[AWXMeshIngress] Extend expiration date for the cert for mesh ingress

[kurokobo]

Please confirm the following

• I agree to follow this project's code of conduct.
• I have checked the current issues for duplicates.
• I understand that AWX Operator is open source software provided for free and that I might not receive a timely response.

Feature Summary

In the current implementation, the certificate used by mesh ingress appears to be valid for one year.

$ kubectl -n awx exec -it deployment/inbound-hop01 -- openssl x509 -text -in /etc/receptor/tls/receptor.crt -noout
Certificate:
    Data:
        ...
        Issuer: CN = awx Receptor Root CA
        Validity
            Not Before: Feb 16 13:00:59 2024 GMT
            Not After : Feb 16 13:00:59 2025 GMT
        Subject: CN = inbound-hop01

This certificate is regenerated each time the mesh ingress pod is restarted, so it will not expire unless the same pod has been running continuously for over a year, but it would be safer if it could be longer. To extend the expiration date, we can use --cert-signreq with specifing notafter.

@TheRealHaoLiu @rooftopcellist @fosterseth
I would like to hear your opinion. I'm sure we'll have little trouble with it as it is, but I wasn't sure if it was the intended design, so I'm creating this issue just in case.

[kurokobo]

F.Y.I., this can be implemented by just adding one line with simple date command:

...
spec:
  containers:
  - args:
    - /bin/sh
    - -c
    - |
      internal_hostname=inbound-hop01
      external_hostname=inbound-hop01.ansible.internal
      receptor --cert-makereq bits=2048 \
        commonname=$internal_hostname \
        dnsname=$internal_hostname \
        nodeid=$internal_hostname \
        dnsname=$external_hostname \
        outreq=/etc/receptor/tls/receptor.req \
        outkey=/etc/receptor/tls/receptor.key
      receptor --cert-signreq \
        req=/etc/receptor/tls/receptor.req \
        cacert=/etc/receptor/tls/ca/mesh-CA.crt \
        cakey=/etc/receptor/tls/ca/mesh-CA.key \
        outcert=/etc/receptor/tls/receptor.crt \
        notafter=$(date --iso-8601=seconds --utc --date "10 years") \   ✅
        verify=yes
      exec receptor --config /etc/receptor/receptor.conf
    ...

Result:

bash-5.1$ openssl x509 -text -in /etc/receptor/tls/receptor.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1708352354 (0x65d36362)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = awx Receptor Root CA
        Validity
            Not Before: Feb 19 14:19:14 2024 GMT
            Not After : Feb 19 14:19:14 2034 GMT   ✅
        Subject: CN = inbound-hop01
        ...

[fosterseth]

we can also consider bumping expiration for control node certs as well as remote hop/execution nodes via install bundle generation

[kurokobo]

Ah thanks, I don't realize that the certs for control plane have the same limitation. Indeed the certs for control plane is valid for only one year.

$ kubectl -n awx exec deployment/awx-task -c awx-ee -- openssl x509 -text -in /etc/receptor/tls/receptor.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1708267806 (0x65d2191e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = awx Receptor Root CA
        Validity
            Not Before: Feb 18 14:50:06 2024 GMT
            Not After : Feb 18 14:50:06 2025 GMT   ✅
       ...

No notafter in receptor --cert-signreq command.

$ kubectl -n awx get deployment/awx-task -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  ...
  name: awx-task
  ...
spec:
  ...
  template:
    ...
    spec:
      ...
      initContainers:
      - command:
        - /bin/sh
        - -c
        - |
          hostname=$MY_POD_NAME
          receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
          receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes   ✅
        ...
        name: init
        ...

[TheRealHaoLiu]

wait did i made this same bug the second time...

i remember the first PR I personally saw from you was you fixing my bug in the instance install bundle

ansible/awx#13020

[fosterseth]

@kurokobo I think we can bump default expiry date to 10 years for all of the receptor certs (mesh ingress nodes, and the control plane ee one)