ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Add UI checks for any certs/keys used which might have expired #11100

Open ffirg opened 3 years ago

ffirg commented 3 years ago
ISSUE TYPE
SUMMARY

Now that we have various certificate chains and signing mechanisms in the mesh, I would like to be able to validate the certs/keys and notify, where possible, of pending expiry (much like we do with licenses already).

The mesh installer generates keys for signing work - for signing work from control to execution nodes using keys - https://github.com/ansible/tower-packaging/issues/1407 and https://github.com/ansible/receptor/pull/414

/etc/receptor/receptor.conf also contains a number of TLS certs, such as:

# TLS
- tls-server:
    name: tls_server
    cert: /etc/receptor/tls/192.168.111.126.crt
    key: /etc/receptor/tls/192.168.111.126.key
    clientcas: /etc/receptor/tls/ca/mesh-CA.crt
    requireclientcert: true

- tls-client:
    name: tls_client
    cert: /etc/receptor/tls/192.168.111.126.crt
    key: /etc/receptor/tls/192.168.111.126.key
    rootcas: /etc/receptor/tls/ca/mesh-CA.crt
    insecureskipverify: false

We should inform the user when they are coming up for expiry/renewal. Perhaps a management job which runs periodically and informs the user 90, 60 and 30 days out.
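As an added example (not AWX or receptor code), the check described above applied to a local receptor.conf: it collects the `cert`/`clientcas`/`rootcas` paths, reads each PEM's expiry with the `cryptography` package (assumed installed), and classifies every certificate as expired or as inside the 90/60/30-day windows. The config text and expiry dates used for the sample run are constructed.

```python
"""Added example (not AWX/receptor code): flag certificates referenced by a
receptor.conf that are expired or inside the 90/60/30-day warning windows."""
import re
from datetime import datetime, timezone
from pathlib import Path

CERT_KEYS = ("cert", "clientcas", "rootcas")  # receptor.conf keys that name cert files
THRESHOLDS = (90, 60, 30)                     # days out at which to warn

# Constructed sample: the tls-server block from the issue plus made-up expiry dates.
SAMPLE_CONF = """
- tls-server:
    cert: /etc/receptor/tls/192.168.111.126.crt
    key: /etc/receptor/tls/192.168.111.126.key
    clientcas: /etc/receptor/tls/ca/mesh-CA.crt
"""
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_EXPIRIES = {
    "/etc/receptor/tls/192.168.111.126.crt": datetime(2024, 2, 15, tzinfo=timezone.utc),  # 45 days
    "/etc/receptor/tls/ca/mesh-CA.crt": datetime(2023, 12, 31, tzinfo=timezone.utc),      # expired
}

def cert_paths(config_text):
    """Unique certificate paths named by CERT_KEYS, in order of appearance."""
    pattern = re.compile(r"^\s*(?:%s):\s*(\S+)\s*$" % "|".join(CERT_KEYS), re.M)
    return list(dict.fromkeys(pattern.findall(config_text)))

def not_after(pem_path):
    """UTC expiry of the first certificate in a PEM file (needs `cryptography`)."""
    from cryptography import x509  # local import so the threshold logic runs without it
    cert = x509.load_pem_x509_certificate(Path(pem_path).read_bytes())
    utc = getattr(cert, "not_valid_after_utc", None)  # cryptography >= 42
    return utc or cert.not_valid_after.replace(tzinfo=timezone.utc)

def expiry_alerts(expiries, now, thresholds=THRESHOLDS):
    """(path, days_left, level) per cert that is expired or within a window; level is
    'expired' or the tightest threshold in days the remaining lifetime fits under."""
    alerts = []
    for path, expiry in expiries.items():
        days_left = (expiry - now).days
        if expiry <= now:
            alerts.append((path, days_left, "expired"))
        elif any(days_left <= t for t in thresholds):
            alerts.append((path, days_left, min(t for t in thresholds if days_left <= t)))
    return alerts

def check_receptor_conf(config_text, now=None):
    """Parse cert paths from a receptor.conf body, read each PEM, classify."""
    now = now or datetime.now(timezone.utc)
    return expiry_alerts({p: not_after(p) for p in cert_paths(config_text)}, now)
```

On a node, `check_receptor_conf(Path("/etc/receptor/receptor.conf").read_text())` returns the list to surface in the UI; `expiry_alerts(SAMPLE_EXPIRIES, SAMPLE_NOW)` exercises the classifier without any files.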

ffirg commented 3 years ago

This information is currently not available in the API so the mesh code pod will need to do some work here to expose that.

AlanCoding commented 3 years ago

Do we need any information from execution nodes for this? I'm thinking "no", because we distribute the same cert to all control nodes (in the case of job signing; less certain on TLS). A system job is probably overkill for this, because it's just reading stuff from local receptor settings, and I'd suggest we could add a field to some endpoint.