From 17fe111ea2d7b8350a0e68be8eaaf10b5f404973 Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Fri, 2 May 2025 15:19:33 +0200
Subject: [PATCH] Use ttl instead of not_after in pki_authorities

Currently, users can define TTL for their PKI authorities(`pki_authorities`) by defining `not_after` argument. It works because community.crypto collection that is used for standalone plugin uses `*_not_after` argument to define a TTL for a certificate in a format of `[+-]timespec`[1].

But there's one confusing thing: this format is not widely used and it's definitely not a standard. For example, hashicorp vault uses:
- `not_after` to define the date until when certificate should be valid in a format of `YYYY-MM-ddTHH:MM:SSZ`[2]
- `ttl` to define a time-to-live for a certificate in a format of ``(ex. `7d`)

If we keep using `not_after`, there would be a conflict because hashi_vault backend and standalone backend would expect completely different formats for these variables.

As a solution, this patch encourages users to start using `ttl` in `` format. It will work for both backends. `not_after` for standalone backend will be supported for some time to keep backwards compatibility.

[1] https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html
[2] https://developer.hashicorp.com/vault/api-docs/secret/pki#not_after

Change-Id: I6d4ab98fb41e279dc15c902990e3a24aa0235b08
Signed-off-by: Damian Dabrowski
---
 defaults/main.yml                                | 4 ++--
 .../not_after_deprecation-67d688b733e1e3f5.yaml  | 7 +++++++
 tasks/standalone/create_ca.yml                   | 13 +++++++++----
 3 files changed, 18 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/not_after_deprecation-67d688b733e1e3f5.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index f1ced68..aa40704 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -37,7 +37,7 @@ pki_search_authorities_pattern: "pki_authorities_"
 #         - digitalSignature
 #         - cRLSign
 #         - keyCertSign
-#       not_after: "+3650d"
+#       ttl: "3650d"
 
 #pki_authorities_intermediates:
 #  - name: "SnakeRootIntermediate"
@@ -52,7 +52,7 @@ pki_search_authorities_pattern: "pki_authorities_"
 #         - digitalSignature
 #         - cRLSign
 #         - keyCertSign
-#       not_after: "+365d"
+#       ttl: "365d"
 #       signed_by: "SnakeRoot"
 
 # example variable of CA to install
diff --git a/releasenotes/notes/not_after_deprecation-67d688b733e1e3f5.yaml b/releasenotes/notes/not_after_deprecation-67d688b733e1e3f5.yaml
new file mode 100644
index 0000000..2152acd
--- /dev/null
+++ b/releasenotes/notes/not_after_deprecation-67d688b733e1e3f5.yaml
@@ -0,0 +1,7 @@
+---
+deprecations:
+  - |
+    ``not_after`` parameter in ``pki_authorities`` was marked for
+    deprecation.
+    ``ttl`` should be used instead in a format of ````
+    (ex. 7d).
diff --git a/tasks/standalone/create_ca.yml b/tasks/standalone/create_ca.yml
index 77cd646..4c5a6fd 100644
--- a/tasks/standalone/create_ca.yml
+++ b/tasks/standalone/create_ca.yml
@@ -29,10 +29,15 @@
 - name: Create certificate {{ ca.name }}
   vars:
-    next_serial_no: "{{ serial_no['content'] | b64decode | int + 1 }}"
+    next_serial_no: "{{ serial_no['content'] | b64decode | int + 1 }}"
     ansible_python_interpreter: "{{ pki_setup_host_python_interpreter }}"
     ca_dir: "{{ pki_dir }}/roots/{{ ca.name }}"
     ca_cert_prefix: "{{ pki_dir }}/roots/{{ ca.name }}/certs/{{ ca.name }}"
+    # NOTE(damiandabrowski): not_after support is kept only for backward compatbility and should be replaced after 2026.1 with:
+    # ownca_not_after: "+{{ ca.ttl }}"
+    ca_expires: "{{ ca.not_after | default(ca.ttl) | trim }}"
+    # NOTE(damiandabrowski): ensures that '+' is added at the beginning
+    ca_not_after: "{{ ca_expires.startswith('+') | ternary(ca_expires, '+' ~ ca_expires) }}"
   delegate_to: "{{ pki_setup_host }}"
   block:
     - name: Create directories for certificate authority {{ ca.name }}
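Review bot: The `+`-prefixing on the new `ca_not_after` line is applied to a legacy `not_after` value as well, so any user who set the absolute ASN.1 TIME form (`YYYYMMDDHHMMSSZ`) that community.crypto also documents for `*_not_after` now gets `+20301231235959Z` passed to the module and the CA task fails, which contradicts the backward-compatibility promise in the commit message (a `-` offset likewise becomes `+-…`); only `ttl` should be normalised. Collapsing the two vars into `ca_not_after: "{{ ca.not_after if ca.not_after is defined else '+' ~ (ca.ttl | trim) }}"` keeps any legacy `not_after` verbatim and still prepends `+` to `ttl`. It would also be worth failing early with a clear message when neither `not_after` nor `ttl` is set (as written, `default(ca.ttl)` appears to surface only as a Jinja undefined-variable error) and warning when both are set, since `not_after` silently wins over `ttl`. The first NOTE comment misspells "compatibility". The enclosing task's `block:` continues past the end of the hunk.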
@@ -86,7 +91,7 @@
     - name: Create the CA CSR for {{ ca.name }}
       community.crypto.openssl_csr:
-        path: "{{ ca_dir }}/csr/ca_csr-{{ next_serial_no }}.csr"
+        path: "{{ ca_dir }}/csr/ca_csr-{{ next_serial_no }}.csr"
         privatekey_path: "{{ ca_privkey.filename }}"
         privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
         common_name: "{{ ca.cn }}"
@@ -117,7 +122,7 @@
         provider: "selfsigned"
         privatekey_path: "{{ ca_privkey.filename }}"
         privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
-        selfsigned_not_after: "{{ ca.not_after }}"
+        selfsigned_not_after: "{{ ca_not_after }}"
         backup: "{{ ca.backup | default(True) }}"
       register: ca_selfsigned_crt
       when:
@@ -134,7 +139,7 @@
         ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/private/' ~ ca.signed_by ~ '.key.pem' }}"
         ownca_privatekey_passphrase: "{{ ca.ownca_key_passphrase | default(omit) }}"
         ownca_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/certs/' ~ ca.signed_by ~ '.crt' }}"
-        ownca_not_after: "{{ ca.not_after }}"
+        ownca_not_after: "{{ ca_not_after }}"
         backup: "{{ ca.backup | default(True) }}"
       register: ca_ownca_crt
       when: