[08:29:28] <brouberol>	 inflatador: looking at https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/689f78f15c6a1fa3e6a50c64d4d29d9188b29274/hieradata/role/common/pki/multirootca.yaml#36, we _could_ create a `k8s_dse_opensearch` profile for example, and tweak the default `expiry`, as done in `kafka_11` for example (kafka 1.1 does not support dynamic reload
[08:29:28] <brouberol>	 either, so the expiry was set to a year)
[08:33:49] <jayme>	 yes you can run multiple issuer instances using different config (profiles etc)
[08:35:18] <jayme>	 but that's not even required. You can create a second ClusterIssuer (CR) with a different config and reference that in the certs to be generated
[08:36:19] <jayme>	 see helmfile.d/admin_ng/cert-manager/cfssl-issuer-values.yaml, helmfile.d/admin_ng/values/ml-staging-codfw/cfssl-issuer-values.yaml, helmfile.d/admin_ng/helmfile_namespace_certs.yaml
[09:26:07] <elukey>	 TIL, but jayme what is the diff between the first and second option?
[09:26:23] <elukey>	 just to understand, afaics in both cases you have another issuer instance
[09:27:23] <jayme>	 yesno...the latter just configures two issuers leveraging the same "issuer" (as in the service actually running and doing the work)
[09:29:36] <jayme>	 while you could also decide to run two of the issuer services
[09:30:03] <jayme>	 more usefull when you have multiple different pki's to choose from I suppose
[09:33:29] <elukey>	 ah okok got it thanks
[15:21:33] <inflatador>	 thanks jayme , I'll take a closer look at the files you mentioned. I'm hoping we can utilize a new profile/issuer without having to refactor existing charts