enable auto-tidy expired issuers in vault (as CA)

[eikenb]

When using vault as a CA and generating the local signing cert, try to enable the pki endpoint's auto-tidy feature with it set to tidy expired issuers.

[jkirschner-hashicorp]

@eikenb : Left some thoughts on log message copy and docs updates. Thanks for the finishing touches here! I also like that we now have a pattern to reference for testing against different Vault versions (when we expect the behavior to differ).

[jkirschner-hashicorp]

@eikenb : I'm good with this PR, but I can't approve on behalf of eng. Can you request a review from a ZTS eng team member?

[jkirschner-hashicorp]

Submitting to clear my previous "request changes" review. I'm happy with this, but someone from eng needs to give an eng review.

My comments have been satisfied, but I'm not an eng reviewer. Waiting on eng reviewer.

[kisunji]

Correct me if I'm missing some context behind the decision, but I think this should be called once during setupIntermediatePKIPath, since it's a one-time operation.

As-is, we're adding a network call and possibly unactionable INFO log to a hotpath (leaf cert generation) which might get noisy if there are many service registrations.

[eikenb]

Correct me if I'm missing some context behind the decision, but I think this should be called once during setupIntermediatePKIPath, since it's a one-time operation.

As-is, we're adding a network call and possibly unactionable INFO log to a hotpath (leaf cert generation) which might get noisy if there are many service registrations.

AFAIK setupIntermediatePKIPath only gets called once when the PKI path is created/mounted. This doesn't handle cases of the PKI path already being created and the auto-tidy needing to be set (E.g. by version upgrades or permissions settings). Jared and I discussed this and wanted to be sure it was being set.

We could change those log messages from INFO to DEBUG as that'd raise it above the default settings.

[kisunji]

Correct me if I'm missing some context behind the decision, but I think this should be called once during setupIntermediatePKIPath, since it's a one-time operation.
As-is, we're adding a network call and possibly unactionable INFO log to a hotpath (leaf cert generation) which might get noisy if there are many service registrations.

AFAIK setupIntermediatePKIPath only gets called once when the PKI path is created/mounted. This doesn't handle cases of the PKI path already being created and the auto-tidy needing to be set (E.g. by version upgrades or permissions settings). Jared and I discussed this and wanted to be sure it was being set.

We could change those log messages from INFO to DEBUG as that'd raise it above the default settings.

I think setupIntermediatePKIPath gets called on Configure which happens on every leader election so auto-tidy should eventually get set without user intervention.

[eikenb]

@kisunji .. I'll take a look at those code paths tomorrow and move the call if it looks like that will work. Thanks!

[eikenb]

@kisunji .. I verified your idea and am going to update my PR for that. I thought I had checked that path but I must have got off track as some point. Thanks again.

[eikenb]

@kisunji .. code and test updated. Ready for another look.

[kisunji]

small comment on the return vals but will preapprove!