Damian Dabrowski 17fe111ea2 Use ttl instead of not_after in pki_authorities
Currently, users can define a TTL for their PKI
authorities (`pki_authorities`) by defining the `not_after` argument.

It works because the community.crypto collection that is used for the standalone
plugin uses the `*_not_after` argument to define a TTL for a certificate in
the format `[+-]timespec`[1].

But there's one confusing thing: this format is not widely used and it's
definitely not a standard.
For example, HashiCorp Vault uses:
- `not_after` to define the date until which the certificate should be valid,
in the format `YYYY-MM-ddTHH:MM:SSZ`[2]
- `ttl` to define a time-to-live for a certificate in the format
`<duration><unit>` (e.g. `7d`)

If we keep using `not_after`, there would be a conflict because
hashi_vault backend and standalone backend would expect completely different formats for these variables.

As a solution, this patch encourages users to start using `ttl` in
`<duration><unit>` format. It will work for both backends.
`not_after` for standalone backend will be supported for some time to
keep backwards compatibility.

[1] https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html
[2] https://developer.hashicorp.com/vault/api-docs/secret/pki#not_after

Change-Id: I6d4ab98fb41e279dc15c902990e3a24aa0235b08
Signed-off-by: Damian Dabrowski <damian.dabrowski@cleura.com>
2025-10-06 15:33:19 +02:00
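
The two value formats contrasted in the commit message above, shown as an added Python example; it is not code from this repository or from the role. `resolve_validity` is a hypothetical helper, the sample entries are constructed, and the shared unit set (`s`, `m`, `h`, `d`) is an assumption about what both backends accept.

```python
import re

# Assumption: units usable by both backends. community.crypto timespecs
# also allow "w"; it is left out so one ttl value suits both formats.
_TTL_RE = re.compile(r"(\d+)([smhd])")
# community.crypto relative time: a sign, then one or more <int><unit> parts.
_TIMESPEC_RE = re.compile(r"[+-](\d+[wdhms])+")


def resolve_validity(authority):
    """Return (ttl, standalone_not_after) for one pki_authorities entry.

    Hypothetical helper: prefers `ttl`, falls back to legacy `not_after`.
    """
    ttl = authority.get("ttl")
    legacy = authority.get("not_after")
    if ttl is not None:
        ttl = str(ttl)
        if not _TTL_RE.fullmatch(ttl):
            raise ValueError(f"ttl must be <duration><unit>, got {ttl!r}")
        # For the standalone backend a TTL is a relative offset from now.
        return ttl, "+" + ttl
    if legacy is not None:
        legacy = str(legacy)
        # An absolute timestamp here is the Vault-style meaning of
        # not_after; rejecting it makes the format conflict visible early.
        if not _TIMESPEC_RE.fullmatch(legacy):
            raise ValueError(f"not_after must be [+-]timespec, got {legacy!r}")
        return None, legacy
    raise ValueError("authority defines neither ttl nor not_after")


if __name__ == "__main__":
    # Constructed sample entries, not taken from the role's defaults.
    samples = [
        {"name": "ExampleRoot", "ttl": "3650d"},
        {"name": "LegacyRoot", "not_after": "+32w1d2h"},
        {"name": "Ambiguous", "not_after": "2030-01-01T00:00:00Z"},
    ]
    for entry in samples:
        try:
            print(entry["name"], resolve_validity(entry))
        except ValueError as exc:
            print(entry["name"], "rejected:", exc)
```
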

PKI role for OpenStack-Ansible

Ansible role to install Public Key Infrastructure.

Documentation for the project can be found at:

https://docs.openstack.org/ansible-role-pki/latest/

Release notes for the project can be found at:

https://docs.openstack.org/releasenotes/ansible-role-pki/

The project source code repository is located at:

https://opendev.org/openstack/ansible-role-pki/

The project home is at:

https://launchpad.net/openstack-ansible

Bugs are tracked at:

https://bugs.launchpad.net/openstack-ansible

Description
Ansible role to manage SSL certificate creation and distribution