From 125696f69667319a4e7039d247393f36a9cadbfd Mon Sep 17 00:00:00 2001
From: kurokobo <2920259+kurokobo@users.noreply.github.com>
Date: Mon, 4 Mar 2024 01:51:46 +0900
Subject: [PATCH] fix: extend expiration date for the certs for receptor nodes to 10 years

---
 .../installer/templates/deployments/task.yaml.j2 | 16 ++++++++++++++--
 roles/mesh_ingress/templates/deployment.yml.j2 | 4 +++-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/roles/installer/templates/deployments/task.yaml.j2 b/roles/installer/templates/deployments/task.yaml.j2
index cb57fbd13..b323608db 100644
--- a/roles/installer/templates/deployments/task.yaml.j2
+++ b/roles/installer/templates/deployments/task.yaml.j2
@@ -83,8 +83,20 @@ spec:
  - -c
  - |
  hostname=$MY_POD_NAME
- receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
- receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes
+ receptor --cert-makereq \
+ bits=2048 \
+ commonname=$hostname \
+ dnsname=$hostname \
+ nodeid=$hostname \
+ outreq=/etc/receptor/tls/receptor.req \
+ outkey=/etc/receptor/tls/receptor.key
+ receptor --cert-signreq \
+ req=/etc/receptor/tls/receptor.req \
+ cacert=/etc/receptor/tls/ca/mesh-CA.crt \
+ cakey=/etc/receptor/tls/ca/mesh-CA.key \
+ outcert=/etc/receptor/tls/receptor.crt \
+ notafter=$(date --iso-8601=seconds --utc --date "10 years") \
+ verify=yes
 {% if bundle_ca_crt %}
  mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
  update-ca-trust
diff --git a/roles/mesh_ingress/templates/deployment.yml.j2 b/roles/mesh_ingress/templates/deployment.yml.j2
index 90bbe6463..b182e7924 100644
--- a/roles/mesh_ingress/templates/deployment.yml.j2
+++ b/roles/mesh_ingress/templates/deployment.yml.j2
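Review bot: The added `notafter=$(date --iso-8601=seconds --utc --date "10 years") \` line in the `--cert-signreq` call pins NotAfter ten years past container start, but nothing in the hunk bounds it by the validity of the signing CA at `/etc/receptor/tls/ca/mesh-CA.crt`, so node certs may nominally outlive their issuer and fail chain validation at the CA's expiry rather than their own; whether `receptor --cert-signreq` clamps NotAfter to the issuer's validity should be confirmed. The same line is added in the `@@ -41,6 +42,7 @@` hunk of roles/mesh_ingress/templates/deployment.yml.j2. `--iso-8601` and `--date` are GNU coreutils options, so this assumes GNU `date` in the image; if the substitution fails the argument degrades to an empty `notafter=` and the script continues unless the enclosing shell block, which starts outside the hunk, sets `-e`. Since the hunk shows the key and CSR being regenerated by the container command itself, the long NotAfter appears to matter only for long-running pods, and that rationale deserves a comment above the command such as `# NotAfter 10 years: the key/cert pair is regenerated on every container start, so this only bounds long-lived pods`.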
@@ -24,7 +24,8 @@ spec:
 {% if external_ipaddress is defined %}
  external_ipaddress={{ external_ipaddress }}
 {% endif %}
- receptor --cert-makereq bits=2048 \
+ receptor --cert-makereq \
+ bits=2048 \
  commonname=$internal_hostname \
  dnsname=$internal_hostname \
  nodeid=$internal_hostname \
@@ -41,6 +42,7 @@ spec:
  cacert=/etc/receptor/tls/ca/mesh-CA.crt \
  cakey=/etc/receptor/tls/ca/mesh-CA.key \
  outcert=/etc/receptor/tls/receptor.crt \
+ notafter=$(date --iso-8601=seconds --utc --date "10 years") \
  verify=yes
  exec receptor --config /etc/receptor/receptor.conf
  image: '{{ _control_plane_ee_image }}'