From 0c566edb0a7dcb137d7edf95ceac4ed906423a92 Mon Sep 17 00:00:00 2001
From: Jack Hodgkiss
Date: Fri, 18 Jul 2025 12:09:33 +0100
Subject: [PATCH] feat: increase `TTL` for `TLS` role

Increasing the `TTL` for both `Vault` and `OpenBao` server role will allow for certificate replacement to be done in conjunction with `OpenStack` upgrades.
---
 etc/kayobe/inventory/group_vars/all/openbao.yml | 8 ++++----
 etc/kayobe/inventory/group_vars/all/vault | 8 ++++----
 releasenotes/notes/increase-tls-ttl-c1eba5cca7767d0f.yaml | 6 ++++++
 3 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 releasenotes/notes/increase-tls-ttl-c1eba5cca7767d0f.yaml

diff --git a/etc/kayobe/inventory/group_vars/all/openbao.yml b/etc/kayobe/inventory/group_vars/all/openbao.yml
index ffd566dc8a..1c3c0b39ad 100644
--- a/etc/kayobe/inventory/group_vars/all/openbao.yml
+++ b/etc/kayobe/inventory/group_vars/all/openbao.yml
@@ -19,8 +19,8 @@ seed_openbao_pki_role_name: "ServerCert" seed_openbao_pki_roles: - name: "{{ seed_openbao_pki_role_name }}" config: - max_ttl: 8760h - ttl: 8760h + max_ttl: 730d + ttl: 730d allow_any_name: true allow_ip_sans: true require_cn: false
@@ -59,8 +59,8 @@ overcloud_openbao_pki_external_tls_role_name: "{{ overcloud_openbao_pki_default_ overcloud_openbao_pki_roles: - name: "{{ overcloud_openbao_pki_default_role_name }}" config: - max_ttl: 8760h - ttl: 8760h + max_ttl: 730d + ttl: 730d allow_any_name: true allow_ip_sans: true require_cn: false
diff --git a/etc/kayobe/inventory/group_vars/all/vault b/etc/kayobe/inventory/group_vars/all/vault
index 22e89a4558..e623bf0380 100644
--- a/etc/kayobe/inventory/group_vars/all/vault
+++ b/etc/kayobe/inventory/group_vars/all/vault
@@ -25,8 +25,8 @@ seed_vault_pki_role_name: "ServerCert" seed_vault_pki_roles: - name: "{{ seed_vault_pki_role_name }}" config: - max_ttl: 8760h - ttl: 8760h + max_ttl: 730d + ttl: 730d allow_any_name: true allow_ip_sans: true require_cn: false 
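Review bot: `max_ttl: 730d` on the seed role lets a leaf be requested with a lifetime that can exceed the remaining validity of the issuing CA, and neither this hunk nor the rest of the diff touches the issuer's `leaf_not_after_behavior`, which in Vault and OpenBao decides whether such a request fails (the default), is truncated to the CA's expiry, or is permitted. Unless the seed CA is known to have well over two years left at every issuance, this can surface as a failed or silently shortened certificate at the next upgrade. I would record the dependency above the new values: `# Leaf lifetime must fit inside the issuing CA's remaining validity; see the issuer's leaf_not_after_behavior.` The `d` suffix is also new to this file — the duration parser in both products accepts it, but `17520h` would keep the existing unit style.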
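Review bot: The overcloud role whose TTL is raised in this hunk is, per the hunk header context, also the role that `overcloud_openbao_pki_external_tls_role_name` resolves to by default, so externally presented endpoints now receive two-year certificates along with internal ones. The commit message and the new release note both motivate the change with internal and backend certificate replacement, so the external case reads as a side effect rather than a choice. If external endpoints should keep a shorter lifetime, a second role entry with its own `ttl` for the external name is the minimal change; otherwise a one-line comment stating that the external role deliberately inherits the two-year lifetime would stop a later reader from treating it as an oversight. The role list continues past the hunk, so a separate external role may already exist there.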
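Review bot: Setting `ttl` equal to `max_ttl` means every certificate issued from the seed Vault role without an explicit `ttl` now lives for two years instead of one, which doubles how long a leaked key stays usable unless clients actually check revocation, and nothing visible in the diff shows CRL or OCSP distribution. If the goal is only to allow two-year certificates when aligning with an upgrade, raising `max_ttl` alone and leaving `ttl: 8760h` keeps the shorter default while letting callers request the longer lifetime explicitly. If the two-year default is intended, say so in the file: `# Two-year default so certificates issued at one annual upgrade stay valid until the next; override ttl for shorter rotation.`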
@@ -71,8 +71,8 @@ overcloud_vault_pki_external_tls_role_name: "{{ overcloud_vault_pki_default_role overcloud_vault_pki_roles: - name: "{{ overcloud_vault_pki_default_role_name }}" config: - max_ttl: 8760h - ttl: 8760h + max_ttl: 730d + ttl: 730d allow_any_name: true allow_ip_sans: true require_cn: false
diff --git a/releasenotes/notes/increase-tls-ttl-c1eba5cca7767d0f.yaml b/releasenotes/notes/increase-tls-ttl-c1eba5cca7767d0f.yaml
new file mode 100644
index 0000000000..848fa40c89
--- /dev/null
+++ b/releasenotes/notes/increase-tls-ttl-c1eba5cca7767d0f.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Increase the ``ttl`` of the ``PKI`` role to two years providing
+ the opportunity to replace ``internal`` and ``backend`` certificates
+ during the annual upgrade.
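Review bot: `730d` now appears as a bare literal four times across the two role lists (twice in this file, twice in `openbao.yml`), so an operator who wants a different lifetime has to copy a whole role definition to change one value. The line above each list already exposes the role name as a variable, and exposing the lifetime the same way — one `*_ttl` variable referenced from both `ttl` and `max_ttl` — would let it be overridden without duplicating the role. This is a point of style rather than a defect; the overcloud Vault role list continues past the hunk.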