For the record, I've tested the patchset 5 in https://review.opendev.org/c/openstack/charm-vault/+/846235/5 (reload strategy) and confirmed it's working as expected on reloading the new cert.
Here is how I tested:
[current charm]
1. deploy Vault with ssl-cert, ssl-key (and optionally ssl-chain or ssl-ca)
2. check the valid date of the cert
$ curl -ksv https://localhost:8200/ |& grep 'expire date:'
* expire date: Apr 5 06:24:57 2021 GMT
3. upload a new cert/key with charm configs
4. check the valid date again
$ curl -ksv https://localhost:8200/ |& grep 'expire date:'
* expire date: Apr 5 06:24:57 2021 GMT
-> unchanged
[proposed charm]
3. upload a new cert/key with charm configs
$ juju config vault \
    ssl-cert="$(cat cert9.pem| base64)" \
    ssl-key="$(cat privkey9.pem| base64)" \
    ssl-chain="$(cat chain9.pem| base64)"
4. check the valid date again
$ curl -ksv https://localhost:8200/ |& grep 'expire date:'
* expire date: Jul 31 09:15:51 2022 GMT
-> updated as expected
5. double check Vault is unsealed still
$ vault status | grep Sealed
Sealed false
-> unsealed as expected since there was only reload of the service instead of restart.
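The manual checks in the comment above can be turned into a repeatable verdict. This is an added example, not part of the original comment or the charm; the function names `cert_expiry`, `sealed_state` and `reload_verdict` are hypothetical, and the sample text is constructed from the values quoted in the comment.

```bash
#!/usr/bin/env bash
# Added example: function names and sample text are constructed for illustration.

# Constructed samples, built from the values quoted in the comment above.
SAMPLE_OLD='* Server certificate:
* expire date: Apr 5 06:24:57 2021 GMT'
SAMPLE_NEW='* Server certificate:
* expire date: Jul 31 09:15:51 2022 GMT'
SAMPLE_STATUS='Key Value
Sealed false'

# Read `curl -ksv URL 2>&1` output on stdin, print the served cert's expiry.
cert_expiry() {
    sed -n 's/^\* *expire date: *//p' | head -n 1
}

# Read `vault status` output on stdin, print the Sealed value (true/false).
sealed_state() {
    awk '$1 == "Sealed" { print $2; exit }'
}

# Args: expiry before the config change, expiry after it, Sealed value after it.
reload_verdict() {
    local before="$1" after="$2" sealed="$3"
    if [ -z "$before" ] || [ -z "$after" ] || [ -z "$sealed" ]; then
        echo unknown; return 3        # a probe failed; do not guess
    elif [ "$sealed" != "false" ]; then
        echo resealed; return 2       # service restarted, Vault needs unsealing
    elif [ "$before" = "$after" ]; then
        echo stale-cert; return 1     # listener still serves the old cert
    fi
    echo reloaded                     # new cert served, Vault still unsealed
}

# Demo on the constructed samples; on a live unit, pipe the real commands in.
before=$(printf '%s\n' "$SAMPLE_OLD" | cert_expiry)
after=$(printf '%s\n' "$SAMPLE_NEW" | cert_expiry)
sealed=$(printf '%s\n' "$SAMPLE_STATUS" | sealed_state)
reload_verdict "$before" "$after" "$sealed"
```

On a deployed unit, feed `cert_expiry` from `curl -ksv https://localhost:8200/ 2>&1` and `sealed_state` from `vault status`, capturing the expiry once before and once after the `juju config` change.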