ansible / awx-operator

An Ansible AWX operator for Kubernetes built with Operator SDK and Ansible. 🤖
https://www.github.com/ansible/awx
Apache License 2.0

Give ability to use skipreceptornamescheck #1551

Open mitnicki opened 1 year ago

mitnicki commented 1 year ago

Feature Summary

It would be great if you gave us the ability to use skipreceptornamescheck as an option for remote execution nodes (instances).

Use case: we need to roll out multiple instances with just one certificate for encryption.

If there is a better solution for now, or if this can be handled differently, please tell me.

fosterseth commented 1 year ago

skipreceptornamescheck is only for when receptor service starts up. When connections are made, it will still do receptor name checking, even if this option is True.
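An added example of the check Seth describes (this is not code from the issue, awx-operator or receptor; it is written here for illustration, in Go with only the standard library). It issues a certificate whose SAN carries receptor-style node-ID otherNames under OID 1.3.6.1.4.1.2312.19.1, the OID receptor documents for node IDs, then parses the SAN back and compares it with the node ID the connection is expected to belong to. Writing the node ID as a UTF8String is my assumption (the parser accepts any ASN.1 string type), and the node names and self-signed issuance are constructed for the example. It also goes one step past the thread: a certificate listing several node IDs passes for each of them, which is the shape the "one certificate for many instances" request implies, and it shows what that costs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID receptor uses for the node-ID otherName in the SAN, and id-ce-subjectAltName itself.
var (
	oidReceptorNodeID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 2312, 19, 1}
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
)

// OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }; node ID as UTF8String (assumption).
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"utf8,explicit,tag:0"`
}

// buildSAN encodes GeneralNames with one receptor otherName per node ID.
func buildSAN(nodeIDs []string) ([]byte, error) {
	var names []asn1.RawValue
	for _, id := range nodeIDs {
		// GeneralName's otherName alternative is [0] IMPLICIT: the SEQUENCE is retagged to context 0.
		b, err := asn1.MarshalWithParams(otherName{TypeID: oidReceptorNodeID, Value: id}, "tag:0")
		if err != nil {
			return nil, err
		}
		names = append(names, asn1.RawValue{FullBytes: b})
	}
	return asn1.Marshal(names) // SEQUENCE OF GeneralName
}

// issueNodeCert self-signs a certificate whose SAN lists nodeIDs (self-signed only so the
// example runs stand-alone; in a real deployment the receptor CA issues node certificates).
func issueNodeCert(nodeIDs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	san, err := buildSAN(nodeIDs)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "receptor-node"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// The finished SAN goes in as a raw extension; DNSNames stays empty so Go emits no second SAN.
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: san}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// receptorNodeIDs walks the SAN by hand (Go's parser drops otherName entries) and returns
// every node ID it carries; anything else, including a malformed SAN, contributes no IDs.
func receptorNodeIDs(cert *x509.Certificate) []string {
	var ids []string
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			continue // unparsable SAN: fail closed, the check below will not match
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // dNSName, iPAddress, ...: not an otherName
			}
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidReceptorNodeID) {
				ids = append(ids, on.Value)
			}
		}
	}
	return ids
}

// checkNodeID is the per-connection check the reply above describes: the peer certificate
// must name the node ID we expect, regardless of which hostname was dialed.
func checkNodeID(cert *x509.Certificate, expected string) error {
	ids := receptorNodeIDs(cert)
	for _, id := range ids {
		if id == expected {
			return nil
		}
	}
	return fmt.Errorf("certificate names %v, not %q", ids, expected)
}
```

A certificate issued for exec-node-1 fails checkNodeID for exec-node-2 no matter which address the peer was reached at, so a wildcard hostname does not help here. The one certificate that passes for exec-node-1, exec-node-2 and exec-node-3 is the one that lists all three IDs, and any instance holding that key can then authenticate as any of them. Whether receptor itself honours several node IDs in one certificate is something to verify against its source before relying on that shape.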

mitnicki commented 1 year ago

Hello Seth,

Thanks for clarifying things.

Okay, is there a possibility to disable TLS name checking? Or to use a wildcard for the receptor nodes?

It would be a great feature when it comes to rollouts of multiple receptor nodes into different environments with the same image.

It would also be great if you could advise me on some hack inside the receptor container to disable that behavior.

fosterseth commented 1 year ago

I think the only way around this is to disable TLS at the receptor level.

It would require a handful of changes:

diff --git a/awx/main/tasks/receptor.py b/awx/main/tasks/receptor.py
index 32c8e325ad..76ce238a51 100644
--- a/awx/main/tasks/receptor.py
+++ b/awx/main/tasks/receptor.py
@@ -169,8 +169,9 @@ def run_until_complete(node, timing_data=None, **kwargs):
     config_data = read_receptor_config()
     receptor_ctl = get_receptor_ctl(config_data)

-    use_stream_tls = getattr(get_conn_type(node, receptor_ctl), 'name', None) == "STREAMTLS"
-    kwargs.setdefault('tlsclient', get_tls_client(config_data, use_stream_tls))
+    if settings.RECEPTOR_WORK_SUBMIT_USE_TLS:
+        use_stream_tls = getattr(get_conn_type(node, receptor_ctl), 'name', None) == "STREAMTLS"
+        kwargs.setdefault('tlsclient', get_tls_client(config_data, use_stream_tls))
     kwargs.setdefault('ttl', '20s')
     kwargs.setdefault('payload', '')
     if work_signing_enabled(config_data):
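Review bot: gating `tlsclient` on `settings.RECEPTOR_WORK_SUBMIT_USE_TLS` in `run_until_complete` removes the TLS client for every node, including those whose connection type is STREAMTLS, so with the flag set to False the submission is made without TLS at all rather than merely without the node-ID check; note also that `kwargs.setdefault('tlsclient', ...)` still lets a caller pass `tlsclient` explicitly, so the flag is not a hard guarantee either way. Consider logging a warning when the flag is False so a plaintext control-plane submission is visible in the logs, and keep the `get_conn_type(...) == "STREAMTLS"` lookup outside the conditional so a peer configured for TLS is at least detected rather than silently sent an unprotected submission.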
@@ -335,8 +336,9 @@ class AWXReceptorJob:
         work_submit_kw = dict(worktype=self.work_type, params=self.receptor_params, signwork=self.sign_work)
         if self.work_type == 'ansible-runner':
             work_submit_kw['node'] = self.task.instance.execution_node
-            use_stream_tls = get_conn_type(work_submit_kw['node'], receptor_ctl).name == "STREAMTLS"
-            work_submit_kw['tlsclient'] = get_tls_client(self.config_data, use_stream_tls)
+            if settings.RECEPTOR_WORK_SUBMIT_USE_TLS:
+                use_stream_tls = get_conn_type(work_submit_kw['node'], receptor_ctl).name == "STREAMTLS"
+                work_submit_kw['tlsclient'] = get_tls_client(self.config_data, use_stream_tls)

         with concurrent.futures.ThreadPoolExecutor(max_workers=1) as executor:
             transmitter_future = executor.submit(self.transmit, sockin)
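Review bot: the same `settings.RECEPTOR_WORK_SUBMIT_USE_TLS` / STREAMTLS decision now appears twice (`run_until_complete` above with `setdefault`, `AWXReceptorJob` here with direct assignment of `work_submit_kw['tlsclient']`), so the two submission paths can drift; factor it into one helper that returns the TLS client or None and call it from both places. Since the flag is global, the per-node `get_conn_type(work_submit_kw['node'], receptor_ctl)` result is consulted only while TLS is on, which makes the setting all-or-nothing for every execution node rather than something that can be relaxed for the few instances this issue is about.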
@@ -705,6 +707,7 @@ def generate_config_data():
     for instance in instances:
         peer = {'tcp-peer': {'address': f'{instance.hostname}:{instance.listener_port}', 'tls': 'tlsclient'}}
         receptor_config.append(peer)
+
     should_update = should_update_config(instances)
     return receptor_config, should_update
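Review bot: this hunk only adds a blank line, yet `generate_config_data` is exactly where `'tls': 'tlsclient'` is written onto every `tcp-peer`, so the receptor-to-receptor peer connections keep TLS, and with it the node name check, no matter what `RECEPTOR_WORK_SUBMIT_USE_TLS` is set to. If the intent really is "disable TLS at the receptor level" as the comment says, the `tls` key here needs to be conditional on the same setting (with the corresponding listener side changed to match); otherwise drop the whitespace-only change from the diff.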

diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 19a83cdbcc..b52907842e 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -967,6 +967,11 @@ RECEPTOR_RELEASE_WORK = True
 # K8S only. Use receptor_log_level on AWX spec to set this properly
 RECEPTOR_LOG_LEVEL = 'info'

+# Use TLS when submitting work receptor
+# Only disable if you need to prevent receptor node ID
+# verification for virtual receptor-level connections
+RECEPTOR_WORK_SUBMIT_USE_TLS = True
+
 MIDDLEWARE = [
     'django_guid.middleware.guid_middleware',
     'awx.main.middleware.SettingsCacheMiddleware',
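Review bot: the comment on `RECEPTOR_WORK_SUBMIT_USE_TLS` misdescribes what the setting does: the code it gates drops the TLS client from work submission entirely, it does not skip "receptor node ID verification" for "virtual receptor-level connections", and "Use TLS when submitting work receptor" is missing a word. Suggest something like "# Use TLS when submitting work to receptor. Setting this to False sends work submissions without TLS (no encryption, no peer authentication); it is not a name-check bypass." and flag it as unsuitable for production deployments.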

You would then set RECEPTOR_WORK_SUBMIT_USE_TLS to False.

If you hack this up and get it working, let me know.