
fix: extend expiration date for the certs for receptor nodes to 10 years #1744

Merged
fosterseth merged 1 commit into ansible:devel from kurokobo:extend_certs
Mar 6, 2024

@kurokobo kurokobo commented Mar 3, 2024

SUMMARY

Closes #1722

Changes:

  • Add notafter for receptor --cert-makereq command for control plane ee and mesh ingress
  • Format long receptor command with line breaks

ISSUE TYPE

  • Bug, Docs Fix or other nominal change

ADDITIONAL INFORMATION

Tested by deploying a custom Operator that includes this PR:

$ IMG=registry.example.com/ansible/awx-operator:certs make docker-build docker-push deploy

Deploy AWX and Mesh Ingress:

$ cat minimal-awx.yaml 
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  namespace: awx
  name: awx-demo
spec:
  service_type: nodeport

$ kubectl apply -f minimal-awx.yaml 

$ cat minimal-meshingress.yaml 
---
apiVersion: awx.ansible.com/v1alpha1
kind: AWXMeshIngress
metadata:
  namespace: awx
  name: inbound-hop01
spec:
  deployment_name: awx-demo

  ingress_type: IngressRouteTCP
  ingress_controller: traefik
  ingress_class_name: traefik
  ingress_api_version: traefik.io/v1alpha1

  external_hostname: inbound-hop01.ansible.internal

$ kubectl apply -f minimal-meshingress.yaml 

Ensure the expiration date is extended for the control plane ee and mesh ingress.

$ kubectl -n awx exec deployment/awx-demo-task -c awx-demo-ee -- openssl x509 -text -in /etc/receptor/tls/receptor.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1709483251 (0x65e4a4f3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = awx-demo Receptor Root CA
        Validity
            Not Before: Mar  3 16:27:31 2024 GMT
            Not After : Mar  3 16:27:31 2034 GMT   ✅
...

$ kubectl -n awx exec -it deployment/inbound-hop01 -- openssl x509 -text -in /etc/receptor/tls/receptor.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1709484394 (0x65e4a96a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = awx-demo Receptor Root CA
        Validity
            Not Before: Mar  3 16:46:34 2024 GMT
            Not After : Mar  3 16:46:34 2034 GMT   ✅
...

@fosterseth

@kurokobo thanks for this change and showing the change in the resulting x509 cert

@fosterseth fosterseth enabled auto-merge (squash) March 6, 2024 19:48
@fosterseth fosterseth merged commit 03cfe14 into ansible:devel Mar 6, 2024
@kurokobo kurokobo deleted the extend_certs branch March 6, 2024 21:04
Development

Successfully merging this pull request may close these issues.

[AWXMeshIngress] Extend expiration date for the cert for mesh ingress