Use ttl instead of not_after in pki_authorities

Currently, users can define a TTL for their PKI
authorities (`pki_authorities`) by defining the `not_after` argument.

It works because the community.crypto collection that is used for the standalone
plugin uses the `*_not_after` argument to define a TTL for a certificate in
the format `[+-]timespec`[1].

But there's one confusing thing: this format is not widely used and it's
definitely not a standard.
For example, HashiCorp Vault uses:
- `not_after` to define the date until which the certificate should be valid,
in the format `YYYY-MM-ddTHH:MM:SSZ`[2]
- `ttl` to define a time-to-live for a certificate in the format
`<duration><unit>` (ex. `7d`)

If we keep using `not_after`, there would be a conflict because the
hashi_vault backend and the standalone backend would expect completely different formats for these variables.

As a solution, this patch encourages users to start using `ttl` in the
`<duration><unit>` format. It will work for both backends.
`not_after` for the standalone backend will be supported for some time to
keep backwards compatibility.

[1] https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html
[2] https://developer.hashicorp.com/vault/api-docs/secret/pki#not_after

Change-Id: I6d4ab98fb41e279dc15c902990e3a24aa0235b08
Signed-off-by: Damian Dabrowski <damian.dabrowski@cleura.com>
This commit is contained in:
Damian Dabrowski
2025-05-02 15:19:33 +02:00
committed by Dmitriy Rabotyagov
parent 678ca5e479
commit 17fe111ea2
3 changed files with 18 additions and 6 deletions
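To make the format conflict described in the commit message concrete, here is an added example (it is not code from this change or from the openstack-ansible pki role). The helpers are hypothetical: `is_valid_ttl`, `to_crypto_not_after` and `to_vault_not_after` take one `<duration><unit>` value and render it both as the relative `+timespec` string that community.crypto's `*_not_after` parameters accept and as the absolute `YYYY-MM-ddTHH:MM:SSZ` timestamp Vault's `not_after` takes. The assumed grammar is a single integer followed by one of `s`, `m`, `h`, `d`, `w`; unlike a blind "prepend `+`", a value that is not a duration (an absolute date, a `-`-prefixed timespec) is rejected rather than rewritten.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical helpers, not code from the openstack-ansible pki role.
# Assumed ttl grammar: one integer followed by one unit letter (s, m, h, d, w);
# a leading '+' is tolerated so a legacy `not_after: "+365d"` value also passes.
_TTL_RE = re.compile(r"^\+?(\d+)([smhdw])$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def is_valid_ttl(value: str) -> bool:
    """True when `value` is a plain `<duration><unit>` (optionally '+'-prefixed)."""
    return _TTL_RE.match(value.strip()) is not None


def _parse(value: str):
    m = _TTL_RE.match(value.strip())
    if m is None:
        raise ValueError(f"ttl {value!r} is not in <duration><unit> form")
    return int(m.group(1)), m.group(2)


def to_crypto_not_after(value: str) -> str:
    """Render the relative `+<timespec>` that community.crypto's *_not_after
    parameters understand (standalone backend).

    Anything that is not a duration is refused, so an absolute date such as
    Vault's 2026-01-01T00:00:00Z is reported instead of becoming '+2026-...'.
    """
    amount, unit = _parse(value)
    return f"+{amount}{unit}"


def to_vault_not_after(value: str, now: datetime) -> str:
    """Render the absolute UTC timestamp Vault's `not_after` expects for the
    same ttl, measured from `now` (hashi_vault backend)."""
    amount, unit = _parse(value)
    delta = timedelta(seconds=amount * _SECONDS[unit])
    return (now.astimezone(timezone.utc) + delta).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    # Constructed sample values: new-style ttl, legacy '+'-prefixed not_after,
    # and an absolute timestamp that only the Vault backend would understand.
    issued = datetime(2025, 5, 2, 15, 19, 33, tzinfo=timezone.utc)
    for ttl in ("3650d", "+365d", "7d", "2026-01-01T00:00:00Z"):
        if not is_valid_ttl(ttl):
            print(f"{ttl!r}: rejected (not a <duration><unit>)")
            continue
        print(f"{ttl!r}: standalone={to_crypto_not_after(ttl)} "
              f"vault={to_vault_not_after(ttl, issued)}")
```

Running the block prints one line per sample; the absolute timestamp is rejected up front, which is the behaviour a role would want before handing the value to either backend.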


@@ -37,7 +37,7 @@ pki_search_authorities_pattern: "pki_authorities_"
# - digitalSignature
# - cRLSign
# - keyCertSign
# not_after: "+3650d"
# ttl: "3650d"
#pki_authorities_intermediates:
# - name: "SnakeRootIntermediate"
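Review bot: the example now documents only `ttl: "3650d"`, yet the vars block in this same change keeps accepting `not_after` (in `+timespec` form) until after 2026.1; a one-line comment next to the new key, e.g. `# not_after: "+3650d"  (deprecated, use ttl)`, would tell readers that their existing values still work but are on their way out.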
@@ -52,7 +52,7 @@ pki_search_authorities_pattern: "pki_authorities_"
# - digitalSignature
# - cRLSign
# - keyCertSign
# not_after: "+365d"
# ttl: "365d"
# signed_by: "SnakeRoot"
# example variable of CA to install


@@ -0,0 +1,7 @@
---
deprecations:
- |
``not_after`` parameter in ``pki_authorities`` was marked for
deprecation.
``ttl`` should be used instead in a format of ``<duration><unit>``
(ex. 7d).
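Review bot: the release note should state the removal horizon, since the task file's own comment in this change says `not_after` support is kept only until after 2026.1; it should also spell out which units are accepted in `<duration><unit>` (the example shows only `d`) and say that an existing `not_after` value keeps working unchanged, otherwise operators cannot tell whether this is a rename or a format change.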


@@ -29,10 +29,15 @@
- name: Create certificate {{ ca.name }}
vars:
next_serial_no: "{{ serial_no['content'] | b64decode | int + 1 }}"
next_serial_no: "{{ serial_no['content'] | b64decode | int + 1 }}"
ansible_python_interpreter: "{{ pki_setup_host_python_interpreter }}"
ca_dir: "{{ pki_dir }}/roots/{{ ca.name }}"
ca_cert_prefix: "{{ pki_dir }}/roots/{{ ca.name }}/certs/{{ ca.name }}"
# NOTE(damiandabrowski): not_after support is kept only for backward compatbility and should be replaced after 2026.1 with:
# ownca_not_after: "+{{ ca.ttl }}"
ca_expires: "{{ ca.not_after | default(ca.ttl) | trim }}"
# NOTE(damiandabrowski): ensures that '+' is added at the beginning
ca_not_after: "{{ ca_expires.startswith('+') | ternary(ca_expires, '+' ~ ca_expires) }}"
delegate_to: "{{ pki_setup_host }}"
block:
- name: Create directories for certificate authority {{ ca.name }}
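Review bot: `ca_not_after` prepends `+` whenever the value does not already start with one, which silently rewrites any legacy `not_after` value that is not a `+`-prefixed timespec (an absolute date becomes `+2026-...`, a `-30d` becomes `+-30d`) instead of failing; since this line exists to keep old `not_after` values working, condition the prepend on `ca.ttl is defined` rather than on the first character, and add an `ansible.builtin.assert` that exactly one of `ttl`/`not_after` is set so a missing value gives a clear message instead of an undefined-variable error. The comment also misspells "compatbility", and the `next_serial_no` line is a whitespace-only change unrelated to this fix.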
@@ -86,7 +91,7 @@
- name: Create the CA CSR for {{ ca.name }}
community.crypto.openssl_csr:
path: "{{ ca_dir }}/csr/ca_csr-{{ next_serial_no }}.csr"
path: "{{ ca_dir }}/csr/ca_csr-{{ next_serial_no }}.csr"
privatekey_path: "{{ ca_privkey.filename }}"
privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
common_name: "{{ ca.cn }}"
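Review bot: this hunk changes only whitespace on the `path:` line (the removed and added lines are identical as shown), which is unrelated to the ttl change and better dropped or split into its own commit.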
@@ -117,7 +122,7 @@
provider: "selfsigned"
privatekey_path: "{{ ca_privkey.filename }}"
privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
selfsigned_not_after: "{{ ca.not_after }}"
selfsigned_not_after: "{{ ca_not_after }}"
backup: "{{ ca.backup | default(True) }}"
register: ca_selfsigned_crt
when:
@@ -134,7 +139,7 @@
ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/private/' ~ ca.signed_by ~ '.key.pem' }}"
ownca_privatekey_passphrase: "{{ ca.ownca_key_passphrase | default(omit) }}"
ownca_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/certs/' ~ ca.signed_by ~ '.crt' }}"
ownca_not_after: "{{ ca.not_after }}"
ownca_not_after: "{{ ca_not_after }}"
backup: "{{ ca.backup | default(True) }}"
register: ca_ownca_crt
when:
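Review bot: the migration comment in the vars block names only `ownca_not_after` as the post-2026.1 replacement target, but `ca_not_after` also feeds `selfsigned_not_after` in the previous hunk; extend the comment to list both call sites so they are updated together when `not_after` support is dropped.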