:

```text
bash-5.1$ openssl x509 -text -in /etc/receptor/tls/receptor.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1708352354 (0x65d36362)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = awx Receptor Root CA
        Validity
            Not Before: Feb 19 14:19:14 2024 GMT
            Not After : Feb 19 14:19:14 2034 GMT ✅
        Subject: CN = inbound-hop01
...
```
we can also consider bumping expiration for control node certs as well as remote hop/execution nodes via install bundle generation
Ah thanks, I didn't realize that the certs for the control plane have the same limitation. Indeed, the certs for the control plane are valid for only one year.

```text
$ kubectl -n awx exec deployment/awx-task -c awx-ee -- openssl x509 -text -in /etc/receptor/tls/receptor.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1708267806 (0x65d2191e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = awx Receptor Root CA
        Validity
            Not Before: Feb 18 14:50:06 2024 GMT
            Not After : Feb 18 14:50:06 2025 GMT ✅
...
```

No

```yaml
$ kubectl -n awx get deployment/awx-task -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  ...
  name: awx-task
  ...
spec:
  ...
  template:
    ...
    spec:
      ...
      initContainers:
        - command:
            - /bin/sh
            - -c
            - |
              hostname=$MY_POD_NAME
              receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
              receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes ✅
          ...
          name: init
...
```
wait did I make this same bug a second time... I remember the first PR I personally saw from you was you fixing my bug in the instance install bundle
@kurokobo I think we can bump the default expiry date to 10 years for all of the receptor certs (mesh ingress nodes, and the control plane ee one)
Feature Summary
In the current implementation, the certificate used by mesh ingress appears to be valid for one year.

This certificate is regenerated each time the mesh ingress pod is restarted, so it will not expire unless the same pod has been running continuously for over a year, but it would be safer if it could be longer. To extend the expiration date, we can use `--cert-signreq` with specifying `notafter`.

@TheRealHaoLiu @rooftopcellist @fosterseth
I would like to hear your opinion. I'm sure we'll have little trouble with it as it is, but I wasn't sure if it was the intended design, so I'm creating this issue just in case.
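An added check, not part of this issue or of awx-operator: it parses the `openssl x509 -text` output quoted in this thread and reports a receptor cert's lifetime, days left and whether it is due for rotation, so a one-year default cert and a ten-year `notafter` cert can be told apart in a periodic monitoring job. The sample cert texts are constructed from the dates in the thread; the awx-task subject name is made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples in the `openssl x509 -text -noout` layout quoted in this
# issue: a control-plane cert with the default one-year validity and a mesh
# ingress cert signed with notafter=$(date --iso-8601=seconds --utc --date "10 years").
# The awx-task subject name is made up.
ONE_YEAR_CERT = """\
    Data:
        Validity
            Not Before: Feb 18 14:50:06 2024 GMT
            Not After : Feb 18 14:50:06 2025 GMT
        Subject: CN = awx-task-example
"""
TEN_YEAR_CERT = """\
    Data:
        Validity
            Not Before: Feb 19 14:19:14 2024 GMT
            Not After : Feb 19 14:19:14 2034 GMT
        Subject: CN = inbound-hop01
"""

_VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*GMT")
_SUBJECT_RE = re.compile(r"Subject:\s*CN\s*=\s*(\S+)")

def parse_validity(x509_text):
    """Return (not_before, not_after) as aware UTC datetimes from openssl -text output."""
    found = {}
    for which, stamp in _VALIDITY_RE.findall(x509_text):
        stamp = re.sub(r"\s+", " ", stamp)  # openssl pads single-digit days: "Feb  1"
        found[which] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no Validity block in certificate text")
    return found["Before"], found["After"]

def check_receptor_cert(x509_text, now_iso, warn_days=30):
    """Lifetime and time-to-expiry of one cert; now_iso is what `date --iso-8601=seconds --utc` prints."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    not_before, not_after = parse_validity(x509_text)
    remaining = not_after - now
    subject = _SUBJECT_RE.search(x509_text)
    return {
        "subject": subject.group(1) if subject else None,
        "lifetime_days": (not_after - not_before).days,
        "days_left": remaining.days,
        "expired": remaining <= timedelta(0),
        "rotate_soon": remaining <= timedelta(days=warn_days),
    }
```

In a cluster the text would come from the `kubectl exec ... openssl x509 -text` command shown above, run against each receptor pod.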