fix: extend expiration date for the certs for receptor nodes to 10 years (#1744)

2026-03-26 21:33:14 +00:00 · 2024-03-07 04:52:04 +09:00
parent 82c7dd2f44
commit 03cfe14c07
2 changed files with 17 additions and 3 deletions
--- a/roles/installer/templates/deployments/task.yaml.j2
+++ b/roles/installer/templates/deployments/task.yaml.j2
@@ -104,8 +104,20 @@ spec:
            - -c
            - |
              hostname=$MY_POD_NAME
-              receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
-              receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes
+              receptor --cert-makereq \
+                bits=2048 \
+                commonname=$hostname \
+                dnsname=$hostname \
+                nodeid=$hostname \
+                outreq=/etc/receptor/tls/receptor.req \
+                outkey=/etc/receptor/tls/receptor.key
+              receptor --cert-signreq \
+                req=/etc/receptor/tls/receptor.req \
+                cacert=/etc/receptor/tls/ca/mesh-CA.crt \
+                cakey=/etc/receptor/tls/ca/mesh-CA.key \
+                outcert=/etc/receptor/tls/receptor.crt \
+                notafter=$(date --iso-8601=seconds --utc --date "10 years") \
+                verify=yes
 {% if bundle_ca_crt  %}
              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
              update-ca-trust
--- a/roles/mesh_ingress/templates/deployment.yml.j2
+++ b/roles/mesh_ingress/templates/deployment.yml.j2
@@ -24,7 +24,8 @@ spec:
 {% if external_ipaddress is defined %}
          external_ipaddress={{ external_ipaddress }}
 {% endif %}
-          receptor --cert-makereq bits=2048 \
+          receptor --cert-makereq \
+            bits=2048 \
            commonname=$internal_hostname \
            dnsname=$internal_hostname \
            nodeid=$internal_hostname \
@@ -41,6 +42,7 @@ spec:
            cacert=/etc/receptor/tls/ca/mesh-CA.crt \
            cakey=/etc/receptor/tls/ca/mesh-CA.key \
            outcert=/etc/receptor/tls/receptor.crt \
+            notafter=$(date --iso-8601=seconds --utc --date "10 years") \
            verify=yes
          exec receptor --config /etc/receptor/receptor.conf
        image: '{{ _control_plane_ee_image }}'