fix: extend expiration date for the certs for receptor nodes to 10 years

ansible · Mar 3, 2024 · 125696f · 125696f
1 parent d0827ba
commit 125696f
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/roles/installer/templates/deployments/task.yaml.j2 b/roles/installer/templates/deployments/task.yaml.j2
@@ -83,8 +83,20 @@ spec:
             - -c
             - |
               hostname=$MY_POD_NAME
-              receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
-              receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes
+              receptor --cert-makereq \
+                bits=2048 \
+                commonname=$hostname \
+                dnsname=$hostname \
+                nodeid=$hostname \
+                outreq=/etc/receptor/tls/receptor.req \
+                outkey=/etc/receptor/tls/receptor.key
+              receptor --cert-signreq \
+                req=/etc/receptor/tls/receptor.req \
+                cacert=/etc/receptor/tls/ca/mesh-CA.crt \
+                cakey=/etc/receptor/tls/ca/mesh-CA.key \
+                outcert=/etc/receptor/tls/receptor.crt \
+                notafter=$(date --iso-8601=seconds --utc --date "10 years") \
+                verify=yes
 {% if bundle_ca_crt  %}
               mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
               update-ca-trust

diff --git a/roles/mesh_ingress/templates/deployment.yml.j2 b/roles/mesh_ingress/templates/deployment.yml.j2
@@ -24,7 +24,8 @@ spec:
 {% if external_ipaddress is defined %}
           external_ipaddress={{ external_ipaddress }}
 {% endif %}
-          receptor --cert-makereq bits=2048 \
+          receptor --cert-makereq \
+            bits=2048 \
             commonname=$internal_hostname \
             dnsname=$internal_hostname \
             nodeid=$internal_hostname \
@@ -41,6 +42,7 @@ spec:
             cacert=/etc/receptor/tls/ca/mesh-CA.crt \
             cakey=/etc/receptor/tls/ca/mesh-CA.key \
             outcert=/etc/receptor/tls/receptor.crt \
+            notafter=$(date --iso-8601=seconds --utc --date "10 years") \
             verify=yes
           exec receptor --config /etc/receptor/receptor.conf
         image: '{{ _control_plane_ee_image }}'