Change default expire time for CI_JOB_JWT to 5 min

and update the docs.

doc/ci/examples/authenticating-with-hashicorp-vault/index.md

@@ -47,7 +47,9 @@ The JWT's payload looks like this:
 }
 ```
 
-The JWT is encoded by using RS256 and signed with your GitLab instance's OpenID Connect private key. You can use this JWT and the existing JWKS endpoint (for example, `https://gitlab.example.com/oauth/discovery/keys`) to authenticate with a Vault server that is configured to allow the JWT Authentication method for authentication.
+The JWT is encoded by using RS256 and signed with your GitLab instance's OpenID Connect private key. The expire time for the token will be set to job's timeout, if specifed, or 5 minutes if it is not.
+
+You can use this JWT and the existing JWKS endpoint (for example, `https://gitlab.example.com/oauth/discovery/keys`) to authenticate with a Vault server that is configured to allow the JWT Authentication method for authentication.
 
 When configuring roles in Vault, you can use [bound_claims](https://www.vaultproject.io/docs/auth/jwt/#bound-claims) to match against the JWT's claims and restrict which secrets each CI job has access to.
 

lib/gitlab/ci/jwt.rb

@@ -5,6 +5,8 @@ module Gitlab
     class Jwt < JSONWebToken::RSAToken
       include Gitlab::Utils::StrongMemoize
 
+      DEFAULT_EXPIRE_TIME = 5.minutes.to_i
+
       def self.for_build(build)
         self.new(build, ttl: build.metadata_timeout).encoded
       end

spec/lib/gitlab/ci/jwt_spec.rb

@@ -118,7 +118,7 @@ describe Gitlab::Ci::Jwt do
       payload, _headers = JWT.decode(jwt, rsa_key.public_key, true, { algorithm: 'RS256' })
       ttl = payload["exp"] - payload["iat"]
 
-      expect(ttl).to eq(60)
+      expect(ttl).to eq(5.minutes.to_i)
     end
   end
 end