canonical / observability-libs

A collection of charm libraries curated by the Observability team.
https://charmhub.io/observability-libs
Apache License 2.0

Renew csr on migration #89

Closed PietroPasotti closed 4 months ago

PietroPasotti commented 4 months ago

Issue

When upgrading and migrating from peer-backed vault to secrets-backed vault, certhandler regenerates the privkey because it can't find one in the new (current) vault, but it migrates the old CSR over. Consequently the CSR is signed with an outdated and lost privkey.

Solution

On upgrade, after migrating the vault, if we have a CSR but NO private key in the vault, we know the CSR is signed by an outdated privkey. Renew it.

Tandem PR

Testing Instructions

juju add-model mytestmodel
juju deploy cos-lite --trust --channel=stable
# refresh traefik from [the tandem pr branch]
curl -v -k https://<TRAEFIK IP>/mytestmodel-prometheus-0/api/v1/targets

PietroPasotti commented 4 months ago

Tandem PR CI is green (modulo forward_auth tests).
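
The renewal condition described in this PR, as an added example that is not code from the PR or from the library: it goes one step beyond the "CSR but no private key" check by also comparing the CSR's public key with the key currently in the vault. The function and helper names are hypothetical, the sample key and CSR are constructed in the test helpers, and the `cryptography` package is assumed to be installed.

```python
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _spki(public_key) -> bytes:
    """DER SubjectPublicKeyInfo: a canonical form for comparing public keys."""
    return public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def csr_needs_renewal(csr_pem: Optional[bytes], key_pem: Optional[bytes]) -> bool:
    """Return True when a stored CSR cannot belong to the stored private key."""
    if csr_pem is None:
        return False  # no CSR was migrated, nothing to renew
    if key_pem is None:
        return True  # the case in this PR: CSR migrated, private key not in the vault
    csr = x509.load_pem_x509_csr(csr_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    if not csr.is_signature_valid:
        return True  # self-signature does not verify against the CSR's own public key
    # Generalization: the key was regenerated, so the CSR carries a stale public key.
    return _spki(csr.public_key()) != _spki(key.public_key())


def make_key_pem() -> bytes:
    """Constructed sample input: a fresh unencrypted RSA private key in PEM."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )


def make_csr_pem(key_pem: bytes, common_name: str) -> bytes:
    """Constructed sample input: a CSR for common_name signed with key_pem."""
    key = serialization.load_pem_private_key(key_pem, password=None)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = x509.CertificateSigningRequestBuilder().subject_name(name)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
```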