$ echo | openssl s_client -showcerts -servername 10.246.116.11 -connect 10.246.116.11:5000 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS
DNS:juju-b63bf5-2-lxd-6.maas, IP Address:10.246.114.37, IP Address:10.246.116.11
$ echo | openssl s_client -showcerts -servername 10.246.116.11 -connect 10.246.116.11:5000 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS
DNS:juju-b63bf5-1-lxd-6.maas, IP Address:10.246.114.38, IP Address:10.246.116.11
The keystone application looks like this:
Unit                        Workload  Agent  Machine  Public address  Ports     Message
keystone/0*                 active    idle   0/lxd/2  10.246.114.58   5000/tcp  Unit is ready
  keystone-hacluster/0*     active    idle            10.246.114.58             Unit is ready and clustered
  keystone-mysql-router/0*  active    idle            10.246.114.58             Unit is ready
keystone/1                  active    idle   1/lxd/6  10.246.114.38   5000/tcp  Unit is ready
  keystone-hacluster/1      active    idle            10.246.114.38             Unit is ready and clustered
  keystone-mysql-router/2   active    idle            10.246.114.38             Unit is ready
keystone/2                  active    idle   2/lxd/6  10.246.114.37   5000/tcp  Unit is ready
  keystone-hacluster/2      active    idle            10.246.114.37             Unit is ready and clustered
  keystone-mysql-router/1   active    idle            10.246.114.37             Unit is ready
I just hit this again. Looking deeper, only the certificate of the keystone leader is not being updated:
The leader is keystone/0 (10.246.114.58) and the VIP is 10.246.116.11.
$ echo | openssl s_client -showcerts -servername 10.246.116.11 -connect 10.246.116.11:5000 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS
DNS:juju-b63bf5-0-lxd-2.maas, IP Address:10.246.114.58
$ echo | openssl s_client -showcerts -servername 10.246.116.11 -connect 10.246.116.11:5000 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS
DNS:juju-b63bf5-2-lxd-6.maas, IP Address:10.246.114.37, IP Address:10.246.116.11
$ echo | openssl s_client -showcerts -servername 10.246.116.11 -connect 10.246.116.11:5000 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS
DNS:juju-b63bf5-1-lxd-6.maas, IP Address:10.246.114.38, IP Address:10.246.116.11
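The check above can be repeated and scripted so that every backend behind the VIP is sampled and any certificate whose SAN list lacks the VIP is reported. This is an added example, not part of the bug report; the function names are hypothetical, and the sample lines are the three outputs quoted above.

```shell
#!/bin/sh
# Added example: flag served certificates whose SAN list omits the VIP.
# Function names (san_has_ip, missing_vip, sample_vip) are hypothetical.

# The three SAN lines from the report, one per backend reached through the VIP.
SAMPLE='DNS:juju-b63bf5-0-lxd-2.maas, IP Address:10.246.114.58
DNS:juju-b63bf5-2-lxd-6.maas, IP Address:10.246.114.37, IP Address:10.246.116.11
DNS:juju-b63bf5-1-lxd-6.maas, IP Address:10.246.114.38, IP Address:10.246.116.11'

# san_has_ip SAN_LINE IP: succeed only on an exact "IP Address:IP" entry,
# so 10.246.116.11 does not match an entry such as 10.246.116.110.
san_has_ip() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "IP Address:$2"
}

# missing_vip VIP: read SAN lines on stdin (one per sampled handshake),
# print each distinct line that lacks VIP, and return 1 if there was any.
missing_vip() {
    bad=$(sort -u | while IFS= read -r line; do
        [ -n "$line" ] || continue
        san_has_ip "$line" "$1" || printf '%s\n' "$line"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# sample_vip HOST PORT N: run the report's openssl pipeline N times so that
# the load balancer has a chance to hand out each backend's certificate.
sample_vip() {
    i=0
    while [ "$i" -lt "$3" ]; do
        echo | openssl s_client -showcerts -servername "$1" -connect "$1:$2" 2>/dev/null |
            openssl x509 -inform pem -noout -text | grep DNS
        i=$((i + 1))
    done
}

# Offline run over the quoted output; against a live endpoint use:
#   sample_vip 10.246.116.11 5000 20 | missing_vip 10.246.116.11
printf '%s\n' "$SAMPLE" | missing_vip 10.246.116.11 ||
    echo "at least one backend serves a certificate without the VIP"
```
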