Fix leader fail-over for cert provider

When leadership is transferred to another unit when Vault is in HA mode, the new leader didn't have the `charm.vault.ca.ready` flag set, so it would fail to respond to any cert requests, even though the CA was already properly configured. This addresses that issue, with the caveat that when the leadership takeover happens, all requested certs will be re-issued due to the new leader (potentially) not having access to the previously published data. (We can fix this once we have application-level relation data.) Fixes lp:1836348 Change-Id: Ifd8bfbf0a5c44f1e70ff7ad999dfda7333014a88
2019-07-12 17:13:48 -04:00
parent 1298ab66f4
commit 833a5e83a1
1 changed files with 9 additions and 0 deletions
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@@ -701,6 +701,15 @@ def auto_generate_root_ca_cert():
        log("Skipping auto-generate root CA cert: {}".format(e))


+@when('leadership.is_leader',
+      'leadership.set.root-ca')
+@when_not('charm.vault.ca.ready')
+def takeover_cert_leadership():
+    # the CA was configured by a previous leader, but we're the leader now so
+    # we need to take over cert management duties
+    set_flag('charm.vault.ca.ready')
+
+
@when('leadership.is_leader',
      'charm.vault.ca.ready',
      'certificates.available')