
Currently, users can define TTL for their PKI authorities (`pki_authorities`) by defining `not_after` argument. It works because community.crypto collection that is used for standalone plugin uses `*_not_after` argument to define a TTL for a certificate in a format of `[+-]timespec`[1].

But there's one confusing thing: this format is not widely used and it's definitely not a standard. For example, hashicorp vault uses:
- `not_after` to define the date until when certificate should be valid in a format of `YYYY-MM-ddTHH:MM:SSZ`[2]
- `ttl` to define a time-to-live for a certificate in a format of `<duration><unit>` (ex. `7d`)

If we keep using `not_after`, there would be a conflict because hashi_vault backend and standalone backend would expect completely different formats for these variables.

As a solution, this patch encourages users to start using `ttl` in `<duration><unit>` format. It will work for both backends. `not_after` for standalone backend will be supported for some time to keep backwards compatibility.

[1] https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html
[2] https://developer.hashicorp.com/vault/api-docs/secret/pki#not_after

Change-Id: I6d4ab98fb41e279dc15c902990e3a24aa0235b08
Signed-off-by: Damian Dabrowski <damian.dabrowski@cleura.com>
8 lines
192 B
YAML
---
deprecations:
- |
``not_after`` parameter in ``pki_authorities`` was marked for
deprecation.
``ttl`` should be used instead in a format of ``<duration><unit>``
(ex. 7d).
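Review bot: the deprecation entry says ``not_after`` "was marked for deprecation" but gives operators nothing to plan against. It names no release in which the parameter stops being accepted, and it does not say that the old value keeps working only for the standalone backend in the meantime, which is what the commit message promises. Please state both. The ``ttl`` format is also shown only through the single example ``7d``; list the units that are accepted, so that someone converting an existing ``[+-]timespec`` value knows what is valid and does not end up with a certificate lifetime other than the one intended.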