cert from vault has only around 1 month expire date

As a w/a, you could use:

vault secrets tune -max-lease-ttl=8760h -default-lease-ttl=8760h charm-pki-local

Then, Vault will start issuing certificates with expiration date = 1 year. However, it would be nice to have this configurable as a charm config option.

@vlgrevtsev

yes but when I put 87600h to both lease-ttl, it didn't work if I didn't change
actions.yaml.

I'm preparing this https://review.opendev.org/#/c/678161/ but adding option is the better you think?

I agree that this should be implemented as a configurable, and not hard-coded.

It is good to make more settings configurable (generating certs with specific TTLs) and update the 1 month default TTL, but I don't see the proposed fix addressing:

1) If a CA has already been created with 1 month max-ttl, there is no way to address this using the charm, the only way to fix it without creating another CA is to update the role directly in vault.

2) An alternative way of addressing the problem in the original description in a new cloud, the cloud should be deployed with auto-generate-ca=False, then run:

$ juju run-action --wait vault/0 generate-root-ca max-ttl='8760h' ttl='87600h' # 1 year TTL of certificates with 10 years TTL of root CA

Therefore, if someone doesn't want the new default cert TTL of 10 years, then the original description of this issue still persists.

Should we consider that the statement #2 above is the proper solution to this problem? Or should we consider adding an action to update the role TTLs (Feature Request?) ?

Thinking about this further, #2 above could be simplified if the ttl values are read from charm config instead of the defaults in actions.yaml, as they are right now. Essentially those config options could be used to also address #1 above.

Patch merged to master.

Backport patch submitted to stable/19.10 - https://review.opendev.org/#/c/697053/