ssl cert update doesn't restart vault
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vault-charm | Fix Committed | Undecided | Samuel Walladge |
Bug Description
When updating the ssl certificates using the method below, we would expect vault to restart, so that vault status would use the new key.
juju config vault \
ssl-cert="$(base64 servercert.pem)" \
ssl-ca="$(base64 cacert.pem)" \
ssl-key="$(base64 serverkey.pem)"
However, we get the following error instead, showing that the certificate has actually expired:
Error checking seal status: Get https:/
The workaround is to restart vault, which will then pick up the new certs.
It is understood that vault shouldn't restart automatically, but at minimum juju status output should notify the user that a restart is required for the certs to be reflected in the current running environment.
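One way to detect the condition described in this report, as an added example that is not part of the original report or the charm's code: compare the fingerprint of the certificate set in the ssl-cert option with the one the running listener actually presents. The function names are hypothetical, port 8200 is assumed as Vault's default listener port, and the sample PEM values are constructed stand-ins rather than real certificates.

```python
import base64
import hashlib
import re
import socket
import ssl

_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem: str) -> str:
    """SHA-256 (hex) of the first certificate in a PEM string or chain."""
    match = _CERT_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()

def pem_from_charm_option(value: str) -> str:
    """Decode an ssl-cert value as set in the report: base64 of the PEM file."""
    return base64.b64decode(value).decode("ascii")

def served_pem(host: str, port: int = 8200, timeout: float = 5.0) -> str:
    """Fetch the certificate the listener presents now (read only, never trusted)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # validation is off only so that an expired
    ctx.verify_mode = ssl.CERT_NONE  # certificate can still be read for comparison
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def is_stale(configured_b64: str, served: str) -> bool:
    """True when the listener still serves a different cert than configured."""
    configured = leaf_fingerprint(pem_from_charm_option(configured_b64))
    return configured != leaf_fingerprint(served)

# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-old-certificate")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-new-certificate")
NEW_OPTION = base64.encodebytes(NEW_PEM.encode()).decode()  # line-wrapped like `base64 file`

if __name__ == "__main__":
    print("config updated, no restart:", is_stale(NEW_OPTION, OLD_PEM))
    print("after restart or reload:   ", is_stale(NEW_OPTION, NEW_PEM))
```

Against a live unit, pass the output of `served_pem(<unit address>)` as the second argument to `is_stale`.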
Changed in vault-charm:
status: New → In Progress
assignee: nobody → Samuel Walladge (swalladge)
Changed in vault-charm:
status: In Progress → Fix Committed
patch: https://review.opendev.org/c/openstack/charm-vault/+/846235
(This proposed fix works by automatically triggering vault to reload, which will reload the certificate files. So we can get the best of both worlds here: automatic and doesn't reseal vault.)