max-lease-ttl not being honored for PKI engine

Bug #1788945 reported by Cory Johns
Affects: vault-charm
Status: Fix Released
Importance: High
Assigned to: James Page
Milestone: 19.04

Bug Description

The max-lease-ttl set by the charm (https://github.com/openstack/charm-vault/blob/master/src/lib/charm/vault_pki.py#L33) does not seem to be honored. After deploying the charm and using the actions to set the certs and enable PKI, `vault secrets list -detailed` still shows a Max TTL for the engine of "system" and certs get their expiration values set to 30 days (the default). Using `vault secrets tune` manually does update the Max TTL value.
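The symptom above (engine Max TTL showing "system") can be checked programmatically from the JSON form of the same listing. The following is an added example, not code from the bug report or from the charm: it parses constructed sample output of `vault secrets list -detailed -format=json`, flags PKI mounts whose `max_lease_ttl` is still 0 (the API encoding of "system"), and builds the `vault secrets tune` command that would correct them. The mount paths and the TTL value are assumptions.

```python
"""Find PKI mounts whose max_lease_ttl is still the system default.

Added example (not the charm's code). Parses the JSON that
`vault secrets list -detailed -format=json` prints and reports PKI
mounts whose max_lease_ttl is 0, which the table view renders as
"system". Certificates issued from such a mount are capped by the
system max TTL, not by the value the operator intended.
"""
import json
import shlex

# Constructed sample output of `vault secrets list -detailed -format=json`.
# Mount names are assumptions; max_lease_ttl == 0 means "use the system default".
SAMPLE_OUTPUT = json.dumps({
    "charm-pki-local/": {
        "type": "pki",
        "config": {"default_lease_ttl": 0, "max_lease_ttl": 0, "force_no_cache": False},
    },
    "secret/": {
        "type": "kv",
        "config": {"default_lease_ttl": 0, "max_lease_ttl": 0, "force_no_cache": False},
    },
    "tuned-pki/": {
        "type": "pki",
        "config": {"default_lease_ttl": 0, "max_lease_ttl": 315360000, "force_no_cache": False},
    },
})


def pki_mounts_at_system_max_ttl(listing_json):
    """Return the PKI mount paths whose max_lease_ttl is the system default (0)."""
    mounts = json.loads(listing_json)
    return sorted(
        path
        for path, info in mounts.items()
        if info.get("type") == "pki"
        and info.get("config", {}).get("max_lease_ttl", 0) == 0
    )


def tune_command(mount_path, max_ttl):
    """Build the `vault secrets tune` invocation that sets the mount's max-lease-ttl."""
    return (
        f"vault secrets tune -max-lease-ttl={shlex.quote(max_ttl)} "
        f"{shlex.quote(mount_path)}"
    )


if __name__ == "__main__":
    # '87600h' is an assumed target; use the value the charm is configured with.
    for path in pki_mounts_at_system_max_ttl(SAMPLE_OUTPUT):
        print(f"{path}: max TTL is 'system'; fix with: {tune_command(path, '87600h')}")
```

After tuning, a certificate has to be re-issued before the longer expiry shows up; tuning the mount does not change certificates already issued under the old cap.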

Revision history for this message
Cory Johns (johnsca) wrote :

The line linked in the OP has moved. The new correct line is: https://github.com/openstack/charm-vault/blob/379b99f/src/lib/charm/vault_pki.py#L29

Revision history for this message
James Page (james-page) wrote :

The key used to set the TTL during PKI mount is not setting the TTL correctly.

Changed in vault-charm:
status: New → Triaged
importance: Undecided → High
status: Triaged → In Progress
assignee: nobody → James Page (james-page)
Revision history for this message
James Page (james-page) wrote :

The fix will also need to tune any existing PKI backend to set the TTL correctly, at which point a cert re-issue will then dtrt and re-issue certs with longer expiry dates.

James Page (james-page)
Changed in vault-charm:
status: In Progress → Fix Committed
milestone: none → 19.04
David Ames (thedac)
Changed in vault-charm:
status: Fix Committed → Fix Released