
Configurable pkiCert rendering interval #17306

Closed
fitz123 opened this issue Sep 23, 2022 · 2 comments

Comments

fitz123 commented Sep 23, 2022

Problem Description

We're using the Vault PKI engine to generate certificates. One of the requirements is to have services that depend on certificates running without access to Vault for at least a week (the time required for recovery in a worst-case infrastructure/server/datacenter outage). This means we have to have at least 1 week before expiration for any certificate at any given time. Currently vault-agent re-issues the certificate when 85% of the secret's time-to-live (TTL) is reached, and this is not configurable. Therefore the shortest possible certificate TTL we can have is "7 days / 0.15". We are looking for a way to get shorter certificates.

Solution

It'd be great to have the ability to configure when vault-agent has to re-issue the certificate. In the described case, if vault-agent re-issues certificates when 15% of the TTL is reached, then we can have 9-day-long (7 days / 0.85) certificates instead of 47-day (7 days / 0.15) ones, which is much shorter.
The option could be similar to static_secret_render_interval but for the pkiCert templating function.

Considered alternatives

Using the "secret" template function without a lease instead of pkiCert gives the ability to re-issue the certificate on every token renew event, which is 60 seconds in our case. We use a short token renew period for security purposes. We also store certificates in Vault to be able to revoke them. Such a scenario produces way too many certificates and affects storage backend performance.
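The trade-off the issue is describing, worked through as an added example (this is not code from the issue, Vault or consul-template): how the renewal threshold fixes the minimum certificate TTL for a given offline margin, and how many certificates per year each choice issues. The 7-day margin, the 85% and 15% thresholds and the 60-second token renew period are the numbers from the issue; the 365-day year is a simplifying assumption of the example.

```python
"""Certificate TTL vs. renewal threshold (constructed example, not project code)."""

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365  # assumption: ignore leap years


def min_ttl_days(offline_margin_days: float, renew_at_fraction: float) -> float:
    """Smallest TTL (in days) such that, when the agent re-issues the certificate
    at `renew_at_fraction` of its TTL, the freshly issued certificate always
    leaves at least `offline_margin_days` of validity for a Vault outage."""
    if not 0.0 < renew_at_fraction < 1.0:
        raise ValueError("renew_at_fraction must be strictly between 0 and 1")
    if offline_margin_days <= 0:
        raise ValueError("offline_margin_days must be positive")
    # At renewal time the old certificate still has (1 - fraction) * TTL left;
    # that remaining window must cover the required outage margin.
    return offline_margin_days / (1.0 - renew_at_fraction)


def margin_at_renewal_days(ttl_days: float, renew_at_fraction: float) -> float:
    """Validity left on the old certificate when the agent swaps it out."""
    return ttl_days * (1.0 - renew_at_fraction)


def renewals_per_year(renew_interval_days: float) -> float:
    """How many certificates one service issues per year when a new one is
    requested every `renew_interval_days` (the issue's storage-cost concern)."""
    if renew_interval_days <= 0:
        raise ValueError("renew_interval_days must be positive")
    return DAYS_PER_YEAR / renew_interval_days


def scenario(margin_days: float, renew_at_fraction: float) -> dict:
    """Minimum TTL plus resulting issuance rate for one threshold setting."""
    ttl = min_ttl_days(margin_days, renew_at_fraction)
    interval = ttl * renew_at_fraction  # the agent renews once per interval
    return {
        "renew_at_fraction": renew_at_fraction,
        "min_ttl_days": ttl,
        "renew_interval_days": interval,
        "certs_per_year": renewals_per_year(interval),
    }


if __name__ == "__main__":
    margin = 7.0  # one week of operation without Vault, as in the issue
    for fraction in (0.85, 0.15):
        s = scenario(margin, fraction)
        print(f"renew at {fraction:.0%} TTL: min TTL {s['min_ttl_days']:.1f} d, "
              f"renew every {s['renew_interval_days']:.2f} d, "
              f"{s['certs_per_year']:.0f} certs/year")
    # Alternative from the issue: re-issue on every 60-second token renewal.
    print(f"re-issue every 60 s: {renewals_per_year(60 / SECONDS_PER_DAY):.0f} certs/year")
```

Running the script reproduces the issue's figures: the fixed 85% threshold forces a TTL of about 46.7 days (rounded up to 47 in the issue) renewed roughly 9 times a year, a 15% threshold allows about 8.2-day certificates (9 days in the issue) renewed about 295 times a year, and re-issuing on every 60-second token renewal would mean 525,600 certificates a year per service, which is the storage-backend load the alternative in the issue runs into.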

@cipherboy (Contributor) commented

This needs to be filed against https://github.com/hashicorp/consul-template not Vault :-)

(cc @eikenb).


fitz123 commented Sep 26, 2022

hashicorp/consul-template#1646

3 participants