set refresh hint to 1/3 of default CA TTL value fixes #335 (#343)
Signed-off-by: Drew Wells <[email protected]>
drewwells authored May 2, 2024
1 parent f8fd46a commit ee12404
Showing 2 changed files with 4 additions and 1 deletion.
1 change: 1 addition & 0 deletions charts/spire/charts/spire-server/README.md
@@ -147,6 +147,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `federation.enabled` | Flag to enable federation | `false` |
| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` |
| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` |
| `federation.bundleEndpoint.refresh_hint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
| `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` |
| `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` |
| `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` |
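Review bot: the new `federation.bundleEndpoint.refresh_hint` row states a hard constraint ("CA TTL must be 3-5x the duration of this value") but never names the chart parameter that sets the CA TTL or its default, so a reader of this table cannot check that the `5m` default actually satisfies it; the commit title says `5m` was chosen as 1/3 of the default CA TTL, so state that relationship in the description, for example "Must be no more than 1/3 of the CA TTL; the `5m` default assumes the chart's default CA TTL, so raise the CA TTL if you raise this value." Also "remote server" is ambiguous in a federation setup where both sides are remote to each other: say "before the server that owns the bundle rotates its CA key".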
4 changes: 3 additions & 1 deletion charts/spire/charts/spire-server/values.yaml
@@ -210,6 +210,8 @@ federation:
port: 8443
## @param federation.bundleEndpoint.address Address for trust bundle federation
address: "0.0.0.0"
## @param federation.bundleEndpoint.refresh_hint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
refresh_hint: "5m"

tls:
spire:
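Review bot: `refresh_hint` breaks the camelCase naming used by every sibling key in this block (`bundleEndpoint`, `port`, `address`) and by the other federation keys documented in the README (`externalSecret.secretName`); unless the key is copied verbatim into the SPIRE server configuration, rename it to `refreshHint` here and in the README before it ships as a public chart value. Separately, this commit touches only values.yaml and README.md (the page shows 2 changed files), so please confirm that the spire-server ConfigMap template already renders `federation.bundleEndpoint.refresh_hint` into the bundle endpoint config; if it does not, the new default is documented but never applied, and the 1/3-of-CA-TTL guarantee the commit title promises does not hold.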
@@ -877,7 +879,7 @@ tornjak:
issuer: ""
## @param tornjak.config.userManagement.audience UserManagement audience check
audience: ""

# Tornjak supports 3 connection types: `http`, `tls`, and `mtls`.
# The connections are determined based on provided configuration
# When `tlsSecret` is created in this chart namespace, the TLS connection is started
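Review bot: every line shown in this hunk is identical before and after, and the file's stats (3 additions, 1 deletion) leave exactly one added and one removed line unaccounted for after the two `refresh_hint` lines in the hunk above, so this looks like a whitespace-only change to the blank line above the Tornjak connection-type comment; it is unrelated to the refresh hint and should either be dropped from this commit or mentioned in the commit message, so that a reader of `git blame` on the Tornjak block does not mistake a trailing-whitespace fix for a configuration change.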

0 comments on commit ee12404