fix: extend expiration date for the certs for receptor nodes to 10 years #1744

Merged
merged 1 commit into from
Mar 6, 2024


kurokobo
Contributor

@kurokobo kurokobo commented Mar 3, 2024

SUMMARY

Closes #1722

Changes:

  • Add notafter for receptor --cert-makereq command for control plane ee and mesh ingress
  • Format long receptor command with line breaks

ISSUE TYPE

  • Bug, Docs Fix or other nominal change

ADDITIONAL INFORMATION

Tested by deploying a custom Operator that includes this PR:

$ IMG=registry.example.com/ansible/awx-operator:certs make docker-build docker-push deploy

Deploy AWX and Mesh Ingress:

$ cat minimal-awx.yaml 
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  namespace: awx
  name: awx-demo
spec:
  service_type: nodeport

$ kubectl apply -f minimal-awx.yaml 

$ cat minimal-meshingress.yaml 
---
apiVersion: awx.ansible.com/v1alpha1
kind: AWXMeshIngress
metadata:
  namespace: awx
  name: inbound-hop01
spec:
  deployment_name: awx-demo

  ingress_type: IngressRouteTCP
  ingress_controller: traefik
  ingress_class_name: traefik
  ingress_api_version: traefik.io/v1alpha1

  external_hostname: inbound-hop01.ansible.internal

$ kubectl apply -f minimal-meshingress.yaml 

Ensure expiration date is extended for control plane ee and mesh ingress.

$ kubectl -n awx exec deployment/awx-demo-task -c awx-demo-ee -- openssl x509 -text -in /etc/receptor/tls/receptor.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1709483251 (0x65e4a4f3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = awx-demo Receptor Root CA
        Validity
            Not Before: Mar  3 16:27:31 2024 GMT
            Not After : Mar  3 16:27:31 2034 GMT   ✅
...

$ kubectl -n awx exec -it deployment/inbound-hop01 -- openssl x509 -text -in /etc/receptor/tls/receptor.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1709484394 (0x65e4a96a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = awx-demo Receptor Root CA
        Validity
            Not Before: Mar  3 16:46:34 2024 GMT
            Not After : Mar  3 16:46:34 2034 GMT   ✅
...
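
An added example, not part of the PR or the AWX Operator code: a Python check that parses the Validity block of `openssl x509 -text` output like the one shown in the verification steps above and reports the certificate lifetime, the days remaining and a status. The function names, the thresholds and the sample text are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample mirroring the Validity block in the verification output above.
SAMPLE = """\
Certificate:
    Data:
        Issuer: CN = awx-demo Receptor Root CA
        Validity
            Not Before: Mar  3 16:27:31 2024 GMT
            Not After : Mar  3 16:27:31 2034 GMT
"""

# Matches only the timestamp, so trailing annotations on the line are ignored.
_FIELD = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for name, stamp in _FIELD.findall(text):
        stamp = " ".join(stamp.split())  # openssl pads single-digit days
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[name] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block missing or incomplete")
    return found["Before"], found["After"]


# Default thresholds are assumptions: roughly 10 years expected, warn at 30 days.
def audit(text, now, min_lifetime_days=3650, warn_days=30):
    """Report lifetime, days remaining and a status for one certificate."""
    not_before, not_after = parse_validity(text)
    lifetime = (not_after - not_before).days
    remaining = (not_after - now).days
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"
    elif remaining <= warn_days:
        status = "expiring-soon"
    elif lifetime < min_lifetime_days:
        status = "short-lived"  # shorter than the expected issuance lifetime
    else:
        status = "ok"
    return {"lifetime_days": lifetime, "days_remaining": remaining, "status": status}


if __name__ == "__main__":
    print(audit(SAMPLE, datetime.now(timezone.utc)))
```

Feeding it the output of the `kubectl ... openssl x509 -text` commands above for each receptor node gives a quick way to spot nodes whose certificates predate the extended expiration or are close to expiry.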

@fosterseth
Member

@kurokobo thanks for this change and showing the change in the resulting x509 cert

@fosterseth fosterseth enabled auto-merge (squash) March 6, 2024 19:48
@fosterseth fosterseth merged commit 03cfe14 into ansible:devel Mar 6, 2024
6 checks passed
@kurokobo kurokobo deleted the extend_certs branch March 6, 2024 21:04
Successfully merging this pull request may close these issues.

[AWXMeshIngress] Extend expiration date for the cert for mesh ingress