AAPRFE-2652 (Ansible Automation Platform RFEs)

[RFE] AAP on OpenShift - Support for Automated TLS Certificate lifecycle for Receptor and Internal Communication


      1. What is the nature and description of the request?
        The customer is deploying Ansible Automation Platform (AAP 2.6) via the AAP Operator on OpenShift 4.18. AAP secures communication between the Controller, Receptor, and Execution Pods using mutual TLS.
         
        While the documentation confirms customers can provide a Custom Receptor CA, it also states that changing this CA "will break connections to any existing execution nodes," causing them to enter an unavailable state. The customer requests a mechanism to allow these certificates to be managed and rotated automatically without interruption.
      2. Why does the customer need this? (List the business requirements here)
        • Enterprise PKI Integration: The customer requires TLS certificates to be issued by their enterprise PKI with automatic certificate rotation (e.g., using VSI Sidecar) rather than relying on static, manual CA generation.
        • Business Continuity: The current limitation where changing the CA breaks execution nodes is blocking their operational requirements. They require rotation that does not force nodes into an unavailable state.
      3. How would you like to achieve this? (List the functional requirements here)
        • Automated PKI Support: Enable Receptor and AAP internal communication to use TLS certificates issued and rotated automatically by an external PKI (e.g., cert-manager) without manual intervention.
        • Runtime Certificate Handling: Ensure that when TLS certificates or CAs are updated in Kubernetes Secrets, Receptor can reload them without breaking existing connections.
        • Non-disruptive Renewal: During certificate renewal, the internal communication layer must remain functional, allowing running jobs to continue without interruption.
      4. List any affected known dependencies: Doc, UI, etc.
        • Documentation: Updates to the AWX / AAP Operator documentation regarding "Custom Receptor CA" and the warning about breaking connections.
      5. GitHub link, if any:
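The break described in point 1 and the non-disruptive renewal asked for in point 3, as an added Go example that is not AAP's, Receptor's or the operator's own code: it builds a throwaway old and new CA, issues an execution-node certificate from each, and checks which certificates a peer accepts depending on whether its trust store holds only the old CA or both CAs. The names receptor-ca-old, receptor-ca-new and exec-node-1 are constructed; the point it shows is that a CA cut-over stays connection-safe only if peers trust both CAs for a transition window, not merely that new material gets reloaded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert makes a throwaway test cert: a self-signed CA when parent is nil, else a node cert signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn}, // constructed names, not real AAP identities
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil { // self-signed root: the template signs itself
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// acceptedBy reports whether a peer whose trust store holds only the given CAs would accept leaf.
func acceptedBy(leaf *x509.Certificate, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range trusted {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// RotationOutcome models a CA cut-over: is a new-CA node cert accepted by a peer trusting only the
// old CA, by a peer trusting both, and is an old-CA cert still accepted by the dual-trust peer?
func RotationOutcome() (oldTrustOnly, dualTrust, oldLeafInTransition bool) {
	oldCA, oldKey := newCert("receptor-ca-old", nil, nil)
	newCA, newKey := newCert("receptor-ca-new", nil, nil)
	oldLeaf, _ := newCert("exec-node-1", oldCA, oldKey)
	newLeaf, _ := newCert("exec-node-1", newCA, newKey)
	return acceptedBy(newLeaf, oldCA), acceptedBy(newLeaf, oldCA, newCA), acceptedBy(oldLeaf, oldCA, newCA)
}
```

The first result is the failure mode the documentation warns about (nodes still holding only the old CA reject the new certificate); the second and third are what a staged rotation with a dual-trust bundle gives you.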

              dysilva Dylan Silva
              rhn-support-dwhitley Daniel Whitley