I read all the docs and browsed through all the forums I could find, and I also found out here that:
Vault does not currently support automatic renewal of the certificates that it generates, but you can easily renew the certificates for the entire cluster with:
I tried it, but the certificates did not change. The same certs are still in /root/cdk; no change has been made. I also tried using other units of Vault (I have a 3-node HA setup), but still no change.
Is there anything I missed?
I’m using k8s 1.22.11, Juju 2.9.28-ubuntu-amd64, Ubuntu 20.04 LTS
Hmmm. It sounds like the vault charm might be swallowing an error.
If I were to troubleshoot this in my own setup, I’d probably try to grab a shell on the unit, and inspect system logs and dbus logs. It’s possible that the writes are failing due to a full disk, or some other system level problem.
@billy-olsen ping on the comment about vault possibly being incautious in smooshing an error. (Apologies if my assumption is unfair.)
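A quick way to verify the symptom reported above (whether the certificates under /root/cdk were actually rotated after a renewal attempt) is to fingerprint every certificate block before and after and compare. The script below is an added example, not code from this thread or from the vault charm: it parses PEM files (including chain files that hold several certificates), hashes the DER bytes, and reports which files were rotated, unchanged, added or removed. The `demo()` function uses constructed PEM blobs rather than real X.509 certificates, since the check only hashes the decoded bytes; the directory name `/root/cdk` in the usage is taken from the post.

```python
"""Compare certificate fingerprints in a directory before and after a renewal.

Added example for this thread; not part of the vault charm.  Usage on a unit:
    python3 certdiff.py /root/cdk          # prints a snapshot of fingerprints
The demo() function shows the before/after comparison on constructed data.
"""
import base64
import hashlib
import json
import os
import re
import sys
import tempfile
from typing import Dict, List

# Matches every PEM certificate block in a file (chain files contain several).
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints_of_pem(data: bytes) -> List[str]:
    """Return the SHA-256 fingerprint (hex) of each certificate block in PEM data."""
    out = []
    for m in PEM_RE.finditer(data):
        der = base64.b64decode(b"".join(m.group(1).split()))
        out.append(hashlib.sha256(der).hexdigest())
    return out


def snapshot(cert_dir: str) -> Dict[str, List[str]]:
    """Map each .crt/.pem file in cert_dir to the list of fingerprints it holds."""
    snap = {}
    for name in sorted(os.listdir(cert_dir)):
        if not name.endswith((".crt", ".pem")):
            continue
        with open(os.path.join(cert_dir, name), "rb") as f:
            snap[name] = fingerprints_of_pem(f.read())
    return snap


def diff_snapshots(before: Dict[str, List[str]],
                   after: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Classify files as rotated (content changed), unchanged, added or removed."""
    common = set(before) & set(after)
    return {
        "rotated": sorted(n for n in common if before[n] != after[n]),
        "unchanged": sorted(n for n in common if before[n] == after[n]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }


def _pem(blob: bytes) -> bytes:
    """Wrap raw bytes in a PEM certificate envelope.  Constructed test data only:
    this is not a real X.509 certificate, but the fingerprint logic treats it the
    same way because it only hashes the base64-decoded body."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(blob)
            + b"-----END CERTIFICATE-----\n")


def demo() -> Dict[str, List[str]]:
    """Simulate a renewal that rewrites only the server leaf and report the diff."""
    with tempfile.TemporaryDirectory() as d:
        ca = _pem(b"ca-v1" * 20)
        with open(os.path.join(d, "ca.crt"), "wb") as f:
            f.write(ca)
        with open(os.path.join(d, "server.crt"), "wb") as f:
            f.write(_pem(b"server-v1" * 20) + ca)      # leaf followed by chain
        before = snapshot(d)
        # A renewal that issued a new leaf but kept the same CA.
        with open(os.path.join(d, "server.crt"), "wb") as f:
            f.write(_pem(b"server-v2" * 20) + ca)
        after = snapshot(d)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Print a snapshot; save it, re-run after renewal, and diff the two.
        print(json.dumps(snapshot(sys.argv[1]), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it once before and once after the renewal action and compare the two snapshots; if every file lands in "unchanged", the renewal never wrote new material, which is the failure the original post describes, and the next step is the unit's system logs and free disk space, as suggested above.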
The first thing that comes to mind is bug 1940549, which revealed a problem with the certificate management across multiple units. Unfortunately, the patch that was proposed for the current release was just reverted, as it causes a problem on deployment. We're actively working to fix the problem.
It has a bit of an ugly workaround identified, but I'm hoping to get this resolved ASAP.